FreeS/WAN Project Bows Out
V. Mole writes "After five years, the FreeS/WAN project has decided to end development. The main reason seems to be that although the project was technically successful, it was not making much progress with its political goals of encrypting a significant portion of all Internet communications, although one might guess that the selection of KAME for the standard Linux IPSEC implementation might also have influenced this decision. And don't panic, the software will remain available, and of course some other group is free to continue development."
I'm sure some corp will pick up the project... I know a lot of people use it, so I don't really see any reason for it to die.
This is rather bad news for the not insignificant FreeS/WAN install base out there. The company I worked for last year, for instance, poured a significant quantity of time and money into a corporate VPN based on FreeS/WAN, and even bundled it into products. They don't have the resources or experience to support FreeS/WAN in house themselves, so they'll be in for an interesting ride if problems are discovered. AFAIK, they were hoping not to have to upgrade to Linux 2.6 for at least a year, but that may have to change now. Who all out there is getting left in the lurch by this?
As I understand it, they wanted to use opportunistic encryption to do the "common man" encryption of the 5% of the internet. Has this actually become standard yet? If so, it's only been within the last couple of years I think (since I've stopped dealing with VPN).
Also, aren't there other problems inherent with OE? I.e.: the need to have secure DNS before this can really happen, or a PKI infrastructure or public key escrow or something? I'd love to just install freeswan on my firewall and have encrypted connections happen, but a) would it really help things and b) would it be like being the first one on the block to have a videophone?
My project for 1996 was to secure 5% of the Internet traffic against passive wiretapping. It didn't happen in 1996, so I'm still working on it in 1999! If we get 5% in 1999 or 2000, we can secure 20% the next year, against both active and passive attacks; and 80% the following year. Soon the whole Internet will be private and secure. The project is called S/WAN or S/Wan or Swan for Secure Wide Area Network; since it's free software, we call it FreeS/WAN to distinguish it from various commercial implementations. RSA came up with the term "S/WAN". Our main web site is at http://www.freeswan.org. Want to help? The idea is to deploy PC-based boxes that will sit between your local area network and the Internet (near your firewall or router) which opportunistically encrypt your Internet packets. Whenever you talk to a machine (like a Web site) that doesn't support encryption, your traffic goes out "in the clear" as usual. Whenever you connect to a machine that does support this kind of encryption, this box automatically encrypts all your packets, and decrypts the ones that come in. In effect, each packet gets put into an "envelope" on one side of the net, and removed from the envelope when it reaches its destination. This works for all kinds of Internet traffic, including Web access, Telnet, FTP, email, IRC, Usenet, etc. The encryption boxes are standard PC's that use freely available Linux software that you can download over the Internet, or install from a cheap CDROM. This wasn't just my idea; lots of people have been working on it for years. The encryption protocols for these boxes are called IPSEC (IP Security). They have been developed by the IP Security Working Group of the Internet Engineering Task Force, and will be a standard part of the next major version of the Internet protocols (IPv6). For today's (IP version 4) Internet, they are an option. 
The Internet Architecture Board and Internet Engineering Steering Group have taken a strong stand that the Internet should use powerful encryption to provide security and privacy. I think these protocols are the best chance to do that, because they can be deployed very easily, without changing your hardware or software or retraining your users. They offer the best security we know how to build, using the Triple-DES, RSA, and Diffie-Hellman algorithms. This "opportunistic encryption box" offers the "fax effect". As each person installs one for their own use, it becomes more valuable for their neighbors to install one too, because there's one more person to use it with. The software automatically notices each newly installed box, and doesn't require a network administrator to reconfigure it. Instead of "virtual private networks" we have a "REAL private network"; we add privacy to the real network instead of layering a manually-maintained virtual network on top of an insecure Internet. programmers working all over the world and coordinating over the Internet. Linux is distributed under the GNU Public License, which gives everyone the right to copy it, improve it, give it to their friends, sell it commercially, or do just about anything else with it, without paying anyone for the privilege. Organizations that want to secure their network will be able to put two Ethernet cards into an IBM PC, install Linux on it from a $30 CDROM or by downloading it over the net, and plug it in between their Ethernet and their Internet link or firewall. That's all they'll have to do to encrypt their Internet traffic everywhere outside their own local area network. Travelers will be able to run Linux on their laptops, to secure their connection back to their home network (and to everywhere else that they connect to, such as customer sites). 
Anyone who runs Linux on a standalone PC will also be able to secure their network connections, without changing their application software or how they operate their computer from day to day. There are already numerous commercially available hardware and software products that use the IPSEC technology. The FreeS/WAN team regularly participates in intero
Lets pick a company at random... Microsoft.
Does Windows 98 have a large install base?
Yes.
Are Microsoft still supporting Windows 98?
No.
No, so what exactly was your point?
Not if they go out of business, change business models, or decide that a particular product is no longer profitable.
In all of these cases, if you depended on access to and updates for their software, you would be SOL.
With OSS, you get the source code and have the freedom to recompile it to new targets and make whatever small patches are necessary to keep it running. If it's important enough to your company (or to you as a personal user) you can take over the maintenance yourself.
The parent is alluding to this fact.
It seems that FreeS/WAN's goals of opportunistic encryption were in opposition to the complexity that their implementation required (DNS changes, etc.)
PGP.net (oh, where have you gone) provided opportunistic encryption with no infrastructure requirements other than the two machines communicating use the PGP.net software.
Controlling the two endpoints seems a lot easier than trying to control them plus the DNS servers to exchange info.
Anyone know what happened to PGP.net?
If FreeS/WAN has neither secured the Internet, nor secured the right of US citizens to export software that could do so, it has still had positive benefit.
Talk about two goals that are just plain swimming uphill.
Getting the Internet to change what's not broken is very hard. The fact that our default mode of communications is plaintext doesn't quite scare most pointy haired bosses. They want their stuff secured, but there's no sense in switching protocols when we can just secure on top of the existing protocols with things like VPNs, SSH, PGP, SSL, etc.
Meanwhile, getting the government to lift the crypto-export bans just isn't going to happen either. September 11th, 2001 will always be brought up anytime anybody wants to loosen crypto rules. Being able to talk in a way that the US Government can't intercept and understand is something that truly scares the military and the CIA... because if they can't intercept communications, they lose one of their strongest tools in battle. Maybe the crypto-export rules are weak and aren't going to stop much, but at least it stops everything we can stop using a law, and that's better than zero.
So, another open source project with great ideas but not quite enough resources to get the job done packs it in. Oh, well. So it goes.
I think one of the reasons Microsoft reconsidered was that WINE on linux would suddenly look like a great idea to all these companies who wanted to use Win98 software, but didn't like the idea of being hung out to dry support-wise if they didn't want to upgrade. I've been considering it myself - there are only a dozen or so win-only apps that I need on my measly p266 laptop (with only 64mb of ram) - I could install RH 9, plonk WINE on top of that, and be good to go.
What's wrong with implementing OpenVPN- the SSL approach? I suppose it may be difficult for some companies to upgrade . . . but if they require it, and it is a viable alternative- why not?
Would it really be that difficult for somebody to take over the development? Maybe their role could be more to administer the operation rather than code a lot of it.
Also, this (google's cache) or the PDF version of the above claims that FreeS/WAN does not support PKI.
No I'm not trolling I'm asking a question here. Outside of admins, how many people really care whether their connection is secure or not. I always reference this out regarding IPSec and the likes, so I'll point out eBay as an example. Now a company such as eBay in my opinion should have SSL based log on by default, period. It's optional. Why? Because most users outside of the geekrealm, and system admin realm don't understand the escape key from their space bar. So when it comes to things like... "Will you accept this certificate?" and the likes, they don't know, and they certainly don't care. Same goes for VPN's. Why should the people care if Freeswan "was not making much progress with its political goals of encrypting a significant portion of all Internet communications" when the typical user doesn't know about Freeswan, and more than likely wouldn't care.
MoFscker
I'll bite the troll... and will give an example from personal experience.
In our lab here, there are plots created with stuff like WingZ (NeXT based spreadsheet/plotting program) and AppsoftDraw (a Visio-like program) -- both types of plots from about 1995.... The programs no longer exist. We don't even bother to make changes to them.
On the other hand, we also have plots created with gnuplot, xfig, and much older documents created with latex. They all work as if they are created just now...
In this particular case, people behind latex and xfig have incentive to keep working on them -- and it wouldn't really matter that much even if all the development with latex and xfig stop. Just like the core components of emacs, the development occurs at galactic time scales, but that is not a big deal...
Actually, zealotry had little or nothing to do with Hurd's non-progression. Remember that Hurd was the first big GNU package that RMS did *not* work on. If zealotry was a problem, GCC, Emacs, GDB, and many of the GNU command line utils would have failed long ago. (GNU Libc was mostly Richard-less, but he did have a hand in it.)
The failure of the Hurd was a bad gamble. Possibly encouraged by the fact that they had written almost an entire operating system (using tried-and-true designs), the GNU projecteers decided to try a latest-and-greatest (fad) design for the GNU kernel - it didn't work out as it was meant to, but luckily Linus had worked on this same project from the conventional angle, so we still ended up with a completely free software OS.
Please help publicise swpat.org - the software patents wiki
Actually, I've implemented FreeS/WAN on some VPNs that operate over wireless ISPs in Mexico, and it seems unusually tolerant of the, shall we say, continuous stream of new and exciting conditions that exist on those networks. It's been far more stable than some commercial products we tried (for big $$$).
That being said, I did believe (from reading the docs) that the development team was far more interested in making a (pointless, IMHO) political statement than in creating a usable piece of software. For most small / medium businesses, Opportunistic Encryption is the last thing you want - typically these companies have one interface to the Internet, and having trusted and untrusted-from-random-IP-subnets coming in on the same connection creates a firewall design nightmare. I'm sure there's a way to make it work, but frankly if information is worth securing, we can and do secure it. If it isn't, then we just don't care - I'd rather just Keep It Simple, Stupid.
Help save the critically endangered Blue Iguana
I've spent so many weekends playing with connecting FreeS/WAN to my OpenBSD router. Every time I'd end up with some insanely cryptic error message (on both ends, openbsd isn't much better). This weekend I downloaded KAME for the 2.6 kernel, and had it working within half an hour, including the time to recompile my kernel.
FreeS/WAN is an unfortunate example of a project too focused on a far out goal (OE) to make the simple foundations work.
This is just one more example how wrongheaded it is to place politics at the forefront of a project, instead of technical achievements.
Most people don't give a flying fuck what political goals your project has. Only the code, and the software matter. All else is gravy.
You can add this to the graveyard of noble goals brought down by zealotry.
I find this particular outlook sad and disturbing, especially when that outlook is probably more than a little true. It's the nature of the human animal to push boulders up hills, and then become resigned, cynical, and despairing when the effort seems to be overshadowed by the results (or lack thereof.) It's also part of the human animal that a room full of us passionately engaged (or for that matter enraged), will just as likely pull in twenty different directions as a single useful or meaningful one. That said, we can be certain that nothing lasting or important will ever get done if we can't put our own egos, and personal agendas aside for the greater good.
In any project that seems to be as much social engineering as software generation, the two arms must be separate, distinct, and managed tightly by a group of wise men that can be trusted to steer that project. The code heads must be safe, and cozy, whacking away at the bits, while the political engineers are busy spreading memes and building coalition in legislative circles. All the while, cool heads, men and women selected for their integrity and sanity, must guide and nurture the process with patience and forbearance.
Protecting the security, and anonymity of people, is an important endeavor. It deserves bringing to bear, people with moral distinction and the skills needed to manage the long haul, because we live in a world that doesn't do the logical thing, and this will certainly be a long haul. I hope that the software finds a new home, and people with the fortitude to take it to its logical conclusion. As well, I hope that OSS projects like this can begin to create operational structures that ensure the realization of their goals, even in the face of great political/social resistance, and internal conflict. In the end, being a part of an OSS project is ultimately about making a contribution to the human condition... when it becomes something else, projects fail and we all lose.
Genda
"A business man can pull a phone out of his pocket and talk at length to someone halfway around the world. The same man will sit in a dark room with his wife and children all evening and never say a word.. clearly something isn't working." -- Dave Cunningham
And I can say that it is the most obtuse, cryptic product I have ever had to wrestle with.
There was absolutely no way that 'normal' users were ever going to be able to make use of this product for the 'opportunistic encryption' the project aimed for; I honestly don't think you could design a more opaque and confusing piece of software if you were actually trying.
That being said, once you get over the configuration hurdles and realise you will have to employ script-based kludges to do simple things, e.g. get it to route packets through multiple tunnels terminating on the same local IP address, it mostly works quite well.
I gots ta ding a ding dang my dang a long ling long
Long time ago there was an awesome program called ecco pro. This program was always highly rated by magazines and users and had a devoted following. Netmanage bought this program from the original company (arabasque) and shortly thereafter shelved it for mysterious reasons (many people suspected MS foul play).
That was a very long time ago and today there is still a vibrant community of ecco users who swear up and down that no other product even comes close. They beg Netmanage to sell the code to them or to open up the source code but Netmanage just ignores their requests. Oddly enough Netmanage does let people download the binary.
To me what netmanage is doing is just cruel. They are not making money off of it, they don't support it and yet they refuse to sell it or open it up. Why did they buy this program for so much money just to mothball it?
Companies are like that. They sometimes suck.
The best way to support the US war effort is to continue buying American products.
No, it doesn't. 2.6 IPsec has all sorts of problems with MTU, and 2.4 with 2.6 backport doesn't even understand its own behaviour. You'll end up with situations like this:
valentijn:~# ping -s 1435 host21
PING host21.wireless.palmgracht.nl (10.15.67.21): 1435 data bytes
ping: sendto: Message too long
ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1
ping: sendto: Message too long
ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1
The 2.6 native IPsec does have some MTU issues as well, but I haven't had time to research them well enough. However, from what I've seen, I think that having a 2.6 machine routing between two tunnels will most likely give you a headache, as larger IP fragments will not come through and 2.6 doesn't cut them to adjust to the new 1442 MTU. Besides, the 2.6 IPsec implementation doesn't handle IPsec in combination with iptables too well as there's no well defined way the packets travel through the tables. Encryption is handled somewhere between OUTPUT and POSTROUTING, which, for example, eliminates the possibility to use NAT. IPsec 2.6 works, but only in theory, so to say.
my other sig is a 500 page novel
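As an added worked example (not from the thread and not FreeS/WAN or kernel code), this computes ESP tunnel-mode packet sizes for the `ping -s 1435` case above and the MSS a defender would clamp on the clear-text side to avoid re-fragmentation inside the tunnel. It assumes IPv4 without options, 3DES-CBC with HMAC-SHA1-96 and a 1500-byte path MTU; the 1442 tunnel MTU quoted in the comment is the kernel's conservative worst-case figure, whereas this calculates the exact per-packet size.

```python
import math

# Assumed ESP tunnel-mode parameters (not stated in the thread): IPv4
# outer header without options, 3DES-CBC (8-byte block, 8-byte IV) and
# HMAC-SHA1-96 (12-byte ICV), the FreeS/WAN-era defaults.
OUTER_IP = 20
ESP_HDR = 8               # SPI (4) + sequence number (4)
IV_LEN = 8
BLOCK = 8
ICV_LEN = 12
TRAILER_FIXED = 2         # pad length (1) + next header (1)
ICMP_ECHO_OVERHEAD = 28   # inner IPv4 header (20) + ICMP echo header (8)
TCP_OVERHEAD = 40         # IPv4 header (20) + TCP header (20), no options


def esp_tunnel_size(inner_len: int) -> int:
    """Bytes on the wire after ESP tunnel-mode encapsulation of an inner IP
    packet of inner_len bytes: payload plus the two fixed trailer bytes is
    padded up to the cipher block size, then the ICV is appended."""
    padded = math.ceil((inner_len + TRAILER_FIXED) / BLOCK) * BLOCK
    return OUTER_IP + ESP_HDR + IV_LEN + padded + ICV_LEN


def max_inner_len(path_mtu: int = 1500) -> int:
    """Largest clear-text IP packet whose encapsulation still fits path_mtu
    without the outer packet having to be fragmented."""
    n = path_mtu
    while esp_tunnel_size(n) > path_mtu:
        n -= 1
    return n


def ping_fits(data_bytes: int, path_mtu: int = 1500) -> bool:
    """Would `ping -s data_bytes` with DF set fit the tunnel? When it does
    not, the sender sees 'sendto: Message too long' as in the comment."""
    return esp_tunnel_size(data_bytes + ICMP_ECHO_OVERHEAD) <= path_mtu


def tcp_mss_clamp(path_mtu: int = 1500) -> int:
    """MSS to clamp on the clear-text side (e.g. iptables TCPMSS --set-mss)
    so TCP segments never exceed what the tunnel can carry unfragmented."""
    return max_inner_len(path_mtu) - TCP_OVERHEAD


if __name__ == "__main__":
    for s in (1435, 1418):
        inner = s + ICMP_ECHO_OVERHEAD
        print(f"ping -s {s}: inner {inner} -> {esp_tunnel_size(inner)} bytes "
              f"on the wire, {'fits' if ping_fits(s) else 'too long'}")
    print("max clear-text packet:", max_inner_len(),
          "TCP MSS clamp:", tcp_mss_clamp())
```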