(no commit message)

[people/ms/strongswan.git] / doc / web.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
<STYLE TYPE="text/css"><!--
BODY { font-family: serif }
H1 { font-family: sans-serif }
H2 { font-family: sans-serif }
H3 { font-family: sans-serif }
H4 { font-family: sans-serif }
H5 { font-family: sans-serif }
H6 { font-family: sans-serif }
SUB { font-size: smaller }
SUP { font-size: smaller }
PRE { font-family: monospace }
--></STYLE>
</HEAD>
<BODY>
<A HREF="toc.html">Contents</A>
<A HREF="mail.html">Previous</A>
<A HREF="glossary.html">Next</A>
<HR>
<H1><A name="weblink">Web links</A></H1>
<H2><A name="freeswan">The Linux FreeS/WAN Project</A></H2>
<P>The main project web site is<A href="http://www.freeswan.org/">
 www.freeswan.org</A>.</P>
<P>Links to other project-related<A href="intro.html#sites"> sites</A>
 are provided in our introduction section.</P>
<H3><A name="patch">Add-ons and patches for FreeS/WAN</A></H3>
<P>Some user-contributed patches have been integrated into the FreeS/WAN
 distribution. For a variety of reasons, those listed below have not.</P>
<P>Note that not all patches are a good idea.</P>
<UL>
<LI>There are a number of &quot;features&quot; of IPsec which we do not implement
 because they reduce security. See this<A href="compat.html#dropped">
 discussion</A>. We do not recommend using patches that implement these.
 One example is aggressive mode.</LI>
<LI>We do not recommend adding &quot;features&quot; of any sort unless they are
 clearly necessary, or at least have clear benefits. For example,
 FreeS/WAN would not become more secure if it offerred a choice of 14
 ciphers. If even one was flawed, it would certainly become less secure
 for anyone using that cipher. Even with 14 wonderful ciphers, it would
 be harder to maintain and administer, hence more vulnerable to various
 human errors.</LI>
</UL>
<P>This is not to say that patches are necessarily bad, only that using
 them requires some deliberation. For example, there might be perfectly
 good reasons to add a specific cipher in your application: perhaps GOST
 to comply with government standards in Eastern Europe, or AES for
 performance benefits.</P>
<H4>Current patches</H4>
<P>Patches believed current::</P>
<UL>
<LI>patches for<A href="http://www.strongsec.com/freeswan/"> X.509
 certificate support</A>, also available from a<A href="http://www.twi.ch/~sna/strongsec/freeswan/">
 mirror site</A></LI>
<LI>patches to add<A href="http://www.irrigacion.gov.ar/juanjo/ipsec">
 AES and other ciphers</A>. There is preliminary data indicating AES
 gives a substantial<A href="performance.html#perf.more"> performance
 gain</A>.</LI>
</UL>
<P>There is also one add-on that takes the form of a modified FreeS/WAN
 distribution, rather than just patches to the standard distribution:</P>
<UL>
<LI><A href="http://www.ipv6.iabg.de/downloadframe/index.html">IPv6
 support</A></LI>
</UL>
<P>Before using any of the above,, check the<A href="mail.html"> mailing
 lists</A> for news of newer versions and to see whether they have been
 incorporated into more recent versions of FreeS/WAN.</P>
<H4>Older patches</H4>
<UL>
<LI><A href="http://sources.colubris.com/en/projects/FreeSWAN/">hardware
 acceleration</A></LI>
<LI>a<A href="http://tzukanov.narod.ru/"> series</A> of patches that
<UL>
<LI>provide GOST, a Russian gov't. standard cipher, in MMX assembler</LI>
<LI>add GOST to OpenSSL</LI>
<LI>add GOST to the International kernel patch</LI>
<LI>let FreeS/WAN use International kernel patch ciphers</LI>
</UL>
</LI>
<LI>Neil Dunbar's patches for<A href="ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz">
 certificate support</A>, using code from<A href="http://www.openssl.org">
 Open SSL</A>.</LI>
<LI>Luc Lanthier's<A href="ftp://ftp.netwinder.org/users/f/firesoul/">
 patches</A> for<A href="glossary.html#PKIX"> PKIX</A> support.</LI>
<LI><A href="ftp://ftp.heise.de/pub/ct/listings/9916-180.tgz">patches</A>
 to add<A href="glossary.html#blowfish"> Blowfish</A>,<A href="glossary.html#IDEA">
 IDEA</A> and<A href="glossary.html#CAST128"> CAST-128</A> to FreeS/WAN</LI>
<LI>patches for FreeS/WAN 1.3, Pluto support for<A href="http://alcatraz.webcriminals.com/~bastiaan/ipsec/">
 external authentication</A>, for example with a smartcard or SKEYID.</LI>
<LI><A href="http://www.zengl.net/freeswan/download/">patches and
 utilities</A> for using FreeS/WAN with PGPnet</LI>
<LI><A href="http://www.freelith.com/lithworks/crypto/freeswan_patch.htm">
Blowfish encryption and Tiger hash</A></LI>
<LI><A href="http://www.cendio.se/~bellman/aggressive-pluto.snap.tar.gz">
patches</A> for aggressive mode support</LI>
</UL>
<P>These patches are for older versions of FreeS/WAN and will likely not
 work with the current version. Older versions of FreeS/WAN may be
 available on some of the<A href="intro.html#sites"> distribution sites</A>
, but we recommend using the current release.</P>
<H4><A name="VPN.masq">VPN masquerade patches</A></H4>
<P>Finally, there are some patches to other code that may be useful with
 FreeS/WAN:</P>
<UL>
<LI>a<A href="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">
 patch</A> to make IPsec, PPTP and SSH VPNs work through a Linux
 firewall with<A href="glossary.html#masq"> IP masquerade</A>.</LI>
<LI><A href="http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html">
Linux VPN Masquerade HOWTO</A></LI>
</UL>
<P>Note that this is not required if the same machine does IPsec and
 masquerading, only if you want a to locate your IPsec gateway on a
 masqueraded network. See our<A href="firewall.html#NAT"> firewalls</A>
 document for discussion of why this is problematic.</P>
<P>At last report, this patch could not co-exist with FreeS/WAN on the
 same machine.</P>
<H3><A name="dist">Distributions including FreeS/WAN</A></H3>
<P>The introductory section of our document set lists several<A href="intro.html#distwith">
 Linux distributions</A> which include FreeS/WAN.</P>
<H3><A name="used">Things FreeS/WAN uses or could use</A></H3>
<UL>
<LI><A href="http://openpgp.net/random">/dev/random</A> support page,
 discussion of and code for the Linux<A href="glossary.html#random">
 random number driver</A>. Out-of-date when we last checked (January
 2000), but still useful.</LI>
<LI>other programs related to random numbers:
<UL>
<LI><A href="http://www.mindrot.org/audio-entropyd.html">audio entropy
 daemon</A> to gather noise from a sound card and feed it into
 /dev/random</LI>
<LI>an<A href="http://www.lothar.com/tech/crypto/"> entropy-gathering
 daemon</A></LI>
<LI>a driver for the random number generator in recent<A href="http://sourceforge.net/projects/gkernel/">
 Intel chipsets</A>. This driver is included as standard in 2.4 kernels.</LI>
</UL>
</LI>
<LI>a Linux<A href="http://www.marko.net/l2tp/"> L2TP Daemon</A> which
 might be useful for communicating with Windows 2000 which builds L2TP
 tunnels over its IPsec connections</LI>
<LI>to use opportunistic encryption, you need a recent version of<A href="glossary.html#BIND">
 BIND</A>. You can get one from the<A href="http://www.isc.org">
 Internet Software Consortium</A> who maintain BIND.</LI>
</UL>
<H3><A name="alternatives">Other approaches to VPNs for Linux</A></H3>
<UL>
<LI>other Linux<A href="#linuxipsec"> IPsec implementations</A></LI>
<LI><A href="http://www.tik.ee.ethz.ch/~skip/">ENskip</A>, a free
 implementation of Sun's<A href="glossary.html#SKIP"> SKIP</A> protocol</LI>
<LI><A href="http://sunsite.auc.dk/vpnd/">vpnd</A>, a non-IPsec VPN
 daemon for Linux which creates tunnels using<A href="glossary.html#Blowfish">
 Blowfish</A> encryption</LI>
<LI><A href="http://www.winton.org.uk/zebedee/">Zebedee</A>, a simple
 GPLd tunnel-building program with Linux and Win32 versions. The name is
 from<STRONG> Z</STRONG>lib compression,<STRONG> B</STRONG>lowfish
 encryption and<STRONG> D</STRONG>iffie-Hellman key exchange.</LI>
<LI>There are at least two PPTP implementations for Linux
<UL>
<LI>Moreton Bay's<A href="http://www.moretonbay.com/vpn/pptp.html">
 PoPToP</A></LI>
<LI><A href="http://cag.lcs.mit.edu/~cananian/Projects/PPTP/">PPTP-Linux</A>
</LI>
</UL>
</LI>
<LI><A href="http://sites.inka.de/sites/bigred/devel/cipe.html">CIPE</A>
 (crypto IP encapsulation) project, using their own lightweight protocol
 to encrypt between routers</LI>
<LI><A href="http://tinc.nl.linux.org/">tinc</A>, a VPN Daemon</LI>
</UL>
<P>There is a list of<A href="http://www.securityportal.com/lskb/10000000/kben10000005.html">
 Linux VPN</A> software in the<A href="http://www.securityportal.com/lskb/kben00000001.html">
 Linux Security Knowledge Base</A>.</P>
<H2><A name="ipsec.link">The IPsec Protocols</A></H2>
<H3><A name="general">General IPsec or VPN information</A></H3>
<UL>
<LI>The<A href="http://www.vpnc.org"> VPN Consortium</A> is a group for
 vendors of IPsec products. Among other things, they have a good
 collection of<A href="http://www.vpnc.org/white-papers.html"> IPsec
 white papers</A>.</LI>
<LI>A VPN mailing list with a<A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
 home page</A>, a FAQ, some product comparisons, and many links.</LI>
<LI><A href="http://www.opus1.com/vpn/index.html">VPN pointer page</A></LI>
<LI>a<A href="http://www.epm.ornl.gov/~dunigan/vpn.html"> collection</A>
 of VPN links, and some explanation</LI>
</UL>
<H3><A name="overview">IPsec overview documents or slide sets</A></H3>
<UL>
<LI>the FreeS/WAN<A href="ipsec.html"> document section</A> on these
 protocols</LI>
</UL>
<H3><A name="otherlang">IPsec information in languages other than
 English</A></H3>
<UL>
<LI><A href="http://www.imib.med.tu-dresden.de/imib/Internet/Literatur/ipsec-docu.html">
German</A></LI>
<LI><A href="http://www.kame.net/index-j.html">Japanese</A></LI>
<LI>Feczak Szabolcs' thesis in<A href="http://feczo.koli.kando.hu/vpn/">
 Hungarian</A></LI>
<LI>Davide Cerri's thesis and some presentation slides<A href="http://www.linux.it/~davide/doc/">
 Italian</A></LI>
</UL>
<H3><A name="RFCs1">RFCs and other reference documents</A></H3>
<UL>
<LI><A href="rfc.html">Our document</A> listing the RFCs relevant to
 Linux FreeS/WAN and giving various ways of obtaining both RFCs and
 Internet Drafts.</LI>
<LI><A href="http://www.vpnc.org/vpn-standards.html">VPN Standards</A>
 page maintained by<A href="glossary.html#VPNC"> VPNC</A>. This covers
 both RFCs and Drafts, and classifies them in a fairly helpful way.</LI>
<LI><A href="http://www.rfc-editor.org">RFC archive</A></LI>
<LI><A href="http://www.ietf.org/ids.by.wg/ipsec.html">Internet Drafts</A>
 related to IPsec</LI>
<LI>US government<A href="http://www.itl.nist.gov/div897/pubs"> site</A>
 with their<A href="glossary.html#FIPS"> FIPS</A> standards</LI>
<LI>Archives of the ipsec@tis.com mailing list where discussion of
 drafts takes place.
<UL>
<LI><A href="http://www.sandelman.ottawa.on.ca/ipsec">Eastern Canada</A></LI>
<LI><A href="http://www.vpnc.org/ietf-ipsec">California</A>.</LI>
</UL>
</LI>
</UL>
<H3><A name="analysis">Analysis and critiques of IPsec protocols</A></H3>
<UL>
<LI>Counterpane's<A href="http://www.counterpane.com/ipsec.pdf">
 evaluation</A> of the protocols</LI>
<LI>Simpson's<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html">
 IKE Considered Dangerous</A> paper. Note that this is a link to an
 archive of our mailing list. There are several replies in addition to
 the paper itself.</LI>
<LI>Fate Labs<A href="http://www.fatelabs.com/loki-vpn.pdf"> Virual
 Private Problems: the Broken Dream</A></LI>
<LI>Catherine Meadows' paper<CITE> Analysis of the Internet Key Exchange
 Protocol Using the NRL Protocol Analyzer</CITE>, in<A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.pdf">
 PDF</A> or<A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.ps">
 Postscript</A>.</LI>
<LI>Perlman and Kaufmnan
<UL>
<LI><A href="http://snoopy.seas.smu.edu/ee8392_summer01/week7/perlman2.pdf">
Key Exchange in IPsec</A></LI>
<LI>a newer<A href="http://sec.femto.org/wetice-2001/papers/radia-paper.pdf">
 PDF paper</A>,<CITE> Analysis of the IPsec Key Exchange Standard</CITE>
.</LI>
</UL>
</LI>
<LI>Bellovin's<A href="http://www.research.att.com/~smb/papers/index.html">
 papers</A> page including his:
<UL>
<LI><CITE>Security Problems in the TCP/IP Protocol Suite</CITE> (1989)</LI>
<LI><CITE>Problem Areas for the IP Security Protocols</CITE> (1996)</LI>
<LI><CITE>Probable Plaintext Cryptanalysis of the IP Security Protocols</CITE>
 (1997)</LI>
</UL>
</LI>
<LI>An<A href="http://www.lounge.org/ike_doi_errata.html"> errata list</A>
 for the IPsec RFCs.</LI>
</UL>
<H3><A name="IP.background">Background information on IP</A></H3>
<UL>
<LI>An<A href="http://ipprimer.windsorcs.com/"> IP tutorial</A> that
 seems to be written mainly for Netware or Microsoft LAN admins entering
 a new world</LI>
<LI><A href="http://www.iana.org">IANA</A>, Internet Assigned Numbers
 Authority</LI>
<LI><A href="http://public.pacbell.net/dedicated/cidr.html">CIDR</A>,
 Classless Inter-Domain Routing</LI>
<LI>Also see our<A href="biblio.html"> bibliography</A></LI>
</UL>
<H2><A name="implement">IPsec Implementations</A></H2>
<H3><A name="linuxprod">Linux products</A></H3>
<P>Vendors using FreeS/WAN in turnkey firewall or VPN products are
 listed in our<A href="intro.html#turnkey"> introduction</A>.</P>
<P>Other vendors have Linux IPsec products which, as far as we know, do
 not use FreeS/WAN</P>
<UL>
<LI><A href="http://www.redcreek.com/products/shareware.html">Redcreek</A>
 provide an open source Linux driver for their PCI hardware VPN card.
 This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more
 specialised crypto chips, and claimed encryption performance of 45
 Mbit/sec. The PC sees it as an Ethernet board.</LI>
<LI><A href="http://linuxtoday.com/stories/8428.html?nn">Paktronix</A>
 offer a Linux-based VPN with hardware encryption</LI>
<LI><A href="http://www.watchguard.com/">Watchguard</A> use Linux in
 their Firebox product.</LI>
<LI><A href="http://www.entrust.com">Entrust</A> offer a developers'
 toolkit for using their<A href="glossary.html#PKI"> PKI</A> for IPsec
 authentication</LI>
<LI>According to a report on our mailing list,<A href="http://www.axent.com">
 Axent</A> have a Linux version of their product.</LI>
</UL>
<H3><A name="router">IPsec in router products</A></H3>
<P>All the major router vendors support IPsec, at least in some models.</P>
<UL>
<LI><A href="http://www.cisco.com/warp/public/707/16.html">Cisco</A>
 IPsec information</LI>
<LI>Ascend, now part of<A href="http://www.lucent.com/"> Lucent</A>,
 have some IPsec-based products</LI>
<LI><A href="http://www.nortelnetworks.com/">Bay Networks</A>, now part
 of Nortel, use IPsec in their Contivity switch product line</LI>
<LI><A href="http://www.3com.com/products/enterprise.html">3Com</A> have
 a number of VPN products, some using IPsec</LI>
</UL>
<H3><A name="fw.web">IPsec in firewall products</A></H3>
<P>Many firewall vendors offer IPsec, either as a standard part of their
 product, or an optional extra. A few we know about are:</P>
<UL>
<LI><A href="http://www.borderware.com/">Borderware</A></LI>
<LI><A href="http://www.ashleylaurent.com/vpn/ipsec_vpn.htm">Ashley
 Laurent</A></LI>
<LI><A href="http://www.watchguard.com">Watchguard</A></LI>
<LI><A href="http://www.fx.dk/firewall/ipsec.html">Injoy</A> for OS/2</LI>
</UL>
<P>Vendors using FreeS/WAN in turnkey firewall products are listed in
 our<A href="intro.html#turnkey"> introduction</A>.</P>
<H3><A name="ipsecos">Operating systems with IPsec support</A></H3>
<P>All the major open source operating systems support IPsec. See below
 for details on<A href="#BSD"> BSD-derived</A> Unix variants.</P>
<P>Among commercial OS vendors, IPsec players include:</P>
<UL>
<LI><A href="http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/msdn_ip_security.htm">
Microsoft</A> have put IPsec in their Windows 2000 and XP products</LI>
<LI><A href="http://www.s390.ibm.com/stories/1999/os390v2r8_pr.html">IBM</A>
 announce a release of OS390 with IPsec support via a crypto
 co-processor</LI>
<LI><A href="http://www.sun.com/solaris/ds/ds-security/ds-security.pdf">
Sun</A> include IPsec in Solaris 8</LI>
<LI><A href="http://www.hp.com/security/products/extranet-security.html">
Hewlett Packard</A> offer IPsec for their Unix machines</LI>
<LI>Certicom have IPsec available for the<A href="http://www.certicom.com/products/movian/movianvpn_tech.html">
 Palm</A>.</LI>
<LI>There were reports before the release that Apple's Mac OS X would
 have IPsec support built in, but it did not seem to be there when we
 last checked. If you find, it please let us know via the<A href="mail.html">
 mailing list</A>.</LI>
</UL>
<H3><A NAME="29_3_5">IPsec on network cards</A></H3>
<P>Network cards with built-in IPsec acceleration are available from at
 least Intel, 3Com and Redcreek.</P>
<H3><A name="opensource">Open source IPsec implementations</A></H3>
<H4><A name="linuxipsec">Other Linux IPsec implementations</A></H4>
<P>We like to think of FreeS/WAN as<EM> the</EM> Linux IPsec
 implementation, but it is not the only one. Others we know of are:</P>
<UL>
<LI><A href="http://www.enst.fr/~beyssac/pipsec/">pipsecd</A>, a
 lightweight implementation of IPsec for Linux. Does not require kernel
 recompilation.</LI>
<LI>Petr Novak's<A href="ftp://ftp.eunet.cz/icz/ipnsec/"> ipnsec</A>,
 based on the OpenBSD IPsec code and using<A href="glossary.html#photuris">
 Photuris</A> for key management</LI>
<LI>A now defunct project at<A href="http://www.cs.arizona.edu/security/hpcc-blue/linux.html">
 U of Arizona</A> (export controlled)</LI>
<LI><A href="http://snad.ncsl.nist.gov/cerberus">NIST Cerebus</A>
 (export controlled)</LI>
</UL>
<H4><A name="BSD">IPsec for BSD Unix</A></H4>
<UL>
<LI><A href="http://www.kame.net/project-overview.html">KAME</A>,
 several large Japanese companies co-operating on IPv6 and IPsec</LI>
<LI><A href="http://web.mit.edu/network/isakmp">US Naval Research Lab</A>
 implementation of IPv6 and of IPsec for IPv4 (export controlled)</LI>
<LI><A href="http://www.openbsd.org">OpenBSD</A> includes IPsec as a
 standard part of the distribution</LI>
<LI><A href="http://www.r4k.net/ipsec">IPsec for FreeBSD</A></LI>
<LI>a<A href="http://www.netbsd.org/Documentation/network/ipsec/"> FAQ</A>
 on NetBSD's IPsec implementation</LI>
</UL>
<H4><A name="misc">IPsec for other systems</A></H4>
<UL>
<LI><A href="http://www.tcm.hut.fi/Tutkimus/IPSEC/">Helsinki U of
 Technolgy</A> have implemented IPsec for Solaris, Java and Macintosh</LI>
</UL>
<H3><A name="interop.web">Interoperability</A></H3>
<P>The IPsec protocols are designed so that different implementations
 should be able to work together. As they say &quot;the devil is in the
 details&quot;. IPsec has a lot of details, but considerable success has been
 achieved.</P>
<H4><A name="result">Interoperability results</A></H4>
<P>Linux FreeS/WAN has been tested for interoperability with many other
 IPsec implementations. Results to date are in our<A href="interop.html">
 interoperability</A> section.</P>
<P>Various other sites have information on interoperability between
 various IPsec implementations:</P>
<UL>
<LI><A href="http://www.opus1.com/vpn/atl99display.html">interop results</A>
 from a bakeoff in Atlanta, September 1999.</LI>
<LI>a French company, HSC's,<A href="http://www.hsc.fr/ressources/presentations/ipsec99/index.html.en">
 interoperability</A> test data covers FreeS/WAN, Open BSD, KAME, Linux
 pipsecd, Checkpoint, Red Creek Ravlin, and Cisco IOS</LI>
<LI><A href="http://www.icsa.net/">ICSA</A> offer certification programs
 for various security-related products. See their list of<A href="http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml">
 certified IPsec</A> products. Linux FreeS/WAN is not currently on that
 list, but several products with which we interoperate are.</LI>
<LI>VPNC have a page on why they are not yet doing<A href="http://www.vpnc.org/interop.html">
 interoperability</A> testing and a page on the<A href="http://www.vpnc.org/conformance.html">
 spec conformance</A> testing that they are doing</LI>
<LI>a<A href="http://www.commweb.com/article/COM20000912S0009"> review</A>
 comparing a dozen commercial IPsec implemetations. Unfortunately, the
 reviewers did not look at Open Source implementations such as FreeS/WAN
 or OpenBSD.</LI>
<LI><A href="http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html">
results</A> from interoperability tests at a conference. FreeS/WAN was
 not tested there.</LI>
<LI>test results from the<A href="http://www.hsc.fr/ressources/veille/ipsec/ipsec2000/">
 IPSEC 2000</A> conference</LI>
</UL>
<H4><A name="test1">Interoperability test sites</A></H4>
<UL>
<LI><A href="http://www.tahi.org/">TAHI</A>, a Japanese IPv6 testing
 project with free IPsec validation software</LI>
<LI><A href="http://ipsec-wit.antd.nist.gov">National Institute of
 Standards and Technology</A></LI>
<LI><A href="http://isakmp-test.ssh.fi/">SSH Communications Security</A></LI>
</UL>
<H2><A name="linux.link">Linux links</A></H2>
<H3><A name="linux.basic">Basic and tutorial Linux information</A></H3>
<UL>
<LI>Linux<A href="http://linuxcentral.com/linux/LDP/LDP/gs/gs.html">
 Getting Started</A> HOWTO document</LI>
<LI>A getting started guide from the<A href="http://darkwing.uoregon.edu/~cchome/linuxgettingstarted.html">
 U of Oregon</A></LI>
<LI>A large<A href="http://www.herring.org/techie.html"> link collection</A>
 which includes a lot of introductory and tutorial material on Unix,
 Linux, the net, . . .</LI>
</UL>
<H3><A name="general">General Linux sites</A></H3>
<UL>
<LI><A href="http://www.freshmeat.net">Freshmeat</A> Linux news</LI>
<LI><A href="http://slashdot.org">Slashdot</A> &quot;News for Nerds&quot;</LI>
<LI><A href="http://www.linux.org">Linux Online</A></LI>
<LI><A href="http://www.linuxhq.com">Linux HQ</A></LI>
<LI><A href="http://www.tux.org">tux.org</A></LI>
</UL>
<H3><A name="docs.ldp">Documentation</A></H3>
<P>Nearly any Linux documentation you are likely to want can be found at
 the<A href="http://metalab.unc.edu/LDP"> Linux Documentation Project</A>
 or LDP.</P>
<UL>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/META-FAQ.html">Meta-FAQ</A>
 guide to Linux information sources</LI>
<LI>The LDP's HowTo documents are a standard Linux reference. See this<A href="http://www.linuxdoc.org/docs.html#howto">
 list</A>. Documents there most relevant to a FreeS/WAN gateway are:
<UL>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel
 HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html">
Networking Overview HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
Security HOWTO</A></LI>
</UL>
</LI>
<LI>The LDP do a series of Guides, book-sized publications with more
 detail (and often more &quot;why do it this way?&quot;) than the HowTos. See this<A
href="http://www.linuxdoc.org/guides.html"> list</A>. Documents there
 most relevant to a FreeS/WAN gateway are:
<UL>
<LI><A href="http://www.tml.hut.fi/~viu/linux/sag/">System
 Administrator's Guide</A></LI>
<LI><A href="http://www.linuxdoc.org/LDP/nag2/index.html">Network
 Adminstrator's Guide</A></LI>
<LI><A href="http://www.seifried.org/lasg/">Linux Administrator's
 Security Guide</A></LI>
</UL>
</LI>
</UL>
<P>You may not need to go to the LDP to get this material. Most Linux
 distributions include the HowTos on their CDs and several include the
 Guides as well. Also, most of the Guides and some collections of HowTos
 are available in book form from various publishers.</P>
<P>Much of the LDP material is also available in languages other than
 English. See this<A href="http://www.linuxdoc.org/links/nenglish.html">
 LDP page</A>.</P>
<H3><A name="advroute.web">Advanced routing</A></H3>
<P>The Linux IP stack has some new features in 2.4 kernels. Some HowTos
 have been written:</P>
<UL>
<LI>several HowTos for the<A href="http://netfilter.samba.org/unreliable-guides/">
 netfilter</A> firewall code in newer kernels</LI>
<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4networking.html">
2.4 networking</A> HowTo</LI>
<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4routing.html">
2.4 routing</A> HowTo</LI>
</UL>
<H3><A name="linsec">Security for Linux</A></H3>
<P>See also the<A href="#docs.ldp"> LDP material</A> above.</P>
<UL>
<LI><A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
Trinity OS guide to setting up Linux</A></LI>
<LI><A href="http://www.deter.com/unix">Unix security</A> page</LI>
<LI><A href="http://linux01.gwdg.de/~alatham/">PPDD</A> encrypting
 filesystem</LI>
<LI><A href="http://EncryptionHOWTO.sourceforge.net/">Linux Encryption
 HowTo</A> (outdated when last checked, had an Oct 2000 revision date in
 March 2002)</LI>
</UL>
<H3><A name="firewall.linux">Linux firewalls</A></H3>
<P>Our<A href="firewall.html"> FreeS/WAN and firewalls</A> document
 includes links to several sets of<A href="firewall.html#examplefw">
 scripts</A> known to work with FreeS/WAN.</P>
<P>Other information sources:</P>
<UL>
<LI><A href="http://ipmasq.cjb.net/">IP Masquerade resource page</A></LI>
<LI><A href="http://netfilter.samba.org/unreliable-guides/">netfilter</A>
 firewall code in 2.4 kernels</LI>
<LI>Our list of general<A href="#firewall.web"> firewall references</A>
 on the web</LI>
<LI><A href="http://users.dhp.com/~whisper/mason/">Mason</A>, a tool for
 automatically configuring Linux firewalls</LI>
<LI>the web cache software<A href="http://www.squid-cache.org/"> squid</A>
 and<A href="http://www.squidguard.org/"> squidguard</A> which turns
 Squid into a filtering web proxy</LI>
</UL>
<H3><A name="linux.misc">Miscellaneous Linux information</A></H3>
<UL>
<LI><A href="http://lwn.net/current/dists.php3">Linux distribution
 vendors</A></LI>
<LI><A href="http://www.linux.org/groups/">Linux User Groups</A></LI>
</UL>
<H2><A name="crypto.link">Crypto and security links</A></H2>
<H3><A name="security">Crypto and security resources</A></H3>
<H4><A name="std.links">The standard link collections</A></H4>
<P>Two enormous collections of links, each the standard reference in its
 area:</P>
<DL>
<DT>Gene Spafford's<A href="http://www.cerias.purdue.edu/coast/hotlist/">
 COAST hotlist</A></DT>
<DD>Computer and network security.</DD>
<DT>Peter Gutmann's<A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">
 Encryption and Security-related Resources</A></DT>
<DD>Cryptography.</DD>
</DL>
<H4><A name="FAQ">Frequently Asked Question (FAQ) documents</A></H4>
<UL>
<LI><A href="http://www.faqs.org/faqs/cryptography-faq/">Cryptography
 FAQ</A></LI>
<LI><A href="http://www.interhack.net/pubs/fwfaq">Firewall FAQ</A></LI>
<LI><A href="http://www.whitefang.com/sup/secure-faq.html">Secure Unix
 Programming FAQ</A></LI>
<LI>FAQs for specific programs are listed in the<A href="#tools"> tools</A>
 section below.</LI>
</UL>
<H4><A name="cryptover">Tutorials</A></H4>
<UL>
<LI>Gary Kessler's<A href="http://www.garykessler.net/library/crypto.html">
 Overview of Cryptography</A></LI>
<LI>Terry Ritter's<A href="http://www.ciphersbyritter.com/LEARNING.HTM">
 introduction</A></LI>
<LI>Peter Gutman's<A href="http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html">
 cryptography</A> tutorial (500 slides in PDF format)</LI>
<LI>Amir Herzberg of IBM's sildes for his course<A href="http://www.hrl.il.ibm.com/mpay/course.html">
 Introduction to Cryptography and Electronic Commerce</A></LI>
<LI>the<A href="http://www.gnupg.org/gph/en/manual/c173.html"> concepts
 section</A> of the<A href="glossary.html#GPG"> GNU Privacy Guard</A>
 documentation</LI>
<LI>Bruce Schneier's self-study<A href="http://www.counterpane.com/self-study.html">
 cryptanalysis</A> course</LI>
</UL>
<P>See also the<A href="#interesting"> interesting papers</A> section
 below.</P>
<H4><A name="standards">Crypto and security standards</A></H4>
<UL>
<LI><A href="http://csrc.nist.gov/cc">Common Criteria</A>, new
 international computer and network security standards to replace the
 &quot;Rainbow&quot; series</LI>
<LI>AES<A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
 Advanced Encryption Standard</A> which will replace DES</LI>
<LI><A href="http://grouper.ieee.org/groups/1363">IEEE P-1363 public key
 standard</A></LI>
<LI>our collection of links for the<A href="#ipsec.link"> IPsec</A>
 standards</LI>
<LI>history of<A href="http://www.visi.com/crypto/evalhist/index.html">
 formal evaluation</A> of security policies and implementation</LI>
</UL>
<H4><A name="quotes">Crypto quotes</A></H4>
<P>There are several collections of cryptographic quotes on the net:</P>
<UL>
<LI><A href="http://www.eff.org/pub/EFF/quotes.eff">the EFF</A></LI>
<LI><A href="http://www.samsimpson.com/cquotes.php">Sam Simpson</A></LI>
<LI><A href="http://www.amk.ca/quotations/cryptography/page-1.html">AM
 Kutchling</A></LI>
</UL>
<H3><A name="policy">Cryptography law and policy</A></H3>
<H4><A name="legal">Surveys of crypto law</A></H4>
<UL>
<LI>International survey of<A href="http://cwis.kub.nl/~FRW/PEOPLE/koops/lawsurvy.htm">
 crypto law</A>.</LI>
<LI>International survey of<A href="http://rechten.kub.nl/simone/ds-lawsu.htm">
 digital signature law</A></LI>
</UL>
<H4><A name="oppose">Organisations opposing crypto restrictions</A></H4>
<UL>
<LI>The<A href="glossary.html#EFF"> EFF</A>'s archives on<A href="http://www.eff.org/pub/Privacy/">
 privacy</A> and<A href="http://www.eff.org/pub/Privacy/ITAR_export/">
 export control</A>.</LI>
<LI><A href="http://www.gilc.org">Global Internet Liberty Campaign</A></LI>
<LI><A href="http://www.cdt.org/crypto">Center for Democracy and
 Technology</A></LI>
<LI><A href="http://www.privacyinternational.org/">Privacy International</A>
, who give out<A href="http://www.bigbrotherawards.org/"> Big Brother
 Awards</A> to snoopy organisations</LI>
</UL>
<H4><A name="other.policy">Other information on crypto policy</A></H4>
<UL>
<LI><A href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">RFC 1984</A>, the<A href="glossary.html#IAB">
 IAB</A> and<A href="glossary.html#IESG"> IESG</A> Statement on
 Cryptographic Technology and the Internet.</LI>
<LI>John Young's collection of<A href="http://cryptome.org/"> documents</A>
 of interest to the cryptography, open government and privacy movements,
 organized chronologically</LI>
<LI>AT&amp;T researcher Matt Blaze's Encryption, Privacy and Security<A href="http://www.crypto.com">
 Resource Page</A></LI>
<LI>A good<A href="http://cryptome.org/crypto97-ne.htm"> overview</A> of
 the issues from Australia.</LI>
</UL>
<P>See also our documentation section on the<A href="politics.html">
 history and politics</A> of cryptography.</P>
<H3><A name="crypto.tech">Cryptography technical information</A></H3>
<H4><A name="cryptolinks">Collections of crypto links</A></H4>
<UL>
<LI><A href="http://www.counterpane.com/hotlist.html">Counterpane</A></LI>
<LI><A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Peter
 Gutman's links</A></LI>
<LI><A href="http://www.pca.dfn.de/eng/team/ske/pem-dok.html">PKI links</A>
</LI>
<LI><A href="http://crypto.yashy.com/www/">Robert Guerra's links</A></LI>
</UL>
<H4><A name="papers">Lists of online cryptography papers</A></H4>
<UL>
<LI><A href="http://www.counterpane.com/biblio">Counterpane</A></LI>
<LI><A href="http://www.cryptography.com/resources/papers">
cryptography.com</A></LI>
<LI><A href="http://www.cryptosoft.com/html/secpub.htm">Cryptosoft</A></LI>
</UL>
<H4><A name="interesting">Particularly interesting papers</A></H4>
<P>These papers emphasize important issues around the use of
 cryptography, and the design and management of secure systems.</P>
<UL>
<LI><A href="http://www.counterpane.com/keylength.html">Key length
 requirements for security</A></LI>
<LI><A href="http://www.cl.cam.ac.uk/users/rja14/wcf.html">Why
 Cryptosystems Fail</A></LI>
<LI><A href="http://www.cdt.org/crypto/risks98/">Risks of escrowed
 encryption</A></LI>
<LI><A href="http://www.counterpane.com/pitfalls.html">Security pitfalls
 in cryptography</A></LI>
<LI><A href="http://www.acm.org/classics/sep95">Reflections on Trusting
 Trust</A>, Ken Thompson on Trojan horse design</LI>
<LI><A href="http://www.apache-ssl.org/disclosure.pdf">Security against
 Compelled Disclosure</A>, how to maintain privacy in the face of legal
 or other coersion</LI>
</UL>
<H3><A name="compsec">Computer and network security</A></H3>
<H4><A name="seclink">Security links</A></H4>
<UL>
<LI><A href="http://www.cs.purdue.edu/coast/hotlist">COAST Hotlist</A></LI>
<LI>DMOZ open directory project<A href="http://dmoz.org/Computers/Security/">
 computer security</A> links</LI>
<LI><A href="http://www-cse.ucsd.edu/users/bsy/sec.html">Bennet Yee</A></LI>
<LI>Mike Fuhr's<A href="http://www.fuhr.org/~mfuhr/computers/security.html">
 link collection</A></LI>
<LI><A href="http://www.networkintrusion.co.uk/">links</A> with an
 emphasis on intrusion detection</LI>
</UL>
<H4><A name="firewall.web">Firewall links</A></H4>
<UL>
<LI><A href="http://www.cs.purdue.edu/coast/firewalls">COAST firewalls</A>
</LI>
<LI><A href="http://www.zeuros.co.uk">Firewalls Resource page</A></LI>
</UL>
<H4><A name="vpn">VPN links</A></H4>
<UL>
<LI><A href="http://www.vpnc.org">VPN Consortium</A></LI>
<LI>First VPN's<A href="http://www.firstvpn.com/research/rhome.html">
 white paper</A> collection</LI>
</UL>
<H4><A name="tools">Security tools</A></H4>
<UL>
<LI>PGP -- mail encryption
<UL>
<LI><A href="http://www.pgp.com/">PGP Inc.</A> (part of NAI) for
 commercial versions</LI>
<LI><A href="http://web.mit.edu/network/pgp.html">MIT</A> distributes
 the NAI product for non-commercial use</LI>
<LI><A href="http://www.pgpi.org/">international</A> distribution site</LI>
<LI><A href="http://gnupg.org">GNU Privacy Guard (GPG)</A></LI>
<LI><A href="http://www.dk.pgp.net/pgpnet/pgp-faq/">PGP FAQ</A></LI>
</UL>
 A message in our mailing list archive has considerable detail on<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00029.html">
 available versions</A> of PGP and on IPsec support in them.
<P><STRONG>Note:</STRONG> A fairly nasty bug exists in all commercial
 PGP versions from 5.5 through 6.5.3. If you have one of those,<STRONG>
 upgrade now</STRONG>.</P>
</LI>
<LI>SSH -- secure remote login
<UL>
<LI><A href="http://www.ssh.fi">SSH Communications Security</A>, for the
 original software. It is free for trial, academic and non-commercial
 use.</LI>
<LI><A href="http://www.openssh.com/">Open SSH</A>, the Open BSD team's
 free replacement</LI>
<LI><A href="http://www.freessh.org/">freessh.org</A>, links to free
 implementations for many systems</LI>
<LI><A href="http://www.uni-karlsruhe.de/~ig25/ssh-faq">SSH FAQ</A></LI>
<LI><A href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">Putty</A>
, an SSH client for Windows</LI>
</UL>
</LI>
<LI>Tripwire saves message digests of your system files. Re-calculate
 the digests and compare to saved values to detect any file changes.
 There are several versions available:
<UL>
<LI><A href="http://www.tripwiresecurity.com/">commercial version</A></LI>
<LI><A href="http://www.tripwire.org/">Open Source</A></LI>
</UL>
</LI>
<LI><A href="http://www.snort.org">Snort</A> and<A href="http://www.lids.org">
 LIDS</A> are intrusion detection system for Linux</LI>
<LI><A href="http://www.fish.com/~zen/satan/satan.html">SATAN</A> System
 Administrators Tool for Analysing Networks</LI>
<LI><A href="http://www.insecure.org/nmap/">NMAP</A> Network Mapper</LI>
<LI><A href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse
 Venema's page</A> with various tools</LI>
<LI><A href="http://ita.ee.lbl.gov/index.html">Internet Traffic Archive</A>
, various tools to analyze network traffic, mostly scripts to organise
 and format tcpdump(8) output for specific purposes</LI>
<LI><A name="ssmail">ssmail -- sendmail patched to do</A><A href="glossary.html#carpediem">
 opportunistic encryption</A>
<UL>
<LI><A href="http://www.home.aone.net.au/qualcomm/">web page</A> with
 links to code and to a Usenix paper describing it, in PDF</LI>
</UL>
</LI>
<LI><A href="http://www.openca.org/">Open CA</A> project to develop a
 freely distributed<A href="glossary.html#CA"> Certification Authority</A>
 for building a open<A href="glossary.html#PKI"> Public Key
 Infrastructure</A>.</LI>
</UL>
<H3><A name="people">Links to home pages</A></H3>
<P>David Wagner at Berkeley provides a set of links to<A href="http://www.cs.berkeley.edu/~daw/people/crypto.html">
 home pages</A> of cryptographers, cypherpunks and computer security
 people.</P>
<HR>
<A HREF="toc.html">Contents</A>
<A HREF="mail.html">Previous</A>
<A HREF="glossary.html">Next</A>
</BODY>
</HTML>