1 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
2 "http://www.w3.org/TR/html4/loose.dtd">
5 <meta http-equiv="Content-Type" content="text/html">
6 <title>FreeS/WAN web links</title>
8 content="Linux, IPsec, VPN, security, FreeSWAN, links, web">
11 Written by Sandy Harris for the Linux FreeS/WAN project
12 Freely distributable under the GNU General Public License
14 More information at www.freeswan.org
15 Feedback to users@lists.freeswan.org
18 RCS ID: $Id: web.html,v 1.56 2002/03/25 17:24:28 sandy Exp $
19 Last changed: $Date: 2002/03/25 17:24:28 $
20 Revision number: $Revision: 1.56 $
22 CVS revision numbers do not correspond to FreeS/WAN release numbers.
27 <h1><a name="weblink">Web links</a></h1>
29 <h2><a name="freeswan">The Linux FreeS/WAN Project</a></h2>
31 <p>The main project web site is <a
32 href="http://www.freeswan.org/">www.freeswan.org</a>.</p>
34 <p>Links to other project-related <a href="intro.html#sites">sites</a> are
35 provided in our introduction section.</p>
37 <h3><a name="patch">Add-ons and patches for FreeS/WAN</a></h3>
39 <p>Some user-contributed patches have been integrated into the FreeS/WAN
40 distribution. For a variety of reasons, those listed below have not.</p>
42 <p>Note that not all patches are a good idea.</p>
44 <li>There are a number of "features" of IPsec which we do not implement
45 because they reduce security. See this <a
46 href="compat.html#dropped">discussion</a>. We do not recommend using
47 patches that implement these. One example is aggressive mode.</li>
48 <li>We do not recommend adding "features" of any sort unless they are
49 clearly necessary, or at least have clear benefits. For example,
50 FreeS/WAN would not become more secure if it offered a choice of 14
51 ciphers. If even one was flawed, it would certainly become less secure
52 for anyone using that cipher. Even with 14 wonderful ciphers, it would be
53 harder to maintain and administer, hence more vulnerable to various human
57 <p>This is not to say that patches are necessarily bad, only that using them
58 requires some deliberation. For example, there might be perfectly good
59 reasons to add a specific cipher in your application: perhaps GOST to comply
60 with government standards in Eastern Europe, or AES for performance
63 <h4>Current patches</h4>
65 <p>Patches believed current:</p>
67 <li>patches for <a href="http://www.strongsec.com/freeswan/">X.509
68 certificate support</a>, also available from a <a
69 href="http://www.twi.ch/~sna/strongsec/freeswan/">mirror site</a></li>
70 <li>patches to add <a href="http://www.irrigacion.gov.ar/juanjo/ipsec">AES
71 and other ciphers</a>. There is preliminary data indicating AES gives a
72 substantial <a href="performance.html#perf.more">performance
76 <p>There is also one add-on that takes the form of a modified FreeS/WAN
77 distribution, rather than just patches to the standard distribution:</p>
79 <li><a href="http://www.ipv6.iabg.de/downloadframe/index.html">IPv6
83 <p>Before using any of the above, check the <a href="mail.html">mailing
84 lists</a> for news of newer versions and to see whether they have been
85 incorporated into more recent versions of FreeS/WAN.</p>
87 <h4>Older patches</h4>
89 <li><a href="http://sources.colubris.com/en/projects/FreeSWAN/">hardware
91 <li>a <a href="http://tzukanov.narod.ru/">series</a> of patches that
93 <li>provide GOST, a Russian gov't. standard cipher, in MMX
95 <li>add GOST to OpenSSL</li>
96 <li>add GOST to the International kernel patch</li>
97 <li>let FreeS/WAN use International kernel patch ciphers</li>
100 <li>Neil Dunbar's patches for <a
101 href="ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz">certificate
102 support</a>, using code from <a href="http://www.openssl.org">Open
104 <li>Luc Lanthier's <a
105 href="ftp://ftp.netwinder.org/users/f/firesoul/">patches</a> for <a
106 href="glossary.html#PKIX">PKIX</a> support.</li>
107 <li><a href="ftp://ftp.heise.de/pub/ct/listings/9916-180.tgz">patches</a>
108 to add <a href="glossary.html#blowfish">Blowfish</a>, <a
109 href="glossary.html#IDEA">IDEA</a> and <a
110 href="glossary.html#CAST128">CAST-128</a> to FreeS/WAN</li>
111 <li>patches for FreeS/WAN 1.3, Pluto support for <a
112 href="http://alcatraz.webcriminals.com/~bastiaan/ipsec/">external
113 authentication</a>, for example with a smartcard or SKEYID.</li>
114 <li><a href="http://www.zengl.net/freeswan/download/">patches and
115 utilities</a> for using FreeS/WAN with PGPnet</li>
117 href="http://www.freelith.com/lithworks/crypto/freeswan_patch.htm">Blowfish
118 encryption and Tiger hash</a></li>
120 href="http://www.cendio.se/~bellman/aggressive-pluto.snap.tar.gz">patches</a>
121 for aggressive mode support</li>
124 <p>These patches are for older versions of FreeS/WAN and will likely not work
125 with the current version. Older versions of FreeS/WAN may be available on
126 some of the <a href="intro.html#sites">distribution sites</a>, but we
127 recommend using the current release.</p>
129 <h4><a name="VPN.masq">VPN masquerade patches</a></h4>
131 <p>Finally, there are some patches to other code that may be useful with
135 href="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">patch</a>
136 to make IPsec, PPTP and SSH VPNs work through a Linux firewall with <a
137 href="glossary.html#masq">IP masquerade</a>.</li>
138 <li><a href="http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html">Linux
139 VPN Masquerade HOWTO</a></li>
142 <p>Note that this is not required if the same machine does IPsec and
143 masquerading, only if you want to locate your IPsec gateway on a
144 masqueraded network. See our <a href="firewall.html#NAT">firewalls</a>
145 document for discussion of why this is problematic.</p>
147 <p>At last report, this patch could not co-exist with FreeS/WAN on the same
150 <h3><a name="dist">Distributions including FreeS/WAN</a></h3>
152 <p>The introductory section of our document set lists several <a
153 href="intro.html#distwith">Linux distributions</a> which include
156 <h3><a name="used">Things FreeS/WAN uses or could use</a></h3>
158 <li><a href="http://openpgp.net/random">/dev/random</a> support page,
159 discussion of and code for the Linux <a
160 href="glossary.html#random">random number driver</a>. Out-of-date when we
161 last checked (January 2000), but still useful.</li>
162 <li>other programs related to random numbers:
164 <li><a href="http://www.mindrot.org/audio-entropyd.html">audio entropy
165 daemon</a> to gather noise from a sound card and feed it into
167 <li>an <a href="http://www.lothar.com/tech/crypto/">entropy-gathering
169 <li>a driver for the random number generator in recent <a
170 href="http://sourceforge.net/projects/gkernel/">Intel chipsets</a>.
171 This driver is included as standard in 2.4 kernels.</li>
174 <li>a Linux <a href="http://www.marko.net/l2tp/">L2TP Daemon</a> which
175 might be useful for communicating with Windows 2000, which builds L2TP
176 tunnels over its IPsec connections</li>
177 <li>to use opportunistic encryption, you need a recent version of <a
178 href="glossary.html#BIND">BIND</a>. You can get one from the <a
179 href="http://www.isc.org">Internet Software Consortium</a> who maintain
183 <h3><a name="alternatives">Other approaches to VPNs for Linux</a></h3>
185 <li>other Linux <a href="#linuxipsec">IPsec implementations</a></li>
186 <li><a href="http://www.tik.ee.ethz.ch/~skip/">ENskip</a>, a free
187 implementation of Sun's <a href="glossary.html#SKIP">SKIP</a>
189 <li><a href="http://sunsite.auc.dk/vpnd/">vpnd</a>, a non-IPsec VPN daemon
190 for Linux which creates tunnels using <a
191 href="glossary.html#Blowfish">Blowfish</a> encryption</li>
192 <li><a href="http://www.winton.org.uk/zebedee/">Zebedee</a>, a simple GPLd
193 tunnel-building program with Linux and Win32 versions. The name is from
194 <strong>Z</strong>lib compression, <strong>B</strong>lowfish encryption
195 and <strong>D</strong>iffie-Hellman key exchange.</li>
196 <li>There are at least two PPTP implementations for Linux
199 href="http://www.moretonbay.com/vpn/pptp.html">PoPToP</a></li>
201 href="http://cag.lcs.mit.edu/~cananian/Projects/PPTP/">PPTP-Linux</a></li>
204 <li><a href="http://sites.inka.de/sites/bigred/devel/cipe.html">CIPE</a>
205 (crypto IP encapsulation) project, using their own lightweight protocol
206 to encrypt between routers</li>
207 <li><a href="http://tinc.nl.linux.org/">tinc</a>, a VPN Daemon</li>
210 <p>There is a list of <a
211 href="http://www.securityportal.com/lskb/10000000/kben10000005.html">Linux
212 VPN</a> software in the <a
213 href="http://www.securityportal.com/lskb/kben00000001.html">Linux Security
214 Knowledge Base</a>.</p>
216 <h2><a name="ipsec.link">The IPsec Protocols</a></h2>
218 <h3><a name="general">General IPsec or VPN information</a></h3>
220 <li>The <a href="http://www.vpnc.org">VPN Consortium</a> is a group for
221 vendors of IPsec products. Among other things, they have a good
222 collection of <a href="http://www.vpnc.org/white-papers.html">IPsec white
224 <li>A VPN mailing list with a <a
225 href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">home page</a>, a FAQ,
226 some product comparisons, and many links.</li>
227 <li><a href="http://www.opus1.com/vpn/index.html">VPN pointer page</a></li>
228 <li>a <a href="http://www.epm.ornl.gov/~dunigan/vpn.html">collection</a> of
229 VPN links, and some explanation</li>
232 <h3><a name="overview">IPsec overview documents or slide sets</a></h3>
234 <li>the FreeS/WAN <a href="ipsec.html">document section</a> on these
238 <h3><a name="otherlang">IPsec information in languages other than
242 href="http://www.imib.med.tu-dresden.de/imib/Internet/Literatur/ipsec-docu.html">German</a></li>
243 <li><a href="http://www.kame.net/index-j.html">Japanese</a></li>
244 <li>Feczak Szabolcs' thesis in <a
245 href="http://feczo.koli.kando.hu/vpn/">Hungarian</a></li>
246 <li>Davide Cerri's thesis and some presentation slides <a
247 href="http://www.linux.it/~davide/doc/">Italian</a></li>
250 <h3><a name="RFCs1">RFCs and other reference documents</a></h3>
252 <li><a href="rfc.html">Our document</a> listing the RFCs relevant to Linux
253 FreeS/WAN and giving various ways of obtaining both RFCs and Internet
255 <li><a href="http://www.vpnc.org/vpn-standards.html">VPN Standards</a> page
256 maintained by <a href="glossary.html#VPNC">VPNC</a>. This covers both
257 RFCs and Drafts, and classifies them in a fairly helpful way.</li>
258 <li><a href="http://www.rfc-editor.org">RFC archive</a></li>
259 <li><a href="http://www.ietf.org/ids.by.wg/ipsec.html">Internet Drafts</a>
260 related to IPsec</li>
261 <li>US government <a href="http://www.itl.nist.gov/div897/pubs"> site</a>
262 with their <a href="glossary.html#FIPS">FIPS</a> standards</li>
263 <li>Archives of the ipsec@tis.com mailing list where discussion of drafts
266 <li><a href="http://www.sandelman.ottawa.on.ca/ipsec">Eastern
268 <li><a href="http://www.vpnc.org/ietf-ipsec">California</a>.</li>
273 <h3><a name="analysis">Analysis and critiques of IPsec protocols</a></h3>
276 href="http://www.counterpane.com/ipsec.pdf">evaluation</a> of the
279 href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html">IKE
280 Considered Dangerous</a> paper. Note that this is a link to an archive of
281 our mailing list. There are several replies in addition to the paper
283 <li>Fate Labs <a href="http://www.fatelabs.com/loki-vpn.pdf">Virtual Private
284 Problems: the Broken Dream</a></li>
285 <li>Catherine Meadows' paper <cite>Analysis of the Internet Key Exchange
286 Protocol Using the NRL Protocol Analyzer</cite>, in <a
287 href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.pdf">PDF</a>
289 href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.ps">Postscript</a>.</li>
290 <li>Perlman and Kaufman
293 href="http://snoopy.seas.smu.edu/ee8392_summer01/week7/perlman2.pdf">Key
294 Exchange in IPsec</a></li>
296 href="http://sec.femto.org/wetice-2001/papers/radia-paper.pdf">PDF
297 paper</a>, <cite>Analysis of the IPsec Key Exchange
298 Standard</cite>.</li>
302 href="http://www.research.att.com/~smb/papers/index.html">papers</a> page
305 <li><cite>Security Problems in the TCP/IP Protocol Suite</cite>
307 <li><cite>Problem Areas for the IP Security Protocols</cite> (1996)</li>
308 <li><cite>Probable Plaintext Cryptanalysis of the IP Security
309 Protocols</cite> (1997)</li>
312 <li>An <a href="http://www.lounge.org/ike_doi_errata.html">errata list</a>
313 for the IPsec RFCs.</li>
316 <h3><a name="IP.background">Background information on IP</a></h3>
318 <li>An <a href="http://ipprimer.windsorcs.com/">IP tutorial</a> that seems
319 to be written mainly for Netware or Microsoft LAN admins entering a new
321 <li><a href="http://www.iana.org">IANA</a>, Internet Assigned Numbers
323 <li><a href="http://public.pacbell.net/dedicated/cidr.html">CIDR</a>,
324 Classless Inter-Domain Routing</li>
325 <li>Also see our <a href="biblio.html">bibliography</a></li>
328 <h2><a name="implement">IPsec Implementations</a></h2>
330 <h3><a name="linuxprod">Linux products</a></h3>
332 <p>Vendors using FreeS/WAN in turnkey firewall or VPN products are listed in
333 our <a href="intro.html#turnkey">introduction</a>.</p>
335 <p>Other vendors have Linux IPsec products which, as far as we know, do not
338 <li><a href="http://www.redcreek.com/products/shareware.html">Redcreek</a>
339 provide an open source Linux driver for their PCI hardware VPN card. This
340 card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more specialised
341 crypto chips, and claimed encryption performance of 45 Mbit/sec. The PC
342 sees it as an Ethernet board.</li>
343 <li><a href="http://linuxtoday.com/stories/8428.html?nn">Paktronix</a>
344 offer a Linux-based VPN with hardware encryption</li>
345 <li><a href="http://www.watchguard.com/">Watchguard</a> use Linux in their
346 Firebox product.</li>
347 <li><a href="http://www.entrust.com">Entrust</a> offer a developers'
348 toolkit for using their <a href="glossary.html#PKI">PKI</a> for IPsec
350 <li>According to a report on our mailing list, <a
351 href="http://www.axent.com">Axent</a> have a Linux version of their
355 <h3><a name="router">IPsec in router products</a></h3>
357 <p>All the major router vendors support IPsec, at least in some models.</p>
359 <li><a href="http://www.cisco.com/warp/public/707/16.html">Cisco</a> IPsec
361 <li>Ascend, now part of <a href="http://www.lucent.com/">Lucent</a>, have
362 some IPsec-based products</li>
363 <li><a href="http://www.nortelnetworks.com/">Bay Networks</a>, now part of
364 Nortel, use IPsec in their Contivity switch product line</li>
365 <li><a href="http://www.3com.com/products/enterprise.html">3Com</a> have a
366 number of VPN products, some using IPsec</li>
369 <h3><a name="fw.web">IPsec in firewall products</a></h3>
371 <p>Many firewall vendors offer IPsec, either as a standard part of their
372 product, or an optional extra. A few we know about are:</p>
374 <li><a href="http://www.borderware.com/">Borderware</a></li>
375 <li><a href="http://www.ashleylaurent.com/vpn/ipsec_vpn.htm">Ashley
377 <li><a href="http://www.watchguard.com">Watchguard</a></li>
378 <li><a href="http://www.fx.dk/firewall/ipsec.html">Injoy</a> for OS/2</li>
381 <p>Vendors using FreeS/WAN in turnkey firewall products are listed in our <a
382 href="intro.html#turnkey">introduction</a>.</p>
384 <h3><a name="ipsecos">Operating systems with IPsec support</a></h3>
386 <p>All the major open source operating systems support IPsec. See below for
387 details on <a href="#BSD">BSD-derived</a> Unix variants.</p>
389 <p>Among commercial OS vendors, IPsec players include:</p>
392 href="http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/msdn_ip_security.htm">Microsoft</a>
393 have put IPsec in their Windows 2000 and XP products</li>
395 href="http://www.s390.ibm.com/stories/1999/os390v2r8_pr.html">IBM</a>
396 announce a release of OS390 with IPsec support via a crypto
399 href="http://www.sun.com/solaris/ds/ds-security/ds-security.pdf">Sun</a>
400 include IPsec in Solaris 8</li>
402 href="http://www.hp.com/security/products/extranet-security.html">Hewlett
403 Packard</a> offer IPsec for their Unix machines</li>
404 <li>Certicom have IPsec available for the <a
405 href="http://www.certicom.com/products/movian/movianvpn_tech.html">Palm</a>.</li>
406 <li>There were reports before the release that Apple's Mac OS X would have
407 IPsec support built in, but it did not seem to be there when we last
408 checked. If you find it, please let us know via the <a
409 href="mail.html">mailing list</a>.</li>
412 <h3>IPsec on network cards</h3>
414 <p>Network cards with built-in IPsec acceleration are available from at least
415 Intel, 3Com and Redcreek.</p>
417 <h3><a name="opensource">Open source IPsec implementations</a></h3>
419 <h4><a name="linuxipsec">Other Linux IPsec implementations</a></h4>
421 <p>We like to think of FreeS/WAN as <em>the</em> Linux IPsec implementation,
422 but it is not the only one. Others we know of are:</p>
424 <li><a href="http://www.enst.fr/~beyssac/pipsec/">pipsecd</a>, a
425 lightweight implementation of IPsec for Linux. Does not require kernel
427 <li>Petr Novak's <a href="ftp://ftp.eunet.cz/icz/ipnsec/">ipnsec</a>, based
428 on the OpenBSD IPsec code and using <a
429 href="glossary.html#photuris">Photuris</a> for key management</li>
430 <li>A now defunct project at <a
431 href="http://www.cs.arizona.edu/security/hpcc-blue/linux.html">U of
432 Arizona</a> (export controlled)</li>
433 <li><a href="http://snad.ncsl.nist.gov/cerberus">NIST Cerberus</a> (export
437 <h4><a name="BSD">IPsec for BSD Unix</a></h4>
439 <li><a href="http://www.kame.net/project-overview.html">KAME</a>, several
440 large Japanese companies co-operating on IPv6 and IPsec</li>
441 <li><a href="http://web.mit.edu/network/isakmp">US Naval Research Lab</a>
442 implementation of IPv6 and of IPsec for IPv4 (export controlled)</li>
443 <li><a href="http://www.openbsd.org">OpenBSD</a> includes IPsec as a
444 standard part of the distribution</li>
445 <li><a href="http://www.r4k.net/ipsec">IPsec for FreeBSD</a></li>
446 <li>a <a href="http://www.netbsd.org/Documentation/network/ipsec/">FAQ</a>
447 on NetBSD's IPsec implementation</li>
450 <h4><a name="misc">IPsec for other systems</a></h4>
452 <li><a href="http://www.tcm.hut.fi/Tutkimus/IPSEC/">Helsinki U of
453 Technology</a> have implemented IPsec for Solaris, Java and Macintosh</li>
456 <h3><a name="interop.web">Interoperability</a></h3>
458 <p>The IPsec protocols are designed so that different implementations should
459 be able to work together. As they say, "the devil is in the details." IPsec
460 has a lot of details, but considerable success has been achieved.</p>
462 <h4><a name="result">Interoperability results</a></h4>
464 <p>Linux FreeS/WAN has been tested for interoperability with many other IPsec
465 implementations. Results to date are in our <a
466 href="interop.html">interoperability</a> section.</p>
468 <p>Various other sites have information on interoperability between various
469 IPsec implementations:</p>
471 <li><a href="http://www.opus1.com/vpn/atl99display.html">interop
472 results</a> from a bakeoff in Atlanta, September 1999.</li>
473 <li>a French company, HSC's, <a
474 href="http://www.hsc.fr/ressources/presentations/ipsec99/index.html.en">interoperability</a>
475 test data covers FreeS/WAN, OpenBSD, KAME, Linux pipsecd, Checkpoint,
476 Red Creek Ravlin, and Cisco IOS</li>
477 <li><a href="http://www.icsa.net/">ICSA</a> offer certification programs
478 for various security-related products. See their list of <a
479 href="http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml">
480 certified IPsec</a> products. Linux FreeS/WAN is not currently on that
481 list, but several products with which we interoperate are.</li>
482 <li>VPNC have a page on why they are not yet doing <a
483 href="http://www.vpnc.org/interop.html">interoperability</a> testing and
484 a page on the <a href="http://www.vpnc.org/conformance.html">spec
485 conformance</a> testing that they are doing</li>
486 <li>a <a href="http://www.commweb.com/article/COM20000912S0009">review</a>
487 comparing a dozen commercial IPsec implementations. Unfortunately, the
488 reviewers did not look at Open Source implementations such as FreeS/WAN
491 href="http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html">results</a>
492 from interoperability tests at a conference. FreeS/WAN was not tested
494 <li>test results from the <a
495 href="http://www.hsc.fr/ressources/veille/ipsec/ipsec2000/">IPSEC
496 2000</a> conference</li>
499 <h4><a name="test1">Interoperability test sites</a></h4>
501 <li><a href="http://www.tahi.org/">TAHI</a>, a Japanese IPv6 testing
502 project with free IPsec validation software</li>
503 <li><a href="http://ipsec-wit.antd.nist.gov">National Institute of
504 Standards and Technology</a></li>
505 <li><a href="http://isakmp-test.ssh.fi/">SSH Communications
509 <h2><a name="linux.link">Linux links</a></h2>
511 <h3><a name="linux.basic">Basic and tutorial Linux information</a></h3>
514 href="http://linuxcentral.com/linux/LDP/LDP/gs/gs.html">Getting
515 Started</a> HOWTO document</li>
516 <li>A getting started guide from the <a
517 href="http://darkwing.uoregon.edu/~cchome/linuxgettingstarted.html">U of
519 <li>A large <a href="http://www.herring.org/techie.html">link
520 collection</a> which includes a lot of introductory and tutorial material
521 on Unix, Linux, the net, . . .</li>
524 <h3><a name="general">General Linux sites</a></h3>
526 <li><a href="http://www.freshmeat.net">Freshmeat</a> Linux news</li>
527 <li><a href="http://slashdot.org">Slashdot</a> "News for Nerds"</li>
528 <li><a href="http://www.linux.org">Linux Online</a></li>
529 <li><a href="http://www.linuxhq.com">Linux HQ</a></li>
530 <li><a href="http://www.tux.org">tux.org</a></li>
533 <h3><a name="docs.ldp">Documentation</a></h3>
535 <p>Nearly any Linux documentation you are likely to want can be found at the
536 <a href="http://metalab.unc.edu/LDP">Linux Documentation Project</a> or
539 <li><a href="http://metalab.unc.edu/LDP/HOWTO/META-FAQ.html">Meta-FAQ</a>
540 guide to Linux information sources</li>
541 <li>The LDP's HowTo documents are a standard Linux reference. See this <a
542 href="http://www.linuxdoc.org/docs.html#howto">list</a>. Documents there
543 most relevant to a FreeS/WAN gateway are:
545 <li><a href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel
548 href="http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html">Networking
549 Overview HOWTO</a></li>
551 href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">Security
555 <li>The LDP do a series of Guides, book-sized publications with more detail
556 (and often more "why do it this way?") than the HowTos. See this <a
557 href="http://www.linuxdoc.org/guides.html">list</a>. Documents there most
558 relevant to a FreeS/WAN gateway are:
560 <li><a href="http://www.tml.hut.fi/~viu/linux/sag/">System
561 Administrator's Guide</a></li>
562 <li><a href="http://www.linuxdoc.org/LDP/nag2/index.html">Network
563 Administrator's Guide</a></li>
564 <li><a href="http://www.seifried.org/lasg/">Linux Administrator's
565 Security Guide</a></li>
570 <p>You may not need to go to the LDP to get this material. Most Linux
571 distributions include the HowTos on their CDs and several include the Guides
572 as well. Also, most of the Guides and some collections of HowTos are
573 available in book form from various publishers.</p>
575 <p>Much of the LDP material is also available in languages other than
576 English. See this <a href="http://www.linuxdoc.org/links/nenglish.html">LDP
579 <h3><a name="advroute.web">Advanced routing</a></h3>
581 <p>The Linux IP stack has some new features in 2.4 kernels. Some HowTos have
584 <li>several HowTos for the <a
585 href="http://netfilter.samba.org/unreliable-guides/">netfilter</a>
586 firewall code in newer kernels</li>
588 href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4networking.html">2.4
589 networking</a> HowTo</li>
591 href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4routing.html">2.4
592 routing</a> HowTo</li>
595 <h3><a name="linsec">Security for Linux</a></h3>
597 <p>See also the <a href="#docs.ldp">LDP material</a> above.</p>
600 href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">Trinity
601 OS guide to setting up Linux</a></li>
602 <li><a href="http://www.deter.com/unix">Unix security</a> page</li>
603 <li><a href="http://linux01.gwdg.de/~alatham/">PPDD</a> encrypting
605 <li><a href="http://EncryptionHOWTO.sourceforge.net/">Linux Encryption
606 HowTo</a> (outdated when last checked, had an Oct 2000 revision date in
610 <h3><a name="firewall.linux">Linux firewalls</a></h3>
612 <p>Our <a href="firewall.html">FreeS/WAN and firewalls</a> document includes
613 links to several sets of <a href="firewall.html#examplefw">scripts</a> known
614 to work with FreeS/WAN.</p>
616 <p>Other information sources:</p>
618 <li><a href="http://ipmasq.cjb.net/">IP Masquerade resource page</a></li>
619 <li><a href="http://netfilter.samba.org/unreliable-guides/">netfilter</a>
620 firewall code in 2.4 kernels</li>
621 <li>Our list of general <a href="#firewall.web">firewall references</a> on
623 <li><a href="http://users.dhp.com/~whisper/mason/">Mason</a>, a tool for
624 automatically configuring Linux firewalls</li>
625 <li>the web cache software <a href="http://www.squid-cache.org/">squid</a>
626 and <a href="http://www.squidguard.org/">squidguard</a> which turns Squid
627 into a filtering web proxy</li>
630 <h3><a name="linux.misc">Miscellaneous Linux information</a></h3>
632 <li><a href="http://lwn.net/current/dists.php3">Linux distribution
634 <li><a href="http://www.linux.org/groups/">Linux User Groups</a></li>
637 <h2><a name="crypto.link">Crypto and security links</a></h2>
639 <h3><a name="security">Crypto and security resources</a></h3>
641 <h4><a name="std.links">The standard link collections</a></h4>
643 <p>Two enormous collections of links, each the standard reference in its
646 <dt>Gene Spafford's <a
647 href="http://www.cerias.purdue.edu/coast/hotlist/">COAST hotlist</a></dt>
648 <dd>Computer and network security.</dd>
649 <dt>Peter Gutmann's <a
650 href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Encryption and
651 Security-related Resources</a></dt>
652 <dd>Cryptography.</dd>
655 <h4><a name="FAQ">Frequently Asked Question (FAQ) documents</a></h4>
657 <li><a href="http://www.faqs.org/faqs/cryptography-faq/">Cryptography
659 <li><a href="http://www.interhack.net/pubs/fwfaq">Firewall FAQ</a></li>
660 <li><a href="http://www.whitefang.com/sup/secure-faq.html">Secure Unix
661 Programming FAQ</a></li>
662 <li>FAQs for specific programs are listed in the <a href="#tools">tools</a>
666 <h4><a name="cryptover">Tutorials</a></h4>
668 <li>Gary Kessler's <a
669 href="http://www.garykessler.net/library/crypto.html">Overview of
670 Cryptography</a></li>
671 <li>Terry Ritter's <a
672 href="http://www.ciphersbyritter.com/LEARNING.HTM">introduction</a></li>
673 <li>Peter Gutmann's <a
674 href="http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html">cryptography</a>
675 tutorial (500 slides in PDF format)</li>
676 <li>Amir Herzberg of IBM's slides for his course <a
677 href="http://www.hrl.il.ibm.com/mpay/course.html">Introduction to
678 Cryptography and Electronic Commerce</a></li>
679 <li>the <a href="http://www.gnupg.org/gph/en/manual/c173.html">concepts
680 section</a> of the <a href="glossary.html#GPG">GNU Privacy Guard</a>
682 <li>Bruce Schneier's self-study <a
683 href="http://www.counterpane.com/self-study.html">cryptanalysis</a>
687 <p>See also the <a href="#interesting">interesting papers</a> section
690 <h4><a name="standards">Crypto and security standards</a></h4>
692 <li><a href="http://csrc.nist.gov/cc">Common Criteria</a>, new
693 international computer and network security standards to replace the
694 "Rainbow" series</li>
695 <li>AES <a href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
696 Advanced Encryption Standard </a> which will replace DES</li>
697 <li><a href="http://grouper.ieee.org/groups/1363">IEEE P-1363 public key
699 <li>our collection of links for the <a href="#ipsec.link">IPsec</a>
702 href="http://www.visi.com/crypto/evalhist/index.html">formal
703 evaluation</a> of security policies and implementation</li>
706 <h4><a name="quotes">Crypto quotes</a></h4>
708 <p>There are several collections of cryptographic quotes on the net:</p>
710 <li><a href="http://www.eff.org/pub/EFF/quotes.eff">the EFF</a></li>
711 <li><a href="http://www.samsimpson.com/cquotes.php">Sam Simpson</a></li>
712 <li><a href="http://www.amk.ca/quotations/cryptography/page-1.html">AM
716 <h3><a name="policy">Cryptography law and policy</a></h3>
718 <h4><a name="legal">Surveys of crypto law</a></h4>
720 <li>International survey of <a
721 href="http://cwis.kub.nl/~FRW/PEOPLE/koops/lawsurvy.htm"> crypto
723 <li>International survey of <a
724 href="http://rechten.kub.nl/simone/ds-lawsu.htm"> digital signature
728 <h4><a name="oppose">Organisations opposing crypto restrictions</a></h4>
730 <li>The <a href="glossary.html#EFF">EFF</a>'s archives on <a
731 href="http://www.eff.org/pub/Privacy/">privacy</a> and <a
732 href="http://www.eff.org/pub/Privacy/ITAR_export/">export
734 <li><a href="http://www.gilc.org">Global Internet Liberty Campaign</a></li>
735 <li><a href="http://www.cdt.org/crypto">Center for Democracy and
737 <li><a href="http://www.privacyinternational.org/">Privacy
738 International</a>, who give out <a
739 href="http://www.bigbrotherawards.org/">Big Brother Awards</a> to snoopy
743 <h4><a name="other.policy">Other information on crypto policy</a></h4>
745 <li><a href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">RFC 1984</a>, the <a
746 href="glossary.html#IAB">IAB</a> and <a
747 href="glossary.html#IESG">IESG</a> Statement on Cryptographic Technology
748 and the Internet.</li>
749 <li>John Young's collection of <a href="http://cryptome.org/">documents</a>
750 of interest to the cryptography, open government and privacy movements,
751 organized chronologically</li>
752 <li>AT&T researcher Matt Blaze's Encryption, Privacy and Security <a
753 href="http://www.crypto.com">Resource Page</a></li>
754 <li>A good <a href="http://cryptome.org/crypto97-ne.htm">overview</a> of
755 the issues from Australia.</li>
758 <p>See also our documentation section on the <a href="politics.html">history
759 and politics</a> of cryptography.</p>
761 <h3><a name="crypto.tech">Cryptography technical information</a></h3>
763 <h4><a name="cryptolinks">Collections of crypto links</a></h4>
765 <li><a href="http://www.counterpane.com/hotlist.html">Counterpane</a></li>
766 <li><a href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Peter
767 Gutmann's links</a></li>
768 <li><a href="http://www.pca.dfn.de/eng/team/ske/pem-dok.html">PKI
770 <li><a href="http://crypto.yashy.com/www/">Robert Guerra's links</a></li>
773 <h4><a name="papers">Lists of online cryptography papers</a></h4>
775 <li><a href="http://www.counterpane.com/biblio">Counterpane</a></li>
777 href="http://www.cryptography.com/resources/papers">cryptography.com</a></li>
778 <li><a href="http://www.cryptosoft.com/html/secpub.htm">Cryptosoft</a></li>
<h4><a name="interesting">Particularly interesting papers</a></h4>

<p>These papers emphasize important issues around the use of cryptography,
and the design and management of secure systems.</p>
<ul>
<li><a href="http://www.counterpane.com/keylength.html">Key length
requirements for security</a></li>
<li><a href="http://www.cl.cam.ac.uk/users/rja14/wcf.html">Why
Cryptosystems Fail</a></li>
<li><a href="http://www.cdt.org/crypto/risks98/">Risks of escrowed</a></li>
<li><a href="http://www.counterpane.com/pitfalls.html">Security pitfalls in
cryptography</a></li>
<li><a href="http://www.acm.org/classics/sep95">Reflections on Trusting
Trust</a>, Ken Thompson on Trojan horse design</li>
<li><a href="http://www.apache-ssl.org/disclosure.pdf">Security against
Compelled Disclosure</a>, how to maintain privacy in the face of legal or</li>
</ul>
<h3><a name="compsec">Computer and network security</a></h3>

<h4><a name="seclink">Security links</a></h4>
<ul>
<li><a href="http://www.cs.purdue.edu/coast/hotlist">COAST Hotlist</a></li>
<li>DMOZ open directory project <a
href="http://dmoz.org/Computers/Security/">computer security</a></li>
<li><a href="http://www-cse.ucsd.edu/users/bsy/sec.html">Bennet Yee</a></li>
<li><a
href="http://www.fuhr.org/~mfuhr/computers/security.html">link</a></li>
<li><a href="http://www.networkintrusion.co.uk/">links</a> with an emphasis
on intrusion detection</li>
</ul>

<h4><a name="firewall.web">Firewall links</a></h4>
<ul>
<li><a href="http://www.cs.purdue.edu/coast/firewalls">COAST</a></li>
<li><a href="http://www.zeuros.co.uk">Firewalls Resource page</a></li>
</ul>

<h4><a name="vpn">VPN links</a></h4>
<ul>
<li><a href="http://www.vpnc.org">VPN Consortium</a></li>
<li>First VPN's <a href="http://www.firstvpn.com/research/rhome.html">white
paper</a> collection</li>
</ul>
<h4><a name="tools">Security tools</a></h4>
<ul>
<li>PGP -- mail encryption
<ul>
<li><a href="http://www.pgp.com/">PGP Inc.</a> (part of NAI) for
commercial versions</li>
<li><a href="http://web.mit.edu/network/pgp.html">MIT</a> distributes
the NAI product for non-commercial use</li>
<li><a href="http://www.pgpi.org/">international</a> distribution</li>
<li><a href="http://gnupg.org">GNU Privacy Guard (GPG)</a></li>
<li><a href="http://www.dk.pgp.net/pgpnet/pgp-faq/">PGP FAQ</a></li>
</ul>
A message in our mailing list archive has considerable detail on <a
href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00029.html">available
versions</a> of PGP and on IPsec support in them.
<p><strong>Note:</strong> A fairly nasty bug exists in all commercial PGP
versions from 5.5 through 6.5.3. If you have one of those,
<strong>upgrade now</strong>.</p>
</li>
<li>SSH -- secure remote login
<ul>
<li><a href="http://www.ssh.fi">SSH Communications Security</a>, for
the original software. It is free for trial, academic and
non-commercial use.</li>
<li><a href="http://www.openssh.com/">OpenSSH</a>, the OpenBSD team's
free replacement</li>
<li><a href="http://www.freessh.org/">freessh.org</a>, links to free
implementations for many systems</li>
<li><a href="http://www.uni-karlsruhe.de/~ig25/ssh-faq">SSH FAQ</a></li>
<li><a
href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">PuTTY</a>,
an SSH client for Windows</li>
</ul>
</li>
<li>Tripwire saves message digests of your system files. Recalculate the
digests and compare them to the saved values to detect any file changes.
There are several versions available:
<ul>
<li><a href="http://www.tripwiresecurity.com/">commercial</a></li>
<li><a href="http://www.tripwire.org/">Open Source</a></li>
</ul>
</li>
<li><a href="http://www.snort.org">Snort</a> and <a
href="http://www.lids.org">LIDS</a> are intrusion detection systems for</li>
<li><a href="http://www.fish.com/~zen/satan/satan.html">SATAN</a>, System
Administrators Tool for Analysing Networks</li>
<li><a href="http://www.insecure.org/nmap/">NMAP</a>, Network Mapper</li>
<li><a href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse
Venema's page</a> with various tools</li>
<li><a href="http://ita.ee.lbl.gov/index.html">Internet Traffic
Archive</a>, various tools to analyze network traffic, mostly scripts to
organise and format tcpdump(8) output for specific purposes</li>
<li><a name="ssmail">ssmail -- sendmail patched to do</a> <a
href="glossary.html#carpediem">opportunistic encryption</a>
<ul>
<li><a href="http://www.home.aone.net.au/qualcomm/">web page</a> with
links to code and to a Usenix paper describing it, in PDF</li>
</ul>
</li>
<li><a href="http://www.openca.org/">Open CA</a> project to develop a
freely distributed <a href="glossary.html#CA">Certification Authority</a>
for building an open <a href="glossary.html#PKI">Public Key
Infrastructure</a>.</li>
</ul>
<h3><a name="people">Links to home pages</a></h3>

<p>David Wagner at Berkeley provides a set of links to <a
href="http://www.cs.berkeley.edu/~daw/people/crypto.html">home pages</a> of
cryptographers, cypherpunks and computer security people.</p>