2013.10.24

[uclinux-h8/uClinux-dist.git] / freeswan / doc / web.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE> Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
</HEAD>
<BODY>
<A HREF="toc.html">Contents</a>
<A HREF="mail.html">Previous</a>
<A HREF="glossary.html">Next</a>
<HR>
<H1><A name="weblink">Web links</A></H1>
<H2><A name="freeswan">The Linux FreeS/WAN Project</A></H2>
<P>The main project web site is <A href="http://www.freeswan.org/">
www.freeswan.org</A>.</P>
<P>Links to other project-related <A href="intro.html#webdocs">sites</A>
 are provided in our introduction section.</P>
<H3><A name="patch">Add-ons and patches for FreeS/WAN</A></H3>
<P> Some user-contributed patches gave been integrated into the 
FreeS/WAN distribution. For a variety of reasons, those listed below 
have not.</P>
<P>Patches believed current at time of writing (March 2001, just before 
1.9 release):</P>
<UL>
<LI><A href="http://www.zengl.net/freeswan/download/">patches and 
utilities</A> for  using FreeS/WAN with PGPnet</LI>
<LI>patches for <A href="http://www.strongsec.com/freeswan/">X.509 
 certificate support</A>, also available from a <A href="http://www.twi.ch/~sna/strongsec/freeswan/">
mirror site</A></LI>
<LI>a <A href="http://tzukanov.narod.ru/">series</A> of patches that 
<UL>
<LI>provide GOST, a Russian gov't. standard cipher, in MMX assembler </LI>
<LI>add GOST to OpenSSL </LI>
<LI>add GOST to the International kernel patch </LI>
<LI>let FreeS/WAN use International kernel patch ciphers </LI>
</UL>
</LI>
<LI><A href="http://www.ipv6.iabg.de/downloadframe/index.html">IPv6 
support</A></LI>
</UL>
<P> Before using these, check the <A href="mail.html">mailing list</A>
 for news of newer versions and to see whether they have been 
incorporated into more recent versions of FreeS/WAN.</P>
<P><STRONG> Note:</STRONG> At one point the way PGP generates RSA keys 
and the way FreeS/WAN checks them for validity before using them were 
slightly different, so quite a few PGP-generated keys would be rejected 
by FreeS/WAN, confusing users no end. This is fixed in 1.9. </P>
<P> A set of PKIX patches were recently announced on the mailing list:</P>
<PRE>
Subject: a different PKIX patch.
   Date: Mon, 5 Mar 2001
   From: Luc Lanthier &lt;firesoul@netwinder.org&gt;

I'd like to invite volunteers to use the now-complete PKIX project I've
been working on since about August. Because of this, the patch is for
FreeSWAN 1.5, not 1.8... I haven't really felt the need to update it since
I don't use IPV6 nor DNSSec.

This is similar, but different than Andreas Steffen's pkix
implementation. I've based this work on Neil Dunbar's openssl-pkix patch
for FreeSWAN 1.1. I've updated it to run on FreeSWAN 1.5 correctly, and
added support for ID_DER_ASN1_DN ID packet support. It will do LDAP
certificate lookups no problem, as well as local flatfile, directory, or
DB lookup for testing or speed.

IE: It's a full CA-compatible client, capable of looking up, checking the
CRL for expiry and such. It will not only do the classic PSK and RSASIG
freeswan methods just fine, but also does PKIX's RSASIG, PKE and
RPKE. I've spent a lot of time adding RoadWarrior support for these last
IKE exchange methods.

The patch can be found as: 
  ftp://ftp.netwinder.org/users/f/firesoul/freeswan-1.5-pkix_13.patch
There are also freeswan-1.5 - kernel 2.4 patches for those who need them.

Let me know. Feedback is appreciated.
</PRE>
<P> Older patches:</P>
<UL>
<LI>Neil Dunbar's patches for <A href="ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz">
 certificate  support</A>, using code from <A href="www.openssl.com">
Open SSL</A>.</LI>
<LI><A href="ftp://ftp.heise.de/pub/ct/listings/9916-180.tgz">patches</A>
 to add <A href="glossary.html#blowfish">Blowfish</A>, <A href="glossary.html#IDEA">
IDEA</A> and <A href="glossary.html#CAST128">CAST-128</A> to FreeS/WAN</LI>
<LI><A href="http://www.cendio.se/~bellman/aggressive-pluto.snap.tar.gz">
patches</A> for aggressive  mode support </LI>
</UL>
<P> These patches are for older versions of FreeS/WAN and will likely 
not work with the current version.  Older versions of FreeS/WAN may be 
available on some of the <A href="intro.html#site">distribution sites</A>
, but we recommend using the current release.</P>
<H4><A name="VPN.masq">VPN masquerade patches</A></H4>
 Finally, there are some patches to other code that may be useful with 
FreeS/WAN: 
<UL>
<LI>a <A href="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">
patch</A> to make IPSEC, PPTP and SSH VPNs work through a Linux 
firewall with <A href="glossary.html#masq">IP masquerade</A>. </LI>
<LI><A href="http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html">
Linux VPN Masquerade HOWTO</A></LI>
</UL>
 Note that this is not required if the same machine does IPSEC and 
masquerading, only if you want a to locate your IPSEC gateway on a 
masqueraded network. See our <A href="firewall.html#NAT">firewalls</A>
 document for discussion of why this is problematic. 
<P> At last report, this patch could not co-exist with FreeS/WAN on the 
same machine. </P>
<H3><A name="dist">Distributions including FreeS/WAN</A></H3>
<P>The introductory section of our document set lists several <A href="intro.html#distwith">
Linux distributions</A> which include FreeS/WAN.</P>
<H3><A name="used">Things FreeS/WAN uses or could use</A></H3>
<UL>
<LI><A href="http://openpgp.net/random">/dev/random</A> support page, 
 discussion of and code for the Linux <A href="glossary.html#random">
random number  driver</A>. Out-of-date when we last checked (January 
2000), but still  useful.</LI>
<LI>other programs related to random numbers: 
<UL>
<LI><A href="http://www.mindrot.org/code/audio-entropyd.php3">audio 
entropy daemon</A> to gather noise from a sound card and feed it into 
/dev/random </LI>
<LI>an <A href="http://www.lothar.com/tech/crypto/">entropy-gathering 
 daemon</A></LI>
<LI>a driver for the random number generator in recent <A href="http://gtf.org/garzik/drivers/i810_rng/">
Intel  chipsets</A></LI>
</UL>
</LI>
<LI>a Linux <A href="http://www.marko.net/l2tp/">L2TP Daemon</A> which 
 might be useful for communicating with Windows 2000 which builds L2TP 
 tunnels over its IPSEC connections</LI>
<LI><A href="http://www.bhconsult.com/packetspy/">packet spy</A>, a 
packet  sniffer whose author said in a Dec 1999 message &quot;It's very 
unfinished,  especially the filter, but it can give you an ascii and 
hex dump at the  same time. I started it specifically for snooping a 
FreeS/WAN  installation.&quot;</LI>
<LI>to use opportunistic encryption, you need a recent version of <A href="glossary.html#BIND">
 BIND</A>. Get one from the <A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">
 FreeS/WAN site</A> or from the <A href="http://www.isc.org">Internet 
Software Consortium</A> who maintain BIND. </LI>
</UL>
<H3><A name="alternatives">Other approaches to VPNs for Linux</A></H3>
<UL>
<LI>other Linux <A href="#linuxIPSEC">IPSEC implementations</A></LI>
<LI><A href="http://www.tik.ee.ethz.ch/~skip/">ENskip</A>, a free 
 implementation of Sun's <A href="glossary.html#SKIP">SKIP</A> protocol</LI>
<LI><A href="http://sunsite.auc.dk/vpnd/">vpnd</A>, a non-IPSEC VPN 
daemon  for Linux which creates tunnels using <A href="glossary.html#blowfish">
Blowfish</A> encryption</LI>
<LI><A href="http://www.winton.org.uk/zebedee/">Zebedee</A>, a simple 
GPLd  tunnel-building program with Linux and Win32 versions. The name 
is from <STRONG> Z</STRONG>lib compression, <STRONG>B</STRONG>lowfish 
encryption  and <STRONG>D</STRONG>iffie-Hellman key exchange.</LI>
<LI>LinuxCare's <A href="http://www.strongcrypto.com/">VPS (Virtual 
 Private Server)</A> which builds tunnels using <A href="glossary.html#SSH">
SSH</A></LI>
<LI>Moreton Bay's <A href="http://www.moretonbay.com/vpn/pptp.html">
PoPToP</A>, PPTP for  Linux</LI>
<LI><A href="http://sites.inka.de/sites/bigred/devel/cipe.html">CIPE</A>
 (crypto IP routers)  project, using their own lightweight protocol to 
encrypt between  routers</LI>
<LI><A href="http://vtun.netpedia.net/">vtun</A> &quot;virtual tunnels&quot;, 
using  Blowfish</LI>
<LI><A href="http://tinc.nl.linux.org/">tinc</A>, a VPN Daemon</LI>
</UL>
<P> There is a list of <A href="http://www.securityportal.com/lskb/10000000/kben10000005.html">
Linux VPN</A> software in the <A href="http://www.securityportal.com/lskb/kben00000001.html">
Linux Security Knowledge Base</A>. </P>
<H2><A name="ipsec.link">The IPSEC Protocols</A></H2>
<H3><A name="general">General IPSEC or VPN information</A></H3>
<UL>
<LI>The <A href="http://www.vpnc.org">VPN Consortium</A> is a group for 
 vendors of IPSEC products. Among other things, they have a good 
 collection of <A href="http://www.vpnc.org/white-papers.html">IPSEC 
 white papers</A>.</LI>
<LI>A VPN mailing list with a <A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
home page</A>, a  FAQ, some product comparisons, and many links.</LI>
<LI>A list of <A href="http://www.cs.umass.edu/~lmccarth/ipsec.html">
IPSEC  links</A> from Lewis McCarthy at U Mass.</LI>
<LI><A href="http://www.opus1.com/vpn/index.html">VPN pointer  page</A></LI>
<LI>a <A href="http://www.epm.ornl.gov/~dunigan/vpn.html">collection</A>
 of VPN links, and some explanation </LI>
</UL>
<H3><A name="overview">IPSEC overview documents or slide sets</A></H3>
<UL>
<LI>the FreeS/WAN <A href="ipsec.html">document section</A> on these 
protocols</LI>
<LI>A good <A href="http://www.data.com/tutorials/bullet.html">
 introductory article </A> with links to several articles on related 
 topics</LI>
<LI><A href="http://www.ipsec.com/ipsectech.html">SSH Communications 
 Security</A></LI>
<LI>Timestep Corporation's tutorial: go to their <A href="http://www.timestep.com">
web site</A>, then follow the &quot;VPN  Overview&quot; link</LI>
</UL>
<H3><A name="otherlang">IPSEC information in languages other than 
English</A></H3>
<UL>
<LI><A href="http://www.imib.med.tu-dresden.de/imib/Internet/Literatur/ipsec-docu.html">
German</A></LI>
<LI><A href="http://www.kame.net/index-j.html">Japanese</A></LI>
</UL>
<H3><A name="RFCs1">RFCs and other reference documents</A></H3>
<UL>
<LI><A href="rfc.html">Our document</A> listing the RFCs relevant to 
Linux  FreeS/WAN and giving various ways of obtaining both RFCs and 
Internet  Drafts.</LI>
<LI><A href="http://www.vpnc.org/ipsec-standards.html">IPSEC standards</A>
 page maintained by <A href="glossary.html#VPNC">VPNC</A>. This covers 
both RFCs and  Drafts, and classifies them in a fairly helpful way.</LI>
<LI><A href="http://www.rfc-editor.org">RFC archive</A></LI>
<LI><A href="http://www.ietf.org/ids.by.wg/ipsec.html">Internet Drafts</A>
 related to IPSEC</LI>
<LI>US government <A href="http://www.itl.nist.gov/div897/pubs"> site</A>
 with their <A href="glossary.html#FIPS">FIPS</A> standards</LI>
<LI>Archives of the ipsec@tis.com mailing list where discussion of 
drafts  takes place. 
<UL>
<LI><A href="http://www.sandelman.ottawa.on.ca/ipsec">Eastern  Canada</A>
</LI>
<LI><A href="http://www.vpnc.org/ietf-ipsec">California</A>.</LI>
</UL>
</LI>
</UL>
<H3><A name="analysis">Analysis and critiques of IPSEC protocols</A></H3>
<UL>
<LI>Counterpane's <A href="http://www.counterpane.com/ipsec.pdf">
evaluation</A> of the  protocols</LI>
<LI>Simpson's <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html">
IKE  Considered Dangerous</A> paper. Note that this is a link to an 
archive  of our mailing list. There are several replies in addition to 
the paper  itself.</LI>
<LI>Bellovin's <A href="http://www.research.att.com/~smb/papers/index.html">
papers</A> page including his: 
<UL>
<LI>Security Problems in the TCP/IP Protocol Suite (1989)</LI>
<LI>Problem Areas for the IP Security Protocols (1996)</LI>
<LI>Probable Plaintext Cryptanalysis of the IP Security Protocols 
 (1997)</LI>
</UL>
</LI>
<LI>Catherine Meadows of NRL applied the NRL Protocol Analyzer to IKE. 
Her  paper is available in <A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.pdf">
PDF</A> or <A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.ps">
Postscript</A>.</LI>
<LI>An <A href="http://www.lounge.org/ike_doi_errata.html">errata list</A>
 for the IPSEC RFCs.</LI>
</UL>
<H3><A name="IP.background">Background information on IP</A></H3>
<UL>
<LI>An introduction to <A href="http://www.3com.com/nsc/501302.html">IP 
 addressing</A> from 3Com</LI>
<LI>An <A href="http://ipprimer.windsorcs.com/">IP tutorial</A> that 
seems  to be written mainly for Netware or Microsoft LAN admins 
entering a new  world</LI>
<LI><A href="http://www.iana.org">IANA</A>, Internet Assigned Numbers 
 Authority</LI>
<LI><A href="http://public.pacbell.net/dedicated/cidr.html">CIDR</A>, 
 Classless Inter-Domain Routing</LI>
<LI>Also see our <A href="biblio.html">bibliography</A></LI>
</UL>
<H2><A name="implement">IPSEC Implementations</A></H2>
<H3><A name="linuxprod">Linux products</A></H3>
<P> Vendors using FreeS/WAN in turnkey firewall or VPN products are 
listed in  our <A href="intro.html#turnkey">introduction</A>.</P>
<P>Other vendors have Linux IPSEC products which, as far as we know, do 
not  use FreeS/WAN</P>
<UL>
<LI><A href="http://www.redcreek.com/products/shareware.html">Redcreek</A>
 provide an open source Linux driver for their PCI hardware VPN card. 
 This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more 
 specialised crypto chips, and claimed encryption performance of 45 
 Mbit/sec. The PC sees it as an Ethernet board.</LI>
<LI><A href="http://linuxtoday.com/stories/8428.html?nn">Paktronix</A>
 offer a Linux-based VPN with hardware encryption </LI>
<LI>According to a report on our mailing list, <A href="http://www.watchguard.com/">
Watchguard</A> use Linux in their  Firebox product.</LI>
<LI><A href="http://www.entrust.com">Entrust</A> offer a developers' 
 toolkit for using their <A href="glossary.html#PKI">PKI</A> for IPSEC 
 authentication</LI>
<LI>According to a report on our mailing list, <A href="www.axent.com">
Axent</A> have a Linux version of their product. </LI>
</UL>
<H3><A name="router">IPSEC in router products</A></H3>
<P> All the major router vendors support IPSEC, at least in some models.</P>
<UL>
<LI><A href="http://www.cisco.com/warp/public/707/16.html">Cisco</A>
 IPSEC  information</LI>
<LI><A href="http://www.ascend.com/">Ascend</A>, now part of Lucent, 
have  some IPSEC-based products</LI>
<LI><A href="http://www.nortelnetworks.com/">Bay Networks</A>, now part 
of  Nortel, use IPSEC in their Contivity switch product line</LI>
<LI><A href="http://www.3com.com/products/enterprise.html">3Com</A>
 have a  number of VPN products, some using IPSEC</LI>
</UL>
<H3><A name="fw.web">IPSEC in firewall products</A></H3>
 Many firewall vendors offer IPSEC, either as a standard part of their 
product, or an optional extra. A few we know about are: 
<UL>
<LI><A href="http://www.borderware.com/">Borderware</A></LI>
<LI><A href="http://www.ashleylaurent.com/vpn/ipsec_vpn.htm">Ashley 
Laurent</A></LI>
<LI><A href="http://www.watchguard.com">Watchguard</A></LI>
<LI><A href="http://www.fx.dk/firewall/ipsec.html">Injoy</A> for OS/2 </LI>
</UL>
<P> Vendors using FreeS/WAN in turnkey firewall products are listed in 
our <A href="turnkey">introduction</A>.</P>
<H3><A name="ipsecos">Operating systems with IPSEC support</A></H3>
<P>All the major open source operating systems support IPSEC. See below 
for  details on <A href="#BSD">BSD-derived</A> Unix variants.</P>
<P>Among commercial OS vendors, IPSEC players include:</P>
<UL>
<LI><A href="http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/msdn_ip_security.htm">
Microsoft</A> have put IPSEC in their Windows 2000 products</LI>
<LI>Apple's <A href="http://www.appleinsider.com/macosx.shtml">Mac OS X</A>
 has IPSEC support built in</LI>
<LI><A href="http://www.s390.ibm.com/stories/1999/os390v2r8_pr.html">IBM</A>
 announce a release of OS390 with IPSEC support via a crypto 
 co-processor</LI>
<LI><A href="http://www.sun.com/solaris/ds/ds-security/ds-security.pdf">
Sun</A> include IPSEC in Solaris 8</LI>
<LI><A href="http://www.hp.com/security/products/extranet-security.html">
Hewlett  Packard</A> offer IPSEC for their Unix machines</LI>
</UL>
<H3><A name="opensource">Open source IPSEC implementations</A></H3>
<H4><A name="linuxIPSEC">Other Linux IPSEC implementations</A></H4>
<P>We like to think of FreeS/WAN as <EM>the</EM> Linux IPSEC 
implementation,  but it is not the only one. Others we know of are:</P>
<UL>
<LI><A href="http://www.enst.fr/~beyssac/pipsec/">pipsecd</A>, a 
 lightweight implementation of IPSEC for Linux. Does not require kernel 
 recompilation.</LI>
<LI>Petr Novak's <A href="ftp://ftp.eunet.cz/icz/ipnsec/">ipnsec</A>, 
 based on the OpenBSD IPSEC code and using <A href="glossary.html#photuris">
Photuris</A> for key management</LI>
<LI>A now defunct project at <A href="http://www.cs.arizona.edu/security/hpcc-blue/linux.html">
U of  Arizona</A> (export controlled)</LI>
<LI><A href="http://snad.ncsl.nist.gov/cerberus">NIST Cerebus</A>
 (export  controlled)</LI>
</UL>
<H4><A name="BSD">IPSEC for BSD Unix</A></H4>
<UL>
<LI><A href="http://www.kame.net/project-overview.html">KAME</A>, 
several  large Japanese companies co-operating on IPv6 and IPSEC</LI>
<LI><A href="http://web.mit.edu/network/isakmp">US Naval Research Lab</A>
 implementation of IPv6 and of IPSEC for IPv4 (export controlled)</LI>
<LI><A href="http://www.openbsd.org/crypto">OpenBSD</A> includes IPSEC 
as  a standard part of the distribution</LI>
<LI><A href="http://www.r4k.net/ipsec">IPSEC for FreeBSD</A></LI>
<LI>a <A href="http://www.netbsd.org/Documentation/network/ipsec/">FAQ</A>
 on NetBSD's IPSEC implementation</LI>
</UL>
<H4><A name="misc">IPSEC for other systems</A></H4>
<UL>
<LI><A href="http://www.tcm.hut.fi/Tutkimus/IPSEC/">Helsinki U of 
 Technolgy</A> have implemented IPSEC for Solaris, Java and  Macintosh</LI>
</UL>
<H3><A name="interop">Interoperability</A></H3>
<P> The IPSEC protocols are designed so that different implementations 
should be able to work together. As they say &quot;the devil is in the 
details&quot;. IPSEC has a lot of details, but considerable success has been 
achieved.</P>
<H4><A name="result">Interoperability results</A></H4>
<P> Linux FreeS/WAN has been tested for interoperability with many 
other  IPSEC implementations. Results to date are in our <A href="interop.html">
interoperability</A> section.</P>
<P>Various other sites have information on interoperability between 
various  IPSEC implementations:</P>
<UL>
<LI><A href="http://www.opus1.com/vpn/atl99display.html">interop 
 results</A> from a bakeoff in Atlanta, September 1999.</LI>
<LI>a French company, HSC's, <A href="http://www.hsc.fr/ressources/presentations/ipsec99/index.html.en">
interoperability</A> test data covers FreeS/WAN, Open BSD, KAME, Linux 
pipsecd, Checkpoint, Red  Creek Ravlin, and Cisco IOS</LI>
<LI><A href="http://www.icsa.net/">ICSA</A> offer certification 
programs  for various security-related products. See their list of <A href="http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml">
 certified IPSEC</A> products. Linux FreeS/WAN is not currently on that 
 list, but several products with which we interoperate are.</LI>
<LI>VPNC have a page on why they are not yet doing <A href="http://www.vpnc.org/interop.html">
 interoperability</A> testing and a  page on the <A href="http://www.vpnc.org/conformance.html">
spec conformance</A> testing that they are doning</LI>
<LI>a <A href="http://www.commweb.com/article/COM20000912S0009">review</A>
 comparing a dozen commercial IPSEC implemetations. Unfortunately, the 
 reviewers did not look at Open Source implementations such as 
FreeS/WAN  or OpenBSD.</LI>
<LI><A href="http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html">
results</A> from interoperability tests at a conference. FreeS/WAN was 
not tested  there.</LI>
<LI>test results from the <A href="http://www.hsc.fr/ressources/veille/ipsec/ipsec2000/">
IPSEC 2000</A> conference </LI>
</UL>
<H4><A name="test1">Interoperability test sites</A></H4>
<UL>
<LI><A href="http://www.tahi.org/">TAHI</A>, a Japanese IPv6 testing 
 project with free IPSEC validation software </LI>
<LI><A href="http://ipsec-wit.antd.nist.gov">National Institute of 
 Standards and Technology</A></LI>
<LI><A href="http://www.rsa.com/rsa/SWAN/swan_test1.html">RSA Data 
 Security</A></LI>
<LI><A href="http://isakmp-test.ssh.fi/">SSH Communications  Security</A>
</LI>
<LI><A href="http://www2.internetdevices.com/arch-lab/interop-testing">
Internet  Devices</A></LI>
</UL>
<H2><A name="linux.link">Linux links</A></H2>
<H3><A name="linux.basic">Basic and tutorial Linux information</A></H3>
<UL>
<LI>Linux <A href="http://linuxcentral.com/linux/LDP/LDP/gs/gs.html">
Getting  Started</A> HOWTO document</LI>
<LI>A getting started guide from the <A href="http://darkwing.uoregon.edu/~cchome/linuxgettingstarted.html">
U of  Oregon</A></LI>
<LI>A large <A href="http://www.herring.org/techie.html">link 
 collection</A> which includes a lot of introductory and tutorial 
 material on Unix, Linux, the net, . . .</LI>
</UL>
<H3><A name="general">General Linux sites</A></H3>
<UL>
<LI><A href="http://members.aa.net/~swear/pedia/index.html">Gary's 
 Encyclopedia</A>, several thousand Linux links, over 100 categories</LI>
<LI><A href="http://www.freshmeat.net">Freshmeat</A> Linux news</LI>
<LI><A href="http://slashdot.org">Slashdot</A> &quot;News for Nerds&quot;</LI>
<LI><A href="http://www.linux.org">Linux Online</A></LI>
<LI><A href="http://www.linuxhq.com">Linux HQ</A></LI>
<LI><A href="http://www.tux.org">tux.org</A></LI>
</UL>
<H3><A name="docs1">Documentation</A></H3>
<UL>
<LI><A href="http://metalab.unc.edu/LDP">Linux Documentation Project</A>
<UL>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/META-FAQ.html">Meta-FAQ</A>
 guide to Linux information sources</LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/HOWTO-INDEX-3.html">Index 
of  HOWTO documents</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel 
 HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
Security  HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html">
Networking  Overview HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/NET-3-HOWTO.html">Net 3 
 HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/LDP/sag/node1.html">System 
 Administrator's Guide</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/LDP/nag/node1.html">Network 
 Adminstrator's Guide</A></LI>
</UL>
</LI>
<LI><A href="www.oswg.org">Open Source Writers' Group</A>, cover the 
BSD  derivatives as well as Linux 
<UL>
<LI><A href="http://www.oswg.org/oswg/query/osdi">document  index</A></LI>
<LI>some good <A href="">essays</A> on open source ideas</LI>
</UL>
</LI>
<LI>Tucows <A href="">Linux HowTo collection</A>, mostly a mirror of 
LDP  material</LI>
</UL>
<H3><A name="advroute.web">Advanced routing</A></H3>
<P>The Linux IP stack is getting some new features in 2.4 kernels. Most 
are  already available as experimental code in 2.3 kernels. Some HowTos 
have been  written:</P>
<UL>
<LI>several HowTos for the <A href="http://netfilter.kernelnotes.org/unreliable-guides/index.html">
netfilter</A> firewall code in newer kernels</LI>
<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4networking.html">
2.4  networking</A> HowTo</LI>
<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4routing.html">
2.4  routing</A> HowTo</LI>
</UL>
<H3><A name="linsec">Security for Linux</A></H3>
<UL>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
Security  HOWTO</A></LI>
<LI>Linux Security <A href="http://www.securityportal.com/lskb/kben00000001.html">
Knowledge Base</A></LI>
<LI><A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
Trinity  OS guide to setting up Linux</A></LI>
<LI><A href="https://www.seifried.org/lasg/">Linux Administrator's 
 Security Guide</A></LI>
<LI><A href="http://www.ecst.csuchico.edu/~jtmurphy/">Linux security</A>
 page</LI>
<LI><A href="http://www.deter.com/unix">Unix security</A> page</LI>
<LI><A href="http://linux01.gwdg.de/~alatham/">PPDD</A> encrypting 
 filesystem</LI>
<LI><A href="http://fachschaft.physik.uni-bielefeld.de/leute/marc/Encryption-HOWTO/">
Linux  Encryption HowTo</A> This does not cover FreeS/WAN (or didn't 
when I  last checked, April 2000), only gives a pointer to our web 
site, but  does have some good information on other things.</LI>
</UL>
<H3><A name="firewall.linux">Linux firewalls</A></H3>
<UL>
<LI><A href="http://rlz.ne.mediaone.net/linux">Linux Firewall  page</A></LI>
<LI><A href="http://ipmasq.cjb.net/">IP Masquerade resource page</A></LI>
<LI><A href="http://www.rustcorp.com/linux/ipchains">IP chains</A>, the 
 firewall code in 2.2 kernels.</LI>
<LI><A href="http://netfilter.kernelnotes.org/unreliable-guides/index.html">
netfilter</A> firewall code in kernels from 2.3.15 on</LI>
<LI>Our list of general <A href="firewall.html#firewall">firewall 
references</A> on the  web</LI>
<LI><A href="http://users.dhp.com/~whisper/mason/">Mason</A>, a tool 
for  automatically configuring Linux firewalls</LI>
<LI><A href="http://seawall.sourceforge.net/">Seattle Firewall</A>
 tools for  building a firewall using ipchains and FreeS?WAN </LI>
<LI>the web cache software <A href="http://www.squid-cache.org/">squid</A>
 and <A href="http://www.squidguard.org/">squidguard</A> which turns 
 Squid into a filtering web proxy</LI>
</UL>
<H3><A name="linux.misc">Miscellaneous Linux information</A></H3>
<UL>
<LI><A href="http://lwn.net/current/dists.php3">List of Linux 
distribution  vendors</A></LI>
<LI>FAQ for the <A href="http://www.miscellaneous.net/linux/linux-admin-FAQ/linux-admin-FAQ-1.html">
 Linux adminstration</A> mailing list</LI>
<LI>A web page about PPTP for Linux with a list of other <A href="http://www.moretonbay.com/vpn/pptp.html">
Linux VPN</A> software</LI>
</UL>
<H2><A name="crypto.link">Crypto and security links</A></H2>
<H3><A name="security">Crypto and security resources</A></H3>
<H4><A name="std.links">The standard link collections</A></H4>
<P>Two enormous collections of links, each the standard reference in 
its  area:</P>
<DL>
<DT>Gene Spafford's <A href="http://www.cerias.purdue.edu/coast/hotlist/">
COAST hotlist</A></DT>
<DD>Computer and network security.</DD>
<DT>Peter Gutmann's <A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">
Encryption and  Security-related Resources</A></DT>
<DD>Cryptography.</DD>
</DL>
<H4><A name="FAQ">Frequently Asked Question (FAQ) documents</A></H4>
<UL>
<LI><A href="http://www.faqs.org/faqs/cryptography-faq/">Cryptography 
 FAQ</A></LI>
<LI><A href="http://www.interhack.net/pubs/fwfaq">Firewall FAQ</A></LI>
<LI>A FAQ listing computer security <A href="">mailing lists</A></LI>
<LI><A href="http://www.whitefang.com/sup/secure-faq.html">Secure Unix 
 Programming FAQ</A></LI>
<LI>FAQs for specific programs are listed in the <A href="#tools">tools</A>
 section below.</LI>
</UL>
<H4><A name="cryptover">Tutorials</A></H4>
<UL>
<LI>Gary Kessler's <A href="http://www.garykessler.net/library/crypto.html">
Overview of  Cryptography</A></LI>
<LI>Terry Ritter's <A href="http://www.io.com/~ritter/LEARNING.HTM">
introduction</A></LI>
<LI>Kurt Seifried's online <A href="http://www.securityportal.com/research/cryptodocs/basic-book/">
introductory  book</A></LI>
<LI>Peter Gutman's <A href="http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html">
cryptography</A> tutorial (500 slides in PDF format)</LI>
<LI>Amir Herzberg of IBM's sildes for his course <A href="http://www.hrl.il.ibm.com/mpay/course.html">
Introduction to  Cryptography and Electronic Commerce</A></LI>
<LI>the <A href="http://www.gnupg.org/gph/en/manual/c173.html">concepts 
 section</A> of the <A href="glossary.html#GPG">GNU Privacy Guard</A>
 documentation</LI>
<LI>Bruce Schneier's self-study <A href="http://www.counterpane.com/self-study.html">
cryptanalysis</A> course</LI>
</UL>
<P>See also the <A href="#interesting">interesting papers</A> section 
 below.</P>
<H4><A name="standards">Crypto and security standards</A></H4>
<UL>
<LI><A href="http://csrc.nist.gov/cc">Common Criteria</A>, new 
 international computer and network security standards to replace the 
 &quot;Rainbow&quot; series</LI>
<LI>AES <A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
 Advanced Encryption Standard </A> which will replace DES</LI>
<LI><A href="http://grouper.ieee.org/groups/1363">IEEE P-1363 public 
key  standard</A></LI>
<LI>our collection of links for the <A href="#ipsec.link">IPSEC</A>
 standards</LI>
<LI>history of <A href="http://www.visi.com/crypto/evalhist/index.html">
formal  evaluation</A> of security policies and implementation</LI>
</UL>
<H3><A name="policy">Cryptography law and policy</A></H3>
<H4><A name="legal">Surveys of crypto law</A></H4>
<UL>
<LI>International survey of <A href="http://cwis.kub.nl/~FRW/PEOPLE/koops/lawsurvy.htm">
 crypto  law</A>.</LI>
<LI>International survey of <A href="http://rechten.kub.nl/simone/ds-lawsu.htm">
 digital signature  law</A></LI>
</UL>
<H4><A name="oppose">Organisations opposing crypto restrictions</A></H4>
<UL>
<LI>The <A href="glossary.html#EFF">EFF</A>'s archives on <A href="http://www.eff.org/pub/Privacy/">
privacy</A> and <A href="http://www.eff.org/pub/Privacy/ITAR_export/">
export  control</A>.</LI>
<LI><A href="www.gilc.org">Global Internet Liberty Campaign</A></LI>
<LI><A href="http://www.cdt.org/crypto">Center for Democracy and 
 Technology</A></LI>
<LI><A href="http://www.privacyinternational.org/">Privacy 
 International</A>, who give out <A href="http://www.bigbrotherawards.org/">
Big Brother Awards</A> to snoopy  organisations</LI>
</UL>
<H4><A name="other.policy">Other information on crypto policy</A></H4>
<UL>
<LI><A href="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1984.txt">
RFC  1984</A>, the <A href="glossary.html#IAB">IAB</A> and <A href="glossary.html#IESG">
IESG</A> Statement on Cryptographic Technology and the Internet.</LI>
<LI>John Young's collection of <A href="http://jya.com/crypto.htm">
documents</A> of interest to the  cryptography, open government and 
privacy movements, organized  chronologically</LI>
<LI>Encryption, Privacy and Security <A href="http://www.crypto.com">
Resource Page</A> with a mainly US  focus</LI>
<LI><A href="ftp://ftp.cygnus.com/pub/export/export.html">Cryptography 
 Export Control Archive</A>, mainly links to court and govenment 
 documents on various challenges to US law</LI>
<LI>A good <A href="http://cryptome.org/crypto97-ne.htm">overview</A>
 of  the issues from Australia.</LI>
</UL>
<P>See also our documentation section on the <A href="politics.html">
history and  politics</A> of cryptography.</P>
<H3><A name="crypto.tech">Cryptography technical information</A></H3>
<H4><A name="cryptolinks">Collections of crypto links</A></H4>
<UL>
<LI><A href="http://www.counterpane.com/hotlist.html">Counterpane</A></LI>
<LI><A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Peter 
 Gutman's links</A></LI>
<LI><A href="http://home.cyber.ee/helger/crypto/">Helger Lipmaa's  links</A>
</LI>
<LI><A href="http://www.pca.dfn.de/eng/team/ske/pem-dok.html">PKI  links</A>
</LI>
<LI><A href="http://crypto.yashy.com/www/">Robert Guerra's links</A></LI>
</UL>
<H4><A name="papers">Lists of online cryptography papers</A></H4>
<UL>
<LI><A href="http://www.counterpane.com/biblio">Counterpane</A></LI>
<LI><A href="http://www.cryptography.com/resources/papers">
cryptography.com</A></LI>
<LI><A href="http://www.cryptosoft.com/html/secpub.htm">Cryptosoft</A></LI>
</UL>
<H4><A name="interesting">Particularly interesting papers</A></H4>
<P>These papers emphasize important issues around the use of 
cryptography,  and the design and management of secure systems.</P>
<UL>
<LI><A href="http://www.counterpane.com/keylength.html">Key length 
 requirements for security</A></LI>
<LI><A href="http://www.cl.cam.ac.uk/users/rja14/wcf.html">Why 
 Cryptosystems Fail</A></LI>
<LI><A href="http://www.cdt.org/crypto/risks98/">Risks of escrowed 
 encryption</A></LI>
<LI><A href="http://www.counterpane.com/pitfalls.html">Security 
pitfalls  in cryptography</A></LI>
<LI><A href="http://www.acm.org/classics/sep95">Reflections on Trusting 
 Trust</A>, Ken Thompson on Trojan horse design</LI>
<LI><A href="http://www.apache-ssl.org/disclosure.pdf">Security against 
Compelled  Disclosure</A>, how to maintain privacy in the face of legal 
or other coersion </LI>
</UL>
<H3><A name="compsec">Computer and network security</A></H3>
<H4><A name="seclink">Security links</A></H4>
<UL>
<LI><A href="http://www.cs.purdue.edu/coast/hotlist">COAST  Hotlist</A></LI>
<LI>DMOZ open directory project <A href="http://dmoz.org/Computers/Security/">
computer security</A> links</LI>
<LI><A href="http://www.telstra.com.au/info/security.html">Telstra</A></LI>
<LI><A href="http://www-cse.ucsd.edu/users/bsy/sec.html">Bennet  Yee</A></LI>
<LI><A href="http://www.excelmail.com">Email Security and PKI  Documents</A>
</LI>
<LI><A href="http://www.opensec.net/">Open SEC</A>, a link farm full of 
 links to freely available security tools</LI>
<LI>Mike Fuhr's <A href="http://www.fuhr.org/~mfuhr/computers/security.html">
link collection</A></LI>
<LI><A href="http://www.networkintrusion.co.uk/">links</A> with an 
emphasis on intrusion  detection </LI>
</UL>
<H4><A name="firewall3">Firewall links</A></H4>
<UL>
<LI><A href="http://www.cs.purdue.edu/coast/firewalls">COAST  firewalls</A>
</LI>
<LI><A href="http://www.zeuros.co.uk">Firewalls Resource page</A></LI>
<LI><A href="http://www.digital.de/~jmh/fw-stuff.html">Firewall info 
 list</A></LI>
<LI><A href="http://www.idx.com.au/~amilev/Firewalls1.htm">Ami 
 Levartovsky</A></LI>
</UL>
<H4><A name="vpn">VPN links</A></H4>
<UL>
<LI><A href="http://www.vpnc.org">VPN Consortium</A></LI>
<LI>First VPN's <A href="http://www.firstvpn.com/research/rhome.html">
white paper</A> collection</LI>
<LI>oddsites.com <A href="http://www.oddsites.com/vpn/">VPN links</A></LI>
</UL>
<H4><A name="tools">Security tools</A></H4>
<UL>
<LI><A href="http://www.opensec.net/">Open SEC</A>, a link farm full of 
 links to freely available security tools</LI>
<LI>PGP -- mail encryption 
<UL>
<LI><A href="http://www.pgp.com/">PGP Inc.</A> (part of NAI) for 
 commercial versions</LI>
<LI><A href="http://web.mit.edu/network/pgp.html">MIT</A> distributes 
 the NAI product for non-commercial use</LI>
<LI><A href="http://www.pgpi.org/">international</A> distribution  site</LI>
<LI><A href="http://gnupg.org">GNU Privacy Guard (GPG)</A></LI>
<LI><A href="http://www.dk.pgp.net/pgpnet/pgp-faq/">PGP FAQ</A></LI>
</UL>
 A message in our mailing list archive has considerable detail on <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00029.html">
 available versions</A> of PGP and on IPSEC support in them. </LI>
<P><STRONG> Note:</STRONG> A fairly nasty bug exists in all commercial 
PGP  versions from 5.5 through 6.5.3. If you have one of those, read 
the <A href="http://www.pgp.com/other/advisories/adk.asp"> security 
advisory</A> and <STRONG>upgrade now</STRONG>. </P>
<LI>SSH -- secure remote login 
<UL>
<LI><A href="www.ssh.fi">SSH Communications Security</A>, for the 
 original software. It is free for trial, academic and non-commercial 
 use.</LI>
<LI><A href="http://www.openssh.com/">Open SSH</A>, the Open BSD 
 team's free replacement</LI>
<LI><A href="http://www.freessh.org/">freessh.org</A>, links to free 
 implementations for many systems</LI>
<LI><A href="http://www.uni-karlsruhe.de/~ig25/ssh-faq">SSH  FAQ</A></LI>
<LI><A href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">Putty</A>
, an SSH client for Windows </LI>
</UL>
</LI>
<LI><A name="ssmail">ssmail -- sendmail patched to do <A href="carpediem">
opportunistic encryption</A>
<UL>
<LI><A href="http://www.home.aone.net.au/qualcomm/">web page</A> with 
 links to code and to a Usenix paper describing it, in PDF</LI>
</UL>
</A></LI>
<LI><A href="ftp://ftp.cert.org/pub/tools/cops">COPS</A> Computer 
Oracle  and Password System; tests a system for various weaknesses</LI>
<LI><A href="http://www.fish.com/~zen/satan/satan.html">SATAN</A>
 System  Administrators Tool for Analysing Networks</LI>
<LI><A href="http://www.insecure.org/nmap/">NMAP</A> Network Mapper</LI>
<LI><A href="http://ita.ee.lbl.gov/index.html">Internet Traffic  Archive</A>
, various tools to analyze network traffic, mostly scripts to  organise 
and format tcpdump(8) output for specific purposes</LI>
<LI><A href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse 
 Venema's page</A> with various tools</LI>
<LI><A href="ftp://ftp.cert.org/pub/tools/crack">Crack</A> password 
 cracker</LI>
<LI><A href="ftp://coast.cs.purdue.edu/pub/COAST/Tripwire">Tripwire</A>
 saves message digests of your system files. Re-calculate the digests 
and  compare to saved values to detect any file changes.</LI>
<LI><A href="http://all.net/dtk.html">Deception Toolkit</A>, a 
collection  of &quot;honeypot&quot; servers which emulate widely exploited 
weaknesses while  logging the attacks.</LI>
<LI><A href="http://www.openca.org/">Open CA</A> project to develop a 
 freely distributed <A href="glossary.html#CA">Certification Authority</A>
 for  building a open <A href="glossary.html#PKI">Public Key 
Infrastructure</A>.</LI>
<LI><A href="http://expert.cc.purdue.edu/~frantzen/">ISIC</A>, <STRONG>
 IP</STRONG><STRONG> s</STRONG>tack <STRONG>i</STRONG>ntegrity <STRONG>
 c</STRONG>hecker, generates legitmate and bogus packets &quot;to test  the 
stability of an IP Stack and its component stacks (TCP, UDP, ICMP  et. 
al.)&quot;</LI>
</UL>
<H3><A name="people">Links to home pages</A></H3>
<P> David Wagner at Berkeley provides a set of links to <A href="http://www.cs.berkeley.edu/~daw/people/crypto.html">
home pages</A> of cryptographers, cypherpunks and computer security 
people.</P>
<HR>
<A HREF="toc.html">Contents</a>
<A HREF="mail.html">Previous</a>
<A HREF="glossary.html">Next</a>
</BODY>
</HTML>