<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<TITLE> Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<H1><A name="weblink">Web links</A></H1>
<H2><A name="freeswan">The Linux FreeS/WAN Project</A></H2>
<P>The main project web site is <A href="http://www.freeswan.org/">
www.freeswan.org</A>.</P>
<P>Links to other project-related <A href="intro.html#webdocs">sites</A>
are provided in our introduction section.</P>
<H3><A name="patch">Add-ons and patches for FreeS/WAN</A></H3>
<P> Some user-contributed patches have been integrated into the
FreeS/WAN distribution. For a variety of reasons, those listed below
<P>Patches believed current at time of writing (March 2001, just before
<LI><A href="http://www.zengl.net/freeswan/download/">patches and
utilities</A> for using FreeS/WAN with PGPnet</LI>
<LI>patches for <A href="http://www.strongsec.com/freeswan/">X.509
certificate support</A>, also available from a <A href="http://www.twi.ch/~sna/strongsec/freeswan/">
<LI>a <A href="http://tzukanov.narod.ru/">series</A> of patches that
<LI>provide GOST, a Russian gov't. standard cipher, in MMX assembler </LI>
<LI>add GOST to OpenSSL </LI>
<LI>add GOST to the International kernel patch </LI>
<LI>let FreeS/WAN use International kernel patch ciphers </LI>
<LI><A href="http://www.ipv6.iabg.de/downloadframe/index.html">IPv6
<P> Before using these, check the <A href="mail.html">mailing list</A>
for news of newer versions and to see whether they have been
incorporated into more recent versions of FreeS/WAN.</P>
<P><STRONG> Note:</STRONG> At one point the way PGP generates RSA keys
and the way FreeS/WAN checks them for validity before using them were
slightly different, so quite a few PGP-generated keys would be rejected
by FreeS/WAN, confusing users no end. This is fixed in 1.9. </P>
<P> A set of PKIX patches were recently announced on the mailing list:</P>
Subject: a different PKIX patch.
From: Luc Lanthier &lt;firesoul@netwinder.org&gt;
I'd like to invite volunteers to use the now-complete PKIX project I've
been working on since about August. Because of this, the patch is for
FreeSWAN 1.5, not 1.8... I haven't really felt the need to update it since
I don't use IPV6 nor DNSSec.
This is similar, but different than Andreas Steffen's pkix
implementation. I've based this work on Neil Dunbar's openssl-pkix patch
for FreeSWAN 1.1. I've updated it to run on FreeSWAN 1.5 correctly, and
added support for ID_DER_ASN1_DN ID packet support. It will do LDAP
certificate lookups no problem, as well as local flatfile, directory, or
DB lookup for testing or speed.
IE: It's a full CA-compatible client, capable of looking up, checking the
CRL for expiry and such. It will not only do the classic PSK and RSASIG
freeswan methods just fine, but also does PKIX's RSASIG, PKE and
RPKE. I've spent a lot of time adding RoadWarrior support for these last
The patch can be found as:
ftp://ftp.netwinder.org/users/f/firesoul/freeswan-1.5-pkix_13.patch
There are also freeswan-1.5 - kernel 2.4 patches for those who need them.
Let me know. Feedback is appreciated.
<P> Older patches:</P>
<LI>Neil Dunbar's patches for <A href="ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz">
certificate support</A>, using code from <A href="www.openssl.com">
<LI><A href="ftp://ftp.heise.de/pub/ct/listings/9916-180.tgz">patches</A>
to add <A href="glossary.html#blowfish">Blowfish</A>, <A href="glossary.html#IDEA">
IDEA</A> and <A href="glossary.html#CAST128">CAST-128</A> to FreeS/WAN</LI>
<LI><A href="http://www.cendio.se/~bellman/aggressive-pluto.snap.tar.gz">
patches</A> for aggressive mode support </LI>
<P> These patches are for older versions of FreeS/WAN and will likely
not work with the current version. Older versions of FreeS/WAN may be
available on some of the <A href="intro.html#site">distribution sites</A>
, but we recommend using the current release.</P>
<H4><A name="VPN.masq">VPN masquerade patches</A></H4>
Finally, there are some patches to other code that may be useful with
<LI>a <A href="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">
patch</A> to make IPSEC, PPTP and SSH VPNs work through a Linux
firewall with <A href="glossary.html#masq">IP masquerade</A>. </LI>
<LI><A href="http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html">
Linux VPN Masquerade HOWTO</A></LI>
Note that this is not required if the same machine does IPSEC and
masquerading, only if you want to locate your IPSEC gateway on a
masqueraded network. See our <A href="firewall.html#NAT">firewalls</A>
document for discussion of why this is problematic.
<P> At last report, this patch could not co-exist with FreeS/WAN on the
<H3><A name="dist">Distributions including FreeS/WAN</A></H3>
<P>The introductory section of our document set lists several <A href="intro.html#distwith">
Linux distributions</A> which include FreeS/WAN.</P>
<H3><A name="used">Things FreeS/WAN uses or could use</A></H3>
<LI><A href="http://openpgp.net/random">/dev/random</A> support page,
discussion of and code for the Linux <A href="glossary.html#random">
random number driver</A>. Out-of-date when we last checked (January
2000), but still useful.</LI>
<LI>other programs related to random numbers:
<LI><A href="http://www.mindrot.org/code/audio-entropyd.php3">audio
entropy daemon</A> to gather noise from a sound card and feed it into
<LI>an <A href="http://www.lothar.com/tech/crypto/">entropy-gathering
<LI>a driver for the random number generator in recent <A href="http://gtf.org/garzik/drivers/i810_rng/">
Intel chipsets</A></LI>
<LI>a Linux <A href="http://www.marko.net/l2tp/">L2TP Daemon</A> which
might be useful for communicating with Windows 2000 which builds L2TP
tunnels over its IPSEC connections</LI>
<LI><A href="http://www.bhconsult.com/packetspy/">packet spy</A>, a
packet sniffer whose author said in a Dec 1999 message "It's very
unfinished, especially the filter, but it can give you an ascii and
hex dump at the same time. I started it specifically for snooping a
FreeS/WAN installation."</LI>
<LI>to use opportunistic encryption, you need a recent version of <A href="glossary.html#BIND">
BIND</A>. Get one from the <A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">
FreeS/WAN site</A> or from the <A href="http://www.isc.org">Internet
Software Consortium</A> who maintain BIND. </LI>
<H3><A name="alternatives">Other approaches to VPNs for Linux</A></H3>
<LI>other Linux <A href="#linuxIPSEC">IPSEC implementations</A></LI>
<LI><A href="http://www.tik.ee.ethz.ch/~skip/">ENskip</A>, a free
implementation of Sun's <A href="glossary.html#SKIP">SKIP</A> protocol</LI>
<LI><A href="http://sunsite.auc.dk/vpnd/">vpnd</A>, a non-IPSEC VPN
daemon for Linux which creates tunnels using <A href="glossary.html#blowfish">
Blowfish</A> encryption</LI>
<LI><A href="http://www.winton.org.uk/zebedee/">Zebedee</A>, a simple
GPLd tunnel-building program with Linux and Win32 versions. The name
is from <STRONG> Z</STRONG>lib compression, <STRONG>B</STRONG>lowfish
encryption and <STRONG>D</STRONG>iffie-Hellman key exchange.</LI>
<LI>LinuxCare's <A href="http://www.strongcrypto.com/">VPS (Virtual
Private Server)</A> which builds tunnels using <A href="glossary.html#SSH">
<LI>Moreton Bay's <A href="http://www.moretonbay.com/vpn/pptp.html">
PoPToP</A>, PPTP for Linux</LI>
<LI><A href="http://sites.inka.de/sites/bigred/devel/cipe.html">CIPE</A>
(crypto IP routers) project, using their own lightweight protocol to
encrypt between routers</LI>
<LI><A href="http://vtun.netpedia.net/">vtun</A> "virtual tunnels",
<LI><A href="http://tinc.nl.linux.org/">tinc</A>, a VPN Daemon</LI>
<P> There is a list of <A href="http://www.securityportal.com/lskb/10000000/kben10000005.html">
Linux VPN</A> software in the <A href="http://www.securityportal.com/lskb/kben00000001.html">
Linux Security Knowledge Base</A>. </P>
<H2><A name="ipsec.link">The IPSEC Protocols</A></H2>
<H3><A name="general">General IPSEC or VPN information</A></H3>
<LI>The <A href="http://www.vpnc.org">VPN Consortium</A> is a group for
vendors of IPSEC products. Among other things, they have a good
collection of <A href="http://www.vpnc.org/white-papers.html">IPSEC
white papers</A>.</LI>
<LI>A VPN mailing list with a <A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
home page</A>, a FAQ, some product comparisons, and many links.</LI>
<LI>A list of <A href="http://www.cs.umass.edu/~lmccarth/ipsec.html">
IPSEC links</A> from Lewis McCarthy at U Mass.</LI>
<LI><A href="http://www.opus1.com/vpn/index.html">VPN pointer page</A></LI>
<LI>a <A href="http://www.epm.ornl.gov/~dunigan/vpn.html">collection</A>
of VPN links, and some explanation </LI>
<H3><A name="overview">IPSEC overview documents or slide sets</A></H3>
<LI>the FreeS/WAN <A href="ipsec.html">document section</A> on these
<LI>A good <A href="http://www.data.com/tutorials/bullet.html">
introductory article </A> with links to several articles on related
<LI><A href="http://www.ipsec.com/ipsectech.html">SSH Communications
<LI>Timestep Corporation's tutorial: go to their <A href="http://www.timestep.com">
web site</A>, then follow the "VPN Overview" link</LI>
<H3><A name="otherlang">IPSEC information in languages other than
<LI><A href="http://www.imib.med.tu-dresden.de/imib/Internet/Literatur/ipsec-docu.html">
<LI><A href="http://www.kame.net/index-j.html">Japanese</A></LI>
<H3><A name="RFCs1">RFCs and other reference documents</A></H3>
<LI><A href="rfc.html">Our document</A> listing the RFCs relevant to
Linux FreeS/WAN and giving various ways of obtaining both RFCs and
Internet Drafts.</LI>
<LI><A href="http://www.vpnc.org/ipsec-standards.html">IPSEC standards</A>
page maintained by <A href="glossary.html#VPNC">VPNC</A>. This covers
both RFCs and Drafts, and classifies them in a fairly helpful way.</LI>
<LI><A href="http://www.rfc-editor.org">RFC archive</A></LI>
<LI><A href="http://www.ietf.org/ids.by.wg/ipsec.html">Internet Drafts</A>
related to IPSEC</LI>
<LI>US government <A href="http://www.itl.nist.gov/div897/pubs"> site</A>
with their <A href="glossary.html#FIPS">FIPS</A> standards</LI>
<LI>Archives of the ipsec@tis.com mailing list where discussion of
<LI><A href="http://www.sandelman.ottawa.on.ca/ipsec">Eastern Canada</A>
<LI><A href="http://www.vpnc.org/ietf-ipsec">California</A>.</LI>
<H3><A name="analysis">Analysis and critiques of IPSEC protocols</A></H3>
<LI>Counterpane's <A href="http://www.counterpane.com/ipsec.pdf">
evaluation</A> of the protocols</LI>
<LI>Simpson's <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html">
IKE Considered Dangerous</A> paper. Note that this is a link to an
archive of our mailing list. There are several replies in addition to
the paper itself.</LI>
<LI>Bellovin's <A href="http://www.research.att.com/~smb/papers/index.html">
papers</A> page including his:
<LI>Security Problems in the TCP/IP Protocol Suite (1989)</LI>
<LI>Problem Areas for the IP Security Protocols (1996)</LI>
<LI>Probable Plaintext Cryptanalysis of the IP Security Protocols
<LI>Catherine Meadows of NRL applied the NRL Protocol Analyzer to IKE.
Her paper is available in <A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.pdf">
PDF</A> or <A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.ps">
<LI>An <A href="http://www.lounge.org/ike_doi_errata.html">errata list</A>
for the IPSEC RFCs.</LI>
<H3><A name="IP.background">Background information on IP</A></H3>
<LI>An introduction to <A href="http://www.3com.com/nsc/501302.html">IP
addressing</A> from 3Com</LI>
<LI>An <A href="http://ipprimer.windsorcs.com/">IP tutorial</A> that
seems to be written mainly for Netware or Microsoft LAN admins
entering a new world</LI>
<LI><A href="http://www.iana.org">IANA</A>, Internet Assigned Numbers
<LI><A href="http://public.pacbell.net/dedicated/cidr.html">CIDR</A>,
Classless Inter-Domain Routing</LI>
<LI>Also see our <A href="biblio.html">bibliography</A></LI>
<H2><A name="implement">IPSEC Implementations</A></H2>
<H3><A name="linuxprod">Linux products</A></H3>
<P> Vendors using FreeS/WAN in turnkey firewall or VPN products are
listed in our <A href="intro.html#turnkey">introduction</A>.</P>
<P>Other vendors have Linux IPSEC products which, as far as we know, do
not use FreeS/WAN</P>
<LI><A href="http://www.redcreek.com/products/shareware.html">Redcreek</A>
provide an open source Linux driver for their PCI hardware VPN card.
This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more
specialised crypto chips, and claimed encryption performance of 45
Mbit/sec. The PC sees it as an Ethernet board.</LI>
<LI><A href="http://linuxtoday.com/stories/8428.html?nn">Paktronix</A>
offer a Linux-based VPN with hardware encryption </LI>
<LI>According to a report on our mailing list, <A href="http://www.watchguard.com/">
Watchguard</A> use Linux in their Firebox product.</LI>
<LI><A href="http://www.entrust.com">Entrust</A> offer a developers'
toolkit for using their <A href="glossary.html#PKI">PKI</A> for IPSEC
<LI>According to a report on our mailing list, <A href="www.axent.com">
Axent</A> have a Linux version of their product. </LI>
<H3><A name="router">IPSEC in router products</A></H3>
<P> All the major router vendors support IPSEC, at least in some models.</P>
<LI><A href="http://www.cisco.com/warp/public/707/16.html">Cisco</A>
IPSEC information</LI>
<LI><A href="http://www.ascend.com/">Ascend</A>, now part of Lucent,
have some IPSEC-based products</LI>
<LI><A href="http://www.nortelnetworks.com/">Bay Networks</A>, now part
of Nortel, use IPSEC in their Contivity switch product line</LI>
<LI><A href="http://www.3com.com/products/enterprise.html">3Com</A>
have a number of VPN products, some using IPSEC</LI>
<H3><A name="fw.web">IPSEC in firewall products</A></H3>
Many firewall vendors offer IPSEC, either as a standard part of their
product, or an optional extra. A few we know about are:
<LI><A href="http://www.borderware.com/">Borderware</A></LI>
<LI><A href="http://www.ashleylaurent.com/vpn/ipsec_vpn.htm">Ashley
<LI><A href="http://www.watchguard.com">Watchguard</A></LI>
<LI><A href="http://www.fx.dk/firewall/ipsec.html">Injoy</A> for OS/2 </LI>
<P> Vendors using FreeS/WAN in turnkey firewall products are listed in
our <A href="turnkey">introduction</A>.</P>
<H3><A name="ipsecos">Operating systems with IPSEC support</A></H3>
<P>All the major open source operating systems support IPSEC. See below
for details on <A href="#BSD">BSD-derived</A> Unix variants.</P>
<P>Among commercial OS vendors, IPSEC players include:</P>
<LI><A href="http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/msdn_ip_security.htm">
Microsoft</A> have put IPSEC in their Windows 2000 products</LI>
<LI>Apple's <A href="http://www.appleinsider.com/macosx.shtml">Mac OS X</A>
has IPSEC support built in</LI>
<LI><A href="http://www.s390.ibm.com/stories/1999/os390v2r8_pr.html">IBM</A>
announce a release of OS390 with IPSEC support via a crypto
<LI><A href="http://www.sun.com/solaris/ds/ds-security/ds-security.pdf">
Sun</A> include IPSEC in Solaris 8</LI>
<LI><A href="http://www.hp.com/security/products/extranet-security.html">
Hewlett Packard</A> offer IPSEC for their Unix machines</LI>
<H3><A name="opensource">Open source IPSEC implementations</A></H3>
<H4><A name="linuxIPSEC">Other Linux IPSEC implementations</A></H4>
<P>We like to think of FreeS/WAN as <EM>the</EM> Linux IPSEC
implementation, but it is not the only one. Others we know of are:</P>
<LI><A href="http://www.enst.fr/~beyssac/pipsec/">pipsecd</A>, a
lightweight implementation of IPSEC for Linux. Does not require kernel
<LI>Petr Novak's <A href="ftp://ftp.eunet.cz/icz/ipnsec/">ipnsec</A>,
based on the OpenBSD IPSEC code and using <A href="glossary.html#photuris">
Photuris</A> for key management</LI>
<LI>A now defunct project at <A href="http://www.cs.arizona.edu/security/hpcc-blue/linux.html">
U of Arizona</A> (export controlled)</LI>
<LI><A href="http://snad.ncsl.nist.gov/cerberus">NIST Cerberus</A>
(export controlled)</LI>
<H4><A name="BSD">IPSEC for BSD Unix</A></H4>
<LI><A href="http://www.kame.net/project-overview.html">KAME</A>,
several large Japanese companies co-operating on IPv6 and IPSEC</LI>
<LI><A href="http://web.mit.edu/network/isakmp">US Naval Research Lab</A>
implementation of IPv6 and of IPSEC for IPv4 (export controlled)</LI>
<LI><A href="http://www.openbsd.org/crypto">OpenBSD</A> includes IPSEC
as a standard part of the distribution</LI>
<LI><A href="http://www.r4k.net/ipsec">IPSEC for FreeBSD</A></LI>
<LI>a <A href="http://www.netbsd.org/Documentation/network/ipsec/">FAQ</A>
on NetBSD's IPSEC implementation</LI>
<H4><A name="misc">IPSEC for other systems</A></H4>
<LI><A href="http://www.tcm.hut.fi/Tutkimus/IPSEC/">Helsinki U of
Technology</A> have implemented IPSEC for Solaris, Java and Macintosh</LI>
<H3><A name="interop">Interoperability</A></H3>
<P> The IPSEC protocols are designed so that different implementations
should be able to work together. As they say "the devil is in the
details". IPSEC has a lot of details, but considerable success has been
<H4><A name="result">Interoperability results</A></H4>
<P> Linux FreeS/WAN has been tested for interoperability with many
other IPSEC implementations. Results to date are in our <A href="interop.html">
interoperability</A> section.</P>
<P>Various other sites have information on interoperability between
various IPSEC implementations:</P>
<LI><A href="http://www.opus1.com/vpn/atl99display.html">interop
results</A> from a bakeoff in Atlanta, September 1999.</LI>
<LI>a French company, HSC's, <A href="http://www.hsc.fr/ressources/presentations/ipsec99/index.html.en">
interoperability</A> test data covers FreeS/WAN, Open BSD, KAME, Linux
pipsecd, Checkpoint, Red Creek Ravlin, and Cisco IOS</LI>
<LI><A href="http://www.icsa.net/">ICSA</A> offer certification
programs for various security-related products. See their list of <A href="http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml">
certified IPSEC</A> products. Linux FreeS/WAN is not currently on that
list, but several products with which we interoperate are.</LI>
<LI>VPNC have a page on why they are not yet doing <A href="http://www.vpnc.org/interop.html">
interoperability</A> testing and a page on the <A href="http://www.vpnc.org/conformance.html">
spec conformance</A> testing that they are doing</LI>
<LI>a <A href="http://www.commweb.com/article/COM20000912S0009">review</A>
comparing a dozen commercial IPSEC implementations. Unfortunately, the
reviewers did not look at Open Source implementations such as
FreeS/WAN or OpenBSD.</LI>
<LI><A href="http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html">
results</A> from interoperability tests at a conference. FreeS/WAN was
not tested there.</LI>
<LI>test results from the <A href="http://www.hsc.fr/ressources/veille/ipsec/ipsec2000/">
IPSEC 2000</A> conference </LI>
<H4><A name="test1">Interoperability test sites</A></H4>
<LI><A href="http://www.tahi.org/">TAHI</A>, a Japanese IPv6 testing
project with free IPSEC validation software </LI>
<LI><A href="http://ipsec-wit.antd.nist.gov">National Institute of
Standards and Technology</A></LI>
<LI><A href="http://www.rsa.com/rsa/SWAN/swan_test1.html">RSA Data
<LI><A href="http://isakmp-test.ssh.fi/">SSH Communications Security</A>
<LI><A href="http://www2.internetdevices.com/arch-lab/interop-testing">
Internet Devices</A></LI>
<H2><A name="linux.link">Linux links</A></H2>
<H3><A name="linux.basic">Basic and tutorial Linux information</A></H3>
<LI>Linux <A href="http://linuxcentral.com/linux/LDP/LDP/gs/gs.html">
Getting Started</A> HOWTO document</LI>
<LI>A getting started guide from the <A href="http://darkwing.uoregon.edu/~cchome/linuxgettingstarted.html">
<LI>A large <A href="http://www.herring.org/techie.html">link
collection</A> which includes a lot of introductory and tutorial
material on Unix, Linux, the net, . . .</LI>
<H3><A name="general">General Linux sites</A></H3>
<LI><A href="http://members.aa.net/~swear/pedia/index.html">Gary's
Encyclopedia</A>, several thousand Linux links, over 100 categories</LI>
<LI><A href="http://www.freshmeat.net">Freshmeat</A> Linux news</LI>
<LI><A href="http://slashdot.org">Slashdot</A> "News for Nerds"</LI>
<LI><A href="http://www.linux.org">Linux Online</A></LI>
<LI><A href="http://www.linuxhq.com">Linux HQ</A></LI>
<LI><A href="http://www.tux.org">tux.org</A></LI>
<H3><A name="docs1">Documentation</A></H3>
<LI><A href="http://metalab.unc.edu/LDP">Linux Documentation Project</A>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/META-FAQ.html">Meta-FAQ</A>
guide to Linux information sources</LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/HOWTO-INDEX-3.html">Index
of HOWTO documents</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
Security HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html">
Networking Overview HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/NET-3-HOWTO.html">Net 3
<LI><A href="http://metalab.unc.edu/LDP/LDP/sag/node1.html">System
Administrator's Guide</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/LDP/nag/node1.html">Network
Administrator's Guide</A></LI>
<LI><A href="www.oswg.org">Open Source Writers' Group</A>, cover the
BSD derivatives as well as Linux
<LI><A href="http://www.oswg.org/oswg/query/osdi">document index</A></LI>
<LI>some good <A href="">essays</A> on open source ideas</LI>
<LI>Tucows <A href="">Linux HowTo collection</A>, mostly a mirror of
<H3><A name="advroute.web">Advanced routing</A></H3>
<P>The Linux IP stack is getting some new features in 2.4 kernels. Most
are already available as experimental code in 2.3 kernels. Some HowTos
have been written:</P>
<LI>several HowTos for the <A href="http://netfilter.kernelnotes.org/unreliable-guides/index.html">
netfilter</A> firewall code in newer kernels</LI>
<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4networking.html">
2.4 networking</A> HowTo</LI>
<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4routing.html">
2.4 routing</A> HowTo</LI>
<H3><A name="linsec">Security for Linux</A></H3>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
Security HOWTO</A></LI>
<LI>Linux Security <A href="http://www.securityportal.com/lskb/kben00000001.html">
Knowledge Base</A></LI>
<LI><A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
Trinity OS guide to setting up Linux</A></LI>
<LI><A href="https://www.seifried.org/lasg/">Linux Administrator's
Security Guide</A></LI>
<LI><A href="http://www.ecst.csuchico.edu/~jtmurphy/">Linux security</A>
<LI><A href="http://www.deter.com/unix">Unix security</A> page</LI>
<LI><A href="http://linux01.gwdg.de/~alatham/">PPDD</A> encrypting
<LI><A href="http://fachschaft.physik.uni-bielefeld.de/leute/marc/Encryption-HOWTO/">
Linux Encryption HowTo</A> This does not cover FreeS/WAN (or didn't
when I last checked, April 2000), only gives a pointer to our web
site, but does have some good information on other things.</LI>
<H3><A name="firewall.linux">Linux firewalls</A></H3>
<LI><A href="http://rlz.ne.mediaone.net/linux">Linux Firewall page</A></LI>
<LI><A href="http://ipmasq.cjb.net/">IP Masquerade resource page</A></LI>
<LI><A href="http://www.rustcorp.com/linux/ipchains">IP chains</A>, the
firewall code in 2.2 kernels.</LI>
<LI><A href="http://netfilter.kernelnotes.org/unreliable-guides/index.html">
netfilter</A> firewall code in kernels from 2.3.15 on</LI>
<LI>Our list of general <A href="firewall.html#firewall">firewall
references</A> on the web</LI>
<LI><A href="http://users.dhp.com/~whisper/mason/">Mason</A>, a tool
for automatically configuring Linux firewalls</LI>
<LI><A href="http://seawall.sourceforge.net/">Seattle Firewall</A>
tools for building a firewall using ipchains and FreeS/WAN </LI>
<LI>the web cache software <A href="http://www.squid-cache.org/">squid</A>
and <A href="http://www.squidguard.org/">squidguard</A> which turns
Squid into a filtering web proxy</LI>
<H3><A name="linux.misc">Miscellaneous Linux information</A></H3>
<LI><A href="http://lwn.net/current/dists.php3">List of Linux
distribution vendors</A></LI>
<LI>FAQ for the <A href="http://www.miscellaneous.net/linux/linux-admin-FAQ/linux-admin-FAQ-1.html">
Linux administration</A> mailing list</LI>
<LI>A web page about PPTP for Linux with a list of other <A href="http://www.moretonbay.com/vpn/pptp.html">
Linux VPN</A> software</LI>
<H2><A name="crypto.link">Crypto and security links</A></H2>
<H3><A name="security">Crypto and security resources</A></H3>
<H4><A name="std.links">The standard link collections</A></H4>
<P>Two enormous collections of links, each the standard reference in
<DT>Gene Spafford's <A href="http://www.cerias.purdue.edu/coast/hotlist/">
COAST hotlist</A></DT>
<DD>Computer and network security.</DD>
<DT>Peter Gutmann's <A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">
Encryption and Security-related Resources</A></DT>
<DD>Cryptography.</DD>
<H4><A name="FAQ">Frequently Asked Question (FAQ) documents</A></H4>
<LI><A href="http://www.faqs.org/faqs/cryptography-faq/">Cryptography
<LI><A href="http://www.interhack.net/pubs/fwfaq">Firewall FAQ</A></LI>
<LI>A FAQ listing computer security <A href="">mailing lists</A></LI>
<LI><A href="http://www.whitefang.com/sup/secure-faq.html">Secure Unix
Programming FAQ</A></LI>
<LI>FAQs for specific programs are listed in the <A href="#tools">tools</A>
<H4><A name="cryptover">Tutorials</A></H4>
<LI>Gary Kessler's <A href="http://www.garykessler.net/library/crypto.html">
Overview of Cryptography</A></LI>
<LI>Terry Ritter's <A href="http://www.io.com/~ritter/LEARNING.HTM">
introduction</A></LI>
<LI>Kurt Seifried's online <A href="http://www.securityportal.com/research/cryptodocs/basic-book/">
introductory book</A></LI>
<LI>Peter Gutmann's <A href="http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html">
cryptography</A> tutorial (500 slides in PDF format)</LI>
<LI>Amir Herzberg of IBM's slides for his course <A href="http://www.hrl.il.ibm.com/mpay/course.html">
Introduction to Cryptography and Electronic Commerce</A></LI>
<LI>the <A href="http://www.gnupg.org/gph/en/manual/c173.html">concepts
section</A> of the <A href="glossary.html#GPG">GNU Privacy Guard</A>
<LI>Bruce Schneier's self-study <A href="http://www.counterpane.com/self-study.html">
cryptanalysis</A> course</LI>
<P>See also the <A href="#interesting">interesting papers</A> section
<H4><A name="standards">Crypto and security standards</A></H4>
<LI><A href="http://csrc.nist.gov/cc">Common Criteria</A>, new
international computer and network security standards to replace the
"Rainbow" series</LI>
<LI>AES <A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
Advanced Encryption Standard </A> which will replace DES</LI>
<LI><A href="http://grouper.ieee.org/groups/1363">IEEE P-1363 public
key standard</A></LI>
<LI>our collection of links for the <A href="#ipsec.link">IPSEC</A>
<LI>history of <A href="http://www.visi.com/crypto/evalhist/index.html">
formal evaluation</A> of security policies and implementation</LI>
<H3><A name="policy">Cryptography law and policy</A></H3>
<H4><A name="legal">Surveys of crypto law</A></H4>
<LI>International survey of <A href="http://cwis.kub.nl/~FRW/PEOPLE/koops/lawsurvy.htm">
<LI>International survey of <A href="http://rechten.kub.nl/simone/ds-lawsu.htm">
digital signature law</A></LI>
<H4><A name="oppose">Organisations opposing crypto restrictions</A></H4>
<LI>The <A href="glossary.html#EFF">EFF</A>'s archives on <A href="http://www.eff.org/pub/Privacy/">
privacy</A> and <A href="http://www.eff.org/pub/Privacy/ITAR_export/">
export control</A>.</LI>
<LI><A href="www.gilc.org">Global Internet Liberty Campaign</A></LI>
<LI><A href="http://www.cdt.org/crypto">Center for Democracy and
<LI><A href="http://www.privacyinternational.org/">Privacy
International</A>, who give out <A href="http://www.bigbrotherawards.org/">
Big Brother Awards</A> to snoopy organisations</LI>
<H4><A name="other.policy">Other information on crypto policy</A></H4>
<LI><A href="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1984.txt">
RFC 1984</A>, the <A href="glossary.html#IAB">IAB</A> and <A href="glossary.html#IESG">
IESG</A> Statement on Cryptographic Technology and the Internet.</LI>
<LI>John Young's collection of <A href="http://jya.com/crypto.htm">
documents</A> of interest to the cryptography, open government and
privacy movements, organized chronologically</LI>
<LI>Encryption, Privacy and Security <A href="http://www.crypto.com">
Resource Page</A> with a mainly US focus</LI>
<LI><A href="ftp://ftp.cygnus.com/pub/export/export.html">Cryptography
Export Control Archive</A>, mainly links to court and government
documents on various challenges to US law</LI>
<LI>A good <A href="http://cryptome.org/crypto97-ne.htm">overview</A>
of the issues from Australia.</LI>
<P>See also our documentation section on the <A href="politics.html">
history and politics</A> of cryptography.</P>
613 <H3><A name="crypto.tech">Cryptography technical information</A></H3>
614 <H4><A name="cryptolinks">Collections of crypto links</A></H4>
616 <LI><A href="http://www.counterpane.com/hotlist.html">Counterpane</A></LI>
617 <LI><A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Peter
618 Gutman's links</A></LI>
619 <LI><A href="http://home.cyber.ee/helger/crypto/">Helger Lipmaa's links</A>
621 <LI><A href="http://www.pca.dfn.de/eng/team/ske/pem-dok.html">PKI links</A>
623 <LI><A href="http://crypto.yashy.com/www/">Robert Guerra's links</A></LI>
625 <H4><A name="papers">Lists of online cryptography papers</A></H4>
627 <LI><A href="http://www.counterpane.com/biblio">Counterpane</A></LI>
628 <LI><A href="http://www.cryptography.com/resources/papers">
629 cryptography.com</A></LI>
630 <LI><A href="http://www.cryptosoft.com/html/secpub.htm">Cryptosoft</A></LI>
632 <H4><A name="interesting">Particularly interesting papers</A></H4>
633 <P>These papers emphasize important issues around the use of
634 cryptography, and the design and management of secure systems.</P>
636 <LI><A href="http://www.counterpane.com/keylength.html">Key length
637 requirements for security</A></LI>
638 <LI><A href="http://www.cl.cam.ac.uk/users/rja14/wcf.html">Why
639 Cryptosystems Fail</A></LI>
640 <LI><A href="http://www.cdt.org/crypto/risks98/">Risks of escrowed
642 <LI><A href="http://www.counterpane.com/pitfalls.html">Security
643 pitfalls in cryptography</A></LI>
644 <LI><A href="http://www.acm.org/classics/sep95">Reflections on Trusting
645 Trust</A>, Ken Thompson on Trojan horse design</LI>
646 <LI><A href="http://www.apache-ssl.org/disclosure.pdf">Security against
647 Compelled Disclosure</A>, how to maintain privacy in the face of legal
648 or other coercion </LI>
650 <H3><A name="compsec">Computer and network security</A></H3>
651 <H4><A name="seclink">Security links</A></H4>
653 <LI><A href="http://www.cs.purdue.edu/coast/hotlist">COAST Hotlist</A></LI>
654 <LI>DMOZ open directory project <A href="http://dmoz.org/Computers/Security/">
655 computer security</A> links</LI>
656 <LI><A href="http://www.telstra.com.au/info/security.html">Telstra</A></LI>
657 <LI><A href="http://www-cse.ucsd.edu/users/bsy/sec.html">Bennet Yee</A></LI>
658 <LI><A href="http://www.excelmail.com">Email Security and PKI Documents</A>
660 <LI><A href="http://www.opensec.net/">Open SEC</A>, a link farm full of
661 links to freely available security tools</LI>
662 <LI>Mike Fuhr's <A href="http://www.fuhr.org/~mfuhr/computers/security.html">
663 link collection</A></LI>
664 <LI><A href="http://www.networkintrusion.co.uk/">links</A> with an
665 emphasis on intrusion detection </LI>
667 <H4><A name="firewall3">Firewall links</A></H4>
669 <LI><A href="http://www.cs.purdue.edu/coast/firewalls">COAST firewalls</A>
671 <LI><A href="http://www.zeuros.co.uk">Firewalls Resource page</A></LI>
672 <LI><A href="http://www.digital.de/~jmh/fw-stuff.html">Firewall info
674 <LI><A href="http://www.idx.com.au/~amilev/Firewalls1.htm">Ami
677 <H4><A name="vpn">VPN links</A></H4>
679 <LI><A href="http://www.vpnc.org">VPN Consortium</A></LI>
680 <LI>First VPN's <A href="http://www.firstvpn.com/research/rhome.html">
681 white paper</A> collection</LI>
682 <LI>oddsites.com <A href="http://www.oddsites.com/vpn/">VPN links</A></LI>
684 <H4><A name="tools">Security tools</A></H4>
686 <LI><A href="http://www.opensec.net/">Open SEC</A>, a link farm full of
687 links to freely available security tools</LI>
688 <LI>PGP -- mail encryption
690 <LI><A href="http://www.pgp.com/">PGP Inc.</A> (part of NAI) for
691 commercial versions</LI>
692 <LI><A href="http://web.mit.edu/network/pgp.html">MIT</A> distributes
693 the NAI product for non-commercial use</LI>
694 <LI><A href="http://www.pgpi.org/">international</A> distribution site</LI>
695 <LI><A href="http://gnupg.org">GNU Privacy Guard (GPG)</A></LI>
696 <LI><A href="http://www.dk.pgp.net/pgpnet/pgp-faq/">PGP FAQ</A></LI>
698 A message in our mailing list archive has considerable detail on <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00029.html">
699 available versions</A> of PGP and on IPSEC support in them. </LI>
700 <P><STRONG> Note:</STRONG> A fairly nasty bug exists in all commercial
701 PGP versions from 5.5 through 6.5.3. If you have one of those, read
702 the <A href="http://www.pgp.com/other/advisories/adk.asp"> security
703 advisory</A> and <STRONG>upgrade now</STRONG>. </P>
704 <LI>SSH -- secure remote login
706 <LI><A href="www.ssh.fi">SSH Communications Security</A>, for the
707 original software. It is free for trial, academic and non-commercial
709 <LI><A href="http://www.openssh.com/">Open SSH</A>, the Open BSD
710 team's free replacement</LI>
711 <LI><A href="http://www.freessh.org/">freessh.org</A>, links to free
712 implementations for many systems</LI>
713 <LI><A href="http://www.uni-karlsruhe.de/~ig25/ssh-faq">SSH FAQ</A></LI>
714 <LI><A href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">Putty</A>
715 , an SSH client for Windows </LI>
718 <LI><A name="ssmail">ssmail -- sendmail patched to do <A href="carpediem">
719 opportunistic encryption</A>
721 <LI><A href="http://www.home.aone.net.au/qualcomm/">web page</A> with
722 links to code and to a Usenix paper describing it, in PDF</LI>
725 <LI><A href="ftp://ftp.cert.org/pub/tools/cops">COPS</A> Computer
726 Oracle and Password System; tests a system for various weaknesses</LI>
727 <LI><A href="http://www.fish.com/~zen/satan/satan.html">SATAN</A>
728 System Administrators Tool for Analysing Networks</LI>
729 <LI><A href="http://www.insecure.org/nmap/">NMAP</A> Network Mapper</LI>
730 <LI><A href="http://ita.ee.lbl.gov/index.html">Internet Traffic Archive</A>
731 , various tools to analyze network traffic, mostly scripts to organise
732 and format tcpdump(8) output for specific purposes</LI>
733 <LI><A href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse
734 Venema's page</A> with various tools</LI>
735 <LI><A href="ftp://ftp.cert.org/pub/tools/crack">Crack</A> password
737 <LI><A href="ftp://coast.cs.purdue.edu/pub/COAST/Tripwire">Tripwire</A>
738 saves message digests of your system files. Re-calculate the digests
739 and compare to saved values to detect any file changes.</LI>
740 <LI><A href="http://all.net/dtk.html">Deception Toolkit</A>, a
741 collection of "honeypot" servers which emulate widely exploited
742 weaknesses while logging the attacks.</LI>
743 <LI><A href="http://www.openca.org/">Open CA</A> project to develop a
744 freely distributed <A href="glossary.html#CA">Certification Authority</A>
745 for building an open <A href="glossary.html#PKI">Public Key
746 Infrastructure</A>.</LI>
747 <LI><A href="http://expert.cc.purdue.edu/~frantzen/">ISIC</A>, <STRONG>
748 IP</STRONG><STRONG> s</STRONG>tack <STRONG>i</STRONG>ntegrity <STRONG>
749 c</STRONG>hecker, generates legitimate and bogus packets "to test the
750 stability of an IP Stack and its component stacks (TCP, UDP, ICMP et.
753 <H3><A name="people">Links to home pages</A></H3>
754 <P> David Wagner at Berkeley provides a set of links to <A href="http://www.cs.berkeley.edu/~daw/people/crypto.html">
755 home pages</A> of cryptographers, cypherpunks and computer security