Re: Big VPN

2004-03-02 Thread Dariush Pietrzak
> FreeS/WAN is "orphaned" upstream. OpenSWAN is based on FreeS/WAN and as
> such it does not work with 2.6.
 That is untrue.
The 1.x branch works with 2.4.x kernels; the 2.x branch works with 2.6.x.
-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Big VPN

2004-03-02 Thread Dariush Pietrzak
> think an acceptable user-land alternative might be openvpn.  I would
 I don't think OpenVPN would easily handle such a large number of connections;
it would also be a configuration nightmare.
tinc was designed to handle such a scenario, but I wouldn't use anything
user-land for ~100 LANs, no matter how maintainable the configuration is.
 I guess the best bet is kernel 2.6.x and racoon-based key management.

Oh, and btw, if you're going to use FreeS/WAN, better look at
http://www.openswan.org, they've got the good code. (And it is backwards
compatible: if you've got a FreeS/WAN based network and want to upgrade to
2.4.25 you're out of luck with FreeS/WAN; they migrated to 2.x with the newer
kernel, and it means you need to upgrade your userland tools and probably
tune the configuration a bit. Openswan works nicely with upgrades.)

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9





Re: Big VPN

2004-03-02 Thread J.H.M. Dassen (Ray)
On Wed, Mar 03, 2004 at 01:25:46 +0100, Milan P. Stanic wrote:
> FreeS/WAN is "orphaned" upstream. OpenSWAN is based on FreeS/WAN and as
> such it does not work with 2.6.

"For Kernel's 2.6.0 and higher, Openswan uses the built in IPsec support.
Only the userland component of Openswan is required to use Openswan with a
2.6 series kernel. 
[...] 
Note: you will need setkey from the ipsec-tools package, available from
http://ipsec-tools.sourceforge.net";
(From http://www.openswan.org/code/openswan-2.1.0rc1.tar.gz's README)

The way I read it is that the userland part of Openswan works fine with 2.6,
it's just that with a 2.6 kernel its IPSec kernel part is used rather than
an Openswan or FreeS/WAN one as was the case with 2.4 (which didn't have an
IPSec kernel part by default).

Ray
-- 
Those who are willing to trade their liberty for security deserve neither.
Benjamin Franklin





Re: Big VPN

2004-03-02 Thread Jan Minar
On Wed, Mar 03, 2004 at 01:33:17AM +0100, I.R. van Dongen wrote:
> Jan Minar wrote:
> 
> >IMHO, the key words in Richard's posting are ``[not] enough expertise'',
> >and ``a track record''.  The idea that the [conceptual] flaws will be
> >fixed in The Next Release [TM], although quite common amongst the
> >people, is a mere instance of a proof by wishful thinking.  Clueless
> >authors will always produce crappy software, regardless of how long
> >they've been in the business.
> > 
> >
> It's not about releases, it's about auditing a product before the
> authors actually have made their minds up about where the product is
> going.

They made up their minds quite early.  They just did not have enough
expertise to implement it.  Now, are the supposed auditors going to
hand-hold the tinc people every time they add some more code?  If not, do
the tinc people have enough expertise to do it right, now?

> Tinc started out as an idea on using the tap device for something
> useful. It migrated to a pretty nice VPN solution.

One thing is fast prototyping, when I implement a phony MIC, for
example, and comment it as such; another thing is hotch-potch
coding, when I put pieces together just to look like a valid MIC.
AFAICT, the tinc people did the latter.  I tend to presume this coding
practice is still present with them.

Note that we are not talking about feature completeness, but that the
actual implementation of (alleged) general features, e.g. confidentiality
and authenticity, was flawed.

> Even Linus made some pretty bad coding errors when he started out with
> Linux; if you want to imply that when software, or a part of it, was
> once flawed, you shouldn't trust the author ever, you shouldn't use
> Linux at all.

The same goes for Linux.  Although it might have been a major leap from
2.2 to 2.4 and to 2.6, the overall experience is still the same: some
things work, some have problems that have to be tracked down and
repaired manually, some won't even compile. And I have to reboot from
time to time.  I presume this will be the case with 3.0, 3.2, 3.4, too.

The rule of thumb is that things just don't change.  Because a great
amount of the code doesn't change after initial testing, because the
authors' attitude seldom changes, because it would require incompatible
changes to the underlying protocols, etc.

FWIW, J.

-- 
``You know those mail clients:  MS Outlook, mail(1), or even telnet(1).
  All of them suck.  This one just sucks less.''






Re: Big VPN

2004-03-02 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> I'm personally in favour of an IPsec VPN using openbsd or linux 2.6.

For a distributed installation with up to 100 sites, I strongly recommend going
with a small SOHO router appliance. Because they are easy to replace with
UPS delivery, they are more robust than PC hardware, and have fewer
mechanical parts.

Depending on your topology, a simple commercial concentrator in the main
office may also be much better than implementing a Linux solution, as long
as you do not have reasonable experience. I think the OP made himself clear,
he has none.

There might be good reasons to go with an OpenBSD or Linux 2.6 IPSec installation;
in that case go for it. If you do not need the programmable features, and you
do not have experience in Linux networking and IPSec, save the money for endless
work hours to get it up and running.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/



Re: Big VPN

2004-03-02 Thread I.R. van Dongen
Jan Minar wrote:

> IMHO, the key words in Richard's posting are ``[not] enough expertise'',
> and ``a track record''.  The idea that the [conceptual] flaws will be
> fixed in The Next Release [TM], although quite common amongst the
> people, is a mere instance of a proof by wishful thinking.  Clueless
> authors will always produce crappy software, regardless of how long
> they've been in the business.

It's not about releases, it's about auditing a product before the
authors actually have made their minds up about where the product is
going. Tinc started out as an idea on using the tap device for something
useful. It migrated to a pretty nice VPN solution.
Even Linus made some pretty bad coding errors when he started out with
Linux; if you want to imply that when software, or a part of it, was
once flawed, you shouldn't trust the author ever, you shouldn't use
Linux at all.





Re: Big VPN

2004-03-02 Thread Milan P. Stanic
On Tue, Mar 02, 2004 at 03:37:52PM -0600, Jacques Normand wrote:
> On Tue, Mar 02, 2004 at 10:08:22PM +0100, J.H.M. Dassen (Ray) wrote:
> > If you're looking for a VPN solution, by all means look at FreeS/WAN (or its
> > likely successor, OpenSWAN). Just forget about OE. OE isn't about the type
> > of security you're looking for in a VPN.
> 
> And what about the ipsec system in the 2.6 kernel (KAME) and the racoon
> daemon for initial key exchange? It does the same work as freeswan but
> it is still developed.

FreeS/WAN is "orphaned" upstream. OpenSWAN is based on FreeS/WAN and as
such it does not work with 2.6.
I'm not sure, but I think that Herbert Xu (Debian kernel maintainer)
added patches to pluto (the FreeS/WAN IKE daemon) to work with IPSec in
the 2.6.x kernel.

Racoon has been in FreeBSD for a few years and is actively developed.



Re: Big VPN

2004-03-02 Thread Luca Filipozzi
On Wed, Mar 03, 2004 at 12:18:32AM +0100, I.R. van Dongen wrote:
> Richard Atterer wrote:
> >On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
> > >You might want to check tinc (http://tinc.nl.linux.org)
> > >   
> > >
> >
> >I strongly recommend *not* to use tinc. 
> > illustrates that the
> >authors didn't have enough expertise to build a secure tool 2 years ago.
> >The problems were still present last autumn, see
> >. What a track record!
> >
> >With VPN software, IPSec is the only real option if you want to be certain
> >it is secure.
> >
> Nice, the first article is based on an alpha version (pre-beta) of tinc,
> you didn't include the official answer.
> 
> This sounds a lot like FUD, are you the author of a competitive product?

What about the second link?  Perhaps you could have pointed us to TINC's
reply to Gutmann's (the second link) criticisms rather than simply
claiming this is FUD.

Unfortunately, I can only point to the Google cache of TINC's
response, since the machine (nl.linux.org) that hosts TINC's website has
been rooted.  Anyway, here's the Google cache of the response:

http://www.google.ca/search?q=cache:tinc.nl.linux.org/security

Gutmann's criticisms, slightly expanded over his original posting, can
be found here:

http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt

I'm personally in favour of an IPsec VPN using openbsd or linux 2.6.  I
think an acceptable user-land alternative might be openvpn.  I would
have to do more investigation of Gutmann's claims before feeling
comfortable with the other user-land alternatives: tinc, cipe or vtun.

Yours,

Luca

-- 
Luca Filipozzi
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D



Re: Big VPN

2004-03-02 Thread Jan Minar
On Wed, Mar 03, 2004 at 12:18:32AM +0100, I.R. van Dongen wrote:
> Richard Atterer wrote:
> 
> >On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
> > 
> >
> >>You might want to check tinc (http://tinc.nl.linux.org)
> >>   
> >>
> >
> >I strongly recommend *not* to use tinc. 
> > illustrates that the
> >authors didn't have enough expertise to build a secure tool 2 years ago.
> >The problems were still present last autumn, see
> >. What a track record!
> >
> >With VPN software, IPSec is the only real option if you want to be certain
> >it is secure.
> > 
> >
> Nice, the first article is based on an alpha version (pre-beta) of tinc,
> you didn't include the official answer.

IMHO, the key words in Richard's posting are ``[not] enough expertise'',
and ``a track record''.  The idea that the [conceptual] flaws will be
fixed in The Next Release [TM], although quite common amongst the
people, is a mere instance of a proof by wishful thinking.  Clueless
authors will always produce crappy software, regardless of how long
they've been in the business.

> This sounds a lot like FUD, are you the author of a competitive product?

Occasionally, I author thoughts and speeches that require the audience to
use their brain.  Does it count?

HAND.
Jan.

-- 
``You know those mail clients:  MS Outlook, mail(1), or even telnet(1).
  All of them suck.  This one just sucks less.''





Re: Big VPN

2004-03-02 Thread I.R. van Dongen

Richard Atterer wrote:

> On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
>
>> You might want to check tinc (http://tinc.nl.linux.org)
>
> I strongly recommend *not* to use tinc. 
>  illustrates that the
> authors didn't have enough expertise to build a secure tool 2 years ago.
> The problems were still present last autumn, see
> . What a track record!
>
> With VPN software, IPSec is the only real option if you want to be certain
> it is secure.

Nice, the first article is based on an alpha version (pre-beta) of tinc;
you didn't include the official answer.

This sounds a lot like FUD. Are you the author of a competitive product?

Gr,

Ivo

PS. cc: to tinc mailing list













Re: Big VPN

2004-03-02 Thread Richard Atterer
On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
> You might want to check tinc (http://tinc.nl.linux.org)

I strongly recommend *not* to use tinc. 
 illustrates that the
authors didn't have enough expertise to build a secure tool 2 years ago.
The problems were still present last autumn, see
. What a track record!

With VPN software, IPSec is the only real option if you want to be certain
it is secure.

> Jaroslaw Tabor wrote:
> >I'm looking for a good Linux (Debian of course) based solution for VPN
> >connecting about 100 LANs. The solution should be stable, easy for
> >implementation and easy for management. I've some experience with VPNs
> >based on PPTPd, but not so big.

PPTP is also believed not to be quite insecure, see
 (NB old!). A small number of people
believe it's OK these days due to some improvements made by Microsoft
, but I still wouldn't recommend
it.

Does each of these 100 LANs need to connect to *any* other LAN, or just to 
"your" LAN? Are the LANs real LANs or do you only want to connect single 
"road warrior" machines to "your" LAN?

> >I've reviewed FreeS/WAN and the OE feature. This looks nice, but I'm afraid
> >about security. If I understand this solution right there is no
> >authentication at all. So everyone can connect to the LANs if he
> >spoofs an IP.

I don't think it is the right thing for you, yes. Its main objective (in my 
eyes) is to protect "general" internet traffic from people who are not 
willing/able to do man-in-the-middle attacks, i.e. from people who just 
sniff on the wire. At least that's what it boils down to as long as no 
"secure DNS" is available...

> >I need something better, because I cannot trust to LAN users. To avoid
> >that, I have idea, to use some kind of secure DNS, which will answer
> >only to authorized peers, but I don't know how to do it.

What's wrong with IPSec with X.509 certificates? You can give out a signed
certificate to all people who should get access to your network, and remove 
individual people from the "allowed" list if necessary. IPSec works with 
all OSes as clients. The only downside (IMHO) is that the server can be 
fairly complex to set up for this kind of scenario.

Secure DNS doesn't exist today, does it?

> >Finally, the questions:
> >Did someone successfully build such a network? If yes, how?

Well, since I'm in the mood of handing out URLs today ;-), here are some
useful pages I found about IPSec setups involving both Linux and Windows
clients.

 - you've seen this already I guess :)

 - new kernel 2.6.0 IPSec




> >Is there any solution to easily manage keys in so big a network, if I
> >choose FreeS/WAN (or other) without OE?

100 VPN connections isn't /that/ much, I think FreeS/WAN or the 2.6.0 IPSec 
should be able to handle it. (Maybe ask the developers to ensure it does.)

> >PS: Sorry, for my poor English, I'm not a native speaker.
> me neither :)
Ditto. :-)

ü,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯





Re: Big VPN

2004-03-02 Thread Jacques Normand
On Tue, Mar 02, 2004 at 10:08:22PM +0100, J.H.M. Dassen (Ray) wrote:
> On Tue, Mar 02, 2004 at 21:41:34 +0100, Jaroslaw Tabor wrote:
> > I've reviewed freeswan and OE feauture. This looks nice, but I'm afraid
> > about security.
> 
> If you're looking for a VPN solution, by all means look at FreeS/WAN (or its
> likely successor, OpenSWAN). Just forget about OE. OE isn't about the type
> of security you're looking for in a VPN.

And what about the ipsec system in the 2.6 kernel (KAME) and the racoon
daemon for initial key exchange? It does the same work as freeswan but
it is still developed.

jacques





Re: Big VPN

2004-03-02 Thread J.H.M. Dassen (Ray)
On Tue, Mar 02, 2004 at 21:41:34 +0100, Jaroslaw Tabor wrote:
> I've reviewed FreeS/WAN and the OE feature. This looks nice, but I'm afraid
> about security.

If you're looking for a VPN solution, by all means look at FreeS/WAN (or its
likely successor, OpenSWAN). Just forget about OE. OE isn't about the type
of security you're looking for in a VPN.

> If I understand this solution right there is no authentication at all.

With OE that may be true. For a VPN you shouldn't configure OE, but use one
of the authentication methods in IPSec, like RSA digital signatures, or a
shared secret.

http://en.wikipedia.org/wiki/IPSEC provides a nice overview of IPSec.

HTH,
Ray
-- 
AJ: Geeez, Erwin. He wasn't even ARMED.
Erwin: I don't care. I have lots of ammo and he was wearing a TIE.
http://ars.userfriendly.org/cartoons/?id=20010209
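
The setup Ray and Richard describe in this thread (authenticating each peer by RSA signature over an X.509 certificate instead of relying on OE, with the ability to drop an individual peer from the "allowed" list), written out as an added example in the FreeS/WAN 2.x / Openswan 2.x ipsec.conf syntax. This is not configuration from the thread or from the Openswan project; the addresses (documentation ranges), subnets, certificate file names and DNs are constructed placeholders, and the CRL options and the no_oe.conf include path should be checked against the installed version:

```ini
# /etc/ipsec.conf (FreeS/WAN 2.x / Openswan 2.x syntax).  Added example, not
# from the thread.  Addresses, subnets, certificate names and DNs are
# constructed placeholders.

version 2.0

config setup
        interfaces=%defaultroute
        # Re-read CRLs every 10 minutes and refuse peers whose CRL cannot be
        # found, so a revoked branch certificate stops working everywhere
        # (the "remove from the allowed list" step Richard mentions).
        # Both options come from the X.509 support in Openswan 2.x.
        crlcheckinterval=600
        strictcrlpolicy=yes

# Keep OE out of the picture: FreeS/WAN 2.x ships this snippet to disable
# the opportunistic-encryption conns that are otherwise active by default
# (path as shipped by FreeS/WAN 2.x; verify on your installation).
include /etc/ipsec.d/examples/no_oe.conf

conn %default
        keyingtries=0
        # Peers authenticate with an RSA signature over their X.509
        # certificate: no pre-shared secret, no DNS-published keys as in OE.
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        # This gateway's own certificate (from /etc/ipsec.d/certs); the
        # issuing CA goes in /etc/ipsec.d/cacerts, CRLs in /etc/ipsec.d/crls.
        leftcert=hq-gw.pem
        leftid="C=XX, O=Example Corp, CN=hq-gw.example.net"
        left=192.0.2.1
        leftsubnet=10.0.0.0/24

# One conn per branch LAN.  A branch is accepted only if it presents a
# certificate signed by the configured CA whose subject matches rightid.
conn branch01
        right=198.51.100.7
        rightsubnet=10.1.0.0/24
        rightid="C=XX, O=Example Corp, CN=branch01-gw.example.net"
        auto=start

conn branch02
        right=203.0.113.22
        rightsubnet=10.2.0.0/24
        rightid="C=XX, O=Example Corp, CN=branch02-gw.example.net"
        auto=start
```

With ~100 LANs the per-branch conn sections are the only part that grows, and they can be generated from a table of branch address, subnet and certificate DN; revoking a branch then means issuing an updated CRL from the CA rather than editing every gateway's configuration.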



Re: Big VPN

2004-03-02 Thread I.R. van Dongen
Jaroslaw Tabor wrote:

> Hi all!
>
> I know that this list isn't the best place to ask, but I've been reading
> this list for years. I hope you will forgive me :)
>
> I'm looking for a good Linux (Debian of course) based solution for VPN
> connecting about 100 LANs. The solution should be stable, easy for
> implementation and easy for management. I've some experience with VPNs
> based on PPTPd, but not so big. I've reviewed FreeS/WAN and the OE feature.
> This looks nice, but I'm afraid about security. If I understand this
> solution right there is no authentication at all. So everyone can
> connect to the LANs if he spoofs an IP. I need something better,
> because I cannot trust LAN users. To avoid that, I have an idea, to use
> some kind of secure DNS, which will answer only to authorized peers, but
> I don't know how to do it.
> Finally, the questions:
> Did someone successfully build such a network? If yes, how?
> Do you know any other VPN solution for this problem?
> If my idea isn't so bad, how to add secure authentication for the OE
> solution?
> Is there any solution to easily manage keys in so big a network, if I
> choose FreeS/WAN (or other) without OE?

You might want to check tinc (http://tinc.nl.linux.org)

> best regards
> Jarek
> PS: Sorry, for my poor English, I'm not a native speaker.

me neither :)

Gr,

Ivo



Big VPN

2004-03-02 Thread Jaroslaw Tabor
Hi all!

I know that this list isn't the best place to ask, but I've been reading
this list for years. I hope you will forgive me :)

I'm looking for a good Linux (Debian of course) based solution for VPN
connecting about 100 LANs. The solution should be stable, easy for
implementation and easy for management. I've some experience with VPNs
based on PPTPd, but not so big. I've reviewed FreeS/WAN and the OE feature.
This looks nice, but I'm afraid about security. If I understand this
solution right there is no authentication at all. So everyone can
connect to the LANs if he spoofs an IP. I need something better,
because I cannot trust LAN users. To avoid that, I have an idea, to use
some kind of secure DNS, which will answer only to authorized peers, but
I don't know how to do it.
Finally, the questions:
Did someone successfully build such a network? If yes, how?
Do you know any other VPN solution for this problem?
If my idea isn't so bad, how to add secure authentication for the OE
solution?
Is there any solution to easily manage keys in so big a network, if I
choose FreeS/WAN (or other) without OE?

best regards
Jarek
PS: Sorry, for my poor English, I'm not a native speaker.




Re: Big VPN

2004-03-02 Thread Richard Atterer
On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
> You might want to check tinc (http://tinc.nl.linux.org)

I strongly recommend *not* to use tinc. 
 illustrates that the
authors didn't have enough expertise to build a secure tool 2 years ago.
The problems were still present last autumn, see
. What a track record!

With VPN software, IPSec is the only real option if you want to be certain
it is secure.

> Jaroslaw Tabor wrote:
> >I'm looking for good linux (debian of course) based solution for VPN
> >connecting about 100 LANs. The solution should be stable, easy for
> >implementation and easy for management. I've some expirience with VPNs
> >based on PPTPd, but not so big.

PPTP is also believed not to be quite insecure, see
 (NB old!). A small number of people
believe it's OK these days due to some improvements made by Microsoft
, but I still wouldn't recommend
it.

Does each of these 100 LANs need to connect to *any* other LAN, or just to 
"your" LAN? Are the LANs real LANs or do you only want to connect single 
"road warrior" machines to "your" LAN?

> >I've reviewed freeswan and OE feauture. This looks nice, but I'm afraid
> >about security. If I understand this solution right there is no
> >authentication at all. So every one can connect to the LANs if he will
> >spoof IP.

I don't think it is the right thing for you, yes. Its main objective (in my 
eyes) is to protect "general" internet traffic from people who are not 
willing/able to do man-in-the-middle attacks, i.e. from people who just 
sniff on the wire. At least that's what it boils down to as long as no 
"secure DNS" is available...

> >I need something better, because I cannot trust to LAN users. To avoid
> >that, I have idea, to use some kind of secure DNS, which will answer
> >only to authorized peers, but I don't know how to do it.

What's wrong with IPSec with X.509 certificates? You can give out a signed
certificate to all people who should get access to your network, and remove 
individual people from the "allowed" list if necessary. IPSec works with 
all OSes as clients. The only downside (IMHO) is that the server can be 
fairly complex to set up for this kind of scenario.

Secure DNS doesn't exist today, does it?

> >Finally, the questions:
> >Did someone sucessfully build such network ? If yes, how?

Well, since I'm in the mood of handing out URLs today ;-), here are some
useful pages I found about IPSec setups involving both Linux and Windows
clients.

 - you've seen this already I guess :)

 - new kernel 2.6.0 IPSec




> >Is there any solution to easily manage keys in so big network, if I will
> >choice freeswan (or other) without OE ?

100 VPN connections isn't /that/ much, I think FreeS/WAN or the 2.6.0 IPSec 
should be able to handle it. (Maybe ask the developers to ensure it does.)

> >PS: Sorry for my poor English, I'm not a native speaker.
> me neither :)
Ditto. :-)

ü,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯
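An added example, not from the thread or from any of the projects named in it: a minimal certificate-authority workflow in POSIX shell for the "IPsec with X.509 certificates" approach described above. Each site gateway gets its own CA-signed certificate, and a site is removed by revoking that certificate and publishing a new CRL, which is what the IKE daemon on every gateway checks before accepting a peer. The CA name (vpn-ca), the organisation (Example VPN), the site names and the directory layout are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal CA for per-site IPsec
# certificates.  Adding a site = issue_site_cert; removing one =
# revoke_site (which republishes the CRL).  Names and paths are assumed.
set -e

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Create the CA key/certificate, the openssl(1) "ca" database and an
# initial (empty) CRL, so CRL-checked verification works from day one.
init_ca() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    echo 1000 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca       = vpn_ca

[ vpn_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/certs
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/private/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = vpn_policy

[ vpn_policy ]
organizationName = match
commonName       = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ gw_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
authorityKeyIdentifier = keyid
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/O=Example VPN/CN=vpn-ca" -config "$CA_DIR/ca.cnf" \
        -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    openssl ca -batch -config "$CA_DIR/ca.cnf" -gencrl \
        -out "$CA_DIR/ca.crl" >/dev/null 2>&1
}

# Issue a key and a CA-signed certificate for one site gateway.  The key
# stays on that gateway; the CA only needs the CSR.
issue_site_cert() {
    site="$1"
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/O=Example VPN/CN=$site" -config "$CA_DIR/ca.cnf" \
        -keyout "$CA_DIR/private/$site.key" -out "$CA_DIR/$site.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA_DIR/ca.cnf" -extensions gw_ext \
        -in "$CA_DIR/$site.csr" -out "$CA_DIR/$site.crt" >/dev/null 2>&1
}

# Remove a site: revoke its certificate and publish a fresh CRL.  Every
# gateway that checks the CRL now rejects that site's certificate.
revoke_site() {
    openssl ca -batch -config "$CA_DIR/ca.cnf" \
        -revoke "$CA_DIR/$1.crt" >/dev/null 2>&1
    openssl ca -batch -config "$CA_DIR/ca.cnf" -gencrl \
        -out "$CA_DIR/ca.crl" >/dev/null 2>&1
}

# Returns 0 if the site's certificate still chains to the CA and is not
# listed in the CRL: the same decision an IKE daemon makes for a peer.
site_allowed() {
    openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" \
        -CRLfile "$CA_DIR/ca.crl" "$CA_DIR/$1.crt" >/dev/null 2>&1
}
```

Run `init_ca` once, then `issue_site_cert <site>` per LAN; distribute ca.crt plus the site's own key and certificate to that gateway, and ca.crl to all of them. `revoke_site <site>` is the "remove individual people from the allowed list" step: nothing on the other gateways has to be reconfigured, they only need the updated CRL.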





Re: Big VPN

2004-03-02 Thread Jacques Normand
On Tue, Mar 02, 2004 at 10:08:22PM +0100, J.H.M. Dassen (Ray) wrote:
> On Tue, Mar 02, 2004 at 21:41:34 +0100, Jaroslaw Tabor wrote:
> > I've reviewed freeswan and the OE feature. This looks nice, but I'm afraid
> > about security.
> 
> If you're looking for a VPN solution, by all means look at FreeS/WAN (or its
> likely successor, OpenSWAN). Just forget about OE. OE isn't about the type
> of security you're looking for in a VPN.

And what about the ipsec system in the 2.6 kernel (KAME) and the racoon
daemon for initial key exchange? It does the same work as freeswan but
it is still developed.

jacques





Re: Big VPN

2004-03-02 Thread J.H.M. Dassen (Ray)
On Tue, Mar 02, 2004 at 21:41:34 +0100, Jaroslaw Tabor wrote:
> I've reviewed freeswan and the OE feature. This looks nice, but I'm afraid
> about security.

If you're looking for a VPN solution, by all means look at FreeS/WAN (or its
likely successor, OpenSWAN). Just forget about OE. OE isn't about the type
of security you're looking for in a VPN.

> If I understand this solution right there is no authentication at all.

With OE that may be true. For a VPN you shouldn't configure OE, but use one
of the authentication methods in IPSec, like RSA digital signatures, or a
shared secret.

http://en.wikipedia.org/wiki/IPSEC provides a nice overview of IPSec.

HTH,
Ray
-- 
AJ: Geeez, Erwin. He wasn't even ARMED.
Erwin: I don't care. I have lots of ammo and he was wearing a TIE.
http://ars.userfriendly.org/cartoons/?id=20010209





Re: Big VPN

2004-03-02 Thread I.R. van Dongen
Jaroslaw Tabor wrote:

> Hi all!
>
> I know that this list isn't the best place to ask, but I've been reading this
> list for years. I hope you will forgive me :)
> I'm looking for a good Linux (Debian of course) based solution for a VPN
> connecting about 100 LANs. The solution should be stable, easy to
> implement and easy to manage. I have some experience with VPNs
> based on PPTPd, but not so big. I've reviewed freeswan and the OE feature.
> This looks nice, but I'm afraid about security. If I understand this
> solution right there is no authentication at all. So everyone can
> connect to the LANs if he spoofs an IP. I need something better,
> because I cannot trust LAN users. To avoid that, I have an idea: to use
> some kind of secure DNS, which will answer only to authorized peers, but
> I don't know how to do it.
> Finally, the questions:
> Did someone successfully build such a network? If yes, how?
> Do you know any other VPN solution for this problem?
> If my idea isn't so bad, how to add secure authentication to the OE
> solution?
> Is there any solution to easily manage keys in such a big network, if I
> choose freeswan (or other) without OE?

You might want to check tinc (http://tinc.nl.linux.org)

> best regards
> Jarek
> PS: Sorry for my poor English, I'm not a native speaker.

me neither :)

Gr,

Ivo



Big VPN

2004-03-02 Thread Jaroslaw Tabor
Hi all!

I know that this list isn't the best place to ask, but I've been reading this
list for years. I hope you will forgive me :)

I'm looking for a good Linux (Debian of course) based solution for a VPN
connecting about 100 LANs. The solution should be stable, easy to
implement and easy to manage. I have some experience with VPNs
based on PPTPd, but not so big. I've reviewed freeswan and the OE feature.
This looks nice, but I'm afraid about security. If I understand this
solution right there is no authentication at all. So everyone can
connect to the LANs if he spoofs an IP. I need something better,
because I cannot trust LAN users. To avoid that, I have an idea: to use
some kind of secure DNS, which will answer only to authorized peers, but
I don't know how to do it.
Finally, the questions:
Did someone successfully build such a network? If yes, how?
Do you know any other VPN solution for this problem?
If my idea isn't so bad, how to add secure authentication to the OE
solution?
Is there any solution to easily manage keys in such a big network, if I
choose freeswan (or other) without OE?

best regards
Jarek
PS: Sorry for my poor English, I'm not a native speaker.






Re: apt-get upgrade and kernel images

2004-03-02 Thread Matt Zimmerman
On Tue, Mar 02, 2004 at 10:18:15AM +0200, Riku Valli wrote:

> Yes, but for me it was quite confusing that at first installation the kernel is not
> a package. So if you install your Debian with boot floppies 2.4.18-bf2.4 you
> never get updates for this kernel. You must
> apt-get install kernel-image-2.4.18-bf2.4 or whatever you prefer and after
> that update/upgrade works the right way.

Yes, that is confusing.  My understanding is that it is no longer done this
way with debian-installer, and the kernel is always installed from a
package.

-- 
 - mdz



Re: apt-get upgrade and kernel images

2004-03-02 Thread Matt Zimmerman
On Tue, Mar 02, 2004 at 10:28:44AM +0100, Mattias Eriksson wrote:

> I think I recall something about debian not upgrading kernel-images
> except if the user asks for it explicitly. 

Not unless you explicitly put them on hold (which you are of course free to
do).

> I have been using debian for many years and I can't recall that I ever
> have gotten an kernel upgrade if I haven't asked for it. Sometimes I had
> installed a kernel-2.4-386 kernel that was a metapackage that would
> always depend on the latest kernel, to always have a fresh kernel on
> some testsystems. And if debian doesn't have a restrictive
> kernel-upgrade policy I don't see why those meta packages would exist.

In general, different _upstream_ versions of the kernel are shipped in
packages with different names (the version number is in the package name),
so you won't be upgraded to 2.4.25 after installing 2.4.24 unless you've
installed a metapackage.  But you will be upgraded from 2.4.24-1 to
2.4.24-2, which is what you just saw.

-- 
 - mdz
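An added example, not from the thread and not Debian's own tooling: two small checks in POSIX shell that follow from the discussion above, assuming only the output format of `dpkg --get-selections` (one `package<TAB>state` line per package). The first tells you whether the running kernel belongs to a kernel-image package at all, which is the boot-floppy situation Riku describes; the second lists the kernel-image packages a plain `apt-get upgrade` may replace and turns them into `hold` selections, the opt-out Matt mentions. The functions read the selection list from stdin, so they can be tried on a constructed sample before being pointed at a real system.

```shell
#!/bin/sh
# Added example, not from the thread.  Assumes only the format of
# "dpkg --get-selections": one "<package><TAB><state>" line per package.
# Live usage is in the comments; the functions read stdin so they can be
# exercised on constructed data first.

# Usage: dpkg --get-selections | installed_kernel_images
# Lists kernel-image packages in state "install".  These are the ones a
# plain "apt-get upgrade" will move to a newer Debian revision
# (2.4.24-1 -> 2.4.24-2) when one appears; a different upstream version
# is a different package name and is never pulled in this way.
# Packages already on "hold" are skipped because apt will not touch them.
installed_kernel_images() {
    awk '$1 ~ /^kernel-image-/ && $2 == "install" { print $1 }'
}

# Usage: dpkg --get-selections | hold_lines | sudo dpkg --set-selections
# Turns that list into "<package> hold" lines, which is how you opt out
# of automatic kernel revision upgrades on a box that must keep booting.
hold_lines() {
    installed_kernel_images | awk '{ print $1 " hold" }'
}

# Usage: dpkg --get-selections | running_kernel_packaged "$(uname -r)"
# Returns 0 if a kernel-image package matching the running kernel is
# installed or held, 1 otherwise.  A kernel that came from the boot
# floppies is not a package, so it receives no updates until you run
# "apt-get install kernel-image-<version>" explicitly.
running_kernel_packaged() {
    awk -v pkg="kernel-image-$1" \
        '$1 == pkg && ($2 == "install" || $2 == "hold") { found = 1 }
         END { exit !found }'
}
```

On a live system the three usage lines in the comments are all that is needed; `running_kernel_packaged` returning 1 is the case worth acting on, because that kernel will never see a security update through apt.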



Re: apt-get upgrade and kernel images

2004-03-02 Thread Marcin Owsiany
On Tue, Mar 02, 2004 at 10:18:15AM +0200, Riku Valli wrote:
> Yes, but for me was quite confusing that at first installation kernel isnot
> a package.

AFAIK it will be, starting with sarge.

Marcin
-- 
Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216




Re: apt-get upgrade and kernel images

2004-03-02 Thread Mattias Eriksson
I think I recall something about debian not upgrading kernel-images
except if the user asks for it explicitly.
I have been using debian for many years and I can't recall that I ever
have gotten a kernel upgrade if I haven't asked for it. Sometimes I had
installed a kernel-2.4-386 kernel that was a metapackage that would
always depend on the latest kernel, to always have a fresh kernel on
some test systems. And if debian doesn't have a restrictive
kernel-upgrade policy I don't see why those meta packages would exist.
So it seems that even if there is no written policy to not do automatic
upgrades, there seems to have been some unwritten policy about it.

And since a kernel upgrade can render your computer useless, I think that a
restrictive kernel upgrade policy should be adopted if it doesn't exist.

//Mattias Eriksson

Mon 2004-03-01 at 19.33, Matt Zimmerman wrote:
> On Fri, Feb 27, 2004 at 12:42:16AM -0800, Andris Kalnozols wrote:
> 
> > I am running Debian testing and seem to recall that it was the policy of
> > apt-get to never bring in a kernel image package when doing an upgrade
> > after an update.
> 
> apt has no such policy, and to my knowledge, never has.
> 
> > Why is apt-get now bringing in kernel-image packages and needlessly so
> > since I already have the indicated version installed?
> 
> You asked apt to upgrade installed packages to the latest version, and since
> a newer version is available, it is doing so.
> 
> -- 
>  - mdz
> 



Re: apt-get upgrade and kernel images

2004-03-02 Thread Riku Valli

- Original Message - 
From: "Matt Zimmerman" <[EMAIL PROTECTED]>
To: 
Sent: Monday, March 01, 2004 8:33 PM
Subject: Re: apt-get upgrade and kernel images


> On Fri, Feb 27, 2004 at 12:42:16AM -0800, Andris Kalnozols wrote:
>
> > I am running Debian testing and seem to recall that it was the policy of
> > apt-get to never bring in a kernel image package when doing an upgrade
> > after an update.
>
> apt has no such policy, and to my knowledge, never has.
>
> > Why is apt-get now bringing in kernel-image packages and needlessly so
> > since I already have the indicated version installed?
>
> You asked apt to upgrade installed packages to the latest version, and
since
> a newer version is available, it is doing so.
>
> -- 
>  - mdz
>
>
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]
>
>

Yes, but for me it was quite confusing that at first installation the kernel is not
a package. So if you install your Debian with boot floppies 2.4.18-bf2.4 you
never get updates for this kernel. You must
apt-get install kernel-image-2.4.18-bf2.4 or whatever you prefer and after
that update/upgrade works the right way.

-- Riku



