-----BEGIN PGP SIGNED MESSAGE-----
lists.freeswan.org Email Summary for Tuesday March 12, 2002
===============================================================================
by Claudia Schmeing listress_at_freeswan.org
This week, there's been an addition to Pluto: asynchronous DNS. See item
1. Also news: we have a new mirror of the FreeS/WAN ftp site. That's item 2.
Enjoy.
This Week in Brief....
1. New in Pluto: asynchronous DNS
2. New mirror site
3. Elliptic curve work in progress
4. AES with X.509 - it works
5. zlib bug damage minimal for Linux FreeS/WAN
6. Bug with "fake" ipv6 headers
7. Tips and tools: dq calculator, assigning addresses, remote admin tips
------------------------------------------------------------------------------
1. New in Pluto: asynchronous DNS
==============================
1 post Mar 9
http://lists.freeswan.org/pipermail/design/2002-March/002026.html
1 post Mar 13
http://lists.freeswan.org/pipermail/users/2002-March/008443.html
Pluto can now do asynchronous DNS queries; that is, issue a query without
stalling its other work while waiting for the answer. This required a
substantial design change.
As D. Hugh Redelmeier described,
Pluto is no longer a single process. It fires off a bounded number
of other processes to perform the actual DNS queries. This is required
because the resolver API is synchronous: each query blocks until the
answer is ready. There is a thread-safe interface in recent
resolvers, but Pluto isn't threaded.
While he noted that this would temporarily break X.509 interaction with
the snaps, Andreas Steffen posted March 13 that he'd caught up with that
round of changes.
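The design Hugh describes, worked into a small stand-alone C program. This is an added example, not Pluto's code: the parent forks a bounded pool of helper processes, each helper makes the blocking resolver call and writes its answer down a pipe, and the parent waits in select(), where a real daemon would also be watching its IKE sockets. The sample names are constructed, and the lookup is restricted to numeric addresses (AI_NUMERICHOST) so the example runs offline; that restriction is an assumption of the example, not how a deployment would call the resolver.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

#define MAX_WORKERS 2      /* the bound on helper processes */
#define ANSWER_LEN 64

/* One outstanding query: helper pid, the pipe we read its answer from,
 * and which name it is resolving. */
struct query { pid_t pid; int fd; int idx; int active; };

/* The blocking part. It runs only inside a forked helper, so the parent
 * never waits in here. AI_NUMERICHOST is an assumption for an offline
 * example; drop it to query real DNS. */
static int blocking_lookup(const char *name, char *out, size_t outlen) {
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(name, NULL, &hints, &res) != 0 || res == NULL)
        return -1;
    void *addr = res->ai_family == AF_INET
        ? (void *)&((struct sockaddr_in *)res->ai_addr)->sin_addr
        : (void *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
    const char *ok = inet_ntop(res->ai_family, addr, out, outlen);
    freeaddrinfo(res);
    return ok ? 0 : -1;
}

/* Fork a helper for names[idx]; the parent keeps only the read end. */
static int start_query(struct query *q, const char **names, int idx) {
    int pipefd[2];
    if (pipe(pipefd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(pipefd[0]); close(pipefd[1]); return -1; }
    if (pid == 0) {                       /* child: do the blocking call */
        char answer[ANSWER_LEN] = "FAIL";
        close(pipefd[0]);
        blocking_lookup(names[idx], answer, sizeof answer);
        (void)write(pipefd[1], answer, strlen(answer) + 1);  /* NUL included */
        _exit(0);
    }
    close(pipefd[1]);
    q->pid = pid; q->fd = pipefd[0]; q->idx = idx; q->active = 1;
    return 0;
}

/* Resolve n names with at most MAX_WORKERS helpers alive at once.
 * results[i] receives the address text or "FAIL". Returns the count resolved. */
int resolve_all(const char **names, int n, char results[][ANSWER_LEN]) {
    struct query pool[MAX_WORKERS];
    memset(pool, 0, sizeof pool);
    int next = 0, done = 0, resolved = 0;
    for (int i = 0; i < n; i++) strcpy(results[i], "FAIL");

    while (done < n) {
        /* Refill free slots, never exceeding the bound. */
        for (int s = 0; s < MAX_WORKERS && next < n; s++)
            if (!pool[s].active && start_query(&pool[s], names, next) == 0) next++;

        fd_set rfds; FD_ZERO(&rfds); int maxfd = -1;
        for (int s = 0; s < MAX_WORKERS; s++)
            if (pool[s].active) { FD_SET(pool[s].fd, &rfds); if (pool[s].fd > maxfd) maxfd = pool[s].fd; }
        if (maxfd < 0) break;                       /* nothing could be started */
        if (select(maxfd + 1, &rfds, NULL, NULL, NULL) < 0) continue;  /* EINTR */

        for (int s = 0; s < MAX_WORKERS; s++) {     /* collect finished answers */
            if (!pool[s].active || !FD_ISSET(pool[s].fd, &rfds)) continue;
            char buf[ANSWER_LEN] = {0};
            ssize_t r = read(pool[s].fd, buf, sizeof buf - 1);
            if (r > 0) {
                strncpy(results[pool[s].idx], buf, ANSWER_LEN - 1);
                results[pool[s].idx][ANSWER_LEN - 1] = '\0';
                if (strcmp(buf, "FAIL") != 0) resolved++;
            }
            close(pool[s].fd);
            waitpid(pool[s].pid, NULL, 0);          /* reap; no zombies */
            pool[s].active = 0;
            done++;
        }
    }
    return resolved;
}

int main(void) {
    const char *names[] = {"127.0.0.1", "::1", "not-an-address"};  /* constructed */
    char results[3][ANSWER_LEN];
    int ok = resolve_all(names, 3, results);
    for (int i = 0; i < 3; i++) printf("%-16s -> %s\n", names[i], results[i]);
    printf("%d of 3 resolved\n", ok);
    return 0;
}
```

Two points matter for a daemon that does this for real: the pool size is a hard bound, so a flood of lookups (for example from many road warriors connecting at once) queues rather than forking without limit, and every finished helper is reaped with waitpid() so a long-running daemon does not accumulate zombies.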
2. New mirror site
===============
1 post Mar 11
http://lists.freeswan.org/pipermail/design/2002-March/002040.html
There is a new UK mirror of the Linux FreeS/WAN FTP site, thanks to Nigel
Methering and friends. Here's his announcement:
I'd like to announce the availability of a FreeS/WAN mirror on the
linux.org.uk distribution server boxes.
FreeS/WAN mirror URL is:-
ftp://zeniii.linux.org.uk/pub/linux/crypto/freeswan/
Additionally JuanJo's modular algorithm patches are available nearby
at:-
ftp://zeniii.linux.org.uk/pub/linux/crypto/ipsec/
Please feel free to add these URLs to FreeS/WAN documentation, release
announcements etc as appropriate.
See that post for additional details about the site hosting.
3. Elliptic curve work in progress
===============================
7 posts Mar 6-8
http://lists.freeswan.org/pipermail/design/2002-March/002003.html
Those of you who like to keep an eye on work in progress, please note that
British student Si Parker is developing Elliptic Curve Diffie Hellman for
Linux FreeS/WAN. His goal in this final-year university project is to create
a software client to interoperate with Cisco VPN hardware. More information
is available in the thread, particularly in this post:
http://lists.freeswan.org/pipermail/design/2002-March/002014.html
4. AES with X.509 - it works
=========================
1 post Feb 27
http://lists.freeswan.org/pipermail/design/2002-February/007946.html
Applying two separate patches to the same piece of software can be hazardous
to its health, but not in this case: Andreas Steffen tested the combination
and reported:
Today I have applied JuanJo Ciarlante's crypto patches to
freeswan-1.95 with X.509 version 0.9.8 and up to now it works
like a charm. I have one connection to another FreeS/WAN
gateway using 3DES and a second connection to an SSH Sentinel
client using AES128.
He added this Sentinel interop hint:
Don't forget to apply "patch-ssh-sentinel-IKE.diff" from the extras
folder, since otherwise an SSH Sentinel roadwarrior will not be
able to establish AES as the initiator due to some proprietary
algorithm ids proposed during main mode.
Also in the same thread, Rene Mayrhofer is adding the AES patches to the
Linux FreeS/WAN that will appear in Debian 3.0. See
http://lists.freeswan.org/pipermail/design/2002-February/007946.html
5. zlib bug damage minimal for Linux FreeS/WAN
===========================================
3 posts Mar 11
http://lists.freeswan.org/pipermail/design/2002-March/002045.html
Last week, a fairly serious bug was discovered in the widely used library
zlib, and the question was raised: how does it affect Linux FreeS/WAN?
Sandy Harris forwarded this synopsis of the bug:
This one's nasty -- a bug in "zlib", which is used all over the place.
Worse, some apps include their own statically-linked version of zlib,
so fixing the system library won't help (rsync, anyone?) Worst of
all, the same bug appears in the kernel -- if you use PPP compression,
you could be vulnerable.
The bug is summarized at
http://www.linuxsecurity.com/articles/security_sources_article-4582.html
where the author remarks "No known exploit is available for this vulnerability
at this time, but the implications of this vulnerability are significant, and
have the potential for remote compromise leading to root privileges on the
server."
Here's Henry Spencer's analysis of its potential effect on Linux FreeS/WAN:
Impact relatively minor for VPNs -- the packet has to decrypt and pass
authentication before it gets fed to zlib -- but serious for OE, where
the existence of the tunnel doesn't imply a trust relationship....
...Not so serious for OE with our current experimental setup, mind you,
because the ipsec.conf entry for it doesn't specify compression (and
thus OE negotiation won't propose or accept it).
Svenning Soerenson contributed a patch, which upgrades Linux FreeS/WAN to
use zlib-1.1.4. His patch "applies cleanly to both current snapshot and all
1.9x releases." Thanks, Svenning.
6. Bug with "fake" ipv6 headers
============================
2 posts March 12, 13
http://lists.freeswan.org/pipermail/design/2002-March/002073.html
This one's a Linux FreeS/WAN bug that manifests on SUSE and Slackware
when the proto-ipv6 code in kernel versions 2.0.x and 2.2.x is enabled.
Henry posted:
Over in the Users list, we've now got people running into problems with
the fake-IPv6 stuff in freeswan.h with 2.2.xx, on SuSE boxes. So it's
not just a 2.0.xx issue, i.e. it has become much more serious.
Michael Richardson had made changes to that code, aiming to:
1) get rid of all #ifdef __KERNEL__
2) get rid of anything that depends upon kernel version numbers
in userspace compiles. Userspace compiles can not depend upon
kernel version stuff, but rather must depend upon glibc/etc. kernel
stuff (except for FreeSWAN things)
3) still work for both kernel and userspace compiles.
The two are working on a diagnosis and fix.
See also:
* this problem report on 2.0.39/Slackware
http://lists.freeswan.org/pipermail/users/2002-March/008006.html
http://lists.freeswan.org/pipermail/users/2002-March/008086.html
* this problem report on 2.2.20/SUSE
http://lists.freeswan.org/pipermail/users/2002-March/008415.html
7. Tips and tools: dq calculator, assigning addresses, remote admin tips
=====================================================================
Three recent posts gave tips and tools of interest to Linux FreeS/WAN users.
John Denker recommended the dq calculator for IP addresses and subnet masks.
The calculator was written using bison/flex on Linux, and JSD expects it to
work on any Unix. The download is at http://www.monmouth.com/~jsd/dq/dq.tgz .
JSD's post is http://lists.freeswan.org/pipermail/users/2002-March/008361.html
Another tip, also from JSD, was about an effective way of assigning
a road warrior an address on a subnet using iproute2. See
http://www.quintillion.com/moat/ipsec+routing/iproute2.html#sec-wild-vs-private
Third, Henry Spencer compiled a list of pointers for safe remote
administration of Linux FreeS/WAN over SSH. These are at
http://lists.freeswan.org/pipermail/users/2002-March/008361.html
------------------------------------------------------------------------------
lists.freeswan.org Email Summary Tuesday, Mar 12, 2002
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPI707XDIYXPDEHodAQGNEgP/YQx0irIWfvBAVTP4Kt/eaFSlbi0723eJ
bSvd22RQbwZ4dyzH0/0hjJ9xMsueOlJhTAZSzKlTjCqq6gWMCF1aFTscI14ndeVn
JxLoT8Rj6ipsY/QVJ4A82iqQff7boFnlZ8nnifKEgKM/326p9d85NXRXRoT/6ksV
WHJsceO14KU=
=805G
-----END PGP SIGNATURE-----
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users