FreeS/WAN Project Bows Out
V. Mole writes "After five years, the FreeS/WAN project has decided to end development. The main reason seems to be that although the project was technically successful, it was not making much progress with its political goals of encrypting a significant portion of all Internet communications, although one might guess that the selection of KAME for the standard Linux IPSEC implementation might also have influenced this decision. And don't panic, the software will remain available, and of course some other group is free to continue development."
Opportunistic encryption (Score:5, Interesting)
Also, aren't there other problems inherent with OE? I.e.: the need to have secure DNS before this can really happen, or a PKI infrastructure or public key escrow or something? I'd love to just install freeswan on my firewall and have encrypted connections happen, but a) would it really help things and b) would it be like being the first one on the block to have a videophone?
Re:OSS advocate (Score:0, Interesting)
Does Windows 98 have a large install base?
Yes.
Are Microsoft still supporting Windows 98?
No.
No, so what exactly was your point?
Re:OSS advocate (Score:5, Interesting)
Not if they go out of business, change business models, or decide that a particular product is no longer profitable.
In all of these cases, if you depended on access to and updates for their software, you would be SOL.
With OSS, you get the source code and have the freedom to recompile it to new targets and make whatever small patches are necessary to keep it running. If it's important enough to your company (or to you as a personal user) you can take over the maintenance yourself.
The parent is alluding to this fact.
pgp.net (Score:3, Interesting)
PGP.net (oh, where have you gone) provided opportunistic encryption with no infrastructure requirements other than that the two machines communicating use the PGP.net software.
Controlling the two endpoints seems a lot easier than trying to control them plus the DNS servers to exchange info.
Anyone know what happened to PGP.net?
Re:The letter (Score:2, Interesting)
Talk about two goals that are just plain swimming uphill.
Getting the Internet to change what's not broken is very hard. The fact that our default mode of communications is plaintext doesn't quite scare most pointy haired bosses. They want their stuff secured, but there's no sense in switching protocols when we can just secure on top of the existing protocols with things like VPNs, SSH, PGP, SSL, etc.
Meanwhile, getting the government to lift the crypto-export bans just isn't going to happen either. September 11th, 2001 will always be brought up anytime anybody wants to loosen crypto rules. Being able to talk in a way that the US Government can't intercept and understand is something that truly scares the military and the CIA... because if they can't intercept communications, they lose one of their strongest tools in battle. Maybe the crypto-export rules are weak and aren't going to stop much, but at least it stops everything we can stop using a law, and that's better than zero.
So, another open source project with great ideas but not quite enough resources to get the job done packs it in. Oh, well. So it goes.
alternatives (Score:4, Interesting)
Would it really be that difficult for somebody to take over the development? Maybe their role could be more to administer the operation rather than code a lot of it.
Also, this (google's cache) [216.239.37.104] or the PDF version of the above [sosresearch.org] claims that FreeS/WAN does not support PKI.
who cares? (Score:3, Interesting)
No, I'm not trolling; I'm asking a question here. Outside of admins, how many people really care whether their connection is secure or not? I always reference this out regarding IPSec and the likes, so I'll point out eBay as an example. Now a company such as eBay in my opinion should have SSL based log on by default, period. It's optional. Why? Because most users outside of the geek realm and system admin realm don't understand the escape key from their space bar. So when it comes to things like... "Will you accept this certificate?" and the likes, they don't know, and they certainly don't care. Same goes for VPNs. Why should the people care if Freeswan "was not making much progress with its political goals of encrypting a significant portion of all Internet communications" when the typical user doesn't know about Freeswan, and more than likely wouldn't care?
Re:OSS advocate (Score:3, Interesting)
In our lab here, there are plots created with stuff like WingZ (NeXT based spreadsheet/plotting program) and AppsoftDraw (a visio like program) -- both types of plots from about 1995.... The programs no longer exist. We don't even bother to make changes to them.
On the other hand, we also have plots created with gnuplot, xfig, and much older documents created with latex. They all work as if they are created just now...
In this particular case, people behind latex and xfig have incentive to keep working on them -- and it wouldn't really matter that much even if all the development with latex and xfig stop. Just like the core components of emacs, the development occurs at galactic time scales, but that is not a big deal...
Re:Politics Trumping Development (Score:2, Interesting)
The failure of the Hurd was a bad gamble. Possibly encouraged by the fact that they had written almost an entire operating system (using tried-and-true designs), the GNU projecteers decided to try a latest-and-greatest (fad) design for the GNU kernel - it didn't work out as it was meant to, but luckily Linus had worked on this same project from the conventional angle, so we still ended up with a completely free software OS.
Re:mod me flamebait but... (Score:5, Interesting)
That being said, I did believe (from reading the docs) that the development team was far more interested in making a (pointless, IMHO) political statement than in creating a usable piece of software. For most small / medium businesses, Opportunistic Encryption is the last thing you want - typically these companies have one interface to the Internet, and having trusted and untrusted-from-random-IP-subnets coming in on the same connection creates a firewall design nightmare. I'm sure there's a way to make it work, but frankly if information is worth securing, we can and do secure it. If it isn't, then we just don't care - I'd rather just Keep It Simple, Stupid.
FreeS/WAN was a bad codebase to start with (Score:2, Interesting)
FreeS/WAN is an unfortunate example of a project too focused on a far out goal (OE) to make the simple foundations work.
Re:Politics Trumping Development (Score:3, Interesting)
Most people don't give a flying fuck what political goals your project has. Only the code, and the software matter. All else is gravy.
You can add this to the graveyard of noble goals brought down by zealotry.
I find this particular outlook sad and disturbing, especially when that outlook is probably more than a little true. It's the nature of the human animal to push boulders up hills, and then become resigned, cynical, and despairing when the effort seems to be overshadowed by the results (or lack thereof.) It's also part of the human animal that a room full of us passionately engaged (or for that matter enraged), will just as likely pull in twenty different directions as a single useful or meaningful one. That said, we can be certain that nothing lasting or important will ever get done if we can't put our own egos, and personal agendas aside for the greater good.
In any project that seems to be as much social engineering as software generation, the two arms must be separate, distinct, and managed tightly by a group of wise men that can be trusted to steer that project. The code heads must be safe and cozy, whacking away at the bits, while the political engineers are busy spreading memes and building coalitions in legislative circles. All the while, cool heads, men and women selected for their integrity and sanity, must guide and nurture the process with patience and forbearance.
Protecting the security and anonymity of people is an important endeavor. It deserves bringing to bear people with moral distinction and the skills needed to manage the long haul, because we live in a world that doesn't do the logical thing, and this will certainly be a long haul. I hope that the software finds a new home, and people with the fortitude to take it to its logical conclusion. As well, I hope that OSS projects like this can begin to create operational structures that ensure the realization of their goals, even in the face of great political/social resistance, and internal conflict. In the end, being a part of an OSS project is ultimately about making a contribution to the human condition... when it becomes something else, projects fail and we all lose.
Genda
"A business man can pull a phone out of his pocket and talk at length to someone halfway around the world. The same man will sit in a dark room with his wife and children all evening and never say a word.. clearly something isn't working." -- Dave Cunningham
I use FreeSWAN (Score:4, Interesting)
There was absolutely no way that 'normal' users were ever going to be able to make use of this product for the 'opportunistic encryption' the project aimed for. I honestly don't think you could design a more opaque and confusing piece of software if you were actually trying.
That being said, once you get over the configuration hurdles and realise you will have to employ script-based kludges to do simple things, e.g. get it to route packets through multiple tunnels terminating on the same local IP address, it mostly works quite well.
Re:corporation (Score:4, Interesting)
Support from a guy with a slashdot ID that is a 1024 bit RSA encryption key?
I have been doing crypto for a long time now. One of the points that Eric Rescorla raised with me when we were speaking at the RSA show was that more email has been secured with SSL in the first year of deployment than has ever been encrypted with S/MIME and PGP combined.
We all screwed up, Bruce said so in secrets and lies, but he still only half gets it. Almost all the crypto 'truth' turned out to be bogus. End to end crypto is a crock for a start, especially when you try to retrofit to a legacy protocol.
We spent years deploying S/MIME in almost every email reader, but we never made it easy to distribute certs. We also wasted time getting people to implement S/MIME when it would have been better to get them to start by simply not doing harm - if someone gets a multipart/signed message that they don't understand, the mail reader should present the signed text without any complaint, just the same as any other unauthenticated content. Same with a message from a person with an invalid or expired cert.
The big screw was messing up the policy aspect. We need an infrastructure to tell people the security that an Internet server supports. DNS is fine for this, as folk point out DNS is secure enough unless there is a pretty difficult active attack.
My criticism of the inanities of the IETF wrt DNSSEC still stands. They just do not understand security there. It would have been better to have deployed DNSSEC with OPTIN two years ago than to continue to wait for all parties to agree on perfection.
Ecco Pro (Score:5, Interesting)
That was a very long time ago and today there is still a vibrant community of ecco users who swear up and down that no other product even comes close. They beg Netmanage to sell the code to them or to open up the source code but Netmanage just ignores their requests. Oddly enough Netmanage does let people download the binary.
To me what netmanage is doing is just cruel. They are not making money off of it, they don't support it and yet they refuse to sell it or open it up. Why did they buy this program for so much money just to mothball it?
Companies are like that. They sometimes suck.
Re:Opportunistic encryption (Score:3, Interesting)
Hence the emergence of the OpenVPN project. It allows a variety of authentication and encryption methods to connect two hosts that can both have dynamic addresses with forward-only DNS service (such as DynDNS).
2.6 IPsec not ready (Score:3, Interesting)
No, it doesn't. 2.6 IPsec has all sorts of problems with MTU, and 2.4 with the 2.6 backport doesn't even understand its own behaviour. You'll end up with situations like this:
valentijn:~# ping -s 1435 host21
PING host21.wireless.palmgracht.nl (10.15.67.21): 1435 data bytes
ping: sendto: Message too long
ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1
ping: sendto: Message too long
ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1
The 2.6 native IPsec does have some MTU issues as well, but I haven't had time to research them well enough. However, from what I've seen, I think that having a 2.6 machine routing between two tunnels will most likely give you a headache, as larger IP fragments will not come through and 2.6 doesn't cut them to adjust to the new 1442 MTU. Besides, the 2.6 IPsec implementation doesn't handle IPsec in combination with iptables too well as there's no well defined way the packets travel through the tables. Encryption is handled somewhere between OUTPUT and POSTROUTING, which, for example, eliminates the possibility to use NAT. IPsec 2.6 works, but only in theory, so to say.
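As an added illustration of the arithmetic behind the ping failure above (this is not the commenter's code), the following takes the 1442-byte tunnel MTU quoted in the comment and shows why a 1435-byte ICMP payload cannot fit; the ESP overhead calculator assumes a 3DES-CBC/HMAC-SHA1-96 tunnel-mode SA, which is an illustrative choice and is why its computed inner MTU need not equal 1442.

```python
import math

# Constructed figures for an ESP tunnel-mode SA (3DES-CBC, HMAC-SHA1-96 assumed).
OUTER_IP_HDR = 20      # new IPv4 header prepended in tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
IP_HDR = 20
ICMP_HDR = 8


def esp_tunnel_len(inner_len, iv_len=8, block=8, icv_len=12):
    """Bytes on the wire for an inner IP packet of inner_len bytes after ESP
    tunnel-mode encapsulation; payload + padding + trailer is rounded up to
    the cipher block size as CBC padding requires."""
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return OUTER_IP_HDR + ESP_HDR + iv_len + padded + icv_len


def tunnel_mtu(link_mtu, **sa):
    """Largest inner IP packet that still fits the physical link MTU."""
    inner = link_mtu
    while esp_tunnel_len(inner, **sa) > link_mtu:
        inner -= 1
    return inner


def ping_lengths(data_bytes):
    """(ICMP length, as ping reports in 'wrote N chars', full IPv4 length)."""
    icmp_len = ICMP_HDR + data_bytes
    return icmp_len, IP_HDR + icmp_len


def ping_fits(data_bytes, mtu):
    """True if 'ping -s data_bytes' fits the given MTU unfragmented."""
    return ping_lengths(data_bytes)[1] <= mtu


def max_ping_data(mtu):
    """Largest 'ping -s' payload that fits the MTU unfragmented."""
    return mtu - IP_HDR - ICMP_HDR


if __name__ == "__main__":
    icmp, ip = ping_lengths(1435)
    print(f"ping -s 1435: {icmp} ICMP bytes, {ip} IP bytes, fits 1442? {ping_fits(1435, 1442)}")
    print("largest -s for a 1442-byte tunnel MTU:", max_ping_data(1442))
    print("inner MTU behind the assumed SA on a 1500-byte link:", tunnel_mtu(1500))
```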