Encryption Security

The Free S/WAN Project: secure TCP/IP

Posted by CmdrTaco
from the for-the-paranoid dept.
Several folks have written in to send us the Wired story on S/WAN, which strives to allow secure TCP connections between any 2 points on the internet. Written in Canada, so it isn't affected by Uncle Sam's braindead encryption export policies. The article refers to the software as freeware; dunno what the license is. You can also just go straight to the software if you like. Update: 04/15 08:01 by CT : Johnathan Nightingale notes that it is apparently under the GPL where it can be. Just read it.

  • Actually, Entrust's headquarters are in Canada. The US office is just a "branch" but for US laws, it looks like the Head Office, and it is, of the US division. Entrust was a Nortel spin-off, and a friend of mine works for them. So I know a bit of what I speak of.

    ttyl
    Farrell
  • I think what it means is that any freely distributable program is ok, regardless of its copyright restrictions. For example, Microsoft Internet Explorer is freely distributable (though not Free Software or Open Source), so it would (I assume) be ok under the treaty (though not under US export law).
  • by gavinhall (33)
    Posted by FascDot Killed My Previous Use:

    Doesn't IPv6 incorporate security? What's the diff?
  • What's the difference? Besides the availability of source for SSH, that is.

  • How does this differ from SSH, SSL, IPsec and the other TCP crypto thingies I've heard of? Does any one have a URL that would help me out?

    - doug
  • A few points:

    1) IPSec is effectively IP-over-IP. My understanding is that the base IP packets used to transport the encrypted packets are not compressed, so layer 4 switching should be fine.

    2) SSL and IPSec are really quite different. IPSec allows you to bridge two LANs securely. So, you can have routing rules like "all packets to subnet B get encrypted and sent out over this ethernet host".

    3) If you are in the US you can use S/WAN. You just can't export it out of the US.
  • VPNs are based on point-to-point secured communications. If two firewalls are running IPSec they will typically be capable of "bridging" the two networks they guard over a VPN.
    Check out the number of VPN solutions that use IPSec. ;-)
  • Yes, IPv6 includes security, but who's actually using IPv6 at this point in time? (Very few people.) IPsec is the generic approach, originally for use in IPv6 but now also (hopefully) to be included in IPv4 stacks as well. It's good to see Linux leading the way in these new areas - is anyone aware of other OSes that have implementations of IPsec?
  • That's great Linux to Linux, but this SHOULD work with any IPSec software.. In addition, this will allow you to verify the identity of the sender of the packets themselves, not merely encryption of the data..
  • I hate to pop all your balloons, but Canada is subject to _ALL_ the US export controls. Canada has agreed to be bound by all the US rules and because of it receives special status. i.e. there is no export restriction for any US crypto tech to Canada.

    This is incorrect. Canada has agreed to be bound by all the US export rules for material that has been imported from the US. That's why the US allows crypto export to Canada. Material written in Canada is subject to the much more lenient Canadian export rules, which allow export of freely distributable crypto without the need for a permit.

    --

  • This may sound like a stupid question, but what if a US citizen was to be logged into a Canadian server while working on code? If the code is always on the Canadian server, is it considered "exported" (the data is typed in the US, but is written in Canada)? What implications does this have, if any?
  • When did this happen?

    I was under the presumption that the maximum penalty for (possession|trafficking, I don't know which) in pot was LIFE imprisonment. Someone in Ontario was facing this very bleak future for selling hemp seeds.
  • US law prohibits the export of strong (over 56 bits) encryption technology to anywhere outside of the US AND CANADA (but not Mexico, cause we don't like 'em).

    Joe
  • MD+F Synapse is a collection of tools that give you port mapping, high-speed file transfers, and encrypted communication. For instance, you can telnet to another machine with Synapse, and your communications will be encrypted. The URL is http://www.marauder3.com/synapse.html. It's available for Windows, Solaris, Linux, and (most importantly) OS/2. Source code is not available, but it's free for home use.

    --
    Timur Tabi
    Remove "nospam_" from email address
  • Heh... It needs to be ported to other OSes ASAP... I'd love to use it, but I don't run Linux. I don't know if this is something that could run under Linux emulation or not (FreeBSD, that is).
  • Yes, as an American citizen, I may be able to import this, but I have no rights or freedom to contribute or share this to others on the net. Any effort I could contribute to cryptography would be squashed by my flag waving government. So much for "The Land of the Free!"

    All this because terrorists and pedophiles could use cryptography. Why not ban cars too, since they could transport evil terrorists and pedos to do their deeds? The US has some backwards politics, I tell you.
  • The S/Wan code only works with the 2.0.x kernels. This means that if you use the other crypto hacks from ftp.kerneli.org, you are SOL.

    The FreeS/Wan code needs to be ported to the 2.2.x tree as soon as possible.
  • Doesn't the Linux IP tunnel software allow you to run an IP tunnel over SSL? That would let you do a secure VPN, and of course SSL is useful for other forms of secure networking.

    I haven't had time to read up on this topic in depth, so be gentle with me :-)

    Thanks

    Bruce

  • As stated on the docs page, this code is GPL'd.

    Yay!
  • Some interesting things:

    1) US companies can *import* strong crypto all day long

    2) US companies can own (at least part of, maybe more) foreign companies that do strong crypto, and then distribute that software (Sun owns a Russian strong crypto company that does this).

    3) US citizens are barred from working for a foreign employer while working on strong crypto.

    4) Strong crypto code, in printed form, falls under free speech laws, and can be exported from the US.

    5) Code, in software form, falls under munitions laws, and cannot be exported from the US.

    6) American citizens cannot even program in features that allow others to (easily) put in strong crypto. You can't write a mail client that includes a call to a .dll or .so, and then publish that others can replace the .dll or .so with one that encrypts messages on send, for instance. I don't know how sendmail gets around this--maybe no one at the US Bureau of Tobacco & Firearms has taken a close enough look.

    7) Most of the (US owned) patents covering strong cryptography have either already expired, or will expire this year and next year. Meanwhile the US government prevents the US-based owners of the patents from making money outside the US.
  • Wow, I like his attitude:
    Why? Because I can. I have made enough money from several successful startup companies, that for a while I don't have to work to support myself. I spend my energies and money creating the kind of world that I'd like to live in and that I'd like my (future) kids to live in. Keeping and improving on the civil rights we have in the United States, as we move more of our lives into cyberspace, is a particular goal of mine.
  • As an aside: first post? cool =)

    This looks like a good thing. Especially since we have several employees working from home and connecting via the Internet with linux boxes. I was considering setting up a VPN using ssh and port forwarding, but this looks better.

  • To quote Akbar and Jeff, "Damn the law!" Write it, export it, use it. Fsck Tha Man, and all that. Stop saying "yes massa" and meekly taking your seat in the back of the bus.
  • Canada has restrictions on exporting Cryptography, but they are not as severe as the American restrictions (except when the software originated in the US). Actually, does anybody know WHAT the restrictions are for 'proxy' US exports? I get the impression that for cryptography software originating in the US, we have identical requirements for getting permission, but we might be able to get that permission from the Canadian government and not the US. That seems to be a bit of an improvement, in practice...
    For software which does not originate in the US, Canada appears to follow the requirements of the Wasegnaar (sp?) Accord. Luckily for us, that means any software which is freely distributable is okay. It mentions that Copyright restrictions do not affect the definition of freely distributable, as well. Actually, I am more than a bit curious as to what this REALLY means... It seems to mean that if I take some commercial software and distribute it freely (in violation of copyright and license agreements) I am in violation of copyright law but not in violation of Export Control law. Very odd...
  • Re: "dunno what the license is." - The Wired article says that the Free S/WAN project was run by Henry Spencer and John Gilmore, both long-time first-rate UNIX hackers and free software advocates. I wouldn't worry about any licensing funny business from them.
  • I always snicker when I find a program that I can use in Canada that can't be used in the US without violating what I feel is a stupid law that makes crypto a munition in the US.

    Of course, I expect the Canadian government to pass some sort of law mimicking our Big Bully Brother to the south of us making it illegal to export strong crypto. But for now, it looks like Canada's got some of the strongest crypto iron available internationally.
  • And, it will autoconfigure itself to send encrypted packets to encryption-capable sites. No admin intervention is needed. As more and more people use the encryption software, the more useful it becomes. Kind of like everything else.
  • The current US law makes sense if you look at it from the NSA's point of view. The NSA intercepts and scans a huge amount of unencrypted data. The small amount of encrypted traffic can be flagged for special treatment.

    The NSA's worst nightmare would be widespread use of strong cryptography. Just think if Microsoft released a new version of Windows that automatically and transparently encrypted all TCP connections, without any action on the part of the user. Even if the NSA could crack the encryption algorithm, the effort would quickly overwhelm their resources. The NSA would lose a major source of intelligence.

    If SWAN is integrated into popular Linux distributions, and Linux becomes very popular, the NSA has another problem. The NSA can call Bill Gates and ask Microsoft to cripple or exclude features that make the NSA's job more difficult. They can hint that life might become difficult for Microsoft if various federal agencies are told to be uncooperative with Microsoft. This has already happened with other companies. Who does the NSA call about Linux?

  • ... but SSL already fits the bill nicely. One serious problem with IPSEC is that it compresses the entire IP payload, including TCP headers. (At least the IPSEC RFCs I read a while ago did this, back in '96.) This is good if you really want your window size acknowledgments private, but when we move into a world of layer 4 switching it's not going to help at all (e.g. running TCP over ATM as opposed the current inefficient IP over ATM).

    That said, the more protocols on NET4, the better--so best of wishes to the S/WAN people. I can't work on it at all because I'm entrapped in the U.S. (not that I mind =).
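The post above (IPsec hiding the whole IP payload, TCP headers included) and the earlier point that IPsec is IP-over-IP both come down to what an ESP tunnel-mode packet exposes on the wire. The following is an added example, not FreeS/WAN code or anything the posters wrote: it builds a constructed IPv4/TCP SYN, wraps it in ESP tunnel mode (RFC 4303 framing, AES-GCM with the RFC 4106 nonce construction, both newer than this thread), and shows that a layer-4 classifier reads the ports from the plain packet but only protocol 50 and the SPI from the encrypted one. The key, salt, SPI and addresses are constructed sample values, checksums are left zero, and `open` assumes a complete packet with a 20-byte outer header.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// innerPacket is a constructed IPv4+TCP SYN, 10.0.0.1:40000 -> 10.0.1.7:80, checksums left zero.
func innerPacket() []byte {
	return []byte{
		0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0, // IPv4, total length 40, TTL 64, protocol 6 = TCP
		10, 0, 0, 1, 10, 0, 1, 7, // inner source and destination addresses
		0x9c, 0x40, 0, 80, 0, 0, 0, 0, 0, 0, 0, 0, // TCP ports 40000 -> 80, seq, ack
		0x50, 0x02, 0, 0, 0, 0, 0, 0, // data offset 5, SYN, window, checksum, urgent
	}
}

// sa is one direction of an ESP security association: AES-GCM key plus the 4-byte salt (RFC 4106).
type sa struct{ gcm cipher.AEAD; salt []byte }

func newSA(key, salt []byte) (*sa, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &sa{gcm: gcm, salt: salt}, err // NewGCM cannot fail for an AES block
}

func (s *sa) nonce(iv []byte) []byte { return append(append([]byte{}, s.salt...), iv...) } // salt || ESP IV

// tunnel wraps inner as: outer IPv4 (proto 50) | SPI | seq | IV | AES-GCM ciphertext | ICV. The inner IP header and the whole TCP header, ports included, end up inside the ciphertext.
func (s *sa) tunnel(spi, seq uint32, inner []byte) []byte {
	hdr := make([]byte, 16) // SPI (4) | sequence number (4) | IV (8)
	binary.BigEndian.PutUint32(hdr[0:], spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	binary.BigEndian.PutUint64(hdr[8:], uint64(seq)) // IV must never repeat under one key
	padLen := (4 - (len(inner)+2)%4) % 4             // ESP trailer: pad | pad length | next header
	plain := append(append(append([]byte{}, inner...), make([]byte, padLen)...), byte(padLen), 4)
	ct := s.gcm.Seal(nil, s.nonce(hdr[8:]), plain, hdr[:8]) // SPI and seq are authenticated, not encrypted
	outer := []byte{0x45, 0, 0, 0, 0, 0, 0, 0, 64, 50, 0, 0, 192, 0, 2, 1, 198, 51, 100, 1} // proto 50 = ESP
	binary.BigEndian.PutUint16(outer[2:], uint16(len(outer)+len(hdr)+len(ct)))
	return append(append(outer, hdr...), ct...)
}

// open is the receiving gateway: verify the ICV, strip the trailer, return the inner packet.
func (s *sa) open(pkt []byte) ([]byte, error) {
	hdr, ct := pkt[20:36], pkt[36:]
	plain, err := s.gcm.Open(nil, s.nonce(hdr[8:]), ct, hdr[:8])
	if err != nil {
		return nil, err // wrong key or tampered packet: drop it, never forward it
	}
	padLen := int(plain[len(plain)-2])
	return plain[:len(plain)-2-padLen], nil
}

// visibleTCPPorts is what a layer-4 switch can read: ports for plain TCP, nothing for ESP.
func visibleTCPPorts(pkt []byte) (src, dst uint16, ok bool) {
	ihl := int(pkt[0]&0x0f) * 4
	if len(pkt) < ihl+4 || pkt[9] != 6 {
		return 0, 0, false
	}
	return binary.BigEndian.Uint16(pkt[ihl:]), binary.BigEndian.Uint16(pkt[ihl+2:]), true
}
```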

  • Yeah, Henry Spencer is way cool. Even if you don't count his work on stuff like the regexp package, there's his postings on usenet, notably in the C newsgroups and the sci.space newsgroups. In a landscape dominated by ignorant flamers, Henry Spencer has always been out there very calmly posting corrections. I've had Henry Spencer autoselected in nn for years.

    And man, John Gilmore was one of the founders of Cygnus...

    Kids these days, they don't know anything...

  • When guns are outlawed, only outlaws will have guns.

    US legislators need to learn two things:
    1. Making something illegal does not prevent people from doing it. This only stops law-abiding citizens from doing it.
    2. The US is not an island upon which the world's intelligentsia has been shipwrecked. Foreigners ain't dumb.

    It's a very Microsoftesque mentality of closed source, closed standards. "If no one else knows how we do it, then no one else can duplicate it." In the end, this sort of policy only hurts oneself.

    Hopefully, projects like this will help enlighten the boys in Washington. But I'm not holding my breath.
  • Anyone have a mirror set up?
  • Red Hat's in the US, right? And you can't export strong encryption from the US. So is it possible for Red Hat to include this with a release, or could the gov't come down on them for it..?
  • On their documentation page, they claim that except for the Libdes they adopted, which uses a different license, everything else is LGPLed.
  • SSH using port forwarding is nice, except the connection drops all the time and you have to reinitiate it. Kind of annoying, especially if you are streaming mp3's or something.

  • I hate to pop all your balloons, but Canada is subject to _ALL_ the US export controls. Canada has agreed to be bound by all the US rules and because of it receives special status. i.e. there is no export restriction for any US crypto tech to Canada.
  • Yeah, that's the only thing holding me up from using it at this point. I'm in the US or I would help them port it over ASAP. Let's hope they get something up quick.
  • I say, it's about time we got something like this. And the government doesn't realize that lack of strong encryption encourages other kinds of terrorists. And it's not like they have to carry out their evil plots online. Good old snail mail is still reliable. (Sort of.)
    --
    Matthew Walker
    My DNA is Y2K compliant
  • Every time someone strikes a blow like this against the "national security apparatus" we should all cheer. And that this is GPL'd software developed in a foreign country makes this news about as good as it gets. Frankly I'm a hell of a lot more afraid of the FBI than of any potential terrorist threat from encryption! You know, I am wondering if we are going to start seeing some official interference in the OSS movement - this article mentioned that VPN software can cost a ton of money - so this OSS project could really eat into revenue for quite a few firms. The financial community makes such a big deal about high tech being a huge industry - what happens when OSS does everything you need, and there isn't any way to make money on big-volume proprietary software anymore? I for one think it would rock, but I imagine big-money disagrees, and we all know the golden rule . . .
  • Actually, last I heard the Government was preparing a bill that would not only encourage strong encryption, but also make digital signatures (a la PGP sig) just as legally binding as a physical signature on a piece of paper... 'bout time if you ask me...

    In fact, the trend in legal reform seems to be to do away with signature requirements altogether, or to water them down so much that they are effectively eliminated. For example, in Revised Article 8 of the Uniform Commercial Code, the previous requirement of a signature to effectuate a securities transaction has been replaced by a provision expressly stating that no signature is required. Similarly, SEC electronic filing regulations (if I understand correctly) generally provide that an ASCII "X" will suffice in place of a signature.

    The upshot is that there is nothing magical about a handwritten signature. What matters is whether the identity of the parties to the transactions you are worried about can meaningfully be verified.

    (Whether signatures are necessary in any specific instance, however, is a question you can ask your attorney.)

  • Yes, our cryptography laws here in America are idiotic in the extreme. I am personally embarrassed by it. Several years ago I developed an SSL-capable web server for Netware and we had a bitch of a time getting export approval for it.

    And this excuse that we need to make strong crypto illegal or terrorists will use it... what a crock of shit! As if our LAWS are going to stop CRIMINALS from using technology that is freely and legally downloaded from other countries and even available in textbooks. Yah, right. The result will be that only the terrorists will be using strong crypto (in America anyway) and the law-abiding citizens will be vulnerable.

    Besides, the really savvy criminals will be burying their encrypted messages in what looks like white noise in sound and image files so no one will even know there is a message to decode.

    And you wondered why MP3 is so popular. ;-)

    Thad
    --
    Make guns illegal and only criminals will have them.

  • The team decided that since we'd never had a "1.0"-quality release, it was more important to polish the working code we had, and ship it so people can use it, than to destabilize it for months by porting it to 2.2.x. The 2.0.x code interfaces to the IP layers through the routing code, which produces a number of user-visible problems. In 2.2.x we'll use "ipchains" which I've never looked at personally. But I hear it will make the integration much smoother, allow us to catch and reject cleartext packets that oughta be encrypted, notice packets going out and try to negotiate a tunnel to put 'em in, eliminate screwiness about whether packets created ON the gateway will go through the tunnels, etc. We're guessing it's about 2-3 months of work for our kernel guy (Richard Guy Briggs). We'd be very glad if some folks (outside the US) who understand ipchains would guide us through the design phase and through the usual few inscrutable bugs and such. Volunteers can send mail to linux-ipsec@clinet.fi (anyone can post; it's a majordomo list if you want to join).
  • by Crysgem (25789) on Thursday April 15, 1999 @03:09PM (#1931576)
    Oh, come now, anonymous Canadian coward, and any who may unnecessarily note the origin of this project... be nice. We all of us know that Canada benefits from our MANY contrasts with that, er, big freakin' Southern Elephant. (Here noting that even the Michigan boy, Malda, couldn't bring himself to refer to Ryerson in a previous post as being in Toronto, but rather "in Canada". Along with a typically parochial, clueless American gibe about "lots of snow"... but this movement is about RMS' arrogant patriotism and ESR's gun-nut "American free speech", I suppose >:+} )
    That surprises *them* but it shouldnae surprise us... I mean to say, look only at our poor disenfranchised people in Ontario *snicker* alone - lessee now, what recent projects of ours might I name? Unreal? The various Corel incursions? Do none of you realize the benefits the people of New Brunswick invite by heavily investing their future in telecom? Did I not recently read that Nortel runs Linux en masse? Sift the Linux credits for ".ca" addresses - and remember that most Canadians don't advertise their national origin in Net tags, as that has the colonial sound and seeming of "AOL Canada", *feh*, and the like.
    Hang fast, kids, for I'll wager that matters of Canadian, um - influence (read: authorship) - shall wax, not wane. But be vewy quiet of this. Else, the Americans shall notice us and become annoyed at the piping-up of those damned marginals.
    *Cough* Unless they've already noticed the heavy European participation *cough* and SuSE's superiority over Red Hat *cough* we'll get them to use ".us" addresses yet *cough*
    But, verily, the contrasts do exist, the laws not least among them. The *cryptography* laws not least among them, if one observes how Ottawa fawns over Corel...
    Despite the much-bemoaned taxes, the lack of respect for research, and the infamous inferiority complex, I behold a population of GPL-believing, culturally neutral, purist enthusiasts for Linux and open coding here (well, in TO) that none of my American comrades can report... and I expect that when a foundation free-software tradition is established here, them Americans will employ our modest lands as their great haven, home away from home... the proximity, cultural similarities, monetary advantage to migrating Americans, and the precedent of "unAmerican" software possibilities may permit an interesting variant enclave to become entrenched... unbeknownst to the homelanders, just as we took in draft-dodgers, heh... might you say, "Miguel MacKenzie" or "Linus Toquevals"? : )
    (In passing - speaking of Torontonian Net.celebrities - meeting Henry Spencer - as my Californian comrades say, "what a trip")
    Or perhaps a software-equivalent Mulroney will follow our free-software glory Trudeau days... *sigh*
    And, perhaps, one day, I'll observe those pretty girl coders (here's lookin' at'choo, Amiga chick!) choose to attend Waterloo as 'posed to MIT. Well, it matters not - MS waylays both student populations...
