FreeSWAN: Difference between revisions
imported>Sandy Harris No edit summary |
imported>Sandy Harris (subpages) |
||
Line 1: | Line 1: | ||
{{subpages}} | |||
FreeS/WAN [http://www.freeswan.org] was the original [[Linux]] implementation of the [[IPsec]] protocols. | FreeS/WAN [http://www.freeswan.org] was the original [[Linux]] implementation of the [[IPsec]] protocols. | ||
Revision as of 00:55, 1 November 2008
FreeS/WAN [1] was the original Linux implementation of the IPsec protocols.
It was was very much a politically-motivated cypherpunk project. The overall goal was to deploy IPsec-based Opportunistic encryption, as defined in RFC 4322 "Opportunistic Encryption using the Internet Key Exchange (IKE)", very widely in order to frustrate widespread Internet monitoring by organisations such as the NSA, the Chinese government, and others. For details, see their goals and politics sections.
Project leader was activist and Electronic Frontier Foundation [2] co-founder John Gilmore [3]. Technical lead was Canadian Unix guru Henry Spencer [4].
The project refused to implement weak cryptography, even where the RFCs required it. Their position was that the RFCs had unfortunately been subverted into including weak methods, but there was still no excuse for actually implementing those. Among the things rejected were null encryption, single DES, and Oakley Group 1. This did not generally lead to interoperation problems, even though those were the only required algorithms in the RFCs. Almost everyone implemented the more secure Triple DES and groups two and five, so almost everyone could talk to FreeS/WAN. Some users wanted single DES; the project explicitly refused to provide any assistance for that.
The project also refused to expend effort on adding features that did not lead toward the main goal, wide deployment of Opportunistic encryption. Building a general-purpose IPsec implementation for Linux was always seen as a byproduct of work toward that main goal — perhaps an interesting and important byproduct, but still a byproduct. Adding things like IPv6 support or authentication using X.509 certificates was seen as a distraction from the main work. Users did add these and some of their work was incorporated into the main FreeS/WAN distribution.
All work was done in Canada by Canadians to avoid US export laws. To ensure that it remained free of those laws, the project would not accept even a one-line bug fix from an American resident or citizen.
Later the Linux kernel team included a different IPsec implementation — one that Americans could contribute to and that was more amenable to adding features — in the kernel, and added KAME-based tools at the user level. Most current Linux distributions include those.
The FreeS/WAN project shut down in 2002, without havng acieved the goal of making Opportunistic encryption widespread.
Two descendants exist, StrongSWAN and OpenSWAN.
FreeS/WAN's main technical writer is now a Citizendium author, and has permission to reuse FreeS/WAN material here.