Re: [linux-security] Re: IP Security for Linux (IPSec)
> On Fri, Aug 07, 1998 at 11:39:12PM -0400, Raul Miller wrote:
> > Does Debian have enough volunteers/resources outside the US to fully
> > integrate an IPSEC implementation?
>
> I thought IPSEC was mostly a kernel-level issue?
>
> But yes, when it becomes available, I at least
> will work on it. I would love throwing ssh
> away, and expect to find clients who need VPNs
> using IPSEC.
>
> (Yes, ssh is good. But it still sucks in many ways)
> --
> tv-nospam-sig-1@hq.yok.utu.fi - it's a valid address w/o spam
>
We've been running IPSEC network wide for nearly two years now
I'd guess. We are upgrading kernels from 2.0.* to 2.1 and
there were no appropriate patches last time I looked
(several months). It was even a hack getting it into later
2.0.3* kernels. Given the whole glibc, gcc to egcs, etc...
I doubt it will slip in cleanly now. I expect that for other
than the particular machines that need it on day-to-day basis
we will have to drop it from our system; those machines will
have to remain without upgrades.

Alan Cox points out that given US encryption laws, building IPSEC
into kernel is unlikely to be widely `acceptable'. He recommends
CIPE drivers instead and I expect we will be switching to those.
Drivers might even address one of the shortcomings of IPSEC,
that it only worked on gateway boxen (and except in that
configuration would not replace ssh.)

The real beauty of IPSEC (IMHO) was that keys would be
integrated into DNS and that it could then spread with `fax effect'
e.g. "1 is worthless, 2 are worth something, millions worth a lot".

cfm
--
Christopher F. Miller, Publisher cfm@maine.com
MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039
1.207.657.5078 (MTRF 3-5pm) http://www.maine.com/