Hi There! I am a new maintainer currently going through the developer application process. My interest is in migrating the work I did under LRP to Debian, and using zebra instead of gated. I notice that Debian firewall probably overlaps this project a bit, because of the nature of securing the machine, and the fact that a firewall is basically a specialised router. I have got together with a few developers, and we have a mailing list at router@fuller.melchi.edu. Some software based on potato is already done (or almost), including a flavour of kernel (does anyone know how to get a proper changelog in, instead of having it overwritten with some garbage about getting in netwinder support?...). Here is a list of plans:

------

Dear All,

I thought I should write to recap on everything and to work out where we are heading. Shall I also post this into debian-devel and debian-firewall to attract more developers?

Current Progress
----------------

Software
--------
A 2.2.17 kernel, zebra 0.89a, and netscript have been packaged. Basic OSPF zebra test runs have been completed. Some bugs in netscript need fixing (found during testing), the kernel needs a changelog, backport version numbers need to be assigned to zebra, and bridgex needs repackaging with a new startup script. I will try to get this all completed this weekend.

Hardware
--------
Sangoma Technologies have kindly given me a couple of S508 boards so that we can do development work and software testing. Tony, once the dust settles about my new job, I will see if I can arrange remote access for you to a couple of 486 machines back to back...

Apt Archive Site
----------------
There has been discussion on what should be done about this. The possibility of cryptographic VPN/admin software being made part of the project means that the master archive should reside in a crypto-friendly country. Alexander has put a site in Germany forward that sounds like it will be good for the master archive, and Christoph has offered to mirror it in the US. Tony has offered to administer it. Could you please get something together soon, as I will have software ready this week for release for potato, and will be porting over the next 2 weeks into woody.

Plans for the next few weeks
----------------------------

WWW site/pages
--------------
We need a WWW page describing what we are about, and where to find things. Is it possible that we could do something on www.debian.org? We also need to mention a couple of sponsors on it - Plain Communications Ltd (http://www.plain.co.nz/), my employer, who are currently letting me work on it full time as they need it for a software upgrade to the 25 routers/firewalls they run, and Sangoma Technologies, who have donated me some hardware for WAN testing and development.

Get Wanpipe drivers updated this week and tested
------------------------------------------------
The configuration binaries for Wanpipe need repackaging. I will be commencing this on Monday if no one else has got around to it.

Future Direction
----------------
There are a number of things that need work.

2.4 kernel
----------
For the next few months I suggest we stick to 2.2.x until 2.4.x has stabilised. We already have a big lead on 2.2.x, as a lot of what I currently have is built on the work I did to get LRP up and going with 2.2.x. Towards the end of January I will be starting to look into 2.4. In particular, 2.4 offers a lot of promise in the area of network throughput over 2.2. The things we will need to look at are porting netscript to iptables, supporting the 2.4.x /proc/sys/net/ipv4 switches, IPv6 support (not to be done on 2.2.x unless someone is crazy about it), work on integrating the new bridge module in 2.4.x, and VPN stuff. We want to be able to leverage most of the work we do on 2.2.x here, so don't go wasting time on fixing up the oddities in 2.2.x bridging unless it is a show stopper.

Zebra
-----
This needs work on the security of the administration interface. Telnetting to TCP ports with clear text passwords is just asking for trouble. There is an almost complete shell called vtysh that just needs a few common commands to be multiplexed among the daemons (write file for instance), and a look at where the unix sockets for this get created (NOT well known names in /tmp as it is now). Vtysh could be sshed into via being a shell on an account on the router, and it also has the beginnings of PAM support.

OSPF is looking good from what I have seen of it, but it still produces TOO many log messages (1 for every hello packet.....). The only events that should be logged by default are those found in the OSPF SNMP trap MIB. My test boxes produced 14MB of logs in a day!!!!! The latter is pretty serious. Fortunately you can turn logging completely off, but there are events that should be monitored. I will e-mail zebra about both of these, and may start working on the logging problem next week. It should only take a bit of donkey work to fix it I imagine.

ifMIB support
-------------
I want to add support for the ifStatus link layer Up/down field and the ifSpeed fields to the standard interfaces structures in 2.2.x and 2.4.x. From my investigative work this can be done in such a way that only drivers that choose to support it need altering. Zebra would find this very useful as it then can auto-assign costs to router interfaces based on their speed, and its OSPF, BGP, and RIP state machines could run more efficiently on WANs. Umich snmpd would also find this useful.

WanPipe
-------
Add ifMIB support, get FR inverse ARP working properly, help Nenad Corbic with the port to 2.4.x, sort out the new bridging stuff on it.

Netscript configuration front end
---------------------------------
With netscript's basic configuration being kept in a file full of /bin/sh variables and small interface activation/deactivation functions (which have the meat of the stuff in them to start up ciped, pppd, wanconfig for the particular interface), this is just going begging for a configuration and management frontend to be written.... Volunteers?

Documentation
-------------
The project will need documentation, manuals, and howtos written and linked from the WWW pages if we are really going to make it popular. In particular, a guide on how to create a Debian router would be very useful.

Boot Floppies set
-----------------
Take the standard boot floppies, and adapt them to do the install of a Debian router. A lot of the software in the standard Debian install is just bloat. My routers are down to around 65MB including man pages.

task-router package
-------------------
Another way of creating a Debian router. Selecting it should pull in almost the entire router software. Good for the above I believe as well.

Install Package List
--------------------
I will do a dpkg --get-selections and put this up on my WWW site this weekend as a resource. Watch for the e-mail.

Relationship to Debian Firewall
-------------------------------
Netscript includes ipchains scripts to set up a router as a firewall, with support for a DMZ interface. The hardening for the use of a box as a router exposed on the Internet is very similar to that of a firewall. The router flavour kernel I am producing has all the firewalling features turned on, including stuff like transparent proxying. IP filtering and other security features like rp_filtering to detect spoofed source addresses are used in netscript. It is projected that VPN software like CIPE and FreeS/WAN will be incorporated in Debian Router. We have a lot in common with the Firewall project in this regard, and no doubt they will be interested in a lot of our technology and packages.

This is all quite a lot to digest, but I hope that it gets everybody thinking and gets the ball rolling. Your feedback is encouraged, and let's get on with it, as it is all very exciting!

Cheers,

Matthew Grant

-- 
===============================================================================
Matthew Grant            /\ ^/\^                        grantma@anathoth.gen.nz
                     It's/~~~~\Plain where
A Linux Network Guy /~~\^/~~\_/~~~~~\_______/~~~~~~~~~~\____/******\I come from
===============================================================================
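The message leans on the kernel's rp_filter switch (under /proc/sys/net/ipv4/conf) to drop packets with spoofed source addresses. The script below is an added example, not netscript's or the Debian Router project's code: it audits which interfaces have rp_filter off and can turn it on for all of them, the check a router administrator would want to run after bringing interfaces up. The tree path is a parameter, and make_sample_tree builds a constructed stand-in for the proc tree so the audit runs offline; the interface names in it are made up.

```shell
#!/bin/sh
# Added example (not netscript's own code): audit and enable the
# rp_filter (reverse path filter) switches of a /proc/sys/net/ipv4/conf
# style tree. Pass /proc/sys/net/ipv4/conf on a live router, or the
# constructed tree from make_sample_tree for an offline run.

# rp_filter_state TREE IFACE -> prints that interface's rp_filter value
rp_filter_state() {
    cat "$1/$2/rp_filter"
}

# list_unfiltered TREE -> prints, one per line, the interfaces whose
# rp_filter is not 1. The all/default pseudo-entries and the loopback
# are skipped because they are not Internet-facing interfaces.
list_unfiltered() {
    for f in "$1"/*/rp_filter; do
        i=$(basename "$(dirname "$f")")
        case "$i" in all|default|lo) continue ;; esac
        [ "$(cat "$f")" = "1" ] || printf '%s\n' "$i"
    done
}

# enable_rp_filter TREE -> writes 1 to every rp_filter entry that is not
# already 1, including all/default so that interfaces created later
# inherit the setting; prints how many entries were changed
enable_rp_filter() {
    n=0
    for f in "$1"/*/rp_filter; do
        if [ "$(cat "$f")" != "1" ]; then
            echo 1 > "$f"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# make_sample_tree -> creates a constructed stand-in for the proc tree in
# a temporary directory and prints its path. The interface names are made
# up; eth1, lo and default are deliberately left with rp_filter off.
make_sample_tree() {
    d=$(mktemp -d)
    for i in all default lo eth0 eth1 wan0; do
        mkdir "$d/$i"
        echo 1 > "$d/$i/rp_filter"
    done
    echo 0 > "$d/eth1/rp_filter"
    echo 0 > "$d/lo/rp_filter"
    echo 0 > "$d/default/rp_filter"
    echo "$d"
}

# Stand-alone run against the constructed tree: audit, remediate, re-audit.
tree=$(make_sample_tree)
echo "unfiltered before: $(list_unfiltered "$tree" | tr '\n' ' ')"
echo "entries changed:   $(enable_rp_filter "$tree")"
echo "unfiltered after:  $(list_unfiltered "$tree" | tr '\n' ' ')"
rm -r "$tree"
```

On a real box, run the functions as root with /proc/sys/net/ipv4/conf as the tree; note that rp_filter must be off on any interface with genuinely asymmetric routing, so treat list_unfiltered as a report to review rather than something to remediate blindly.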