[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Deprecating/removing racoon/ipsec-tools from Debian GNU/Linux and racoon from Debian/kfreebsd


I am the maintainer of the raccon/ipsec-tools packages and I want to
review their relevance in modern Debian.

Systemd package support is the thing that pushed me over the edge about
this.  There are no systemd unit files at all for ipsec-tools/racoon
that I know of. Please advise me otherwise, and I will look at putting
them in the current package.


Deprecating/removing racoon/ipsec-tools  from Debian GNU/Linux and
racoon from Debian/kfreebsd.  Strongswan/Openswan are maintained and
have a superset of the racoon functionality, can run on Debian kFreeBSD
with setkey still being available to manipulate kernel IPSEC as root -
there would be no old racoon daemon running as root 

The issues are:

1) Security.  The racoon daemon has to run as root, with a lot of the
default GCC security flags turned off. 

2) Maintenance and Porting.  It is officially maintained as part of
NetBSD, but there is always a lot of work to get the code to compile on
Linux, especially if it is a later version of GCC than in Net BSD.
Quite often there are obscure API/binary ABI issues that are difficult
to solve due to the new code tending to be *BSD specific.

3) Linux setkey ioctl interface that ipsec-tools/racoon use is
deprecated.  ip xfrm encapsulates the full functionality of setkey using
the new Netlink IPSEC API, and Openswan/Strongswan do so to.

4) On Debian kFreeBSD, Strongswan/Openswan support the BSD setkey
ioctls, thus can be substituted for racoon, and operate more securely.

5) IPSEC protocols. racoon only does IKEv1, Strongswan/Openswan do IKEv1
and IKEv2

Against deprecation/removal:

1) racoon is what is used in MacOSX, and it is good to be compatible.

2) Keeping compatibility with old installs, not breaking IPSEC on

3) racoon is designed from the get-go to work with IPv6 Mobile IP
functionality.  Strongswan/Openswan can be used for MIPv6, but there are
some issues that have to be solved still.

4) racoon/setkey are native IPSEC implementations across FreeBSD,
NetBSD, Mac OSX, and Linux, and thus having it available give a 'just
works' IPSEC option. 

My main concern as maintainer are the security issues, with an old code
base running as root.

NB: racoon-tool was an effort to provide basic FreeSWAN like
functionality when racoon/setkey where the one true way to use the then
new Linux in kernel IPSEC stack.  Openswan and StrongSWAN are descended
from FreeSWAN, thus racoon-tool functionality is 99% fulfilled by using

I am willing to co-maintain this package with other developers and
maintainers.  My belief is that there is likely a Debian kFreeBSD
developer/maintainer out there who would like to do this, and do a lot
of the work :-)

Could you please supply your comments and feed back on this.

Best Regards,

Matt Grant, Debian Developer

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: