Hi! I am the maintainer of the raccon/ipsec-tools packages and I want to review their relevance in modern Debian. Systemd package support is the thing that pushed me over the edge about this. There are no systemd unit files at all for ipsec-tools/racoon that I know of. Please advise me otherwise, and I will look at putting them in the current package. Proposal: Deprecating/removing racoon/ipsec-tools from Debian GNU/Linux and racoon from Debian/kfreebsd. Strongswan/Openswan are maintained and have a superset of the racoon functionality, can run on Debian kFreeBSD with setkey still being available to manipulate kernel IPSEC as root - there would be no old racoon daemon running as root The issues are: 1) Security. The racoon daemon has to run as root, with a lot of the default GCC security flags turned off. 2) Maintenance and Porting. It is officially maintained as part of NetBSD, but there is always a lot of work to get the code to compile on Linux, especially if it is a later version of GCC than in Net BSD. Quite often there are obscure API/binary ABI issues that are difficult to solve due to the new code tending to be *BSD specific. 3) Linux setkey ioctl interface that ipsec-tools/racoon use is deprecated. ip xfrm encapsulates the full functionality of setkey using the new Netlink IPSEC API, and Openswan/Strongswan do so to. 4) On Debian kFreeBSD, Strongswan/Openswan support the BSD setkey ioctls, thus can be substituted for racoon, and operate more securely. 5) IPSEC protocols. racoon only does IKEv1, Strongswan/Openswan do IKEv1 and IKEv2 Against deprecation/removal: 1) racoon is what is used in MacOSX, and it is good to be compatible. 2) Keeping compatibility with old installs, not breaking IPSEC on upgrade. 3) racoon is designed from the get-go to work with IPv6 Mobile IP functionality. Strongswan/Openswan can be used for MIPv6, but there are some issues that have to be solved still. 4) racoon/setkey are native IPSEC implementations across FreeBSD, NetBSD, Mac OSX, and Linux, and thus having it available give a 'just works' IPSEC option. My main concern as maintainer are the security issues, with an old code base running as root. NB: racoon-tool was an effort to provide basic FreeSWAN like functionality when racoon/setkey where the one true way to use the then new Linux in kernel IPSEC stack. Openswan and StrongSWAN are descended from FreeSWAN, thus racoon-tool functionality is 99% fulfilled by using Strongswan/Freeswan. I am willing to co-maintain this package with other developers and maintainers. My belief is that there is likely a Debian kFreeBSD developer/maintainer out there who would like to do this, and do a lot of the work :-) Could you please supply your comments and feed back on this. Best Regards, Matt Grant, Debian Developer
Attachment:
signature.asc
Description: This is a digitally signed message part