IPSec part two, interview with Angelos D. Keromytis

Copyright © 1998 Ejovi Nuwere

An interview with Angelos D. Keromytis on IPSec. A continuation from the interview with Niels Provos on the OpenBSD IPsec and Photuris implementations.

Daemon News: What are some of the things you would like to get across to the public about OpenBSD and IPSec?

Angelos D. Keromytis: What it's good for, why would they care, why should they care, why we're doing a good job, or rather, are we doing a good job. That sort of thing.

DN: Well, why are you even doing A job? Why even add IPSec support when no other OS did?

ADK: An interesting question. This started back in mid-95 when John Ioannidis (JI) got me to do work on IPSec with him; that was a free implementation for BSDI partially funded by a company. So I did the first (and free, and international) implementation of Photuris and JI did the IPSec part. We did a successful Interop of Photuris+IPSec with the University of Arizona at the Dallas IETF (December 95) and while at the RSA Interop workshop with Oliver Spatscheck and Hilarie Orman from the University of Arizona. Then the funding for the project went away. I was still interested in IPSec, more as a hobby of sorts. Eventually I moved to the US for graduate school, then went back to Greece for Xmas and ported the BSDI implementation to NetBSD originally and brought it up to date.

DN: So OpenBSD came into the picture how?

ADK: Back then I didn't know about OpenBSD. So when I did the port/update, I sent a mail to a couple of NetBSD lists but they were interested in using the NRL IPSec/IPv6 implementation. The next day I got a mail from Theo de Raadt asking me if I'd be interested in porting the code to OpenBSD. After taking a look at the networking code, I decided it was fairly easy to do so. So the rest is history, as they say.

DN: NRL is?

ADK: Navy Research Lab.

DN: What's the difference between NRL and the current IPSec OpenBSD is using?

ADK: They have an implementation of IPv6/IPSec. In fact we're going to use their code and merge it with our IPSec next year.

DN: Which is standard?

ADK: Both are. The differences are invisible to a user after all; they both "speak" the same protocols, but there are design differences, and the NRL code has a better integration with IPv6 and (most importantly) they have PF_KEY support, which is a userland-to-kernel interface that will probably become a standard. The OpenBSD code does support more algorithms for encryption/authentication, but that's easy to fix in most implementations.

DN: And OpenBSD will support it next year?

ADK: Yes, our plans are for PF_KEY support next year, along with IPv6. The main difference I suppose is that the OpenBSD IPSec was developed entirely outside the US, so we're free from a number of significant restrictions (the US EIAR) and we want to keep it this way.

DN: Will the restrictions which applied to NRL apply to the OpenBSD code since you're going to merge? Will there be restrictions?

ADK: No, because we only use the IPv6 and PF_KEY code from NRL, which is not subject to export restrictions. We won't even get a copy of the IPSec code per se, since it would constitute exporting. On a side note, all the OpenBSD IPSec work occurred in Greece (me), Germany (Niels), Sweden (Niklas) and Canada (Theo and me).

DN: Ok, Niels spoke a bit about interoperability with other OSs which support IPSec manual keying. You want to talk a bit more on that?

ADK: We have been to a number of Interop workshops which are organized occasionally by companies. The goal for these workshops is to get the various vendors to test their systems against each other. In the process, we figure out bugs and modes of operation. So we've gone to some of those, and have also done informal Interop with other implementations; for example, I was at the September '97 Interop in Ottawa.

DN: Name some of the vendors I might know of.

ADK: I can't possibly remember them all; the ones that come to mind are Sun Microsystems (Dan McDonald), Mentat Inc. (IPSec for Solaris), Linux FreeSWAN, IBM (AIX), the KAME project, SSH. Others have done independent tests. I suppose I didn't really answer your first question, "why do A job?" All I did was give you a history.

DN: Well, answer this. Why would anyone consider using IPSec (OpenBSD's) and Photuris?

ADK: Well, to begin with, Niklas finished his ISAKMP implementation and has integrated it into the OpenBSD tree recently. As far as I can tell, this is the state-of-the-art free implementation of IKE. In fact Niklas has done successful Interop tests with Cisco and Linux FreeSWAN using both ISAKMP and IPSec. So to answer your question: OpenBSD has a very well tested free IPSec implementation.

DN: Seems like a lot of people were involved in the process of creating this. Can you tell me some of the duties each person had?

ADK: Niklas and Niels worked on ISAKMP, Niels on Photurisd, me on IPSec, although there has been a considerable amount of cooperation. I did some advising when Niels was doing Photurisd and Niels did some IPSec development when I was in the US; Niklas fixed some bugs here and there. It's a bit mixed up, but it's all part of the same effort to bring strong network security out as soon as possible, which is another reason why OpenBSD+IPSec is great. It's here now, and the IPSec code combines well with firewall features.

DN: Do you see any other OSs following OpenBSD's footsteps any time soon?

ADK: Well, to begin with, nothing stops any of the other BSDs from just copying the code. In fact, I got a message the other day from someone in the Netherlands telling me they'd ported the code to FreeBSD.

DN: What about import/export restrictions?

ADK: Well, there's that. NetBSD and FreeBSD can't officially incorporate it, at least not in all their distributions. NetBSD used to have (don't know if they still do) an export version. The problem is that the official releases are made in the US. BSDI is also providing IPSec with their latest release. They are using the NRL code, but they also can't export the full implementation and the code is not free. OpenBSD has a number of advantages which, when combined, give it an "edge".

DN: List what OpenBSD has above FreeBSD or Linux, IPSec-wise.

ADK: Well, FreeBSD and Linux don't have IPSec, that's a good start...

DN: ...if they decided to incorporate it?

ADK: FreeBSD doesn't have a project on it. An individual ported the OpenBSD IPSec, but I doubt whether that'll make it into any sort of official distribution in the near future. OpenBSD has a number of other advantages over FreeBSD in the security arena, which make it ideal for a firewall for example, so combined with IPSec, that's really hard to beat.

DN: So you're not just getting IPSec, you're getting total security?

ADK: Exactly. IPSec is a very nice component, but by no means the only one. OpenBSD has very good security scores.

DN: Where else can OpenBSD go from here, IPSec-wise?

ADK: The new IPSec Internet Drafts are about to become RFCs. At that point we'll need to go over the code and check for compliance one last time. So that's goal number one. After that, we'll merge with the NRL IPv6/PF_KEY code. In parallel, Niklas is working on the IKE implementation and is implementing more and more features, which we'll need to support from the "user" interface, so there will be better support for applications to take advantage of IPSec. Also you'll see new flags (or something similar) to applications like telnet and ftp. That's as far as I can predict, and that's a lot of work really.

DN: Any last words for those considering using OpenBSD's IPSec?

ADK: Go for it...and give us feedback! We lack in documentation, and that's where users can help. In fact, you can add "better documentation" to the plans for the future.

The OpenBSD developers mentioned in this article can be contacted at the following email address:

Ejovi Nuwere, joewee@monkeys.com