Re: Deprecating/removing racoon/ipsec-tools from Debian GNU/Linux and racoon from Debian/kfreebsd
Hello,

I wish racoon/ipsec-tools could stay for just a little longer. I'd like some time to evaluate it, against the *SWAN implementations, for GNU/kFreeBSD jessie. IPSEC has not been enabled yet in Debian default kernels, but it is a personal goal to have it in the jessie release. When I last had the chance to work on this, racoon seemed like the best available candidate, due in part to a spate of security problems in openswan/strongswan, and freeswan not being maintained any more IIRC.

I don't think systemd support should cause an issue for any existing package until jessie+1. And then I think systemd proponents should help you with a unit file if one is needed.

And finally, it might still be useful at least as a kfreebsd-any package. When I have some time to resume work on IPSEC I hope I can then give some helpful feedback.

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org

Archive: https://lists.debian.org/536f9e4d.2070...@pyro.eu.org
Re: Deprecating/removing racoon/ipsec-tools from Debian GNU/Linux and racoon from Debian/kfreebsd
]] Matt Grant

> NB: racoon-tool was an effort to provide basic FreeSWAN-like functionality when racoon/setkey were the one true way to use the then new Linux in-kernel IPSEC stack. Openswan and StrongSWAN are descended from FreeSWAN, thus racoon-tool functionality is 99% fulfilled by using Strongswan/Freeswan.

Is there a migration guide anywhere? I have ipsec installations that currently use racoon, but would happily switch them to something else if that is considered better.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: https://lists.debian.org/87fvlped8c@xoog.err.no
Re: Deprecating/removing racoon/ipsec-tools from Debian GNU/Linux and racoon from Debian/kfreebsd
* Noah Meyerhans no...@debian.org [140405 00:06]:
> On Fri, Apr 04, 2014 at 12:59:35PM +1300, Matt Grant wrote:
> > 4) racoon/setkey are native IPSEC implementations across FreeBSD, NetBSD, Mac OSX, and Linux, and thus having it available gives a 'just works' IPSEC option.

I must also add that it really just works. In particular, roadwarrior server-side setups are really easy to set up nowadays and work very well.

> > My main concern as maintainer is the security issues, with an old code base running as root.
>
> The code base may be old, but it's pretty widely used and thus should have many eyes watching it. (I'm being optimistic, I know). The ipsec-tools mailing lists don't see a lot of activity, but they're by no means dead. And there was just an upstream 0.8.2 release in February.

Can't really comment on the security of a maybe old code base here, but I had the feeling that at least Openswan was more dead than racoon.

> > I am willing to co-maintain this package with other developers and maintainers. My belief is that there is likely a Debian kFreeBSD developer/maintainer out there who would like to do this, and do a lot of the work :-)
>
> I'm happy to help maintain ipsec-tools, as I make regular use of it and have done so for several years. I'd also be supportive of removing it for jessie+1 based on your arguments for doing so. If that's the path taken, it'd be really good if we could document (and at least partially automate?) the migration path from racoon to the preferred alternatives.

I have no clue about kFreeBSD, but I'm using racoon on Linux. I'd offer help if the goal would be to keep racoon.

-ch
-- 
 ,''`.  Christian Hofstaedtler z...@debian.org
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03
  `-
Re: Deprecating/removing racoon/ipsec-tools from Debian GNU/Linux and racoon from Debian/kfreebsd
On Fri, Apr 04, 2014 at 12:59:35PM +1300, Matt Grant wrote:
> Systemd package support is the thing that pushed me over the edge about this. There are no systemd unit files at all for ipsec-tools/racoon that I know of. Please advise me otherwise, and I will look at putting them in the current package.

I've recently worked out unit files for other packages, and am happy to help come up with a suitable unit file for racoon as well.

> The issues are:
>
> 1) Security. The racoon daemon has to run as root, with a lot of the default GCC security flags turned off.

Running as root without build-time hardening is bad, but...

> 4) racoon/setkey are native IPSEC implementations across FreeBSD, NetBSD, Mac OSX, and Linux, and thus having it available gives a 'just works' IPSEC option.

...

> My main concern as maintainer is the security issues, with an old code base running as root.

The code base may be old, but it's pretty widely used and thus should have many eyes watching it. (I'm being optimistic, I know). The ipsec-tools mailing lists don't see a lot of activity, but they're by no means dead. And there was just an upstream 0.8.2 release in February.

> I am willing to co-maintain this package with other developers and maintainers. My belief is that there is likely a Debian kFreeBSD developer/maintainer out there who would like to do this, and do a lot of the work :-)

I'm happy to help maintain ipsec-tools, as I make regular use of it and have done so for several years. I'd also be supportive of removing it for jessie+1 based on your arguments for doing so. If that's the path taken, it'd be really good if we could document (and at least partially automate?) the migration path from racoon to the preferred alternatives.

noah
Deprecating/removing racoon/ipsec-tools from Debian GNU/Linux and racoon from Debian/kfreebsd
Hi!

I am the maintainer of the racoon/ipsec-tools packages and I want to review their relevance in modern Debian. Systemd package support is the thing that pushed me over the edge about this. There are no systemd unit files at all for ipsec-tools/racoon that I know of. Please advise me otherwise, and I will look at putting them in the current package.

Proposal: Deprecating/removing racoon/ipsec-tools from Debian GNU/Linux and racoon from Debian/kfreebsd.

Strongswan/Openswan are maintained and have a superset of the racoon functionality, and can run on Debian kFreeBSD with setkey still being available to manipulate kernel IPSEC as root - there would be no old racoon daemon running as root.

The issues are:

1) Security. The racoon daemon has to run as root, with a lot of the default GCC security flags turned off.

2) Maintenance and Porting. It is officially maintained as part of NetBSD, but there is always a lot of work to get the code to compile on Linux, especially if it is a later version of GCC than in NetBSD. Quite often there are obscure API/binary ABI issues that are difficult to solve due to the new code tending to be *BSD specific.

3) The Linux setkey ioctl interface that ipsec-tools/racoon use is deprecated. ip xfrm encapsulates the full functionality of setkey using the new Netlink IPSEC API, and Openswan/Strongswan do so too.

4) On Debian kFreeBSD, Strongswan/Openswan support the BSD setkey ioctls, thus can be substituted for racoon, and operate more securely.

5) IPSEC protocols. racoon only does IKEv1; Strongswan/Openswan do IKEv1 and IKEv2.

Against deprecation/removal:

1) racoon is what is used in MacOSX, and it is good to be compatible.

2) Keeping compatibility with old installs, not breaking IPSEC on upgrade.

3) racoon is designed from the get-go to work with IPv6 Mobile IP functionality. Strongswan/Openswan can be used for MIPv6, but there are some issues that have to be solved still.

4) racoon/setkey are native IPSEC implementations across FreeBSD, NetBSD, Mac OSX, and Linux, and thus having it available gives a 'just works' IPSEC option.

My main concern as maintainer is the security issues, with an old code base running as root.

NB: racoon-tool was an effort to provide basic FreeSWAN-like functionality when racoon/setkey were the one true way to use the then new Linux in-kernel IPSEC stack. Openswan and StrongSWAN are descended from FreeSWAN, thus racoon-tool functionality is 99% fulfilled by using Strongswan/Freeswan.

I am willing to co-maintain this package with other developers and maintainers. My belief is that there is likely a Debian kFreeBSD developer/maintainer out there who would like to do this, and do a lot of the work :-)

Could you please supply your comments and feedback on this.

Best Regards,

Matt Grant, Debian Developer
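The proposal's third point, that ip xfrm covers what setkey does over Netlink, and the requests elsewhere in this thread for a documented or partly automated migration path, are illustrated by the following added example. It is not code from ipsec-tools, strongSwan or any Debian package: a small Python translator that turns the `add`/`spdadd` statements of a setkey.conf into the equivalent `ip xfrm state` / `ip xfrm policy` commands, so that manually keyed SAs and policies can be reviewed side by side before being re-created without racoon. The sample configuration and keys are constructed, the ICV truncation lengths are an assumption to verify on the live host, and the script only prints commands; it never modifies kernel state.

```python
"""Translate setkey(8) SAD/SPD statements into the equivalent `ip xfrm` commands.
Added example for this thread (not ipsec-tools, strongSwan or Debian code); it
only builds command strings and never touches the kernel."""
import shlex

# setkey cipher name -> kernel crypto API name (what `ip xfrm state` prints).
ENC_ALGOS = {"aes-cbc": "cbc(aes)", "rijndael-cbc": "cbc(aes)",
             "3des-cbc": "cbc(des3_ede)", "null": "ecb(cipher_null)"}
# setkey MAC name -> (kernel name, ICV truncation bits). 96 is the Linux PF_KEY
# default a setkey-installed SA got; RFC 4868 peers truncate sha256 to 128.
# Assumption: confirm with `ip xfrm state` on the live host before re-keying.
AUTH_ALGOS = {"hmac-md5": ("hmac(md5)", 96), "hmac-sha1": ("hmac(sha1)", 96),
              "hmac-sha256": ("hmac(sha256)", 96)}
IPSEC_PROTOS = {"esp": "esp", "ah": "ah", "ipcomp": "comp"}  # setkey -> ip xfrm

def _statements(conf):
    """Yield one token list per ';'-terminated statement, dropping # comments."""
    body = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    for stmt in body.split(";"):
        toks = shlex.split(stmt)
        if toks:
            yield toks

def _sa(toks):
    """add SRC DST PROTO SPI [-m MODE] [-u REQID] -E EALG KEY -A AALG KEY"""
    src, dst, proto, spi = toks[1:5]
    mode, extra, i = "transport", [], 5          # ip xfrm defaults to transport
    while i < len(toks):
        opt = toks[i]
        if opt == "-m":
            mode, i = toks[i + 1], i + 2
        elif opt == "-u":
            extra.append(f"reqid {toks[i + 1]}"); i += 2
        elif opt == "-E":
            extra.append(f"enc {shlex.quote(ENC_ALGOS[toks[i + 1]])} {toks[i + 2]}"); i += 3
        elif opt == "-A":
            name, trunc = AUTH_ALGOS[toks[i + 1]]
            extra.append(f"auth-trunc {shlex.quote(name)} {toks[i + 2]} {trunc}"); i += 3
        else:
            raise ValueError(f"unsupported setkey option {opt!r}")
    head = f"ip xfrm state add src {src} dst {dst} proto {IPSEC_PROTOS[proto]} spi {spi} mode {mode}"
    return " ".join([head] + extra)

def _selector(spec, which):
    """'10.0.0.1[22]' -> 'dst 10.0.0.1 dport 22'; '[any]' or no port -> address only."""
    addr, _, port = spec.partition("[")
    port = port.rstrip("]")
    sel = f"{which} {addr}"
    if port and port != "any":
        sel += f" {which[0]}port {port}"          # src -> sport, dst -> dport
    return sel

def _policy(toks):
    """spdadd SRC DST UPPER -P DIR (discard | none | ipsec P/MODE/[A-B]/LEVEL ...)"""
    src, dst, upper, flag, direction, action = toks[1:7]
    if flag != "-P":
        raise ValueError("spdadd without -P policy")
    cmd = ["ip xfrm policy add", _selector(src, "src"), _selector(dst, "dst")]
    if upper != "any":                            # upper-layer protocol selector
        cmd.append(f"proto {upper}")
    cmd.append(f"dir {direction}")
    if action == "discard":
        cmd.append("action block")
    elif action == "ipsec":
        for rule in toks[7:]:                     # one tmpl per proto/mode/ends/level
            proto, mode, ends, level = rule.split("/")
            tmpl = "tmpl"
            if ends:                              # tunnel mode carries outer A-B
                a, b = ends.split("-")
                tmpl += f" src {a} dst {b}"
            tmpl += f" proto {IPSEC_PROTOS[proto]} mode {mode}"
            if level == "use":                    # 'require' is ip xfrm's default level
                tmpl += " level use"
            cmd.append(tmpl)
    elif action != "none":                        # none = allow with no template
        raise ValueError(f"unsupported policy {action!r}")
    return " ".join(cmd)

def setkey_to_xfrm(conf):
    """Return the ip xfrm commands equivalent to a setkey.conf text, in order."""
    handlers = {"add": _sa, "spdadd": _policy,
                "flush": lambda t: "ip xfrm state flush",
                "spdflush": lambda t: "ip xfrm policy flush"}
    cmds = []
    for toks in _statements(conf):
        if toks[0] not in handlers:
            raise ValueError(f"unsupported statement {toks[0]!r}")
        cmds.append(handlers[toks[0]](toks))
    return cmds

# Constructed sample setkey.conf with throwaway keys, not taken from the thread.
SAMPLE_CONF = """\
#!/usr/sbin/setkey -f
flush;
spdflush;
add 192.0.2.1 192.0.2.2 esp 0x1001 -m tunnel -u 1
    -E aes-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1 0x0001020304050607080910111213141516171819;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require;
spdadd 192.0.2.2[any] 192.0.2.1[22] tcp -P in discard;
"""

if __name__ == "__main__":
    for cmd in setkey_to_xfrm(SAMPLE_CONF):
        print(cmd)
```

Read the printed commands before running any of them as root; `ip xfrm state` and `ip xfrm policy` show what is currently installed for comparison. Note that setkey's `require` level maps onto ip xfrm's default `level required`, and that only manually keyed SAs translate this way: SAs negotiated by racoon over IKE have no static equivalent and are the part a *SWAN daemon takes over.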