Openswan: Building and Integrating Virtual Private Networks

By: Ken Bantoft, Paul Wouters
Overview of this book

With the widespread use of wireless and the integration of VPN capabilities in most modern laptops, PDAs and mobile phones, there is a growing desire to encrypt more and more communications to prevent eavesdropping. Can you trust the coffee shop's wireless network? Is your neighbor watching your wireless? Or are your competitors perhaps engaged in industrial espionage? Do you need to send information back to your office while on the road or on board a ship? Or do you just want to securely access your MP3s at home? IPsec is the industry standard for encrypted communication, and Openswan is the de-facto implementation of IPsec for Linux.

Whether you are just connecting your laptop to your home DSL connection while on the road to access your files at home, or you are building an industry-size, military-strength VPN infrastructure for a medium to very large organization, this book will assist you in setting up Openswan to suit those needs.

The topics discussed range from designing, to building, to configuring Openswan as the VPN gateway to deploy IPsec using Openswan. It covers not only Linux clients, but also the more commonly used operating systems such as Microsoft Windows and Mac OS X. Furthermore, it discusses common interoperability examples for third-party vendors, such as Cisco, Checkpoint, Netscreen and other common IPsec vendors.

The authors bring you first-hand information, as they are the official developers of the Openswan code. They have included the latest developments and upcoming issues. With experience in answering questions on a daily basis on the mailing lists since the creation of Openswan, the authors are by far the most experienced in a wide range of successful and not so successful uses of Openswan by people worldwide.
Preface

The History of Openswan


While the IETF was still busy designing the IPsec protocols, entrepreneur John Gilmore founded the FreeS/WAN Project. S/WAN stands for Secure Wide Area Network. The ultimate goal of the project was to make IPsec the default mode of operation for the entire Internet. Version 1.0 was released for Linux in April of 1999 under the GPL license and worked on the Linux 2.0.36 kernel.

In effect, the Presidential decrees on crypto export meant that should an American touch the FreeS/WAN code, the US government could legally restrict its use to whomever they wanted. For this reason, Gilmore barred any American from ever coding for the project, running it entirely outside of the US from Canada and Europe. No patches from Americans were ever accepted.

This became a major problem when end users really wanted the kernel code of FreeS/WAN (KLIPS) to be merged into the mainstream Linux kernel. First of all, Linus Torvalds, the original programmer and current maintainer of the Linux kernel as a whole, has a policy of keeping politics from entering into the kernel, so code with such restrictions would never be permitted. On top of this problem, the maintainer of the network subsystem of the Linux kernel, Dave Miller, was an American. Thus, KLIPS never made it into the mainstream kernel, and FreeS/WAN never got included in the popular Red Hat Linux distributions. This situation lasted for a few years during which users had to patch their kernel manually to add IPsec support, and compile their own FreeS/WAN software. Later on the project shipped binary packages for Red Hat (RPMs) to make IPsec deployment relatively easy.

Meanwhile, although Gilmore's project was widely used as a VPN solution, the intention to encrypt the entire Internet was failing. The project was not succeeding in its political goal, even though FreeS/WAN was widely deployed to increase the privacy and security of military organizations and Fortune 500 companies.

IETF Troubles over DNS

To encrypt the entire Internet using IPsec, through a method dubbed Opportunistic Encryption (OE), a certain DNS record had to be added for FreeS/WAN support. Purists at the IETF did not want applications to use DNS. Worse, DNS itself was long overdue for an overhaul to add cryptographic security to it, but drawing up this new DNSSEC protocol has been one of the slowest projects to come out of the IETF; it was only published as RFCs 4033 through 4035 in March 2005. On top of these DNS issues, OE faced more and more problems due to the wide deployment of NAT, a method for connecting multiple computers using 'internal-only' IP addresses behind a single computer with a single real Internet-connected IP address. IPsec, however, became more and more necessary after wireless networking took off and the WiFi encryption standards were broken one after the other.

Super FreeS/WAN

The rigid views of the FreeS/WAN project were extremely problematic. Its political leanings drew it away from the real-world demand for certain VPN features and IETF standards implementations. Most notably, the refusal to include the X.509 patch, written by Andreas Steffen, a computer science research professor at the University of Applied Sciences Rapperswil in Switzerland, and the NAT-Traversal patch written by the French security company Arkoon, made a "stock FreeS/WAN" release next to useless for most real-world VPN usage. The FreeS/WAN Project was not too concerned about this, since X.509 was deemed inferior compared to its own DNS-based OE: X.509 only really offered privacy to businesses rather than to everyone on the Internet.

The non-DNS-based authentication method in IPsec using X.509 certificates was becoming further entrenched because of Windows support. If someone wanted IPsec to support their Windows users, they would now need to download FreeS/WAN, download a few patches, patch the FreeS/WAN code, patch the kernel, compile the kernel IPsec module, and then compile the rest of the non-IPsec kernel modules and install all of the compiled components. And since there was no coordination between the patch maintainers and the FreeS/WAN maintainers, the patches broke continuously when new versions of FreeS/WAN or the Linux kernel were released. It was a very difficult process for someone not familiar with FreeS/WAN. This resulted in the creation of Super FreeS/WAN by one of the authors of this book (Ken Bantoft) to provide an easy-to-use patched version of FreeS/WAN that had all of the features people needed for VPNs and interoperability. However, maintaining Super FreeS/WAN was becoming harder and harder.

The Arrival of Openswan

The lack of out-of-the-box IPsec code for the Linux kernel was becoming a big problem for users setting up VPNs, and there were members of the FreeS/WAN project who wanted to work on a solution. In the summer of 2003, European volunteers and some members of the FreeS/WAN project—led by Paul Wouters, one of the authors of this book—met and talked to Gilmore at the Chaos Computer Club summer camp near Berlin. The foundation of the fork was laid, and in November of that year, Openswan was released by Xelerance, a newly founded company for the continued development of a free IPsec implementation for Linux.

Openswan's main mission was to cater more to the commercial world, while still keeping the FreeS/WAN ideals alive. This new code fork also freed the FreeS/WAN Project to stick even more strongly to its philosophies, and the next FreeS/WAN version removed support for AH and Transport Mode, two rarely used modes of IPsec, even though that completely broke interoperability with Microsoft Windows 2000 and XP. In April 2004, the end of the FreeS/WAN Project was announced and the last version of FreeS/WAN, with KLIPS support for the Linux 2.6 kernel, was released. In the following year, Openswan expanded and became the de facto IPsec implementation for Linux in practically all Linux distributions.

NETKEY

While this was happening, the lack of native IPsec support in Red Hat was a big problem for Linux distributions aimed at the enterprise market. Red Hat decided to code its way out of this problem by porting the IPsec code from another free operating system, FreeBSD. At this point, many kernel hackers also worked for Red Hat, so inclusion in the kernel would come naturally. Their adaptation of the KAME IPsec code from BSD resulted in the Linux kernel NETKEY code.

Red Hat initially used the somewhat limited Racoon userland IPsec software in combination with the NETKEY code, but Openswan was added in version 3 of the Fedora Core distribution when Red Hat realized the political constraints of the FreeS/WAN Project did not apply to Openswan.

Further Reading

This book is not about politics. Software should not be about politics. If you are interested in these historical and political matters, we can recommend some excellent books that deal with these subjects.

Firstly, the following are some very useful non-fiction guides:

Crypto: how the Code Rebels Beat the Government—Saving Privacy in the Digital Age

Steven Levy, Diane Pub Co, ISBN 0-7567-5774-6.

This book gives an excellent overview of the history and politics surrounding modern cryptography and software.

(Another book by Levy, 'Hackers', gives a similar overview for computer technology in general.)

Secrets and Lies: Digital Security in a Networked World

Bruce Schneier, Hungry Minds Inc, ISBN 0-471-45380-3.

This book talks about the true and false claims and thoughts behind using cryptography.

Database Nation: The Death of Privacy in the 21st Century

Simson Garfinkel, O'Reilly, ISBN 0-596-00105-3.

This book shows the danger of the information age and the massive collecting of the digital bits of our lives and the mistakes made with this data.

Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design

Electronic Frontier Foundation, O'Reilly, ISBN 1-56592-520-3.

The story behind the building of the DES Cracker machine.

And if you want some engaging bedtime reading, try the books on the following list:

1984

George Orwell, Penguin Books Ltd, ISBN 0-14-012671-6.

A classic you should have read by now.

True Names

Vernor Vinge, Tor Books, ISBN 0-312-86207-5.

A story about anonymity written before the Internet was invented.

Fahrenheit 451

Ray Bradbury, Voyager, ISBN 0-00-718170-1.

The classic about information restriction.

Cryptonomicon

Neal Stephenson, Arrow, ISBN 0-09-941067-2.

A story about information 'havens' and the use of crypto.

(Another recommended book by Stephenson is The Diamond Age.)