Hello Fedora hackers,

Since CIPE's removal from Fedora Core, there is a noticeable void that still needs to be filled. I'd like to raise the issue here and spark a discussion in the hope that we can find consensus on one or more pieces of VPN software to include in Fedora Core 3.

There seem to be two general approaches to VPNs, each with their own advantages and disadvantages: kernel space, and user space. I feel the only kernel solutions worth considering are those which implement IPsec. There exist several packages implementing VPN solutions in userspace, such as vtun, tinc, and OpenVPN.

I have been using and reading about OpenVPN (http://openvpn.sf.net). It is intuitive, well designed [1], and has excellent documentation. It is released under the GPL, with a special exception clause to allow linking with OpenSSL. OpenVPN is quality software, and we would be remiss not to consider it for inclusion in FC3.

CIPE, vtun, and tinc, at least, have known and published flaws. Last year Peter Gutmann wrote a paper detailing a number of problems with these packages [2]. While Gutmann did not review OpenVPN in depth, he did have this to say about it:

"The key management step (that is, how to get from the SSL control channel to the data channel) is documented only in the source code, which I don't feel like reverse-engineering, but a quick look through it indicates that the author knows what he's doing."

I've done some googling and unfortunately I can't find a thorough, independent audit of OpenVPN's design. However, I've also not been able to find much in the way of vulnerabilities, so it appears to have a good track record. This, in combination with Gutmann's remarks in his paper, as well as my own understanding of its design, gives me a reasonable amount of confidence in OpenVPN. (Vastly more than CIPE, at least, which was included in RHL in the past.)

OpenVPN is released for most unices (including OS X), as well as Windows 2000/XP. It relies on the kernel only for the tun/tap device. I have toyed with other VPN software (notably CIPE, vtun, and freeswan), and OpenVPN was the only one that Just Worked, and worked intuitively.

I think the other main contender for VPN software in Fedora Core would be Openswan. OpenVPN is portable, comfortable (being in userspace), flexible, and easy, but Openswan implements IPsec, which is (mostly) standardized across vendors, and that's certainly a strong selling point, in spite of its complexity. I don't know much about Openswan, but I do feel that there is room for both an IPsec and a user space VPN solution in FC.

So, let the discussions begin!

Cheers,
Jason.

[1] I am not a cryptographer, and so my opinion of OpenVPN's design is meaningless in practice.
[2] http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt