I need to establish a cipe connection from a current rawhide box to a RH9 box. Cipe is still an option under system-config-network and cipe-1.4.5-20 is installed from the rawhide repository. However, I see no signs of the cipe kernel modules anywhere, and when I try to activate the connection with "ifup cipcb0" I get "Cannot find device".
Is this supposed to work?
Thanks, Steve
On Mar 31, 2004, Steve Bergman steve@rueb.com wrote:
I need to establish a cipe connection from a current rawhide box to a RH9 box. Cipe is still an option under system-config-network and cipe-1.4.5-20 is installed from the rawhide repository. However, I see no signs of the cipe kernel modules anywhere, and when I try to activate the connection with "ifup cipcb0" I get "Cannot find device".
Is this supposed to work?
Not any longer. cipe has never been part of the upstream kernel, and, in the switch to 2.6, since we got IPSec, and given the security flaws that exist in cipe, there was a decision to not add it to the 2.6 kernel in FC. Unfortunately, IPSec is not compatible with Cipe, and doesn't offer all of the same features (the one I miss the most is the ability to establish a secure channel with a network whose gateway has a dynamically-assigned IP), but AFAIK the decision has already been made.
I suppose it wouldn't hurt if people sufficiently motivated would take over the cipe package that was removed from rawhide just before FC2test2 and build programs and kernel modules as Extras for FC2. I'm told the main hurdle that had to be overcome, namely porting cipe to kernel 2.6, has already been taken care of upstream.
Alexandre Oliva wrote:
Not any longer. cipe has never been part of the upstream kernel, and, in the switch to 2.6, since we got IPSec, and given the security flaws that exist in cipe, there was a decision to not add it to the 2.6 kernel in FC.
Thanks. So basically, as far as VPNs go, Fedora is not compatible with RHEL, won't be for another year or two, and is incompatible with all previous versions of RedHat Linux. That seems a shame, since Fedora desktops and RHEL servers seem a logical combo for many companies. It seems like a better way to have handled it would have been to deprecate it in FC2 and remove it in FC3 rather than pulling the rug out from under everybody without warning. RH decided to make CIPE the standard instead of ipsec. It's not as though users knew this was coming and had a choice. We were forced into this position and then abandoned.
-Steve
Steve Bergman said:
Alexandre Oliva wrote:
Not any longer. cipe has never been part of the upstream kernel, and, in the switch to 2.6, since we got IPSec, and given the security flaws that exist in cipe, there was a decision to not add it to the 2.6 kernel in FC.
Thanks. So basically, as far as VPNs go, Fedora is not compatible with RHEL, won't be for another year or two, and is incompatible with all previous versions of RedHat Linux.
I must have missed the "be compatible with RHEL" on the objectives page. Could you point that out to me?
And for that matter, RHEL supports IPSec. http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s...
On Thu, 2004-04-01 at 07:30, William Hooper wrote:
Steve Bergman said:
Alexandre Oliva wrote:
I must have missed the "be compatible with RHEL" on the objectives page. Could you point that out to me?
Good point. It is not addressed directly in any way. Considering that there is clear potential for conflict of interest, perhaps the issue of compatibility with RHEL should be explicitly addressed. Please note that I am not making any accusations here. Far from it; RedHat is doing a great job of walking the line. But it is an issue that should be addressed clearly from the start. FWIW, here are the items from the objectives page that seem to at least dance around the issue a bit:
6. Emphasize usability and a "just works" philosophy in selecting default configuration and designing features.
(CIPE, the protocol that FC1 users and RHL migrators would be using, doesn't "just work". I agree that users' moving to ipsec should be strongly encouraged. But I disagree that it should be sprung upon them with no warning or transition period.)
7. Promote rapid adoption of new releases by maintaining easy upgradeability, with minimal disturbances to configuration changes.
(I'd call redoing both ends of all your servers' VPN connections, without notice, more than a "minimal disturbance".)
13. Form the basis of Red Hat's commercially supported operating system products.
(I would call this a suggestion of compatibility. True, it doesn't actually say so in so many words, but it implies it. So if compatibility is not really a goal, this is all the more reason to state it clearly as a nonobjective.)
A corporate mix of RHEL servers and FC desktops seems like a very obvious and attractive combo. So FC's stance on compatibility is likely to generate either a lot of joy or a lot of tears, depending.
-Steve
On Thu, 2004-04-01 at 17:17, Steve Bergman wrote:
But I disagree that it should be sprung upon them with no warning or transition period.)
This has been talked about on the fedora lists a number of times over the past few months.
13. Form the basis of Red Hat's commercially supported operating system products.
(I would call this a suggestion of compatibility. True, it doesn't actually say so in so many words, but it implies it. So if compatibility is not really a goal, this is all the more reason to state it clearly as a nonobjective.)
A corporate mix of RHEL servers and FC desktops seems like a very obvious and attractive combo. So FC's stance on compatibility is likely to generate either a lot of joy or a lot of tears, depending.
As already stated several times today in this thread, RHEL 3 supports IPSEC.
Dave
On Thu, 2004-04-01 at 13:00, Dave Jones wrote:
This has been talked about on the fedora lists a number of times over the past few months.
A search for "cipe" in the archives does not turn up much. At any rate, I don't think that qualifies as a transition period.
A corporate mix of RHEL servers and FC desktops seems like a very obvious and attractive combo. So FC's stance on compatibility is likely to generate either a lot of joy or a lot of tears, depending.
As already stated several times today in this thread, RHEL 3 supports IPSEC.
Yes. I discovered that myself and corrected my original statement in a later post. However, here, I was speaking more generally. This is not the last time that a decision will have to be made to maintain RHEL compatibility or not. Can users of FC who use RHEL on the server expect ongoing breakage? This is an important point for people making decisions on Linux deployment and needs to be clearly addressed.
-Steve
Alexandre Oliva wrote:
Not any longer. cipe has never been part of the upstream kernel, and, in the switch to 2.6, since we got IPSec, and given the security flaws that exist in cipe, there was a decision to not add it to the 2.6 kernel in FC. Unfortunately, IPSec is not compatible with Cipe, and doesn't offer all of the same features (the one I miss the most is the ability to establish a secure channel with a network whose gateway has a dynamically-assigned IP), but AFAIK the decision has already been made.
(Sorry if this is a dup. My previous post seems to have been eaten.)
Wow. So FC2 will be completely incompatible with RHEL and FC1 and all previous versions of RH Linux. No warning. No period of deprecation. No overlap of functionality to cushion migration. If that's not a statement that Fedora is not suitable for production use, I don't know what is.
Far from being a future possibility in extras, I would have thought lack of cipe support would be a showstopper bug.
-Steve
On Wed, Mar 31, 2004 at 04:21:00PM -0600, Steve Bergman wrote:
Far from being a future possibility in extras, I would have thought lack of cipe support would be a showstopper bug.
See the detailed security analysis of the CIPE protocol that was linked off places like lwn.net. Switching to IPSec is strongly recommended.
You could fix CIPE, but it wouldn't be CIPE compatible if the security design flaws were resolved.
Alan
Alan Cox wrote:
On Wed, Mar 31, 2004 at 04:21:00PM -0600, Steve Bergman wrote:
Far from being a future possibility in extras, I would have thought lack of cipe support would be a showstopper bug.
See the detailed security analysis of the CIPE protocol that was linked off places like lwn.net. Switching to IPSec is strongly recommended.
So what was the story on CIPE during all the time that RH was pushing it as their vpn solution? Were these inherent deficiencies completely unknown until last September? Microsoft's "Get the Facts On Linux" site would have a field day with this if it hasn't already. :-(
Also, in the interest of accuracy, I should correct what I said about FC2 being incompatible with RHEL. RHEL 3 products do indeed support ipsec, although RH9 and FC1 do not.
-Steve
On Wed, Mar 31, 2004 at 05:18:20PM -0600, Steve Bergman wrote:
So what was the story on CIPE during all the time that RH was pushing it as their vpn solution? Were these inherent deficiencies completely unknown until last September?
Yes. Prior to that there had been other minor flaws and these had been worked on and fixed. Cryptography is a hard problem when it comes to getting it right (witness Microsoft PPTP for another example).
Alan
On Wed, 2004-03-31 at 12:38, Alexandre Oliva wrote:
On Mar 31, 2004, Steve Bergman steve@rueb.com wrote:
I suppose it wouldn't hurt if people sufficiently motivated would take over the cipe package that was removed from rawhide just before FC2test2 and build programs and kernel modules as Extras for FC2. I'm told the main hurdle that had to be overcome, namely porting cipe to kernel 2.6, has already been taken care of upstream.
So far, I seem to be the only 'motivated' participant in this thread. So I guess I have a few questions:
1. Is there anyone else here who would be interested in a cipe implementation from fedora.us? Or would I be doing it mainly for myself?
2. Would it just be a matter of maintaining the module(s) as an rpm throughout the FC2 life cycle. i.e. I would not have to mess with the rest of the kernel?
3. Would someone like me, who has never maintained an rpm package be likely to succeed at this and have it accepted at fedora.us? The 2.6 fedora kernel is not nearly so heavily patched as the old 2.4 kernel was, so if someone has already come up with a cipe kernel patch, this should mainly be a matter of packaging and maintenance on my part, right?
Thanks, Steve
"Steve" == Steve Bergman steve@rueb.com writes:
Steve> On Wed, 2004-03-31 at 12:38, Alexandre Oliva wrote:
On Mar 31, 2004, Steve Bergman steve@rueb.com wrote:
I suppose it wouldn't hurt if people sufficiently motivated would take over the cipe package that was removed from rawhide just before FC2test2 and build programs and kernel modules as Extras for FC2. I'm told the main hurdle that had to be overcome, namely porting cipe to kernel 2.6, has already been taken care of upstream.
Steve> So far, I seem to be the only 'motivated' participant in this thread. So I guess I have a few questions:
Steve> 1. Is there anyone else here who would be interested in a cipe implementation from fedora.us? Or would I be doing it mainly for myself?
I've moved all CIPE links to use openvpn (see below).
Steve> 2. Would it just be a matter of maintaining the module(s) as an rpm throughout the FC2 life cycle. i.e. I would not have to mess with the rest of the kernel?
Probably true, but keep in mind you would have to make a new module for every errata kernel that is released.
Steve> 3. Would someone like me, who has never maintained an rpm package be likely to succeed at this and have it accepted at fedora.us? The 2.6 fedora kernel is not nearly so heavily patched as the old 2.4 kernel was, so if someone has already come up with a cipe kernel patch, this should mainly be a matter of packaging and maintenance on my part, right?
I would think so.
I would like to offer another suggestion. How about transitioning all your machines to use openvpn instead?
It's secure, done in userspace with a tun or tap device, works on all the various redhat versions, there is even a windows version. Just need to compile and install the openvpn rpm on all your machines and switch the CIPE links to openvpn links.
It's way easier to manage and set up than IPSEC, and doesn't require kernel mods.
Just a suggestion.
Steve> Thanks, Steve
kevin
On Thu, 2004-04-01 at 14:18, Kevin Fenzi wrote:
I would like to offer another suggestion. How about transitioning all your machines to use openvpn instead?
It's secure, done in userspace with a tun or tap device, works on all the various redhat versions, there is even a windows version. Just need to compile and install the openvpn rpm on all your machines and switch the CIPE links to openvpn links.
It's way easier to manage and set up than IPSEC, and doesn't require kernel mods.
Just a suggestion.
An excellent suggestion. Thanks! Now *this* is something I'd love to see in Fedora, nicely integrated with system-network-config. Alexandre, I *think* it is supposed to handle dynamic IP endpoints. Never having used it before, I got it built, installed, and working in under an hour. It also supports a bridged config so that protocols which depend upon broadcast (SMB, IPP?) "just work". I just did the simpler 'routed' vpn for now though.
-Steve
On Apr 2, 2004, Steve Bergman steve@rueb.com wrote:
An excellent suggestion. Thanks! Now *this* is something I'd love to see in Fedora, nicely integrated with system-network-config. Alexandre, I *think* it is supposed to handle dynamic IP endpoints.
That's my impression as well. Thanks Kevin for the pointer!
I was looking into doing IPSec over unencrypted vtun to replace cipe, but openvpn sounds far more appealing now. The fact that Dag Wieers already maintains openvpn rpms in his rpms repository only makes it even more convenient. Yay!
On Apr 2, 2004, Steve Bergman steve@rueb.com wrote:
see in Fedora, nicely integrated with system-network-config
Yeah, also, being able to independently switch separate interfaces up or down is highly desirable to me. E.g., my laptop has (or used to have) multiple CIPE interfaces that were never supposed to be up at the same time: one to connect it to my home gateway, for when I'm not at home; one to connect it to my desktop, when my desktop is connected to the Red Hat VPN; and one to connect directly to Red Hat. Dag's /etc/init.d/openvpn is an all-or-nothing thing; I'd much rather be able to ifup or ifdown interfaces individually, as a user even. I'll try to play a little bit with it in the near future and come up with something usable for me. Hopefully openvpn supports running multiple instances, each one controlling a separate virtual interface.
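An added example, not from anyone in this thread, of the setup Kevin describes and the per-interface control Alexandre is after: one OpenVPN instance per link, each with its own config file and tun device, started and stopped individually rather than through an all-or-nothing init script. Hostnames, addresses, ports and key paths are constructed placeholders, and the option names assumed are the long-standing ones (dev, remote, float, ifconfig, secret, ping-restart, persist-tun).

```shell
#!/bin/sh
# Added example (not from the thread): one OpenVPN instance per link, each with
# its own config file and tun device, so links are started and stopped one at a
# time instead of all-or-nothing. Hostnames, addresses and paths are constructed.
CONFDIR=/etc/openvpn
RUNDIR=/var/run

# gen_link_conf NAME DEV PORT LOCAL_IP REMOTE_IP [REMOTE_HOST]
# Prints a static-key point-to-point config for one link. Leave REMOTE_HOST
# empty on the side that only listens; 'float' then accepts the peer from
# whatever source address it currently has (a gateway on a dynamic IP).
# Every link needs its own DEV and PORT so the instances do not collide.
gen_link_conf() {
    name=$1; dev=$2; port=$3; local_ip=$4; remote_ip=$5; remote_host=$6
    echo "dev $dev"
    echo "port $port"
    if [ -n "$remote_host" ]; then echo "remote $remote_host"; fi
    echo "float"
    echo "ifconfig $local_ip $remote_ip"
    echo "secret $CONFDIR/keys/$name.key"   # created once: openvpn --genkey --secret FILE
    echo "ping 10"                           # keepalive so a NAT/dynamic peer stays mapped
    echo "ping-restart 60"                   # re-resolve and reconnect if the peer moves
    echo "persist-tun"
    echo "persist-key"
    echo "user nobody"
    echo "group nobody"
}

link_conf()    { echo "$CONFDIR/$1.conf"; }
link_pidfile() { echo "$RUNDIR/openvpn-$1.pid"; }

# vpn_up NAME: start only this link's instance and record its pid.
vpn_up() {
    conf=$(link_conf "$1")
    [ -r "$conf" ] || { echo "no config for link $1" >&2; return 1; }
    openvpn --config "$conf" --daemon "openvpn-$1" --writepid "$(link_pidfile "$1")"
}

# vpn_down NAME: stop only this link's instance; the others keep running.
vpn_down() {
    pidfile=$(link_pidfile "$1")
    [ -r "$pidfile" ] || { echo "link $1 is not running" >&2; return 1; }
    kill "$(cat "$pidfile")" && rm -f "$pidfile"
}

# Example setup (as root): a link to the home gateway and one to the desktop.
# gen_link_conf home    tun0 5000 10.8.0.2 10.8.0.1 home.example.invalid > "$(link_conf home)"
# gen_link_conf desktop tun1 5001 10.8.1.1 10.8.1.2 > "$(link_conf desktop)"
# vpn_up home; vpn_down home     # the desktop link, if up, is unaffected
```

Both peers of a link must share the same static key and mirror the ifconfig pair; only the side with a stable address needs to be given as `remote` by the other.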
On Apr 1, 2004, Steve Bergman steve@rueb.com wrote:
1. Is there anyone else here who would be interested in a cipe implementation from fedora.us? Or would I be doing it mainly for myself?
I, for one, definitely would. There are application requirements I have for my home network set up that IPSec doesn't seem to be able to satisfy.
2. Would it just be a matter of maintaining the module(s) as an rpm throughout the FC2 life cycle. i.e. I would not have to mess with the rest of the kernel?
Maintaining kernel modules outside the kernel RPM is generally a mess, but it probably can be done with some effort.
3. Would someone like me, who has never maintained an rpm package be likely to succeed at this and have it accepted at fedora.us? The 2.6 fedora kernel is not nearly so heavily patched as the old 2.4 kernel was, so if someone has already come up with a cipe kernel patch, this should mainly be a matter of packaging and maintenance on my part, right?
One would hope :-)