ANNOUNCEMENT
------------

The University of Arizona is releasing its first version of Linux
IPSEC.  Complete information about this software can be found at




OVERVIEW
--------

This software is based on the x-kernel and runs as a user space
process with access to network traffic.  A single Linux kernel
loadable module is used to divert all incoming and outgoing Ethernet
frames to an x-kernel process.

Throughput for DES/MD5 traffic, measured on a 120 MHz Pentium, is
approximately 220kb/s.

Keys must be managed manually or with Photuris.  There is currently
no support for ISAKMP/Oakley or for anti-replay counters.


REQUIREMENTS
------------

- Linux Kernel V 2.0.x (Intel only)
- Proven's Pthreads (available from webpage)


BACKGROUND
----------

Over the course of this project, our research has focused on
developing highly modular protocols for network security.  We
attempted to demonstrate that security enhancements could be added to
a well-constructed protocol architecture in a manner that is easy,
clean, and without unnecessary performance impact.

We felt we demonstrated this with our x-kernel implementation, and
chose a more standard platform for distributing our software.  We then
developed the idea of a dual-stack architecture based on Linux kernel
loadable modules.  This architecture allowed us to use all our
previous work, without modification, and allows Unix applications to
take advantage of a platform with stronger security mechanisms.

Although we are not currently tracking the IPSEC architecture, we
believe that the released version can be brought up to date and
extended to allow for more services.  

It is being released as a reference architecture for adding advanced
network capabilities to Linux and for experimenting with security
policies.


SURVEY
------

Name of Implementation  : x-kernel IPSEC
Version Described       : 1.0
Organization            : Univ. of Arizona, Dept of CS
Which IP versions are
 supported              : IPv4
Implements RFC-1828
 AH MD5                 : YES
Implements RFC-1829
 ESP DES-CBC            : YES
Implements AH HMAC MD5  : NO
Implements AH HMAC SHA-1: NO
Implements Combined ESP
 (DES+MD5+Replay, etc)  : NO

Other AH Implemented
 Transforms             : NO
Other ESP Implemented
 Transforms             : ESP-3DES
Transport mode          : YES
Tunnel mode             : YES
Key Management          : Manual, Photuris (draft 8, Elliptical curves),
Platforms               : x-kernel, Linux
Lineage of IPsec Code   : University of Arizona
Lineage of Key Mgmt Code: University of Arizona
Location of Source Code : http://www.cs.arizona.edu/security/hpcc-blue/linux.html
                          ftp://ftp.cs.arizona.edu/xkernel/xkernel.v3.2.security.tar.Z
Points of Contact       : Mason Katz
Claimed Interoperability: