Subject: racoon2 (IKEv2) released by KAME
To: None <tech-security@NetBSD.org>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-security
Date: 11/14/2005 14:11:57

Probably pkgsrc is the appropriate place for this at first.  I'm
posting here because I just noticed the announcement and didn't see
any mention on a netbsd list.




To: ipsec@ietf.org
Message-Id: <20051102085504Q.sakane@kame.net>
Date: Wed, 02 Nov 2005 08:55:04 +0900
From: Shoichi Sakane <sakane@kame.net>
Subject: [Ipsec] releasing racoon2 including IKEv2

This is from the Racoon2 project.

I am sorry for messing up this mailing list.  I know that this mailing list
is not suitable for the announcement of software.  However some
people told me what the racoon2 state was when we released it before.
So this is the first and the last announcement to this list.

We are pleased to release the Racoon2, an IPsec key management system.
The Racoon2 is a system to exchange and to install security parameters
for the IPsec.  It supports both the IKEv2 and the KINK.
README is attached for detail.

You can get the tarball from:
	ftp://ftp.kame.net/pub/racoon2/racoon2-20051102a.tgz

Please ask racoon2@kame.net if you have any questions.

Thank you.

===
$Id: README,v 1.32 2005/11/01 03:46:29 mk Exp $

This document describes the Racoon2 and the distribution kit.
You have to read doc/INSTALL and doc/USAGE to use the Racoon2
after you read this document.  Enjoy !

o Directory

	README   : this file explaining the Racoon2 distribution.
	COPYRIGHT: contains the copyright.
	doc/     : specification, usage and memo.
	samples/ : configuration samples.
	lib/     : source files related to the library, libracoon.a
	kinkd/   : files related to the KINK daemon.
	iked/    : files related to the IKE daemon.
	spmd/    : files related to the SPM daemon.
	pskgen/  : files related to pskgen(8)

o What is the Racoon2 ?

The Racoon2 is a system to exchange and to install security parameters
for the IPsec.
This is provided by the Racoon2 Project in the WIDE Project, Japan.
The project aims to provide the IPsec system for FreeBSD, NetBSD and
Linux.  There are some projects doing the same in the Internet community.
We have no intention of competing with these communities.
We would rather collaborate with them, though there is a language barrier.

Currently the system supports the following specification:

	Internet Key Exchange (IKEv2) Protocol
	draft-ietf-ipsec-ikev2-17.txt
	draft-eronen-ipsec-ikev2-clarifications-06.txt

	Kerberized Internet Negotiation of Keys (KINK)
	draft-ietf-kink-kink-07.txt

	    Note that the KINK protocol is work in progress, and
	    changes which are incompatible with -07 are planned.
	    When such changes are performed, the racoon2 KINK daemon
	    will track the changes and *no care* for compatibility
	    with older racoon2 will be taken.

	PF_KEY Key Management API, Version 2
	RFC2367
	
The following protocols will be supported soon.

	The Internet Key Exchange (IKE)
	RFC2409

The system provides three daemons: iked, kinkd and spmd.
Each daemon manages IKE, KINK and IPsec Policy respectively.

o What features will the Racoon2 support ?

Here is the list of features that we are thinking of implementing in the future.
This is not a complete list.  It may be changed without announcement.

	- English documentation.
	- IKEv2: configuration payload (mode-config) in iked.
	- SHISA support (WIDE MIP6 Implementation on *BSD) in iked.
	- MIPL support (MIP6 Implementation on Linux) in iked.
	- To follow the updates of the I-D of KINK.
	- Support for tunnel mode SAs in both iked and kinkd.
	- Support for graceful rekeying.
	- Configuration file converter from racoon1.
	- Easy configuration tool.
	- IKEv1 support in iked.

o What is The Racoon2 system structure ?

There are three daemons in the Racoon2 system.  The following picture
indicates the relationship between the daemons in the system.
You have to run "spmd" AND one protocol daemon to exchange IPsec SAs.

    +--------+                            +--------+
    |  iked  |--(spmif)--+    +--(spmif)--|  kinkd |
    +--------+           |    |           +--------+
         |             +--------+             | 
         |             |  spmd  |             | 
         |             +--------+             | 
         |                  |                 |
         |                  |                 |
    --(PFKEY)------------(PFKEY)-----------(PFKEY)--
         |                  |                 |
         |                  |                 |
    +---------------------------------------------+
    |                    Kernel                   |
    +---------------------------------------------+

"spmd" is the IPsec policy management daemon.  It has two missions.
The first is to manage IPsec policies.  "spmd" will install IPsec policies
and delete them from the kernel.  It uses PF_KEYv2 for this purpose.
The other is to cache the mapping table between IP addresses and FQDNs
for KINK processing.

"iked" processes the IKE protocol.  It initiates the protocol, and processes
the packet from the remote system.  Then it installs IPsec SAs into the
kernel by using PF_KEYv2.  It also requests "spmd" to install IPsec policies 
if necessary by using "spmif" which is an abbreviation of spmd interface.
Currently it only supports IKE version 2.

"kinkd" is similar to "iked" except that it processes the KINK protocol.
Current kinkd supports draft-ietf-kink-kink-06.txt, and newer revisions
of this draft are expected to be incompatible with this version.
When a newer draft (or RFC) is published, kinkd will follow it, and
the support for older version will be dropped.

o What is the difference from "previous racoon" ?

"previous racoon" only supports IKEv1 [RFC2409].  The Racoon2 supports
both IKEv2 and KINK, and will also support IKEv1.
The configuration is completely different because the Racoon2 system supports
multiple key exchange protocols.

o Contact Points

If you have any questions about the Racoon2, you can ask the mailing list:
	racoon2@kame.net
You should not ask them on other mailing lists like "racoon@kame.net",
"kame-snap@kame.net", or "ipsec-tools-users@lists.sourceforge.net".

If you want to help us or if you want to contribute, please contact us.
Any patch, any suggestion and any help is welcome.
In particular, checking the English documentation is very helpful for us.

We are planning to dedicate the web site of the Racoon2 project and
to provide the cvsweb to access the repository soon.

o Copyright

Basically this kit follows the BSD-like copyright.  See the file: COPYRIGHT.
In short, the code is freely available but with no warranty.

The copyright holder is WIDE Project instead of the Racoon2 Project.
This is because the Racoon2 Project belongs to one of the working groups
in the WIDE Project.

o IPR consideration

The Racoon2 Project takes no position regarding the validity or scope of 
any intellectual property rights or other rights that might be 
claimed to pertain to the implementation or use of the technology 
used in the Racoon2, or the extent to which any license under such rights 
might or might not be available; nor does it represent that it has 
made any independent effort to identify any such rights.

The Racoon2 Project simply reproduces the intellectual property rights 
statements that have been submitted to the IETF at 
<https://datatracker.ietf.org/public/ipr_disclosure.cgi> concerning 
the IETF protocols embodied in the Racoon2.

Certicom's Statement About IPR Claimed in RFC 3526, RFC 2409, 
draft-ietf-ipsec-ikev2, and Other IETF Specifications Using MODP 
Groups: 
<https://datatracker.ietf.org/public/ipr_detail_show.cgi?&ipr_id=336>

Internet Key Exchange (IKEv2) Protocol: 
<https://datatracker.ietf.org/public/ipr_detail_show.cgi?&ipr_id=137>

Microsoft's statement about IPR claimed in 
draft-ietf-ipsec-ikev2-08.txt: 
<https://datatracker.ietf.org/public/ipr_detail_show.cgi?&ipr_id=190>

If you have a concern about the possible intellectual property rights 
associated with acquiring, compiling, modifying, or otherwise using 
the Racoon2 software, you should consult your own attorney.

o Project Members

Core project members are:
	Yutaka Yamashita    Keio University
	Satoshi Inoue       NEC Communication Systems
	Atsushi Fukumoto    Toshiba Corporation
	Mitsuru Kanda       Toshiba Corporation
	Kazunori Miyazawa   Yokogawa Electric Corporation
	Ken'ichi Kamada     Yokogawa Electric Corporation
	Shoichi Sakane      Yokogawa Electric Corporation

o Acknowledgments

Thanks to Paul Hoffman.  He suggested what we should think about the
intellectual property rights related to the IKEv2 protocol, and helped us
to publish our IKEv2 code.  Thanks to the members of the WIDE project.
We could not work without the great project.

-- 
        Greg Troxel <gdt@ir.bbn.com>
