Zillabit Projects
The purpose of this project is to build an IPSec implementation for all variants of Windows (95, 98, ME, NT, 2K, XP, and even CE) based on the KAME/Racoon IPSec codebase from the BSD world.
Consider the state of IPSec in Windows:
- Some versions of Windows (2K and XP) ship with IPSec components (developed by Cisco, actually).
- For the other Windows platforms (95/98/ME, CE) there are only third-party commercial IPSec implementations of varying quality.
- Each of these implementations is notoriously difficult to learn to configure, and, annoyingly, each has a different configuration interface. Proper creation and management of configurations is one of the most difficult parts of using IPSec.
- In all cases these implementations are closed-source, so there is no outside expert review of their security.
- Security fixes can only be made by the respective vendors, at whatever speed they can manage.
By contrast, the advantages of this project are:
- KAME IPSec is the gold standard for IPSec and, being open source, has gone through much public security review, and will continue to be reviewed.
- Security fixes to the KAME codebase, made by the KAME developers in response to any flaws found in the BSD implementations, can be applied immediately to the Windows implementations.
- With a KAME-based implementation, a single established configuration interface is used across multiple platforms, which makes it far easier to administer a network of IPSec-connected machines.
- KAME's IPSec even comes with a test suite, so conformance can be verified.
This implementation contains the following components:
- An NDIS component that provides a virtual network interface to handle the IPSec tunnels, containing part of the KAME code.
- A userspace service (on Windows versions that support services) or equivalent (on those that don't) to handle IKE (includes KAME's Racoon code) and user configuration (includes the relevant parts of KAME's codebase).
A minimal emulation layer provides only what is required of the missing (or altered) BSD-style system functionality to the KAME code where needed. Many of the relevant calls are adequately supported, or almost supported, natively by the Win32 interface. The design goal is to be able to "just drop in" the KAME source files so that there are no patches to maintain, making it trivial to track the development of KAME.
Development is being done in the mingw environment so that the gcc compiler may be used while the code is still linked natively into Windows.
Status
This project was begun in 2001. Work on the Win32 emulation layer is partially done: built code exists but is not expected to be fully functional. NDIS work has started.
Currently this project is not a top priority, but if you are interested please contact us.