[Openswan Users] Where for heaven's sake is FreeS/WAN heading?

Gernot W. Schmied gernot.schmied at chello.at
Sun Feb 22 11:44:17 CET 2004

Hello FreeS/WAN architects,

For quite some time I've had the strong impression that FreeS/WAN is 
heading in an architectural direction that is quite concerning, even 
annoying. Since I cannot judge what's going on behind the curtains, I 
judge based on symptoms and development. The recent Openswan code fork, 
"...started by a few of the developers who were growing frustrated with 
the politics surrounding the FreeS/WAN project", 
nicely fits the picture.
I got the strong impression that, instead of following the usual IETF 
process of standards evolution, FreeS/WAN doesn't care anymore (did you 
ever?) about compliance with the IPsec suite of standards and protocols 
but rather chose to ignore the existing standards and head down a 
questionable and hasty plug & play road. Contrasting that was the strong 
reluctance to integrate important features of SuperFreeS/WAN.
The first decision of consequence was founding the entire architecture 
on opportunistic encryption, which is regarded as "inviting trouble" in 
the security community (you didn't bother to quote Schneier that time). 
The second and even more disturbing move was the removal of AH, which 
clearly indicates that the FreeS/WAN architects simply do not care about 
breaking compatibility with other IPsec implementations. You refer to 
Bruce Schneier's paper for somehow justifying this *sorry for the harsh 
wording* stupid and shortsighted move. Yes, Schneier is a respected and 
accomplished expert but has also raised his voice in ways you certainly 
would not like. There is a reason for the existence of AH, and if you 
don't like it, go and convince the IETF to change it the way you propose; 
this is how a consensus is reached that is accepted and carried on by 
the networking community. You should ask yourself why FreeS/WAN never 
made it into the 2.4 Linux kernel and (thank God!) the Usagi IPv6/IPsec 
stack was chosen for 2.6. I suggest you take a serious look at KAME and 
Usagi to see how things are done there and can evolve in a less erratic 
and personally biased fashion. Hence, if you do not want to steer into 
complete insignificance regarding the evolution of Linux IPsec, you had 
better stop ignoring the concerns and opposition of those who are 
worried. Otherwise FreeS/WAN will be *just another* semi-proprietary 
kernel-space tunnel solution, arguably an excellent one though. Besides, 
it appears that FreeS/WAN strategists sacrifice everything for the sake 
of questionable plug & play improvements. May I remind you that people 
seldom have the choice not to have two different IPsec implementations 
on the two tunnel endpoints. You rarely have the luxury to talk 
FreeS/WAN<-->FreeS/WAN. What you achieve is that in a few months 
especially non-IPsec specialists will be unable to talk to Checkpoint, 
BSD or Cisco *at all*. I know, people's first reaction most likely will 
be "you don't like it, so don't use it, stop whining and go somewhere 
else". Certainly true, but it won't help your cause.

These are my 5c for what it's worth. I'll happily use Usagi and KAME in 
the future. Interoperability, standard compliance and a sound evolution 
roadmap are important.

Gernot Schmied
