Accelerated Updates IPsec Stack

Digi International Digi International
August 12, 2015
Accelerated is a long time contributor to the open source community. We have ongoing work in Linux kernel development and kernel patches, and extensive work in a wide range of applications especially in the security arena. The company is committed to its ongoing support of open source and we frequently conduct code reviews.

One such review was our integration of IPsec for which we have contributed many patches over the years to Openswan and Freeswan.  Over the second quarter of 2015 numerous additional IPsec solutions were investigated, trialled and compared.  The goal for the review was to determine the optimal IPsec solution to deploy on all Accelerated security based products.  At the completion of the assessment a new solution emerged and is ready to be rolled out in firmware updates from Q3/2015.

Accelerated compared four of the primary open source IPsec solutions based on the following criteria:

  • Security

    • The solution must support current best practice security settings

  • Interoperability

    • Modern standards support

  • Software Health

    • Actively maintained
    • Responsive to security issues
    • Moderated software changes

  • Portability / Deployment

    • Multiple architectures
    • Small footprint

The four IPsec solutions chosen for review were:  racoon/ipsec-tools, Openswan, Libreswan and strongSwan.

Racoon/IPsec-tools

Racoon/IPsec-tools is on the list due to its previous use in end-of-life Accelerated products.  It fails to meet all but one of the criteria listed above.  As part of its evaluation, Racoon2 was also considered, however it also came up short due to it not being a superset of racoon functionality.

  • Security

    • CVE-2015-4047 showed that even this stable well used IPsec solution is vulnerable to attack.  This exploit was investigated by Accelerated engineering at the time and, due to disabling the GSSAPI support, our legacy products were deemed not vulnerable. CVE-2015-4047 did however highlight a lack of leadership in the project and the general confusion as to who or what was responsible for dealing with the vulnerability and ensuring the updates were propagated appropriately.

  • Interoperability

    • Racoon is an IKEv1 solution.  It supports most IKEv1 use cases well enough.  It does not support IKEv2 (racoon2 is needed for that) and combinations of MODECFG and XAuth were not well supported.

  • Software Health

    • The racoon/IPsec-tools package is largely unmaintained without any clear leadership or oversight.  While CVE-2015-4047 provoked a flurry of activity to resolve the situation it is yet to be completely resolved to a suitable level.

  • Portability / Deployment

    • On this criteria racoon/IPsec-tools rates acceptable. Accelerated has utilised this software in the past and its portability and resource footprint make it acceptable on all our devices.

Openswan

Openswan is the IPsec solution currently deployed in current Accelerated products.  It is a well-known and relatively popular opensource IPsec solution that has seen heavy contributions from Accelerated Engineers over its lifetime.

  • Security

    • Openswan at its peak was very responsive to issues and considered one of the best choices for IPsec deployment.  Unfortunately it has seen a significant loss of developers and appears to be relatively inactive.  The code base is aging and there is little evidence that it is being seriously improved.  There is however activity within the project and it definitely rates better than racoon on this front.

  • Interoperability

    • Openswan is most certainly interoperable and there is a wealth of information available for connecting an Openswan based system to other equipment.  The IKEv2 has been a little bit slow to    mature but that has not been a significant deterrent to its use in active deployments.  Some of its MODECFG and XAUTH support could be improved but overall Openswan is considered suitably interoperable.

  • Software Health

    • Once the “top-dog” of opensource IPsec solutions, Openswans health has been declining since 2012 when a large number of active developers split from the project to start Libreswan. While still receiving updates the health of Openswan in general is not ideal and enough to raise questions about furthering its use.

  • Portability / Deployment

    • Openswan has proved, through use at Accelerated that it is portable and has resource requirements that do not prevent its deployment across all of Accelerated security products.

Libreswan

Libreswan was a strong contender meeting most of the requirements but came up short in portability and deployment.

  • Security

    • Libreswan inherits most of its redeeming features from its Openswan lineage.  It was a direct fork of the Openswan project and since the split has gone on to focus on fixing many of the issues plaguing Openswan.  Significant code reviews, active development and focus on improvement have seen it leave its Openswan roots well behind. Security issues are rapidly and appropriately dealt with.  There is little doubt that Libreswan should be considered secure.

  • Interoperability

    • Again its Openswan roots have ensured Libreswan is focused on interoperability.  Many of the improvements since its fork from Openswan have only helped to improve its interoperability, especially in the IKEv2 and configuration space.  Extensive work on automated testing has also moved to ensure that there is less chance of interoperability support rotting or regressing.

  • Software Health

    • A good number of active developers, clear goals, active mailing list and fast response to issues shows Libreswan to be in excellent health.

  • Portability / Deployment

    • Libreswan is very portable, however, the only chink in its armour came at the cost of universal deployment.  After its fork from Openswan, Libreswan looked to consolidate its code base and remove lesser used code paths.  This helped immensely in the simplification and maintenance of the source code while also improving its security. The focus on this improvement was the use of NSS (Network Security Services) package. Use of NSS resulted in two potential issues, a new significant security architecture to include on all devices (in addition to existing SSL requirements) and portability.  For Accelerated concepts these two issues meant that due to flash footprint restrictions, or lacking CPU architecture, not all devices could utilise Libreswan for IPsec use without significant investment. So while this caused an issue for Accelerated’s specific requirements, the use of NSS is a great improvement to the Libreswan project and is a selling point for most solution providers.

strongSwan

strongSwan ended up being our first choice for replacement of OpenSwan meeting all requirements.

  • Security

    • Like libreswan, strongSwan inherits much from the same heritage.  It forked from FreeS/WAN (an earlier version of Openswan) and as such, has diverged to a much greater extent.  strongSwan has always had a strong security focus and been at the forefront of standards support.  As of the 5.X versions, it has converged its IKEv1 and IKEv2 support and is now providing a truly consistent unified approach to IPsec management. With fast response to issues and active development, strongSwan is considered secure by all measures.

  • Interoperability

    • strongSwan is focused on interoperability and its plugin architecture make it possible to extend the functionality quickly and reliably to support even more options.

  • Software Health

    • With multiple active developers, active mailing lists, a clean source tree and unique plugin architecture, strongSwan is a very healthy project suitable for current and foreseeable future use.

  • Portability / Deployment

    • strongSwan is portable and easily used on any of the Accelerated security devices.  Its use of libraries already in use on Accelerated device reduced its resource footprint and allowed it to be a viable solution for even the most resource constrained devices.

Summary

Throughout this evaluation it became increasingly apparent that it was only a two horse race.  Libreswan was the early favourite but the universal deployment requirement and some of strongSwans dynamic deployment options finally tipped the scale in favour of strongSwan.

To be fair, the race is never over.  Accelerated Engineering is maintaining the support it developed for Libreswan as part of this evaluation in parallel to the strongSwan support as both a backup option and to provide the flexibility for rapid changes to suit customer requirements.

IPsec was under significant review throughout this process, however, all software in use at Accelerated Concepts is under constant review and updated to address vulnerabilities, improvements and standards compliance.  The majority of these fall into the category mundane and boring.  Reviewing IPsec from a fresh viewpoint, given the uncertain future of the existing solution, provided the opportunity to share something a little less mundane with a greater audience.

We look forward to continuing our open source journey and contributing back to the community.

Accelerated DevKit - Linux for the Internet of Things (IoT):

https://Accelerated.com/devkit