FRR crypto in Fedora and RHEL
Hi all,
now that FRR is making its way to Fedora, perhaps it will eventually make its way to RHEL-8 as well. In both Fedora and RHEL, we are trying to make sure that every package that uses cryptographic algorithms and protocols uses these correctly. Crypto algorithms are not easy to implement and we are trying to encourage developers to use system libraries that have been certified as secure and well implemented. With every crypto algorithm that is implemented from scratch, it brings a potential security risk to the system.
In FRR, md5 and sha256 are used as authentication methods for various routing daemons. These are implemented from scratch. This creates an issue for us and it could eventually result in FRR not getting in RHEL-8 at all. I would like to ask you, whether you would be willing to use system libraries to implement these algorithms. I will do all the work and provide patches and pull requests, of course. I believe that getting FRR into RHEL-8 is worth it.
Regards,
Michal Ruprich
Removing code and depending on system libraries are fine from my perspective as long as the new library dependencies are for commonly available libraries available across all the systems we care about. This includes the *bsd's. My assumption is that this is probably true, correct?
If you are willing to do the work, please feel free to reach out to me if you have any specific questions. We've tried to document our workflow as best as possible in doc/developer/workflow.rst.
donald
On Tue, Jun 25, 2019 at 11:00 AM Michal Ruprich <michalruprich@gmail.com> wrote:
> Hi all,
> now that FRR is making its way to Fedora, perhaps it will eventually make its way to RHEL-8 as well. In both Fedora and RHEL, we are trying to make sure that every package that uses cryptographic algorithms and protocols uses these correctly. Crypto algorithms are not easy to implement and we are trying to encourage developers to use system libraries that have been certified as secure and well implemented. With every crypto algorithm that is implemented from scratch, it brings a potential security risk to the system.
> In FRR, md5 and sha256 are used as authentication methods for various routing daemons. These are implemented from scratch. This creates an issue for us and it could eventually result in FRR not getting in RHEL-8 at all. I would like to ask you, whether you would be willing to use system libraries to implement these algorithms. I will do all the work and provide patches and pull requests, of course. I believe that getting FRR into RHEL-8 is worth it.
> Regards,
> Michal Ruprich
_______________________________________________ dev mailing list dev@lists.frrouting.org https://lists.frrouting.org/listinfo/dev
Hi Donald,
On 6/25/19 10:03 PM, Donald Sharp wrote:
> Removing code and depending on system libraries are fine from my perspective as long as the new library dependencies are for commonly available libraries available across all the systems we care about. This includes the *bsd's. My assumption is that this is probably true, correct?
Of course, I am planning to use openssl or gnutls. Ideally I would like to make the build optional so that other distributions may choose if they prefer something else. Is there a specific list of systems that you care about? I would like to make sure that they all support these libraries.
Thanks.
Michal
Linux, FreeBSD, OpenBSD and NetBSD. Solaris(Omnios) is `at your own risk` and OSX is `assembly required with an advanced toolset and a blowtorch`
thanks!
donald
On Mon, Jul 1, 2019 at 2:42 AM Michal Ruprich <michalruprich@gmail.com> wrote:
> Hi Donald,
> On 6/25/19 10:03 PM, Donald Sharp wrote:
> > Removing code and depending on system libraries are fine from my perspective as long as the new library dependencies are for commonly available libraries available across all the systems we care about. This includes the *bsd's. My assumption is that this is probably true, correct?
> Of course, I am planning to use openssl or gnutls. Ideally I would like to make the build optional so that other distributions may choose if they prefer something else. Is there a specific list of systems that you care about? I would like to make sure that they all support these libraries.
> Thanks.
> Michal
participants (2): Donald Sharp, Michal Ruprich