Export code for Netfilter/iptables

Export code for Netfilter/iptables

[Lotte Mygind (AH/LMD)]

Hello,

We are going to use Netfilter/iptables in a product. In order to obtain an export code, I need to document whether these components implement any kind of encryption - so my questions are:

* Is there any kind of encryption algorithms in Netfilter or Iptables?
* If so, what are the key lenghts used? 
* If so, which are the algorithms?

We are using Iptables 1.3.1 and Netfilter from patch-o-matic-ng 20050626

I am well aware of the encryption in the Linux kernel - but even though this imposes export restrictions we have to document the encryption in Netfilter/Iptables.

Anyway, if anyone can help me here, I will (as a small contribution) write an entry for the FAQ on the issue :-)

Thanks,
Lotte

Re: Export code for Netfilter/iptables

[curby .]

On 8/8/05, Lotte Mygind (AH/LMD) <lotte.mygind@ericsson.com> wrote:
> We are going to use Netfilter/iptables in a product. In order to obtain an export code, I need to document whether these components implement any kind of encryption - so my questions are:

I hope that as part of the process of considering ANY third party code
in your products, a code review would be done to explore security
risks as well as possible gotchas with respect to licensing and
government regulations.  Such a review would certainly reveal if
cryptography was employed.  If someone on this list said that there
was or was not crypto code in netfilter, your company would not be
wise to trust them without independent verification anyway.

http://netfilter.org/licensing.html is unrelated but probably important as well.

RE: Export code for Netfilter/iptables

[Lotte Mygind (AH/LMD)]

Of course we review the licensing, bugs, IPR issues etc - but if we cannot get a little help from the project/documentation, it does become a tremendous task to make thorough reviews for all open source components.

My offer to add an entry to the FAQ had two purposes:
1) Offer a bit of help to the project (I will not be the last person to ask that question)
2) If I could get such a text into the FAQ that would mean that I would feel more confident that the text was truthful and just a random answer from some random person on this list...

/Lotte

-----Original Message-----
From: curby . [mailto:curby.public@gmail.com]
Sent: 8. august 2005 21:02
To: Lotte Mygind (AH/LMD)
Cc: netfilter@lists.netfilter.org
Subject: Re: Export code for Netfilter/iptables


On 8/8/05, Lotte Mygind (AH/LMD) <lotte.mygind@ericsson.com> wrote:
> We are going to use Netfilter/iptables in a product. In order to obtain an export code, I need to document whether these components implement any kind of encryption - so my questions are:

I hope that as part of the process of considering ANY third party code
in your products, a code review would be done to explore security
risks as well as possible gotchas with respect to licensing and
government regulations.  Such a review would certainly reveal if
cryptography was employed.  If someone on this list said that there
was or was not crypto code in netfilter, your company would not be
wise to trust them without independent verification anyway.

http://netfilter.org/licensing.html is unrelated but probably important as well.

Re: Export code for Netfilter/iptables

[Jan Engelhardt]

>> We are going to use Netfilter/iptables in a product. In order to obtain an export code, I need to document whether these components implement any kind of encryption - so my questions are:
>
>I hope that as part of the process of considering ANY third party code
>in your products, a code review would be done to explore security[...]

And to answer the question: If there was cryptography, then netfilter would 
use the Linux CryptoAPI so we do not have two crypto engines all over the 
place in the kernel.

POMng also has a XOR target - dunno if you can consider this encryption in 
the sense of the US laws.



Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/