
This document explains how to install the NIST Cerberus IPsec Reference
Implementation on a Slackware 7.0 or Redhat 6.2 system running a Linux
2.2.14 kernel.  The patches were made against a stock Linux 2.2.14 kernel;
additional testing is needed before they can be expected to install
correctly on any other version of the operating system or kernel.  Feel
free to contact ipsec-dev@antd.nist.gov for assistance with installing on
other versions.  If you don't already have a copy of the Linux 2.2.14 kernel
source, go to your favorite Linux mirror, get a copy and untar it.

After you untar the source code distribution file, the Cerberus software 
can be found in ./nist/cerberus-0.5.  The patch files are arranged in the 
same directory hierarchy as would be found in the typical Linux 2.2.x 
kernel source tree. 

install.pl is a Perl 5.x script that does most of the work of applying the
IPsec patches to the kernel.  A detailed description of what install.pl
does is included at the end of this document.  Refer to it if 1) you
decide to apply the patches manually, or 2) something goes wrong when
running the script and you need to make a few corrections by hand.  The
script does try to catch errors and lets the user back out any or all
changes.  However, an error can still leave the tree only partially
patched, in which case the remaining patches (or the restoration of the
backups) need manual intervention.

Once you are finished installing the patches and the net/ipsec directory
you need to configure the kernel to use IPsec.  Run your favorite version
of make config.  In the configuration make sure EXPERIMENTAL, NETLINK, and
NETLINK_DEV are selected; the sadb user interface uses 3 netlink sockets
to communicate with the kernel.  You then need to decide whether to build
the IPsec code as a run-time module (strongly recommended) or into the
base kernel.  Unlike previous versions, selecting IPsec automatically
includes all of the algorithms.  The IPsec code takes up approximately
172K, so it is highly recommended that you run it as a run-time module.
The Cerberus patches automatically change the default configuration
settings such that EXPERIMENTAL, NETLINK and NETLINK_DEV are set.  These
patches only work on the stock 2.2.14 kernel and the Redhat 6.2 2.2.14-5.0
kernel.  

Then build and install the kernel (see the kernel-HOWTO document for
details).  Reboot.  If you selected the module build, build, install, and
load the ipsec run-time module.  

After the kernel is built you can run make on the sadb.  Change to
the directory where you installed the original ipsec code.  The sadb
directory contains the sadb user interface code.  cd ./sadb and run make.
Once built you can place the executable, sadb, wherever appropriate.  Keep 
in mind that this utility programs the kernel's security association
database, and with it the security of the system's IPsec traffic, so it
should be protected accordingly: keep it owned by root and not readable,
writable or executable by other users.  The sadb utility must be run by
root (super-user).
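The two checks a practitioner wants after the steps above, as an added example
that is not part of the Cerberus distribution: confirm that the configured
kernel actually has the options the sadb netlink interface needs, and install
the sadb binary so that only its owner (root) can read or run it.  The
CONFIG_* symbol names are assumed from the option names given in the text as
they are spelled in a 2.2.x .config; the install location is an assumption too.

```shell
#!/bin/sh
# Added example (not NIST code).  Post-configuration sanity checks for the
# Cerberus IPsec kernel and a root-only install of the sadb utility.

# Symbols assumed from the option names in the text, as they appear in a
# 2.2.x .config file (CONFIG_<name>=y when selected).
REQUIRED_OPTS="CONFIG_EXPERIMENTAL CONFIG_NETLINK CONFIG_NETLINK_DEV"

# Usage: check_ipsec_config /usr/src/linux/.config
# Reports every required option that is not enabled; returns 1 if any is
# missing (a "# CONFIG_X is not set" line or no line at all both count).
check_ipsec_config() {
    cfg="$1"; missing=0
    [ -f "$cfg" ] || { echo "no .config at $cfg (run make config first)" >&2; return 1; }
    for opt in $REQUIRED_OPTS; do
        if ! grep -q "^$opt=y" "$cfg"; then
            echo "$opt is not enabled" >&2
            missing=1
        fi
    done
    return $missing
}

# Usage: install_sadb ./sadb/sadb /usr/local/sbin/sadb   (location assumed)
# Mode 0700: the owner alone can read and execute it.  When this is run as
# root the installed file is root-owned, which is what the text asks for.
install_sadb() {
    install -m 0700 "$1" "$2"
}

# Returns 0 only if the installed binary carries no group/other permission
# bits at all (first ten characters of the ls -l mode field).
sadb_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rwx------" ]
}

# Typical use, once the kernel is configured and sadb is built:
#   check_ipsec_config /usr/src/linux/.config && \
#       install_sadb ./sadb/sadb /usr/local/sbin/sadb && \
#       sadb_perms_ok /usr/local/sbin/sadb
```

check_ipsec_config is deliberately run before the kernel build rather than
after it, because a kernel built without NETLINK_DEV will boot fine and only
fail later, when sadb tries to open its netlink devices.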

To get the TCL/TK xsadb script working you need to edit the script
and set two path variables.  SADB_PATH should be set to the path
where the sadb user interface is installed 
(default: /usr/src/nist/cerberus-0.5/sadb).  SADB_TCL_PATH should
be set to the path of the ./nist/cerberus-0.5/sadb/sadb-tcl directory
(default: /usr/src/nist/cerberus-0.5/sadb/sadb-tcl).
The SADB_TCL_PATH directory contains bitmaps, utilities, and scripts 
which are necessary for xsadb to operate.


==========================================================

What the install.pl script does...

1.  Asks for the location of the kernel to be patched

2.  Checks the kernel version information.
    - the tree must be a 2.2.x kernel.
    - provides a warning if it is not 2.2.14.

3.  Backs up all files to be patched in a new file with a .pre-ipsec
    extension (e.g. ip.h ==> ip.h.pre-ipsec).

4.  Runs patch -s -f -u on each file / file.diff pair. 
    - In the event of a patch failure the user is asked whether
      all of the files are to be restored (using the backups from
      step 3) and the installation aborted.  If not, the user is
      asked whether the current file is to be restored, and then
      whether to continue with the installation.

5.  Installs the net/ipsec directory in the kernel directory hierarchy.
    - Runs cp -R ./net/ipsec <patched kernel location>/net

6.  Builds a Makefile with the location of the patched kernel
     containing the relevant header files.  

7.  Creates the /dev/ipsec, /dev/ike and /dev/ike2 netlink character
    devices (major 36 is the netlink major).
    - Runs mknod /dev/ipsec c 36 10
    - Runs mknod /dev/ike c 36 15
    - Runs mknod /dev/ike2 c 36 14
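The manual procedure the list above describes, written out as a shell script.
This is an added example and not the NIST install.pl script; it reproduces
steps 2 through 5 and 7 (step 6, generating the Makefile, depends on the
sadb build files and is left out).  It assumes the Cerberus tree holds a
<file>.diff beside each file to patch, laid out like the kernel tree (for
example include/linux/ip.h.diff), plus the net/ipsec directory, as the text
says.  The one behaviour it adds over the list is that a failed patch
restores every file touched so far and aborts, rather than asking.

```shell
#!/bin/sh
# Added example: manual equivalent of install.pl (not the NIST script).
# Usage: apply_cerberus_patches /usr/src/linux /usr/src/nist/cerberus-0.5

# Step 2: read VERSION/PATCHLEVEL/SUBLEVEL from the top-level kernel Makefile.
# Prints the version (e.g. 2.2.14); returns 1 unless it is a 2.2.x kernel.
kernel_version() {
    mk="$1/Makefile"
    [ -f "$mk" ] || return 1
    v=$(sed -n 's/^VERSION[[:space:]]*=[[:space:]]*//p' "$mk" | tr -d '[:space:]')
    p=$(sed -n 's/^PATCHLEVEL[[:space:]]*=[[:space:]]*//p' "$mk" | tr -d '[:space:]')
    s=$(sed -n 's/^SUBLEVEL[[:space:]]*=[[:space:]]*//p' "$mk" | tr -d '[:space:]')
    echo "$v.$p.$s"
    [ "$v.$p" = "2.2" ]
}

# Step 3: keep a pristine copy next to every file about to be patched.
backup_file() { cp -p "$1" "$1.pre-ipsec"; }

# Undo step 3 for one file; also drop the .rej/.orig files patch leaves behind.
restore_file() {
    mv -f "$1.pre-ipsec" "$1"
    rm -f "$1.rej" "$1.orig"
}

# Undo step 3 for the whole tree: the "restore all and abort" answer.
# Note that this also reverts files patched by an earlier, successful run.
restore_all() {
    for b in $(find "$1" -name '*.pre-ipsec'); do
        restore_file "${b%.pre-ipsec}"
    done
}

# Step 4: apply one file.diff to its file with the flags install.pl uses.
# On failure the file is put back from its backup and 1 is returned.
patch_one() {
    backup_file "$1" || return 1
    patch -s -f -u "$1" "$2" && return 0
    echo "patch failed for $1, restoring it" >&2
    restore_file "$1"
    return 1
}

# Steps 2 to 5.  Stops at the first failed patch, restores everything touched
# so far and returns 1, so the tree is never left silently half-patched.
apply_cerberus_patches() {
    ksrc="$1"; cerb="$2"
    ver=$(kernel_version "$ksrc") || { echo "$ksrc is not a 2.2.x kernel tree" >&2; return 1; }
    [ "$ver" = "2.2.14" ] || echo "warning: patches were made against 2.2.14, found $ver" >&2
    for d in $(cd "$cerb" && find . -name '*.diff'); do
        rel=${d#./}
        if ! patch_one "$ksrc/${rel%.diff}" "$cerb/$rel"; then
            restore_all "$ksrc"
            return 1
        fi
    done
    # Step 5: copy the new net/ipsec directory into the kernel tree.
    cp -R "$cerb/net/ipsec" "$ksrc/net"
}

# Step 7: the netlink character devices (major 36 is the netlink major).
# Needs root; each node is skipped if it already exists.
make_ipsec_devices() {
    [ -c /dev/ipsec ] || mknod /dev/ipsec c 36 10
    [ -c /dev/ike ]   || mknod /dev/ike   c 36 15
    [ -c /dev/ike2 ]  || mknod /dev/ike2  c 36 14
}
```

Run it as root from a clean 2.2.14 tree; a second run over an already
patched tree will fail on every hunk and restore the tree to the state of
its .pre-ipsec backups, so restore_all first if you need to re-apply.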

