tech-net: Re: Non-IPSec Processing Point for ipf

Subject: Re: Non-IPSec Processing Point for ipf
To: Curt Sampson <cjs@cynic.net>
From: None <itojun@iijlab.net>
List: tech-net
Date: 04/18/2003 18:17:31

>> >> >If I have two IPSec links, one to network A/24 and one to network B/24,
>> >> >I need to block all source=A/24 packets that come in via the tunnel from
>> >> >B, and all source=B/24 packets that come in via the tunnel from A, because
>> >> >those packets are forged.
>> >> 	why not filter at the other end of the tunnel (tunnel egress point)?
>>
>> 	s/egress/ingress/
>
>You mean at the interface on my router where the packets enter? Because
>at that point all I see are encrypted packets from the other end of the
>tunnel. I have no idea what inner packets are going to be extracted from
>the encapsulating packets and injected into my system.

	i meant "at the interface on their router where the packets enter".
	but as in your previous posting, you have no control over the
	other end.

itojun