Subject: Re: Take #3 - final proposed patch for ipsec/bpf/ipfilter integration
To: Curt Sampson <firstname.lastname@example.org>
From: Michael Richardson <email@example.com>
Date: 05/15/2003 16:50:57
>>>>> "Curt" == Curt Sampson <firstname.lastname@example.org> writes:
Curt> On Wed, 14 May 2003, YAMAMOTO Takashi wrote:
>> tcpdump can decode ESP by itself and i think it should if needed.
Curt> Using tcpdump's -E option is, in the large majority of cases,
Curt> impractical. First, it can take only ASCII keys, restricting you to
No, fixed. 0x for hex.
The one in HEAD of tcpdump.org also takes /file/name for a list of SAs.
Curt> using a small portion of the keyspace. Second, if you're using IKE it
Curt> can be difficult or impossible to find out the key currently in
Yes, a problem. And a feature.
Curt> Also, using tcpdump before ipsec processing doesn't help if you want to
Curt> see if the kernel is correctly decrypting the packets.
Yes, this is why we need to have tcpdump after IPsec.
Curt> Note, for example, that tcpdump is hardly the only program that uses
Curt> BPF. What if I want to do a netflow analysis? Or use ntop?
There is another program that has a problem: dhclient.
If you encrypted your link (see www.wavesec.org), dhclient can't see the
replies to the lease renewal, because they are encrypted.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] email@example.com http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
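The point made above about dhclient (and any other BPF consumer) not seeing encrypted lease replies can be shown with a small packet parser. The following is an added example, not code from this thread, from tcpdump or from the NetBSD patch under discussion: it builds a constructed DHCP reply once as cleartext UDP and once wrapped in ESP (RFC 4303 header layout: SPI, sequence number, opaque payload; no real cipher is used, the payload is just filler bytes standing in for ciphertext), then classifies each packet the way a tap placed before IPsec processing would. The IP addresses, SPI and port-matching helper are assumptions made for the example.

```python
"""Added example: what a BPF tap sees before IPsec processing.

Constructed sample packets; the ESP payload is filler, not ciphertext
produced by any real cipher.
"""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68


def _ip(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header, no options; checksum left zero (sample only)."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, 64,
                         proto, 0, _ip(src), _ip(dst))
    return header + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header with zero checksum followed by the datagram body."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi: int, seq: int, opaque_payload: bytes) -> bytes:
    """ESP: 32-bit SPI, 32-bit sequence number, then the encrypted part."""
    return struct.pack("!II", spi, seq) + opaque_payload


def classify(packet: bytes) -> dict:
    """Describe a packet using only what is visible before IPsec decryption.

    'dhcp_reply' is True/False for cleartext UDP and None for ESP, because
    the inner protocol and ports cannot be determined without the SA key.
    """
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    body = packet[ihl:]
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto}
    if proto == IPPROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", body[:8])
        info.update(sport=sport, dport=dport,
                    dhcp_reply=(sport == DHCP_SERVER_PORT
                                and dport == DHCP_CLIENT_PORT))
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        info.update(spi=spi, seq=seq, dhcp_reply=None)
    else:
        info["dhcp_reply"] = False
    return info


def would_match_udp_port(packet: bytes, port: int) -> bool:
    """Semantics of a BPF filter like 'udp port 68' applied at the tap.

    An ESP packet simply does not match: the UDP header is inside the
    encrypted payload, so the filter never reaches it.
    """
    info = classify(packet)
    return info["proto"] == IPPROTO_UDP and port in (info["sport"], info["dport"])


# Constructed sample: a DHCP lease-renewal reply from server to client.
DHCP_REPLY_BODY = b"\x02" + bytes(31)           # BOOTREPLY opcode + filler
INNER_UDP = build_udp(DHCP_SERVER_PORT, DHCP_CLIENT_PORT, DHCP_REPLY_BODY)

# 1) Unprotected link: the reply arrives as plain UDP.
CLEARTEXT_REPLY = build_ipv4(IPPROTO_UDP, "10.0.0.1", "10.0.0.77", INNER_UDP)

# 2) Encrypted link: the same reply travels inside ESP. The payload here is
#    filler bytes standing in for ciphertext; the tap never interprets it.
OPAQUE_PAYLOAD = bytes(range(len(INNER_UDP)))
ESP_REPLY = build_ipv4(IPPROTO_ESP, "10.0.0.1", "10.0.0.77",
                       build_esp(0x1234, 1, OPAQUE_PAYLOAD))

if __name__ == "__main__":
    for name, pkt in (("cleartext", CLEARTEXT_REPLY), ("esp", ESP_REPLY)):
        print(name, classify(pkt), "matches 'udp port 68':",
              would_match_udp_port(pkt, DHCP_CLIENT_PORT))
```

The cleartext reply classifies as a DHCP reply and matches a port filter; the ESP-wrapped copy exposes only the SPI and sequence number, which is exactly why a tap placed after IPsec processing (or a decoder holding the SA, as with tcpdump's -E) is needed to see the lease renewal.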