Subject: Re: Take #3 - final proposed patch for ipsec/bpf/ipfilter integration
To: Curt Sampson <>
From: Michael Richardson <>
List: tech-net
Date: 05/15/2003 16:50:57

>>>>> "Curt" == Curt Sampson <> writes:
    Curt> On Wed, 14 May 2003, YAMAMOTO Takashi wrote:

    >> tcpdump can decode ESP by itself and I think it should if needed.

    Curt> Using tcpdump's -E option is, in the large majority of cases,
    Curt> impractical. First, it can take only ASCII keys, restricting you to
  No, fixed. 0x for hex.
  The one in HEAD of also takes /file/name for a list of SAs
    Curt> using a small portion of the keyspace. Second, if you're using IKE it
    Curt> can be difficult or impossible to find out the key currently in
    Curt> use.

  Yes, a problem. And a feature.

    Curt> Also, using tcpdump before ipsec processing doesn't help if you
    Curt> want to see if the kernel is correctly decrypting the packets.

  Yes, this is why we need to have tcpdump after IPsec.

    Curt> Note, for example, that tcpdump is hardly the only program that uses
    Curt> BPF. What if I want to do a netflow analysis? Or use ntop?

  There is another program that has a problem: dhclient.
  If you encrypted your link (see, dhclient can't see the
replies to the lease renewal, because they are encrypted.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
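An added illustration of the point made in this exchange (this is example code written for this page, not code from the thread or from NetBSD): what a BPF consumer such as a netflow exporter, ntop, or dhclient can actually key on depending on whether the tap sits before or after IPsec input processing. The packets are constructed inline; the ESP "ciphertext" is placeholder bytes, not real encryption, because the only ESP fields visible without the key are the SPI and sequence number (RFC 2406), which is exactly what makes the pre-IPsec tap useless for flow analysis or for seeing a DHCP lease-renewal reply.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPV4_HDR = "!BBHHHBBH4s4s"   # IPv4 fixed header (RFC 791)
ESP_HDR = "!II"               # SPI, sequence number: the only clear-text ESP fields


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 packet; checksum left 0 since BPF taps do not verify it."""
    total = 20 + len(payload)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, total, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """Constructed UDP datagram (checksum 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi: int, seq: int, opaque: bytes) -> bytes:
    """ESP header followed by a stand-in for the encrypted payload (not real crypto)."""
    return struct.pack(ESP_HDR, spi, seq) + opaque


def parse_ipv4(pkt: bytes) -> dict:
    """Minimal IPv4 header parser with the length checks a tap consumer needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or total < ihl or len(pkt) < total:
        raise ValueError("bad IPv4 length fields")
    return {"proto": proto, "src": str(IPv4Address(src)),
            "dst": str(IPv4Address(dst)), "payload": pkt[ihl:total]}


def flow_key(pkt: bytes) -> tuple:
    """What a flow exporter (netflow, ntop) can key on for this packet.

    After IPsec input the inner UDP ports are visible; before it, only the
    outer addresses plus the ESP SPI and sequence number are.
    """
    ip = parse_ipv4(pkt)
    p = ip["payload"]
    if ip["proto"] == IPPROTO_UDP and len(p) >= 8:
        sport, dport = struct.unpack("!HH", p[:4])
        return ("udp", ip["src"], ip["dst"], sport, dport)
    if ip["proto"] == IPPROTO_ESP and len(p) >= 8:
        spi, seq = struct.unpack(ESP_HDR, p[:8])
        return ("esp", ip["src"], ip["dst"], spi, seq)
    return ("other", ip["src"], ip["dst"], ip["proto"])


def is_dhcp_reply(pkt: bytes) -> bool:
    """The match dhclient effectively needs on its BPF tap: UDP from 67 to 68."""
    key = flow_key(pkt)
    return key[0] == "udp" and key[3] == 67 and key[4] == 68


# Constructed sample: a DHCP reply as it exists after the kernel has decrypted it
# (addresses from the RFC 5737 documentation range; DHCP body is a 4-byte stub).
DHCP_REPLY = build_ipv4(IPPROTO_UDP, "192.0.2.1", "192.0.2.2",
                        build_udp(67, 68, b"\x02\x01\x06\x00"))

# Constructed sample: the same reply as seen on a tap placed before IPsec input.
# SPI 0x1234 and sequence number 7 are arbitrary; the 32 payload bytes stand in
# for ciphertext and carry no recoverable inner header.
ESP_WRAPPED = build_ipv4(IPPROTO_ESP, "192.0.2.1", "192.0.2.2",
                         build_esp(0x00001234, 7, bytes(range(32))))

if __name__ == "__main__":
    for name, pkt in (("after IPsec", DHCP_REPLY), ("before IPsec", ESP_WRAPPED)):
        print(f"{name:13s} flow key: {flow_key(pkt)}  dhcp reply: {is_dhcp_reply(pkt)}")
```

Run as a script it prints the two flow keys side by side: the post-IPsec tap yields a usable 5-tuple and matches dhclient's filter, the pre-IPsec tap yields only an (src, dst, SPI) triple and matches nothing, which is why a second BPF attach point after IPsec processing is needed rather than relying on tcpdump -E.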