tech-net archive


PFIL for IPsec tunneled packets (was: reverse processing order: NAT, IPsec?)



> After seeing the ultimately simple fix Hubert posted to re-enable PFIL
> hooks for IPsec de-encapsulated packets I had a deja vu moment and I
> think I can say this silliness has caused problems in other contexts as
> well.
Applying this "fix" would break my installation. At least as long as those
packets are indistinguishable from non-IPsec traffic arriving on the same
interface.

Currently, packets arriving on the gateway's external interface but appearing
to come from an internal network are dropped by anti-spoofing filter rules. ESP
traffic passes, and the de-encapsulated packets are never seen again by the
packet filter. If they were, they should be somehow marked as being
de-encapsulated---otherwise they would be dropped by the anti-spoof rules.
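An added illustration of the conflict described in the message above; it is not code from the mail, from NetBSD or from any packet filter. It is a small first-match packet-filter model in Python: anti-spoof rules drop anything on the external interface that claims an internal source, ESP from the peer is allowed, and the IPsec input path is modelled as re-injecting the inner packet on the same interface. The interface names, the documentation-range addresses and the `decapsulated` mark are all constructed for the example; the mark in particular is the hypothetical "somehow marked" the message asks for, not a mechanism the page says exists.

```python
# Added example (not from the mail or NetBSD): model of anti-spoof rules vs.
# re-filtered IPsec inner packets. Interfaces, addresses and the
# "decapsulated" mark are constructed/hypothetical for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the filter sees the packet on
    src: str
    dst: str
    proto: str                  # "esp", "tcp", "udp", ...
    decapsulated: bool = False  # hypothetical mark set by the IPsec input path


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None            # host address or CIDR
    dst: Optional[str] = None
    decapsulated: Optional[bool] = None  # None = don't care

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.decapsulated is not None and self.decapsulated != pkt.decapsulated:
            return False
        return True


def verdict(rules, pkt: Packet) -> str:
    """First matching rule wins; default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


EXT_IF, INT_IF = "ext0", "int0"          # constructed interface names
GW_EXT = "203.0.113.1"                   # gateway's external address
PEER = "203.0.113.5"                     # remote IPsec gateway
LOCAL_LAN = "192.0.2.0/24"
REMOTE_LAN = "198.51.100.0/24"           # reached through the tunnel, counts as internal

# Anti-spoof: nothing claiming an internal source may arrive on ext0.
ANTISPOOF = [
    Rule("block", iface=EXT_IF, src=LOCAL_LAN),
    Rule("block", iface=EXT_IF, src=REMOTE_LAN),
]

# The ruleset as described: anti-spoof first, then ESP (and IKE) from the peer.
RULESET_CURRENT = ANTISPOOF + [
    Rule("pass", iface=EXT_IF, proto="esp", src=PEER, dst=GW_EXT),
    Rule("pass", iface=EXT_IF, proto="udp", src=PEER, dst=GW_EXT),  # IKE, simplified
    Rule("pass", iface=INT_IF),
]

# Same policy, plus one rule that admits marked inner packets before anti-spoof runs.
RULESET_MARKED = [
    Rule("pass", iface=EXT_IF, decapsulated=True, src=REMOTE_LAN, dst=LOCAL_LAN)
] + RULESET_CURRENT


def decapsulate(esp: Packet, inner_src: str, inner_dst: str, proto: str, mark: bool) -> Packet:
    """Model the IPsec input path handing the inner packet back on the same interface."""
    return Packet(iface=esp.iface, src=inner_src, dst=inner_dst, proto=proto, decapsulated=mark)


def run_scenarios() -> dict:
    esp = Packet(EXT_IF, PEER, GW_EXT, "esp")
    results = {"esp": verdict(RULESET_CURRENT, esp)}
    unmarked = decapsulate(esp, "198.51.100.10", "192.0.2.20", "tcp", mark=False)
    marked = decapsulate(esp, "198.51.100.10", "192.0.2.20", "tcp", mark=True)
    # PFIL hooks re-enabled, no mark: the inner packet looks spoofed and is dropped.
    results["inner_unmarked"] = verdict(RULESET_CURRENT, unmarked)
    # A rule keyed on the mark does not help a packet that carries no mark.
    results["inner_unmarked_marked_ruleset"] = verdict(RULESET_MARKED, unmarked)
    # Marked inner packet plus a rule that keys on the mark: passes.
    results["inner_marked"] = verdict(RULESET_MARKED, marked)
    # A genuinely spoofed cleartext packet on ext0 is still dropped.
    spoof = Packet(EXT_IF, "198.51.100.10", "192.0.2.20", "tcp")
    results["spoof"] = verdict(RULESET_MARKED, spoof)
    return results


if __name__ == "__main__":
    for name, action in run_scenarios().items():
        print(f"{name:32} {action}")
```

The two rulesets differ only in the one rule that consults the mark, which is the point of the message: without something that distinguishes a de-encapsulated packet from cleartext arriving on the same interface, re-filtering it is indistinguishable from a spoof and the anti-spoof rule has to drop it.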


