Subject: Re: Non-IPSec Processing Point for ipf
To: None <tech-net@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 04/18/2003 11:35:45
-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Curt" == Curt Sampson <cjs@cynic.net> writes:
    >> 1) if you have IPsec, it doesn't matter what interface things arrive on.
    >> So, you can name the new "pseudo" interface, something like "ipsec"

    Curt> It certainly does matter what interface things arrive on!

  Nope. If it (the ESP packet) arrives, decrypts and authenticates properly,
you can be pretty sure that it came from the real sender. It doesn't matter
how it got to you. The ESP packet is the one with IPsec on it. The inner
packet does not have IPsec.

    Curt> If I have two IPSec links, one to network A/24 and one to network
    Curt> B/24, I need to block all source=A/24 packets that come in via the
    Curt> tunnel from B, and all source=B/24 packets that come in via the tunnel
    Curt> from A, because those packets are forged.

  Yes, that's true.
  But, that's not what I said.

  I said that it doesn't matter which interface the *ESP* packet comes in on.

    >> (In any case, "noipsec" confuses me. I think you meant
    >> "after-ipsec-processing"?)

    Curt> But "after-ipsec-processing" is *with* ipsec on the outbound
    Curt> direction of an interface.

  True. 
  So, the term is wrong.

  We need a term that says "above" ipsec.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPqAbTYqHRg3pndX9AQE0HwQAv8KxDvqvOTogFoGzvKIKendOf2H28Gwd
ANTFjJ+qkXvxTm6sXfTkY04rtAOdNhR2cGabwQhil7+tVmcfQ0E3oPXexQhxHOgZ
zCpsyM6njUgY4avyi5Nb57cHPIf0mi181MIavShVQm6MXNDnaLdeFu4FKxw7jVu2
Gkd1a2j8o5Q=
=jNmQ
-----END PGP SIGNATURE-----
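The two points above (the interface the ESP packet arrives on does not matter once it decrypts and authenticates; the SA the inner packet came through does matter, so source=A/24 arriving via the tunnel from B must be blocked) can be worked through as an "above IPsec" anti-spoofing check. This is an added illustration, not code from the thread, from ipf or from NetBSD; the peer addresses, the 10.1.0.0/24 and 10.2.0.0/24 prefixes, the interface names and the function names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy (assumption): an IPsec gateway with two tunnels. Each SA is
# keyed by its remote peer and may only deliver inner packets sourced from the
# network that sits behind that peer.
TUNNEL_POLICY = {
    "192.0.2.1": ipaddress.ip_network("10.1.0.0/24"),  # tunnel to "network A/24"
    "192.0.2.2": ipaddress.ip_network("10.2.0.0/24"),  # tunnel to "network B/24"
}


@dataclass(frozen=True)
class DecapsulatedPacket:
    """An inner packet, seen only after ESP decryption and authentication succeeded."""
    tunnel_peer: str    # remote endpoint of the SA that carried the ESP packet
    outer_ifname: str   # interface the ESP packet arrived on; deliberately not consulted
    inner_src: str
    inner_dst: str


def check_inner_source(pkt: DecapsulatedPacket) -> str:
    """Anti-spoofing check at the point above IPsec.

    Returns "pass" when the inner source address belongs to the network behind
    the tunnel the packet arrived through, and "block" otherwise (including
    packets from an SA we have no policy for). The outer interface is ignored:
    a successfully authenticated ESP packet tells us who sent it regardless of
    how it reached us.
    """
    allowed = TUNNEL_POLICY.get(pkt.tunnel_peer)
    if allowed is None:
        return "block"
    return "pass" if ipaddress.ip_address(pkt.inner_src) in allowed else "block"


# Constructed sample traffic (assumption), one verdict per packet.
SAMPLE_PACKETS = [
    DecapsulatedPacket("192.0.2.1", "wm0", "10.1.0.5", "10.0.0.1"),  # A-host via tunnel A: pass
    DecapsulatedPacket("192.0.2.1", "wm1", "10.1.0.5", "10.0.0.1"),  # same, other outer ifname: pass
    DecapsulatedPacket("192.0.2.2", "wm0", "10.1.0.5", "10.0.0.1"),  # A-source via tunnel B: forged
    DecapsulatedPacket("192.0.2.1", "wm0", "10.2.0.9", "10.0.0.1"),  # B-source via tunnel A: forged
]


def run_sample() -> list:
    """Apply the check to the sample traffic; returns the list of verdicts."""
    return [check_inner_source(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{pkt.outer_ifname} peer={pkt.tunnel_peer} src={pkt.inner_src}: {verdict}")
```

The second and first sample packets differ only in the outer interface and get the same verdict, which is the "it doesn't matter which interface the *ESP* packet comes in on" point; the third and fourth are exactly the cross-tunnel forgeries Curt wants blocked, and the check catches them by keying on the SA rather than on the interface.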