Subject: Re: Non-IPSec Processing Point for ipf
To: None <itojun@iijlab.net>
From: Curt Sampson <cjs@cynic.net>
List: tech-net
Date: 04/17/2003 18:09:05
On Thu, 17 Apr 2003 itojun@iijlab.net wrote:
> additional interface breaks IPv6 scoping. please don't do that.
If these are only "taps" to which you cannot assign an address and you
can't send a packet, does it still break scoping?
But there are other issues that come up as I start to look at the input
code. It looks to me as if you can do multiple levels of encapsulation,
so if a user specifies "esp/tunnel/X-Y/require ah/tunnel/X-Y/require" as
his SPD, we're going to get a packet that looks like:
+-----+----+-----+-----+-----+---------+
| IP1 | AH | IP2 | ESP | IP3 | payload |
+-----+----+-----+-----+-----+---------+
In this case, most people are going to want to see IP1 at the "real"
interface and IP3 at the "decrypted" interface. So I guess once you strip
off an IPSec header, you don't pass it on to the packet filter if there's
another IPSec header afterwards with tunnel mode turned on.
cjs
--
Curt Sampson <cjs@cynic.net> +81 90 7737 2974 http://www.netbsd.org
Don't you know, in this new Dark Age, we're all light. --XTC
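Added illustration, not part of the message above or of the NetBSD IPsec code: the C program below constructs the IP1 | AH | IP2 | ESP | IP3 | payload packet drawn in the message (IPv4 throughout, addresses and SPI made up) and walks the IPsec headers the way the proposed rule says, handing an IP header to the packet filter only when it is the outermost one or when no further tunnel-mode IPsec header follows it. To stay self-contained it skips the cryptography: the AH and ESP ICVs are assumed to be 12 bytes and left zero, the ESP payload is left unencrypted so the trailer's next-header byte can be read directly, and IP checksums are not computed or verified. The header-field offsets (AH payload length in 32-bit words minus 2, ESP trailer of pad length and next header before the ICV) follow RFC 2402/2406.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_IPIP 4
#define IPPROTO_UDP  17
#define IPPROTO_ESP  50
#define IPPROTO_AH   51
#define ESP_ICV_LEN  12   /* assumed: 96-bit truncated HMAC, no real MAC computed */

typedef struct {
    size_t off[8];        /* offsets of the IP headers handed to the packet filter */
    int n;
} filter_log;

static int is_ipsec(uint8_t proto) { return proto == IPPROTO_AH || proto == IPPROTO_ESP; }
static size_t ip_hlen(const uint8_t *ip) { return (size_t)(ip[0] & 0x0f) * 4; }
static size_t ip_tlen(const uint8_t *ip) { return ((size_t)ip[2] << 8) | ip[3]; }

/* Next-header value carried by the AH/ESP header that follows the IP header at
 * ip, or -1 if that IP header carries no IPsec header. For ESP this peeks at
 * the trailer, which only works here because the example is unencrypted. */
static int ipsec_next_header(const uint8_t *ip) {
    const uint8_t *h = ip + ip_hlen(ip);
    const uint8_t *end = ip + ip_tlen(ip);
    switch (ip[9]) {
    case IPPROTO_AH:  return h[0];
    case IPPROTO_ESP: return end[-ESP_ICV_LEN - 1];
    default:          return -1;
    }
}

/* Strip the AH or ESP header from the packet at ip. Returns the inner IP
 * packet for tunnel mode, NULL for transport mode (no new IP header appears). */
static const uint8_t *strip_ipsec(const uint8_t *ip) {
    const uint8_t *h = ip + ip_hlen(ip);
    if (ipsec_next_header(ip) != IPPROTO_IPIP) return NULL;
    if (ip[9] == IPPROTO_AH) return h + ((size_t)h[1] + 2) * 4;  /* AH length field */
    return h + 8;                                                /* ESP: SPI + seq */
}

/* The proposed rule: the outermost header is always shown to the filter (the
 * "real" interface); after each strip, the exposed header is skipped when yet
 * another tunnel-mode IPsec header follows it. Returns the number of headers
 * shown, or -1 if the packet does not fit its own length fields. */
int ipsec_input(const uint8_t *pkt, size_t len, filter_log *log) {
    const uint8_t *ip = pkt;
    log->n = 0;
    if (len < 20 || ip_tlen(ip) > len) return -1;
    log->off[log->n++] = 0;
    while (is_ipsec(ip[9])) {
        const uint8_t *inner = strip_ipsec(ip);
        if (inner == NULL) break;   /* transport mode: the filter already saw this header */
        if (inner + 20 > pkt + len || ip_tlen(inner) > (size_t)(pkt + len - inner)) return -1;
        ip = inner;
        if (ipsec_next_header(ip) == IPPROTO_IPIP) continue;   /* another tunnel: not shown */
        if (log->n < 8) log->off[log->n++] = (size_t)(ip - pkt);
    }
    return log->n;
}

static void put_ip(uint8_t *p, uint16_t tlen, uint8_t proto) {
    memset(p, 0, 20);
    p[0] = 0x45; p[2] = (uint8_t)(tlen >> 8); p[3] = (uint8_t)tlen; p[8] = 64; p[9] = proto;
    p[12] = 10; p[15] = 1; p[16] = 10; p[19] = 2;   /* constructed 10.0.0.1 -> 10.0.0.2 */
}

/* Constructed IP1 | AH | IP2 | ESP | IP3 | payload packet, 114 bytes, no crypto. */
size_t build_nested_packet(uint8_t *buf) {
    static const uint8_t payload[8] = "ping";
    uint8_t *ip1 = buf, *ah = ip1 + 20, *ip2 = ah + 24, *esp = ip2 + 20, *ip3 = esp + 8;
    put_ip(ip1, 114, IPPROTO_AH);
    memset(ah, 0, 24); ah[0] = IPPROTO_IPIP; ah[1] = 24 / 4 - 2;   /* 24-byte AH, zero ICV */
    put_ip(ip2, 70, IPPROTO_ESP);
    memset(esp, 0, 8); esp[3] = 2;                                  /* SPI 2, seq 0 */
    put_ip(ip3, 28, IPPROTO_UDP);
    memcpy(ip3 + 20, payload, 8);
    ip3[28] = 0;              /* ESP trailer: pad length */
    ip3[29] = IPPROTO_IPIP;   /* ESP trailer: next header (tunnel mode) */
    memset(ip3 + 30, 0, ESP_ICV_LEN);
    return 114;
}

/* Runs the whole example; returns the offset of the i-th header shown to the
 * filter, -1 past the end, -2 on a parse error. */
long example_filter_offset(int i) {
    uint8_t buf[256]; filter_log log;
    int cnt = ipsec_input(buf, build_nested_packet(buf), &log);
    if (cnt < 0) return -2;
    return i < cnt ? (long)log.off[i] : -1;
}

int main(void) {
    for (int i = 0; example_filter_offset(i) >= 0; i++)
        printf("filter sees IP header at offset %ld\n", example_filter_offset(i));
    return 0;
}
```

Running it shows the filter being handed IP1 (offset 0) and IP3 (offset 72) but not IP2 at offset 44, which is exactly the behaviour the message asks for. Changing the ESP trailer's next header to IPPROTO_UDP turns the inner SA into transport mode, and then IP2 is shown instead, since no tunnel follows it.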