Subject: Re: Non-IPSec Processing Point for ipf
To: None <tech-net@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 04/17/2003 11:33:18


I suggest two things:

1) If you have IPsec, it doesn't matter what interface things arrive on.
   So, you can name the new "pseudo" interface something like "ipsec".

2) you really want a persistent value to designate the SA that you can
   put into the SPD, and use in the IPF. This is more work, clearly.

(In any case, "noipsec" confuses me. I think you meant
"after-ipsec-processing"?) 

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

