Subject: Re: Non-IPSec Processing Point for ipf
To: Curt Sampson <cjs@cynic.net>
From: None <itojun@iijlab.net>
List: tech-net
Date: 04/18/2003 17:45:16
>> 1) if you have IPsec, it doesn't matter what interface things arrive on.
>>    So, you can name the new "pseudo" interface, something like "ipsec"
>
>It certainly does matter what interface things arrive on!
>
>If I have two IPSec links, one to network A/24 and one to network B/24,
>I need to block all source=A/24 packets that come in via the tunnel from
>B, and all source=B/24 packets that come in via the tunnel from A, because
>those packets are forged.

	why not filter at the other end of the tunnel (the tunnel egress point)?
	is it not under your control, or do you have tunnels with non-
	trustworthy peers?

itojun
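The disagreement above is about whether the filter needs to know *which* tunnel a decapsulated packet came out of. The following is an added example, not code from the original thread nor from ipf or NetBSD; it models Curt's two-tunnel case in plain Python. Network A/24 and B/24 are given the documentation prefixes 192.0.2.0/24 and 198.51.100.0/24, the tunnel peer addresses 203.0.113.1 and 203.0.113.2 are invented, and the Packet record is a stand-in for what a packet filter would see after IPsec decapsulation. The first filter is keyed on the decapsulating tunnel and drops cross-tunnel forgeries; the second only knows that a packet "arrived via IPsec" (a single pseudo-interface) and lets them through, which is the objection raised in the quoted reply.

```python
"""Per-tunnel anti-spoofing for decapsulated IPsec traffic (added example).

Two tunnels: one to network A/24, one to network B/24.  A packet that comes
out of the tunnel to B carrying an inner source in A/24 (or vice versa) is
forged and must be dropped.  Doing that requires the filter to know which
tunnel the packet was decapsulated from, not merely that it came via IPsec.

All addresses and prefixes below are assumed values for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NET_A = ipaddress.ip_network("192.0.2.0/24")      # constructed: "network A/24"
NET_B = ipaddress.ip_network("198.51.100.0/24")   # constructed: "network B/24"

# Inner source prefixes that are legitimate for traffic decapsulated from each
# tunnel, keyed by the tunnel's outer peer address (assumed values).
TUNNEL_POLICY = {
    "203.0.113.1": [NET_A],   # tunnel to A
    "203.0.113.2": [NET_B],   # tunnel to B
}


@dataclass(frozen=True)
class Packet:
    tunnel_peer: Optional[str]  # outer peer it was decapsulated from; None = cleartext
    src: str                    # inner source address
    dst: str                    # inner destination address


def verdict_per_tunnel(pkt: Packet) -> str:
    """Filter that sees the decapsulating tunnel: ingress-filter by tunnel."""
    if pkt.tunnel_peer is None:
        return "pass"            # not IPsec traffic; other rules apply
    allowed = TUNNEL_POLICY.get(pkt.tunnel_peer)
    if allowed is None:
        return "block"           # traffic from a peer we have no policy for
    src = ipaddress.ip_address(pkt.src)
    return "pass" if any(src in net for net in allowed) else "block"


def verdict_single_pseudo_if(pkt: Packet) -> str:
    """Filter that only sees one "ipsec" pseudo-interface.

    It can check that the inner source belongs to *some* tunnel's network, but
    not which tunnel delivered it, so a cross-tunnel forgery is accepted.
    """
    if pkt.tunnel_peer is None:
        return "pass"
    src = ipaddress.ip_address(pkt.src)
    all_nets = [n for nets in TUNNEL_POLICY.values() for n in nets]
    return "pass" if any(src in n for n in all_nets) else "block"


def sample_packets() -> List[Packet]:
    """Constructed inner packets as they would look after decapsulation."""
    return [
        Packet("203.0.113.1", "192.0.2.10", "10.0.0.1"),    # legitimate, via tunnel A
        Packet("203.0.113.2", "198.51.100.7", "10.0.0.1"),  # legitimate, via tunnel B
        Packet("203.0.113.2", "192.0.2.10", "10.0.0.1"),    # forged: A's address via tunnel B
        Packet("203.0.113.1", "198.51.100.7", "10.0.0.1"),  # forged: B's address via tunnel A
        Packet("203.0.113.1", "8.8.8.8", "10.0.0.1"),       # source in neither network
    ]


def run_demo() -> List[Tuple[str, str]]:
    """Return (per-tunnel verdict, single-pseudo-interface verdict) per packet."""
    return [(verdict_per_tunnel(p), verdict_single_pseudo_if(p))
            for p in sample_packets()]


if __name__ == "__main__":
    for pkt, (per_tunnel, pseudo_if) in zip(sample_packets(), run_demo()):
        print(f"peer={pkt.tunnel_peer} src={pkt.src:<14} "
              f"per-tunnel={per_tunnel:<5} single-if={pseudo_if}")
```

The two forged packets are the ones that distinguish the designs: the per-tunnel filter blocks them, the single pseudo-interface filter passes them. This is also the case itojun's suggestion addresses: if the far end of each tunnel is under your control it can refuse to emit those sources before encapsulation, but if a peer is not trusted, the check has to be done on your side, and it has to be tied to the tunnel the packet came out of.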