tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: running PFIL_HOOKS on decapsulated IPsec packets, too [was: Re: reverse processing order: NAT, IPsec ?]



>>>>> "Darren" == Darren Reed <darrenr%netbsd.org@localhost> writes:
    Darren> A long time ago, my idea for this was to have decapsulated
    Darren> IPsec packets appear (to pfil) to be on a different network
    Darren> interface to the encapsulated ones. Thus while your ESP

  It's really the only sane thing to do.
  it's what Linux *SWAN has always done.

    Darren> The above would be used for *both* tunnel mode and transport
    Darren> mode decapsulated packets.

  I think this might be something to thing carefully about.
  After a packet comes out of a transport mode SA, it does not really
have an IP header on it anymore.  I suggest that if you just want a
tcpdump interface for this, that:
  a) you use a new DLT value, which says, "layer-4".
  b) you permit attachment somehow to individual sockets.

also c.f:
  draft-ietf-btns-channel-binding and draft-ietf-btns-connection-latching.

-- 
]     Y'avait une poule de jammé dans l'muffler!!!!!!!!!        |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr%sandelman.ottawa.on.ca@localhost http://www.sandelman.ottawa.on.ca/ 
|device driver[
]    h("Just another Debian GNU/Linux using, kernel hacking,    ruby  guy");  [



Home | Main Index | Thread Index | Old Index