tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: running PFIL_HOOKS on decapsulated IPsec packets, too [was: Re: reverse processing order: NAT, IPsec ?]
>>>>> "Darren" == Darren Reed <darrenr%netbsd.org@localhost> writes:
Darren> A long time ago, my idea for this was to have decapsulated
Darren> IPsec packets appear (to pfil) to be on a different network
Darren> interface to the encapsulated ones. Thus while your ESP
It's really the only sane thing to do.
it's what Linux *SWAN has always done.
Darren> The above would be used for *both* tunnel mode and transport
Darren> mode decapsulated packets.
I think this might be something to thing carefully about.
After a packet comes out of a transport mode SA, it does not really
have an IP header on it anymore. I suggest that if you just want a
tcpdump interface for this, that:
a) you use a new DLT value, which says, "layer-4".
b) you permit attachment somehow to individual sockets.
also c.f:
draft-ietf-btns-channel-binding and draft-ietf-btns-connection-latching.
--
] Y'avait une poule de jammé dans l'muffler!!!!!!!!! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr%sandelman.ottawa.on.ca@localhost http://www.sandelman.ottawa.on.ca/
|device driver[
] h("Just another Debian GNU/Linux using, kernel hacking, ruby guy"); [
- References:
- reverse processing order: NAT, IPsec ?
- Re: reverse processing order: NAT, IPsec ?
- Re: reverse processing order: NAT, IPsec ?
- Re: reverse processing order: NAT, IPsec ?
- running PFIL_HOOKS on decapsulated IPsec packets, too [was: Re: reverse processing order: NAT, IPsec ?]
- Re: running PFIL_HOOKS on decapsulated IPsec packets, too [was: Re: reverse processing order: NAT, IPsec ?]
- Re: running PFIL_HOOKS on decapsulated IPsec packets, too [was: Re: reverse processing order: NAT, IPsec ?]
Home |
Main Index |
Thread Index |
Old Index