List: netbsd-tech-net
Subject: Re: PFIL for IPsec tunneled packets
From: Hubert Feyrer <hubert () feyrer ! de>
Date: 2009-06-29 10:51:47
Message-ID: alpine.DEB.1.10.0906291248350.13770 () calanda ! fehu ! org
On Fri, 26 Jun 2009, Edgar Fuß wrote:
>> Or do you have those anti-spoofing rules in your packet filter
>> (PF/IPfilter) config?
> Yes, but I don't understand what you mean by "or".
I was under the impression that you were referring to some in-kernel code
that filters certain packets, instead of your own filter rules. Hence the
"or".
>> Also, if you don't run the PFIL_HOOKS on the decapsulated packet, how do
>> you prevent someone from sending "internal" packets via IPSEC - plain
>> trust?
> Yes. I trust the IPsec peer (because it's run by me).
>
> Not that I'm against running de-encapsulated through the filter again (to
> the contrary, I would like that idea). Only, those packets must be
> distinguishable from packets arriving in the clear.
Yes. FWIW, our two IPsec implementations behave differently in that regard,
see the two functions that my last patch disabled: One checks if there's a
tag that indicates an ESP header, the other indicates whether a packet was
processed by IPsec or not. I think the latter would be what we'd need
here, and then an interface would be needed for IPfilter / PF to refer to
that flag.
The bad news is that I don't have the time to work on that, and that I'll
just live with my patch for now. Sorry! :)
- Hubert
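An added illustration of the point made in the thread (not NetBSD code, not part of the original message): a constructed model of an anti-spoofing rule that is re-run on decapsulated packets. The `ipsec_processed` flag, the interface names and the 10.0.0.0/8 "internal" prefix are assumptions; the model shows why the flag is needed to tell tunnel traffic from packets arriving in the clear.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a packet as seen by the filter on input. */
enum iface { IF_EXTERNAL, IF_INTERNAL };
enum verdict { DROP = 0, PASS = 1 };

struct pkt {
    uint32_t src;          /* source address, host byte order */
    enum iface on;         /* interface the packet arrived on */
    bool ipsec_processed;  /* hypothetical flag set by the IPsec input path */
};

/* Constructed internal prefix: 10.0.0.0/8 */
static bool is_internal_addr(uint32_t a) { return (a >> 24) == 10; }

/* Anti-spoofing: an internal source address seen on the external interface
 * is only legitimate if the packet came out of the IPsec tunnel. Without
 * the flag the rule cannot tell the two cases apart. */
enum verdict filter_decision(const struct pkt *p)
{
    if (is_internal_addr(p->src) && p->on == IF_EXTERNAL && !p->ipsec_processed)
        return DROP;   /* "internal" source arriving in the clear */
    return PASS;
}

/* Convenience wrapper so the three cases can be evaluated directly. */
enum verdict decide(uint32_t src, enum iface on, bool ipsec_processed)
{
    struct pkt p = { src, on, ipsec_processed };
    return filter_decision(&p);
}

int main(void)
{
    /* Legitimate tunnel traffic, re-filtered after decapsulation with the flag. */
    printf("decapsulated, flagged:   %d\n", decide(0x0A000001u, IF_EXTERNAL, true));
    /* Same packet re-filtered without any flag: dropped as spoofed. */
    printf("decapsulated, unflagged: %d\n", decide(0x0A000001u, IF_EXTERNAL, false));
    /* Cleartext packet with an internal source on the external interface. */
    printf("cleartext spoof:         %d\n", decide(0x0A000001u, IF_EXTERNAL, false));
    /* External source in the clear is not an anti-spoofing concern. */
    printf("external cleartext:      %d\n", decide(0xC0000201u, IF_EXTERNAL, false));
    return 0;
}
```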