
List:       netbsd-tech-net
Subject:    Re: PFIL for IPsec tunneled packets
From:       Hubert Feyrer <hubert () feyrer ! de>
Date:       2009-06-29 10:51:47
Message-ID: alpine.DEB.1.10.0906291248350.13770 () calanda ! fehu ! org


On Fri, 26 Jun 2009, Edgar Fuß wrote:
>> Or do you have those anti-spoofing rules in your packet filter
>> (PF/IPfilter) config?
> Yes, but I don't understand what you mean by "or".

I was under the impression that you were referring to some in-kernel code 
that filters certain packets, instead of your own filter rules. Hence the 
"or".


>> Also, if you don't run the PFIL_HOOKS on the decapsulated package, how do
>> you prevent someone from sending "internal" packets via IPSEC - plain
>> trust?
> Yes. I trust the IPsec peer (because it's run by me).
>
> Not that I'm against running de-encapsulated packets through the filter again (to 
> the contrary, I would like that idea). Only, those packets must be 
> distinguishable from packets arriving in the clear.

Yes. FWIW, our two IPsec implementations behave differently in that regard, 
see the two functions that my last patch disabled: One checks if there's a 
tag that indicates an ESP header, the other indicates whether a packet was 
processed by IPsec or not. I think the latter would be what we'd need 
here, and then an interface would be needed for IPfilter / PF to refer to 
that flag.

The bad news is that I don't have the time to work on that, and that I'll 
just live with my patch for now. Sorry! :)


  - Hubert
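The distinction the thread is after, as an added illustration that is not part of the mail and not NetBSD's mbuf/pfil code: a constructed packet model where the decapsulation path sets a "processed by IPsec" flag before the inner packet is run through the input filter hook again, so the same anti-spoofing rule that drops internal source addresses arriving in the clear can let decapsulated packets from the trusted peer pass. The 10.0.0.0/8 "internal" prefix and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not NetBSD's API: the flag is set only by the
 * in-kernel decapsulation path, never from anything on the wire. */
typedef struct {
    uint32_t src;        /* IPv4 source address, host byte order */
    bool ipsec_indone;   /* true once the packet came out of an SA */
} pkt_t;

/* Assumed "internal" prefix that must never arrive unprotected on the
 * external interface (the anti-spoofing rule from the thread). */
#define INTERNAL_NET  0x0A000000u   /* 10.0.0.0 */
#define INTERNAL_MASK 0xFF000000u   /* /8 */

static bool is_internal_src(const pkt_t *p)
{
    return (p->src & INTERNAL_MASK) == INTERNAL_NET;
}

/* Input filter hook on the external interface; true means pass.
 * Without the flag, decapsulated traffic from the peer would be
 * dropped by the same rule that catches forged internal addresses. */
bool pfil_in_external(const pkt_t *p)
{
    if (is_internal_src(p) && !p->ipsec_indone)
        return false;   /* internal address in the clear: spoofed */
    return true;
}

/* Decapsulation path: mark the inner packet, then run the hook again. */
bool ipsec_decap_and_filter(pkt_t *inner)
{
    inner->ipsec_indone = true;
    return pfil_in_external(inner);
}

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

int main(void)
{
    pkt_t clear = { ip4(10, 1, 2, 3), false };   /* constructed sample */
    pkt_t inner = { ip4(10, 1, 2, 3), false };   /* same src, via IPsec */
    printf("clear: %s\n", pfil_in_external(&clear) ? "pass" : "drop");
    printf("decapsulated: %s\n", ipsec_decap_and_filter(&inner) ? "pass" : "drop");
    return 0;
}
```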
