From: jamal <hadi@cyberus.ca>
To: Wolfgang Walter <wolfgang.walter@studentenwerk.mhn.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>, netdev@oss.sgi.com
Subject: Re: Problem with IPSEC tunnel mode
Date: Sun, 24 Apr 2005 18:08:47 -0400 [thread overview]
Message-ID: <1114380527.7669.142.camel@localhost.localdomain> (raw)
In-Reply-To: <200504232303.35549.wolfgang.walter@studentenwerk.mhn.de>
On Sat, 2005-23-04 at 23:03 +0200, Wolfgang Walter wrote:
>
> SPD is indeed also a sort of firewall. You can use it to construct i.e. a
> vpn-gateway and forbid any non-vpn-traffic entering or leaving.
>
So i think design intent must have been to map these to the
netfilter/iptables hooks - fwd/in/out hooks.
> How the SPD is implemented is of course not specified. I think KLIPS use a
> mixing of routing and netfilter and "ipsec-netdevices" to realise the SPD.
>
It could certainly be any applicable classifier that can map at least
the 6 tuples {src/dst IP, src/dst port, proto, netdevice}.
> My personal view is that 2.6 native SPD is better. Its easier to understand
> and protect i.e. vpn-gateways.
Except it introduces yet another firewall scheme. We should look at
unifying these schemes. Both the input/fwding can be derived at the
ingress.
> Using selectors other than src, dst in the SPD is tricky, by the way, because
> of fragments. Say a rule selects packets from a to b with protocol tcp and
> dst-port 80 to be sent through a tunnel you must have an extra rule (and
> tunnel) for the fragments (and all fragments are tunneled then).
>
>
> Maybe more complex selectors should be realised by netfilter, a module which
> can mark packets. And SPD uses that mark. Then statefull policies are
> possible, i.e.
>
I think that it is probably the best path forward - i suppose this being
the first incarnation of native ipsec this could be seen as a lesson.
> I don't know if linux handles ICMP traffic well, often one must check the
> payload against the SPD. I had no time yet to do some tests.
>
from the code it should work just fine.
cheers,
jamal
next prev parent reply other threads:[~2005-04-24 22:08 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-20 15:37 Problem with IPSEC tunnel mode Wolfgang Walter
2005-04-21 12:57 ` Herbert Xu
2005-04-21 14:40 ` Wolfgang Walter
2005-04-21 21:46 ` Herbert Xu
2005-04-21 23:50 ` jamal
2005-04-21 23:58 ` Herbert Xu
2005-04-22 0:13 ` Patrick McHardy
2005-04-22 0:18 ` jamal
2005-04-22 0:54 ` Herbert Xu
2005-04-22 11:42 ` Wolfgang Walter
2005-04-22 12:14 ` jamal
2005-04-22 13:22 ` Wolfgang Walter
2005-04-22 13:27 ` Herbert Xu
2005-04-22 13:48 ` Wolfgang Walter
2005-04-22 13:53 ` Herbert Xu
2005-04-23 17:49 ` jamal
2005-04-23 17:52 ` David S. Miller
2005-04-23 21:03 ` Wolfgang Walter
2005-04-24 22:08 ` jamal [this message]
2005-04-22 0:40 ` Wolfgang Walter
2005-04-22 1:04 ` Herbert Xu
2005-04-22 9:37 ` Wolfgang Walter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1114380527.7669.142.camel@localhost.localdomain \
--to=hadi@cyberus.ca \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@oss.sgi.com \
--cc=wolfgang.walter@studentenwerk.mhn.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).