Re: Netfilter and IPSec

Re: Netfilter and IPSec

[Jan Engelhardt]

On Tuesday 2008-04-15 05:41, Fábio Souto wrote:
>
> I'm trying to find out some alternatives for a task I have been
> assigned. Basically, I want to sign IPSec packets on another
> machine. The idea is when I receive an IPSec packet, I delegate the
> cryptographic signature generation to another machine, and I
> receive the signed packet.
>
> I'm currently studying several alternatives for doing this, and
> even tried a socket-based approach, by changing some kernel
> modules, which has failed. It would require a huge remake of kernel
> code; this task is made even harder due to lack of documentation.
>
> So I was wondering if anyone knew if with netfilter is possible to
> achieve this. Any other suggestions/hints would be extremely
> valued.

The situation is deliberate, yes. IPsec is done in what you could
call the xfrm subsystem, not netfilter. To that end, the only
suggestion I could give is that you create a new xfrm policy/state
from esp where esp is split into your encryption and signing
"targets".

It kinda brings me the question why the ipsec transformation is
not done with an xtables target instead; that would also give
handy access to connection tracking if needed.

Re: Netfilter and IPSec

[Ingo Oeser]

Jan Engelhardt schrieb:
> It kinda brings me the question why the ipsec transformation is
> not done with an xtables target instead; that would also give
> handy access to connection tracking if needed.

And simplify firewalling A LOT :-)

BTW: Anybody has a working ipsec match these days or is this known broken?


Best regards

Ingo Oeser

Re: Netfilter and IPSec

[Patrick McHardy]

Ingo Oeser wrote:
> BTW: Anybody has a working ipsec match these days or is this known broken?


It should work as always. Are there any problems I'm not aware of?

Re: Netfilter and IPSec

[Jan Engelhardt]

On Tuesday 2008-04-15 18:54, Ingo Oeser wrote:
>Jan Engelhardt schrieb:
>> It kinda brings me the question why the ipsec transformation is
>> not done with an xtables target instead; that would also give
>> handy access to connection tracking if needed.
>
>And simplify firewalling A LOT :-)
>
>BTW: Anybody has a working ipsec match these days or is this known broken?

-p esp, -m policy, take your pick :-)

Re: Netfilter and IPSec

[Fábio Souto]

Jan Engelhardt wrote:
>
>
> The situation is deliberate, yes. IPsec is done in what you could
> call the xfrm subsystem, not netfilter. To that end, the only
> suggestion I could give is that you create a new xfrm policy/state
> from esp where esp is split into your encryption and signing
> "targets".
>
>   
Thank you for all answers. The major problem I'm facing is the lacking 
of documentation on that subsystem.
For example, how to create a policy. And after that?
My task is a bit easier, because I only need to use AH and not ESP.
Although a flexible solution would be of value :)

The kernel is still a bit unknown to me, so I'm having a bit of trouble 
into all the jargon you are using around.
But the few things I understood are being extremely helpful.
> It kinda brings me the question why the ipsec transformation is
> not done with an xtables target instead; that would also give
> handy access to connection tracking if needed.
>   
With that I must agree!

-- 
------------------------------------------------------------------------------------------
Fábio Souto
LaSIGE , Navigators Group
Departamento de Informática, FC/UL
Block C6, room 6.3.32, Campo Grande
1749-016 Lisboa, Portugal