* Re: Netfilter and IPSec [not found] <480423CD.3060707@lasige.di.fc.ul.pt> @ 2008-04-15 11:26 ` Jan Engelhardt 2008-04-15 16:54 ` Ingo Oeser 2008-04-15 18:45 ` Fábio Souto 0 siblings, 2 replies; 5+ messages in thread From: Jan Engelhardt @ 2008-04-15 11:26 UTC (permalink / raw) To: Fábio Souto; +Cc: netfilter, netdev On Tuesday 2008-04-15 05:41, Fábio Souto wrote: > > I'm trying to find out some alternatives for a task I have been > assigned. Basically, I want to sign IPSec packets on another > machine. The idea is when I receive an IPSec packet, I delegate the > cryptographic signature generation to another machine, and I > receive the signed packet. > > I'm currently studying several alternatives for doing this, and > even tried a socket-based approach, by changing some kernel > modules, which has failed. It would require a huge remake of kernel > code; this task is made even harder due to lack of documentation. > > So I was wondering if anyone knew if with netfilter is possible to > achieve this. Any other suggestions/hints would be extremely > valued. The situation is deliberate, yes. IPsec is done in what you could call the xfrm subsystem, not netfilter. To that end, the only suggestion I could give is that you create a new xfrm policy/state from esp where esp is split into your encryption and signing "targets". It kinda brings me the question why the ipsec transformation is not done with an xtables target instead; that would also give handy access to connection tracking if needed. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Netfilter and IPSec 2008-04-15 11:26 ` Netfilter and IPSec Jan Engelhardt @ 2008-04-15 16:54 ` Ingo Oeser 2008-04-15 17:02 ` Patrick McHardy 2008-04-15 17:22 ` Jan Engelhardt 2008-04-15 18:45 ` Fábio Souto 1 sibling, 2 replies; 5+ messages in thread From: Ingo Oeser @ 2008-04-15 16:54 UTC (permalink / raw) To: Jan Engelhardt; +Cc: Fábio Souto, netfilter, netdev Jan Engelhardt schrieb: > It kinda brings me the question why the ipsec transformation is > not done with an xtables target instead; that would also give > handy access to connection tracking if needed. And simplify firewalling A LOT :-) BTW: Anybody has a working ipsec match these days or is this known broken? Best regards Ingo Oeser ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Netfilter and IPSec 2008-04-15 16:54 ` Ingo Oeser @ 2008-04-15 17:02 ` Patrick McHardy 2008-04-15 17:22 ` Jan Engelhardt 1 sibling, 0 replies; 5+ messages in thread From: Patrick McHardy @ 2008-04-15 17:02 UTC (permalink / raw) To: Ingo Oeser; +Cc: Jan Engelhardt, Fábio Souto, netfilter, netdev Ingo Oeser wrote: > BTW: Anybody has a working ipsec match these days or is this known broken? It should work as always. Are there any problems I'm not aware of? ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Netfilter and IPSec 2008-04-15 16:54 ` Ingo Oeser 2008-04-15 17:02 ` Patrick McHardy @ 2008-04-15 17:22 ` Jan Engelhardt 1 sibling, 0 replies; 5+ messages in thread From: Jan Engelhardt @ 2008-04-15 17:22 UTC (permalink / raw) To: Ingo Oeser; +Cc: Fábio Souto, netfilter, netdev On Tuesday 2008-04-15 18:54, Ingo Oeser wrote: >Jan Engelhardt schrieb: >> It kinda brings me the question why the ipsec transformation is >> not done with an xtables target instead; that would also give >> handy access to connection tracking if needed. > >And simplify firewalling A LOT :-) > >BTW: Anybody has a working ipsec match these days or is this known broken? -p esp, -m policy, take your pick :-) ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Netfilter and IPSec 2008-04-15 11:26 ` Netfilter and IPSec Jan Engelhardt 2008-04-15 16:54 ` Ingo Oeser @ 2008-04-15 18:45 ` Fábio Souto 1 sibling, 0 replies; 5+ messages in thread From: Fábio Souto @ 2008-04-15 18:45 UTC (permalink / raw) To: Jan Engelhardt; +Cc: netfilter, netdev Jan Engelhardt wrote: > > > The situation is deliberate, yes. IPsec is done in what you could > call the xfrm subsystem, not netfilter. To that end, the only > suggestion I could give is that you create a new xfrm policy/state > from esp where esp is split into your encryption and signing > "targets". > > Thank you for all answers. The major problem I'm facing is the lacking of documentation on that subsystem. For example, how to create a policy. And after that? My task is a bit easier, because I only need to use AH and not ESP. Although a flexible solution would be of value :) The kernel is still a bit unknown to me, so I'm having a bit of trouble into all the jargon you are using around. But the few things I understood are being extremely helpful. > It kinda brings me the question why the ipsec transformation is > not done with an xtables target instead; that would also give > handy access to connection tracking if needed. > With that I must agree! -- ------------------------------------------------------------------------------------------ Fábio Souto LaSIGE , Navigators Group Departamento de Informática, FC/UL Block C6, room 6.3.32, Campo Grande 1749-016 Lisboa, Portugal ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2008-04-15 18:45 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <480423CD.3060707@lasige.di.fc.ul.pt>
2008-04-15 11:26 ` Netfilter and IPSec Jan Engelhardt
2008-04-15 16:54 ` Ingo Oeser
2008-04-15 17:02 ` Patrick McHardy
2008-04-15 17:22 ` Jan Engelhardt
2008-04-15 18:45 ` Fábio Souto
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).