From: Borja Marcos
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG toipsec/racoontroubles, help please ...]
Date: Sun, 4 Aug 2002 12:24:10 +0200
Message-Id: <200208041224.10309.borjamar@sarenet.es>
Sender: owner-freebsd-security@FreeBSD.ORG

On Friday 02 August 2002 23:47, Matthew Grooms wrote:
> It's only backwards if you are used to implementing IPSEC communications
> in a non-giff'd configuration. As mentioned before, this is endorsed by
> many how-to's available. If you don't like this method, don't use it. I
> for one prefer the giffed alternative but will be more than happy to
> admit that the benefits appear to be mostly cosmetic.

	I am not using gif right now, but I see two important advantages.

	I suppose it will be possible to put firewall rules in a gif interface.
Imagine that you establish a tunnel with a not so trusted party, only for a
limited purpose.

	I suppose as well that it is possible to sniff traffic in a gif interface.
Tools such as Argus, Ntop, can be used with encrypted tunnels. Otherwise, you
are blind.

	Borja.