Date: Thu, 30 Nov 2000 15:00:29 -0500 (EST)
From: Dominick LaTrappe
To: itojun@iijlab.net
Cc: freebsd-net@freebsd.org, Cy Schubert - ITSD Open Systems Group, Gerhard Sittig
Subject: Re: filtering ipsec traffic (fwd)
In-Reply-To: <26650.975598272@coconut.itojun.org>

On Fri, 1 Dec 2000 itojun@iijlab.net wrote:

> from IPv6 point of view (yes, I'm IPv6 centric!) we cannot add extra
> interface like tun0. IPv6 has scoped address, and if we add extra
> interface in IP stack we will change the address semantics.

I take this to mean that in KAME an IPv6 address's scope cannot span multiple interfaces, which is in itself a big limitation that will prevent a lot of code from being IPv6-enabled.

Given that, I think a sysctl like net.inet.ipsec.filter would be a good solution -- to cause a pass over the filter rules to be called from inside KAME, when the packet is in its non-IPsec state. Address scope will be preserved because no additional interface is required. If the rules are written efficiently (with groups or skipto's to distinguish between IPsec and non-IPsec packets), the overhead will be little -- certainly no more than filtering built into other IPsec implementations.

Alternatively, this could be introduced as an SPD flag.

So far, just one limitation comes to mind, which is that the packet filters cannot discriminate between a naturally non-IPsec packet and a non-IPsec packet which 'was' or 'will be' an IPsec one. I don't think this is a big problem though.

||| Dominick
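As an added illustration of the filter pass proposed in the message above (not code from KAME, FreeBSD or this thread): a small Python model of ipfw-style rule evaluation with skipto grouping, run once on the arriving ESP packet and once more on the decapsulated inner packet in its non-IPsec state. The rule numbers, addresses and the `filter_ipsec_flow` helper are constructed for the example; the sysctl name is the one the message hypothesises.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str            # "esp", "ah", "tcp", ...
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    num: int
    action: str           # "allow", "deny" or "skipto"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dport: int = 0        # 0 matches any port
    target: int = 0       # skipto destination rule number

    def matches(self, p: Packet) -> bool:
        return ((self.proto in ("any", p.proto))
                and ip_address(p.src) in ip_network(self.src)
                and self.dport in (0, p.dport))


def evaluate(rules, pkt):
    """Walk rules in number order; skipto jumps to the first rule >= target.
    Returns (verdict, number_of_rules_examined), default deny."""
    rules = sorted(rules, key=lambda r: r.num)
    i = examined = 0
    while i < len(rules):
        r = rules[i]
        examined += 1
        if r.matches(pkt):
            if r.action != "skipto":
                return r.action, examined
            i = next((j for j, s in enumerate(rules) if s.num >= r.target), len(rules))
            continue
        i += 1
    return "deny", examined


# Constructed rule set: 100/101 divert ESP and AH to the IPsec group at 1000,
# so the cleartext rules 200-300 never examine encapsulated traffic.
RULES = [
    Rule(100, "skipto", proto="esp", target=1000),
    Rule(101, "skipto", proto="ah", target=1000),
    Rule(200, "allow", proto="tcp", src="10.0.0.0/8", dport=22),
    Rule(300, "deny"),
    Rule(1000, "allow", proto="esp", src="192.0.2.1/32"),
    Rule(1001, "allow", proto="ah", src="192.0.2.1/32"),
    Rule(1100, "deny"),
]


def filter_ipsec_flow(rules, outer: Packet, inner: Packet):
    """Model of the hypothetical net.inet.ipsec.filter pass: filter the ESP packet
    on arrival, then filter the decapsulated inner packet again as plain IP."""
    outer_verdict, _ = evaluate(rules, outer)
    if outer_verdict != "allow":
        return outer_verdict, None
    return outer_verdict, evaluate(rules, inner)[0]
```

Because the second pass sees only an ordinary IP packet, `evaluate` returns the identical verdict for the decapsulated inner packet and for a natively cleartext packet with the same headers, which is exactly the limitation the message notes.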