Date: Sun, 11 Dec 2016 15:09:28 +0300
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
To: Slawa Olhovchenkov <slw@zxy.spb.ru>
Cc: freebsd-net@FreeBSD.org, Eugene Grosbein <eugen@grosbein.net>
Subject: Re: [RFC/RFT] projects/ipsec
Message-ID: <4f8ad6e3-8028-8656-d286-caa391960632@FreeBSD.org>
In-Reply-To: <20161211115802.GD31311@zxy.spb.ru>
References: <2bd32791-944f-2417-41e9-e0fe1c705502@FreeBSD.org> <584D18D1.8090400@grosbein.net> <36fa749c-f284-1d96-704c-b7118a574dd0@FreeBSD.org> <20161211115802.GD31311@zxy.spb.ru>

On 11.12.2016 14:58, Slawa Olhovchenkov wrote:
>> No. An encapsulated by gif(4) packet is considered as own packet. The
>> described change is related to transport mode policies, that are match
>> forwarded packets, i.e. when source and destination addresses are not
>> our own. In this case we can't handle the returned packets.
>
> What difference with source packets?
> Why you can handle sourced and can't handle returned packets?

IPsec is a set of protocol handlers - ESP/AH/IPcomp. Inbound packets are
handled by security association with given destination address and SPI.
If returned packets aren't destined to your address, protocol handlers
will not handle them.

Outbound packets are handled by matching security policy. A needed
security association is looked up using the address selector from
security policy. If a security association that matches a packet is
found, the packet will be handled by protocol handler.

-- 
WBR, Andrey V. Elsukov
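
Added example (not part of the original message and not FreeBSD kernel code): a simplified C model of the two lookups described above, for a router holding a transport-mode policy that matches forwarded traffic between two other hosts. The addresses, SPIs and the names `inbound`, `outbound`, `spd` and `sad` are constructed for illustration.

```c
/* Simplified model of the lookups in the message; all values are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define ROUTER IP(203, 0, 113, 1)   /* our own address */
#define HOST_A IP(192, 0, 2, 10)
#define HOST_B IP(198, 51, 100, 20)
#define N(x) (sizeof(x) / sizeof((x)[0]))

struct sa  { uint32_t src, dst, spi; };  /* security association */
struct sp  { uint32_t src, dst; };       /* outbound policy with host selectors */
struct pkt { uint32_t src, dst, spi; };  /* spi == 0 means no ESP/AH header */
enum verdict { IPSEC_HANDLED, NOT_HANDLED, NO_SA };

static const struct sp spd[] = { { HOST_A, HOST_B } };  /* matches forwarded A -> B */
static const struct sa sad[] = {
    { HOST_A, HOST_B, 0x1001 },  /* outbound SA for A -> B */
    { HOST_B, HOST_A, 0x2002 },  /* return SA: destination is A, not us */
    { HOST_B, ROUTER, 0x3003 },  /* SA terminating on our own address */
};

/* Inbound: the protocol handler runs only for packets destined to us,
 * and selects the SA by destination address and SPI. */
enum verdict inbound(struct pkt p) {
    if (p.dst != ROUTER || p.spi == 0)
        return NOT_HANDLED;              /* forwarded or plain traffic */
    for (size_t i = 0; i < N(sad); i++)
        if (sad[i].dst == p.dst && sad[i].spi == p.spi)
            return IPSEC_HANDLED;
    return NO_SA;
}

/* Outbound: match a policy first, then find the SA via its address selector. */
enum verdict outbound(struct pkt p) {
    for (size_t i = 0; i < N(spd); i++) {
        if (spd[i].src != p.src || spd[i].dst != p.dst)
            continue;
        for (size_t j = 0; j < N(sad); j++)
            if (sad[j].src == spd[i].src && sad[j].dst == spd[i].dst)
                return IPSEC_HANDLED;
        return NO_SA;
    }
    return NOT_HANDLED;                  /* no policy matched */
}

int main(void) {
    printf("A->B forwarded out: %d\n", outbound((struct pkt){ HOST_A, HOST_B, 0 }));
    printf("B->A returned in:   %d\n", inbound((struct pkt){ HOST_B, HOST_A, 0x2002 }));
    printf("B->router in:       %d\n", inbound((struct pkt){ HOST_B, ROUTER, 0x3003 }));
    return 0;
}
```

In this model the return SA with SPI 0x2002 exists in the table but is never consulted, because the returned packet is addressed to host A and not to the router.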