From: "Andrey V. Elsukov" <ae@FreeBSD.org>
To: Slawa Olhovchenkov
Cc: freebsd-net@FreeBSD.org, Eugene Grosbein
Subject: Re: [RFC/RFT] projects/ipsec
Date: Sun, 11 Dec 2016 15:09:28 +0300
Message-ID: <4f8ad6e3-8028-8656-d286-caa391960632@FreeBSD.org>
In-Reply-To: <20161211115802.GD31311@zxy.spb.ru>
References: <2bd32791-944f-2417-41e9-e0fe1c705502@FreeBSD.org> <584D18D1.8090400@grosbein.net> <36fa749c-f284-1d96-704c-b7118a574dd0@FreeBSD.org> <20161211115802.GD31311@zxy.spb.ru>
List-Id: Networking and TCP/IP with FreeBSD

On 11.12.2016 14:58, Slawa Olhovchenkov wrote:
>> No. A packet encapsulated by gif(4) is considered as our own packet. The
>> described change is related to transport mode policies that match
>> forwarded packets, i.e. when source and destination addresses are not
>> our own. In this case we can't handle the returned packets.
>
> What difference with source packets?
> Why can you handle sourced and can't handle returned packets?

IPsec is a set of protocol handlers: ESP/AH/IPcomp. Inbound packets are
handled by the security association with the given destination address and
SPI. If returned packets aren't destined to your address, the protocol
handlers will not handle them.

Outbound packets are handled by matching the security policy. The needed
security association is looked up using the address selector from the
security policy. If a security association that matches the packet is
found, the packet will be handled by the protocol handler.

--
WBR, Andrey V. Elsukov
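The two lookup paths described in the reply, as an added toy model that is not FreeBSD kernel code (the SA/SP/Packet classes, the addresses, SPIs and the sample SADB/SPD are all constructed for illustration): inbound handling is keyed on our own destination address plus SPI, so a returned packet of a forwarded transport-mode flow is never handled, while outbound handling goes through the policy's address selectors and then to the SA.

```python
"""Toy model of the IPsec lookup logic described in the reply above.

Added example, not FreeBSD code: the classes, addresses, SPIs and the
sample SADB/SPD below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class SA:
    """Security association; inbound lookups are keyed on (dst, spi)."""
    dst: str
    spi: int
    proto: str          # "esp" or "ah"


@dataclass(frozen=True)
class SP:
    """Security policy: address selectors plus the SA it resolves to."""
    src_sel: str        # CIDR selector for the packet source
    dst_sel: str        # CIDR selector for the packet destination
    mode: str           # "transport" or "tunnel"
    sa: SA


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "esp"/"ah" for protected packets on the wire
    spi: Optional[int] = None


# Constructed sample configuration: this host is a router with two addresses,
# a transport-mode policy covering traffic it merely forwards, and a
# tunnel-mode policy for its own (gif(4)-style encapsulated) traffic.
LOCAL_ADDRS = {"10.0.0.1", "192.0.2.1"}
SA_FWD = SA(dst="10.2.0.7", spi=0x1001, proto="esp")      # SA for the forwarded flow
SA_OWN = SA(dst="192.0.2.1", spi=0x2002, proto="esp")     # SA terminating on this host
SADB = {(sa.dst, sa.spi): sa for sa in (SA_FWD, SA_OWN)}
SPD = [
    SP("10.1.0.0/24", "10.2.0.0/24", "transport", SA_FWD),
    SP("192.0.2.1/32", "198.51.100.1/32", "tunnel", SA_OWN),
]


def inbound(pkt: Packet, sadb=SADB, local=LOCAL_ADDRS) -> str:
    """Inbound side: the ESP/AH handler only runs for packets destined to one
    of our own addresses; the SA is then found by (destination, SPI)."""
    if pkt.proto not in ("esp", "ah"):
        return "plain"          # not an IPsec packet at all
    if pkt.dst not in local:
        return "not_for_us"     # e.g. the returned packet of a forwarded flow
    sa = sadb.get((pkt.dst, pkt.spi))
    if sa is None or sa.proto != pkt.proto:
        return "no_sa"          # right host, but unknown SPI or wrong protocol
    return "handled"


def outbound(pkt: Packet, spd=SPD) -> Optional[SA]:
    """Outbound side: the first policy whose address selectors match the
    packet decides, and its SA is what the protocol handler will use."""
    for sp in spd:
        if (ip_address(pkt.src) in ip_network(sp.src_sel)
                and ip_address(pkt.dst) in ip_network(sp.dst_sel)):
            return sp.sa
    return None


if __name__ == "__main__":
    fwd = Packet("10.1.0.5", "10.2.0.7")                              # forwarded, outbound
    print("forwarded outbound ->", outbound(fwd))                     # SA_FWD via policy
    ret = Packet("10.2.0.7", "10.1.0.5", proto="esp", spi=0x1001)     # its return packet
    print("returned inbound   ->", inbound(ret))                      # not_for_us
    own = Packet("198.51.100.1", "192.0.2.1", proto="esp", spi=0x2002)
    print("own tunnel inbound ->", inbound(own))                      # handled
```

The asymmetry the reply points at falls out of the two key spaces: the outbound path never looks at whether the addresses are ours, only whether the selectors match, while the inbound path is anchored on our own address before it ever consults the SADB.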