From owner-freebsd-net@freebsd.org  Wed May 27 11:20:57 2020
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 9C4DB32F70B
 for <freebsd-net@mailman.nyi.freebsd.org>;
 Wed, 27 May 2020 11:20:57 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
Received: from hz.grosbein.net (hz.grosbein.net [IPv6:2a01:4f8:c2c:26d8::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 49X7gD3kdjz4BQD
 for <freebsd-net@freebsd.org>; Wed, 27 May 2020 11:20:56 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
Received: from eg.sd.rdtc.ru (eg.sd.rdtc.ru [IPv6:2a03:3100:c:13:0:0:0:5])
 by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id 04RBKfs4087890
 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
 Wed, 27 May 2020 11:20:42 GMT (envelope-from eugen@grosbein.net)
X-Envelope-From: eugen@grosbein.net
X-Envelope-To: tom.marcoen@gmail.com
Received: from [10.58.0.10] (dadv@dadvw [10.58.0.10])
 by eg.sd.rdtc.ru (8.15.2/8.15.2) with ESMTPS id 04RBKeKY006137
 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT);
 Wed, 27 May 2020 18:20:40 +0700 (+07)
 (envelope-from eugen@grosbein.net)
Subject: Re: On Netgraph
To: Tom Marcoen <tom.marcoen@gmail.com>, freebsd-net@freebsd.org
References: <CAJ-iVrNn=9-Z5YHG4j=adnFiiTbDLED6ArYh8j9Zepn0k8=6KA@mail.gmail.com>
From: Eugene Grosbein <eugen@grosbein.net>
Message-ID: <d5c2b323-66a6-d88e-91d5-f697aa4fdefe@grosbein.net>
Date: Wed, 27 May 2020 18:20:29 +0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CAJ-iVrNn=9-Z5YHG4j=adnFiiTbDLED6ArYh8j9Zepn0k8=6KA@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=0.3 required=5.0 tests=BAYES_00,LOCAL_FROM,
 SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-Report: * -2.3 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 *      [score: 0.0000]
 * -0.0 SPF_PASS SPF: sender matches SPF record
 *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
 *  2.6 LOCAL_FROM From my domains
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on hz.grosbein.net
X-Rspamd-Queue-Id: 49X7gD3kdjz4BQD
X-Spamd-Bar: /
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=permerror (mx1.freebsd.org: domain of eugen@grosbein.net uses mechanism
 not recognized by this client) smtp.mailfrom=eugen@grosbein.net
X-Spamd-Result: default: False [-0.71 / 15.00]; ARC_NA(0.00)[];
 FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[];
 NEURAL_HAM_LONG(-0.50)[-0.498]; TAGGED_RCPT(0.00)[];
 MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[grosbein.net];
 NEURAL_SPAM_MEDIUM(0.03)[0.027]; RCVD_COUNT_THREE(0.00)[3];
 TO_MATCH_ENVRCPT_SOME(0.00)[];
 R_SPF_PERMFAIL(0.00)[empty SPF record];
 RCPT_COUNT_TWO(0.00)[2]; NEURAL_HAM_SHORT(-0.14)[-0.138];
 FREEMAIL_TO(0.00)[gmail.com,freebsd.org];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE];
 RCVD_TLS_ALL(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2020 11:20:57 -0000

27.05.2020 15:06, Tom Marcoen wrote:

> Hey all,
> 
> I'm new to this mailing list and also quite new to FreeBSD (huray, welcome
> to me!) so bare with me, please.
> 
> I'm reading up on Netgraph on how I can integrate it with FreeBSD jails and
> I was looking at some of the examples provided in
> /usr/share/examples/netgraph and now have the following question.
> The udp.tunnel example shows an iface point-to-point connection but it is
> unencrypted. Of course I could encrypt it with an IPsec tunnel on the host
> or tunnel it through SSH, but I was wondering whether there exists a nice
> Netgraph solution, e.g. a node with two hooks, receiving unencrypted
> traffic on the inside hook and sending out encrypted traffic on the outside
> hook.

There is ng_mppc(4) netgraph node capable to perform relatively weak MPPE encryption
(and/or compression) but it is designed to work with ng_ppp(4) node encapsulating IP packets into PPP frames.
I doubt it's very efficient for inter-jail traffic.

Why do you need encryption for inter-jails traffic in first place?
Encryption is needed for traffic passing untrusted channels where data interception is possible
but inter-jail traffic does not leave the kernel at all until it hits destination jail.