From owner-freebsd-security Tue Nov 13 16:11:42 2001
Date: Wed, 14 Nov 2001 01:09:41 +0100
From: Rémi Guyomarch
To: FreeBSD Security List
Subject: Re: Bump-in-the-Road IPsec?
Message-ID: <20011114010941.A46471@diabolic-cow.chatgris.net>
In-Reply-To: <20011112193144.N1819-100000@coredump.scriptkiddie.org>; from lamont@scriptkiddie.org on Mon, Nov 12, 2001 at 07:33:25PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG

On Mon, Nov 12, 2001 at 07:33:25PM -0800, Lamont Granquist wrote:
>
> On Tue, 13 Nov 2001, Rémi Guyomarch wrote:
> > On Tue, Nov 13, 2001 at 03:14:38AM +0100, Rémi Guyomarch wrote:
> > ...
> > > On OpenBSD, use the gif device, along with IPSec in transport mode
> > > and the same bridge setup as described below.
> >
> > Damn! I just realised that gif(4) only handles IP frames :-(
> > Still a transparent bridge, but only suitable for IP...
> > [same thing with gre(4)]

After reading OpenBSD's gif(4) and brconfig(8) manpages, it seems gif isn't limited to IP traffic but really handles full Ethernet.
> only suitable for IP is fine by me. The thing is that I really want these
> to be two completely separate networks with real ip #s.

Yuk! I got it. Basically you're trying to do a "transparent IP router".
I think this violates nearly every routing-related RFC ever published!
It might be possible but it would require horrible hacks.

> The stuff I've found on the net so far suggests using gif to bridge
> between two remote networks that share the same private ip space.

Yes, a bridge only makes sense when the two segments share the same IP address space, or you use some non-routable protocol (ex: NetBEUI, AppleTalk).

--
Rémi

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
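As an added illustration of the "gif plus IPsec in transport mode plus a bridge" setup sketched in the quoted message (example configuration, not from this thread and not OpenBSD's own documentation), here is what that layer-2-over-IPsec bridge looks like on one of the two gateways in current OpenBSD syntax. Assumptions: current OpenBSD does this with etherip(4) rather than a bridgeable gif(4), so etherip0 stands in for the gif0 of the thread; the gateway addresses 192.0.2.1 and 198.51.100.1, the inside interface em1 and the pre-shared key are all made up for the example.

```conf
# /etc/hostname.etherip0 on the 192.0.2.1 gateway.
# Ethernet-over-IP tunnel (IP protocol 97) to the peer gateway.
# Both endpoint addresses are example values.
tunnel 192.0.2.1 198.51.100.1
up

# /etc/hostname.bridge0
# Bridge the inside LAN interface (em1, assumed name) with the tunnel:
# every frame seen on em1 is relayed to the peer LAN and vice versa.
# This is layer 2, so it carries IP, ARP, NetBEUI, AppleTalk, anything.
add em1
add etherip0
up

# /etc/sysctl.conf
# etherip encapsulation is disabled by default and must be switched on.
net.inet.etherip.allow=1

# /etc/ipsec.conf
# Protect everything exchanged between the two gateway addresses with
# ESP in transport mode. The etherip packets are sourced from and
# destined to exactly these addresses, so the whole tunnel is covered.
# The peer uses the same file with local_gw and remote_gw swapped.
# The key is a placeholder; use certificates or a long random PSK.
local_gw  = "192.0.2.1"
remote_gw = "198.51.100.1"
ike esp transport from $local_gw to $remote_gw psk "example-psk-change-me"
```

Load it with `sysctl net.inet.etherip.allow=1`, `isakmpd -K`, `ipsecctl -f /etc/ipsec.conf`, then `sh /etc/netstart etherip0 bridge0`; `ipsecctl -sa` should list the transport-mode flows and SAs, and `ifconfig bridge0` the two members. Install the IPsec flows before bringing up the tunnel: once a flow exists, etherip packets without a matching SA are dropped rather than sent in the clear. The caveat from the thread stands: the two LANs must form a single IP subnet, because the bridge forwards frames, it does not route packets, so this does not give the two "completely separate networks with real ip #s" the original poster wanted.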