From: Julian Elischer <julian@freebsd.org>
To: freebsd-net@freebsd.org
Subject: Re: On Netgraph
Date: Mon, 8 Jun 2020 20:27:40 -0700
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>

On 5/27/20 4:20 AM, Eugene Grosbein wrote:
> 27.05.2020 15:06, Tom Marcoen wrote:
>
>> Hey all,
>>
>> I'm new to this mailing list and also quite new to FreeBSD (hurray, welcome
>> to me!) so bear with me, please.
>>
>> I'm reading up on Netgraph on how I can integrate it with FreeBSD jails and
>> I was looking at some of the examples provided in
>> /usr/share/examples/netgraph and now have the following question.
>> The udp.tunnel example shows an iface point-to-point connection but it is
>> unencrypted. Of course I could encrypt it with an IPsec tunnel on the host
>> or tunnel it through SSH, but I was wondering whether there exists a nice
>> Netgraph solution, e.g. a node with two hooks, receiving unencrypted
>> traffic on the inside hook and sending out encrypted traffic on the outside
>> hook.
>
> There is an ng_mppc(4) netgraph node capable of performing relatively weak MPPE encryption
> (and/or compression) but it is designed to work with an ng_ppp(4) node encapsulating IP packets into PPP frames.
> I doubt it's very efficient for inter-jail traffic.
>
> Why do you need encryption for inter-jail traffic in the first place?
> Encryption is needed for traffic passing untrusted channels where data interception is possible,
> but inter-jail traffic does not leave the kernel at all until it hits the destination jail.

Once you have a udp tunnel set up you just need to set up an IPSEC SA to encrypt just that tunnel.
It's not required to do the encryption in netgraph.

There is a script to make the tunnel in /usr/share/examples/netgraph/udp.tunnel;
you just need to set up the SA to catch it.

You can also, if you desire, put a netgraph bridge at both ends of the tunnel and have a single subnet connected by the link.
The bridge nodes are "learning", so they will learn when to send packets over the link and when not to.

You can also play tricks with FIBs so that tunnel envelope packets and all other packets use different routing tables.
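The approach Julian describes, as an added example that is not part of the thread and not FreeBSD's own udp.tunnel script: a small sh script that emits the ngctl(8)/ifconfig(8) commands for an ng_iface + ng_ksocket UDP tunnel (the same node arrangement the udp.tunnel example uses), and a setkey(8) policy that applies ESP in transport mode to exactly that tunnel's UDP 4-tuple, so only the tunnel envelope is encrypted and no other traffic between the two hosts is touched. All addresses, the port, the SPIs and the keys are constructed placeholders; the script only applies anything when run as root on FreeBSD, otherwise it prints what it would apply.

```shell
#!/bin/sh
# Added example: Netgraph UDP tunnel + IPsec transport-mode policy pinned to it.
# Not the udp.tunnel example itself. Addresses/ports/SPIs below are placeholders.

LOC_EXTERIOR_IP=192.0.2.1      # this host's outside address (constructed)
REM_EXTERIOR_IP=198.51.100.1   # peer's outside address (constructed)
LOC_INTERIOR_IP=10.99.0.1      # addresses on the point-to-point ng0 link
REM_INTERIOR_IP=10.99.0.2
UDP_TUNNEL_PORT=4000           # UDP port carrying the tunnel envelope

# Commands that build the tunnel: an ng_iface node (ng0) whose "inet" hook is
# attached to an ng_ksocket UDP socket bound to us and connected to the peer.
tunnel_commands() {
    cat <<EOF
ngctl mkpeer iface dummy inet
ngctl mkpeer ng0: ksocket inet inet/dgram/udp
ngctl msg ng0:inet bind inet/${LOC_EXTERIOR_IP}:${UDP_TUNNEL_PORT}
ngctl msg ng0:inet connect inet/${REM_EXTERIOR_IP}:${UDP_TUNNEL_PORT}
ifconfig ng0 ${LOC_INTERIOR_IP} ${REM_INTERIOR_IP}
EOF
}

# Security policy: require ESP (transport mode) for the tunnel's UDP 4-tuple
# in both directions. Because the selector includes the port, every other
# packet between the two exterior addresses is left alone.
ipsec_policy() {
    cat <<EOF
spdadd ${LOC_EXTERIOR_IP}/32[${UDP_TUNNEL_PORT}] ${REM_EXTERIOR_IP}/32[${UDP_TUNNEL_PORT}] udp -P out ipsec esp/transport//require;
spdadd ${REM_EXTERIOR_IP}/32[${UDP_TUNNEL_PORT}] ${LOC_EXTERIOR_IP}/32[${UDP_TUNNEL_PORT}] udp -P in ipsec esp/transport//require;
EOF
}

# N random bytes as lowercase hex (for demo key material only).
random_hex() {
    od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# Manually keyed SAs for both directions. Arguments: AES-128-CBC key and
# HMAC-SHA-256 key, hex without 0x. Both ends must install identical keys;
# in production let an IKE daemon negotiate the SAs instead of keying by hand.
manual_sas() {
    enc_key=$1
    auth_key=$2
    cat <<EOF
add ${LOC_EXTERIOR_IP} ${REM_EXTERIOR_IP} esp 0x1001 -E aes-cbc 0x${enc_key} -A hmac-sha2-256 0x${auth_key};
add ${REM_EXTERIOR_IP} ${LOC_EXTERIOR_IP} esp 0x1002 -E aes-cbc 0x${enc_key} -A hmac-sha2-256 0x${auth_key};
EOF
}

# Apply for real only as root on FreeBSD with the tools present; otherwise
# show what would be applied so the script can be reviewed first.
if [ "$(uname -s 2>/dev/null)" = FreeBSD ] && [ "$(id -u)" = 0 ] \
   && command -v ngctl >/dev/null 2>&1 && command -v setkey >/dev/null 2>&1; then
    tunnel_commands | sh -e
    { ipsec_policy; manual_sas "$(random_hex 16)" "$(random_hex 32)"; } | setkey -c
    setkey -DP   # check: the two spdadd entries should now be listed
else
    echo "# dry run (not root on FreeBSD): commands that would be applied"
    tunnel_commands
    ipsec_policy
fi
```

Once the policy is in place, `setkey -DP` should show both entries with the UDP port selectors, and `tcpdump -ni <outside-if> host 198.51.100.1` should show ESP rather than UDP/4000 for the envelope while unrelated traffic to the peer is unchanged. The peer runs the same script with the LOC/REM values swapped and the same keys.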