From: David Pick <d.m.pick@qmw.ac.uk>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Interaction between ipfw, IPSEC and natd
Date: Tue, 17 Apr 2001 15:06:53 +0100
In-reply-to: Your message of "Mon, 16 Apr 2001 12:14:05 PDT." <200104161914.f3GJEMh06453@cwsys.cwsent.com>

> Just sort of thinking out loud here, would some kind of daemon (or
> other facility), that would attach itself to a tun(4) (or other)
> interface, like pipsecd does, but use the kernel's IPSec facility to
> encrypt and encapsulate the packets instead of its own, then inject
> them into the external interface be of use?

I think so - but I don't see why a daemon would be necessary. It seems to me that the sort of mechanism used by the "gif" interfaces would be appropriate. It *might* even be possible to extend the "gif" interface to do the job. The difference being that instead of encapsulating in an IP "tunnel" it would encapsulate in an IPSEC "tunnel". It probably would not be either appropriate or necessary to be able to handle AH-only packets this way.

Of course, I may be talking through my hat; if so I'm sure someone will tell me...

-- 
David Pick