From: Tom Marcoen
Date: Tue, 9 Jun 2020 12:53:03 +0200
Subject: Re: On Netgraph
To: Julian Elischer
Cc: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

Hey Julian,

That is what I had in mind. Though I was hoping I could put the encryption
in NetGraph too so that I would not see that interface on my host where I
do not need to see it.

On Tue, 9 Jun 2020 at 05:28, Julian Elischer wrote:
> On 5/27/20 4:20 AM, Eugene Grosbein wrote:
> > 27.05.2020 15:06, Tom Marcoen wrote:
> >
> >> Hey all,
> >>
> >> I'm new to this mailing list and also quite new to FreeBSD (hurray,
> >> welcome to me!) so bear with me, please.
> >>
> >> I'm reading up on Netgraph on how I can integrate it with FreeBSD jails
> >> and I was looking at some of the examples provided in
> >> /usr/share/examples/netgraph and now have the following question.
> >> The udp.tunnel example shows an iface point-to-point connection but it
> >> is unencrypted. Of course I could encrypt it with an IPsec tunnel on the
> >> host or tunnel it through SSH, but I was wondering whether there exists
> >> a nice Netgraph solution, e.g. a node with two hooks, receiving
> >> unencrypted traffic on the inside hook and sending out encrypted
> >> traffic on the outside hook.
> > There is an ng_mppc(4) netgraph node capable of performing relatively
> > weak MPPE encryption (and/or compression), but it is designed to work
> > with an ng_ppp(4) node encapsulating IP packets into PPP frames.
> > I doubt it's very efficient for inter-jail traffic.
> >
> > Why do you need encryption for inter-jail traffic in the first place?
> > Encryption is needed for traffic passing untrusted channels where data
> > interception is possible, but inter-jail traffic does not leave the
> > kernel at all until it hits the destination jail.
> Once you have a udp tunnel set up you just need to set up an IPSEC SA
> to encrypt just that tunnel.
> It's not required to do the encryption in netgraph.
> There is a script to make the tunnel in
> /usr/share/examples/netgraph/udp.tunnel
> You just need to set up the SA to catch it..
> You can also, if you desire, put a netgraph bridge at both ends of the
> tunnel and have a single subnet connected by the link. The bridge nodes
> are "learning" so they will learn when to send packets over the link and
> when not to.
> You can also play tricks with FIBs so that tunnel envelope packets and
> all other packets use different routing tables.
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
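Julian's recipe above (build the udp.tunnel link out of ng_iface and ng_ksocket, then have an IPsec SA "catch" exactly that tunnel) as an added example script. This is not code from the thread, from the FreeBSD examples tree, or from the FreeBSD project: the ngctl(8) commands follow the shape of the udp.tunnel example, the setkey(8) policy is scoped to one UDP port between the two exterior addresses, and the addresses, port, SPIs, key bytes and the assumption that the new ng_iface node comes up as ng0 are all hypothetical placeholders. The ng_bridge and FIB variations Julian mentions are not shown.

```sh
#!/bin/sh
# Added example (not from the thread or the FreeBSD examples tree):
# a Netgraph UDP tunnel whose envelope packets are required to carry ESP.
#
# All addresses, the port, SPIs and keys are hypothetical placeholders.
LOC_EXTERIOR_IP=${LOC_EXTERIOR_IP:-192.0.2.1}     # this host, outside address
REM_EXTERIOR_IP=${REM_EXTERIOR_IP:-192.0.2.2}     # peer, outside address
UDP_TUNNEL_PORT=${UDP_TUNNEL_PORT:-4028}          # UDP "physical layer" port
LOC_INTERIOR_IP=${LOC_INTERIOR_IP:-10.99.0.1}     # this end of the ng0 link
REM_INTERIOR_IP=${REM_INTERIOR_IP:-10.99.0.2}     # far end of the ng0 link

# Manual SAs, one per direction. aes-gcm-16 takes a 288-bit value on
# FreeBSD (256-bit key + 32-bit salt, 36 bytes = 72 hex digits). These
# bytes are obvious placeholders; generate real ones with
# "openssl rand -hex 36", or better, let IKE negotiate and rekey them.
SPI_OUT=${SPI_OUT:-0x1001}
SPI_IN=${SPI_IN:-0x1002}
KEY_OUT=${KEY_OUT:-0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20212223}
KEY_IN=${KEY_IN:-0xfffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0dfdedddc}

# ngctl(8) commands that build the link, in the order udp.tunnel uses them:
# create an ng_iface node (assumed to appear as ng0), hang an ng_ksocket
# UDP socket on its "inet" hook, bind it locally and connect it to the peer
# so the socket only exchanges datagrams with that one remote endpoint.
netgraph_commands() {
	cat <<EOF
mkpeer iface dummy inet
mkpeer ng0: ksocket inet inet/dgram/udp
msg ng0:inet bind inet/${LOC_EXTERIOR_IP}:${UDP_TUNNEL_PORT}
msg ng0:inet connect inet/${REM_EXTERIOR_IP}:${UDP_TUNNEL_PORT}
EOF
}

# setkey(8) configuration: a transport-mode ESP policy that matches only
# the tunnel envelope (UDP, this port, these two exterior addresses) in
# both directions, plus the two manual SAs that satisfy it. "require"
# means an envelope packet with no usable SA is dropped, never sent clear.
# Other traffic between the exterior addresses is not affected. No
# "flush;"/"spdflush;" here on purpose: that would wipe unrelated policy.
ipsec_config() {
	cat <<EOF
spdadd ${LOC_EXTERIOR_IP}[${UDP_TUNNEL_PORT}] ${REM_EXTERIOR_IP}[${UDP_TUNNEL_PORT}] udp -P out ipsec esp/transport//require;
spdadd ${REM_EXTERIOR_IP}[${UDP_TUNNEL_PORT}] ${LOC_EXTERIOR_IP}[${UDP_TUNNEL_PORT}] udp -P in ipsec esp/transport//require;
add ${LOC_EXTERIOR_IP} ${REM_EXTERIOR_IP} esp ${SPI_OUT} -E aes-gcm-16 ${KEY_OUT};
add ${REM_EXTERIOR_IP} ${LOC_EXTERIOR_IP} esp ${SPI_IN} -E aes-gcm-16 ${KEY_IN};
EOF
}

# Apply on a FreeBSD host as root. The IPsec policy goes in first so that
# no envelope packet can leave in the clear while the graph is being built.
apply() {
	if ifconfig ng0 >/dev/null 2>&1; then
		ifconfig ng0 inet down delete >/dev/null 2>&1
		ngctl shutdown ng0:
	fi
	ipsec_config | setkey -c
	netgraph_commands | ngctl -f -
	ifconfig ng0 "${LOC_INTERIOR_IP}" "${REM_INTERIOR_IP}"
}

case "${1:-}" in
	show)  netgraph_commands; ipsec_config ;;
	apply) apply ;;
esac
```

`sh tunnel.sh show` prints what would be fed to ngctl and setkey; `sh tunnel.sh apply` installs it. Run the same script on the peer with the LOC_/REM_ variables and the SPI/key pairs swapped. Two things to keep in mind: transport-mode ESP hides the inner packets but still exposes the exterior addresses and the tunnel port to an observer, and manual SAs never rekey, so for anything beyond a lab use an IKE daemon to create the SAs and keep only the spdadd lines.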