Date:      Tue, 9 Jun 2020 16:48:59 -0700
From:      John-Mark Gurney <jmg@funkthat.com>
To:        Tom Marcoen <tom.marcoen@gmail.com>
Cc:        Julian Elischer <julian@freebsd.org>, freebsd-net@freebsd.org
Subject:   Re: On Netgraph
Message-ID:  <20200609234859.GR4213@funkthat.com>
In-Reply-To: <CAJ-iVrMy3Ja_ppb56O0Ft8Gv8aeFPaqvkoaJo0jjNrwufqdeNg@mail.gmail.com>
References:  <CAJ-iVrNn=9-Z5YHG4j=adnFiiTbDLED6ArYh8j9Zepn0k8=6KA@mail.gmail.com> <d5c2b323-66a6-d88e-91d5-f697aa4fdefe@grosbein.net> <d110a823-9db8-973d-0bcc-a248b804d752@freebsd.org> <CAJ-iVrMy3Ja_ppb56O0Ft8Gv8aeFPaqvkoaJo0jjNrwufqdeNg@mail.gmail.com>

Tom Marcoen wrote this message on Tue, Jun 09, 2020 at 12:53 +0200:
> That is what I had in mind. Though I was hoping I could put the encryption
> in NetGraph too so that I would not see that interface on my host where I
> do not need to see it.

You wouldn't see any interface if you're encrypting and authenticating
a UDP tunnel with IPsec... the Security Association (SA) is transparent
and does not appear on the interface list of your host.

> On Tue, 9 Jun 2020 at 05:28, Julian Elischer <julian@freebsd.org> wrote:
> 
> > On 5/27/20 4:20 AM, Eugene Grosbein wrote:
> > > 27.05.2020 15:06, Tom Marcoen wrote:
> > >
> > >> Hey all,
> > >>
> > >> I'm new to this mailing list and also quite new to FreeBSD (hurray,
> > >> welcome to me!) so bear with me, please.
> > >>
> > >> I'm reading up on Netgraph on how I can integrate it with FreeBSD jails
> > >> and I was looking at some of the examples provided in
> > >> /usr/share/examples/netgraph and now have the following question.
> > >> The udp.tunnel example shows an iface point-to-point connection but it
> > >> is unencrypted. Of course I could encrypt it with an IPsec tunnel on the
> > >> host or tunnel it through SSH, but I was wondering whether there exists a
> > >> nice Netgraph solution, e.g. a node with two hooks, receiving unencrypted
> > >> traffic on the inside hook and sending out encrypted traffic on the
> > >> outside hook.
> > > There is an ng_mppc(4) netgraph node capable of performing relatively weak
> > > MPPE encryption (and/or compression), but it is designed to work with the
> > > ng_ppp(4) node encapsulating IP packets into PPP frames.
> > > I doubt it's very efficient for inter-jail traffic.
> > >
> > > Why do you need encryption for inter-jail traffic in the first place?
> > > Encryption is needed for traffic passing untrusted channels where data
> > > interception is possible, but inter-jail traffic does not leave the kernel
> > > at all until it hits the destination jail.
> > Once you have a UDP tunnel set up you just need to set up an IPSEC SA
> > to encrypt just that tunnel.
> > It's not required to do the encryption in netgraph.
> > There is a script to make the tunnel in
> > /usr/share/examples/netgraph/udp.tunnel
> > You just need to set up the SA to catch it.
> > You can also, if you desire, put a netgraph bridge at both
> > ends of the tunnel and have a single subnet connected by the link. The
> > bridge nodes are "learning" so they will learn when to send packets over
> > the link and when not to.
> > You can also play tricks with FIBs so that tunnel envelope packets and all
> > other packets use different routing tables.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
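As an added example (not part of this thread, and not the FreeBSD udp.tunnel script itself), the sh script below builds the ng_iface/ng_ksocket UDP tunnel in the same node layout the udp.tunnel example uses, and then installs transport-mode ESP SAs plus SPD entries that match only the tunnel's UDP envelope, which is the "set up the SA to catch it" step Julian and John-Mark describe. The addresses (192.0.2.x outside, 10.10.0.x inside), the port 4028, the SPIs 0x1001/0x1002 and the 64-hex-digit key format are assumptions; the keys are placeholders that must be generated per deployment (for example with `openssl rand -hex 32`), and the peer runs the same script with LOC/REM and the in/out keys swapped. Manual keying via setkey(8) is used so that the whole policy is visible in one place; a key-management daemon would normally negotiate the SAs instead.

```shell
#!/bin/sh
# Added example: encrypted ng_iface <-> ng_ksocket UDP tunnel with IPsec ESP
# (transport mode) covering only the tunnel's UDP envelope. Not the FreeBSD
# udp.tunnel script; addresses, port, SPIs and key format are assumptions.

LOC_EXTERIOR_IP=${LOC_EXTERIOR_IP:-192.0.2.1}   # this host's outside address (assumed)
REM_EXTERIOR_IP=${REM_EXTERIOR_IP:-192.0.2.2}   # peer's outside address (assumed)
UDP_TUNNEL_PORT=${UDP_TUNNEL_PORT:-4028}        # UDP port carrying the tunnel (assumed)
LOC_INTERIOR_IP=${LOC_INTERIOR_IP:-10.10.0.1}   # our end of the point-to-point link (assumed)
REM_INTERIOR_IP=${REM_INTERIOR_IP:-10.10.0.2}   # peer's end (assumed)
IFACE=${IFACE:-ng0}                             # name the kernel gives the ng_iface node

# Accept only "0x" + 64 hex digits: a 256-bit AES-CBC key or a 256-bit
# HMAC-SHA-256 key. Rejecting anything else avoids feeding setkey a short
# or malformed key that it might still accept as a weaker SA.
key_ok() {
    case "$1" in 0x*) ;; *) return 1 ;; esac
    [ "${#1}" -eq 66 ] || return 1
    case "${1#0x}" in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# ngctl(8) commands, in udp.tunnel's layout: create the iface node, hang a
# UDP ksocket node on its "inet" hook, bind it locally and connect it to the
# peer. Printed rather than executed so the sequence can be reviewed first.
tunnel_ngctl_script() {
    cat <<EOF
mkpeer iface dummy inet
mkpeer ${IFACE}: ksocket inet inet/dgram/udp
msg ${IFACE}:inet bind inet/${LOC_EXTERIOR_IP}:${UDP_TUNNEL_PORT}
msg ${IFACE}:inet connect inet/${REM_EXTERIOR_IP}:${UDP_TUNNEL_PORT}
EOF
}

# setkey(8) configuration: one ESP SA per direction (manual keying, for
# illustration) and SPD entries that require ESP only for UDP between the two
# exterior addresses on the tunnel port. Nothing else on the host is touched
# (no flush lines on purpose). $1/$2 = outbound enc/auth keys, $3/$4 = inbound.
ipsec_setkey_config() {
    for k in "$1" "$2" "$3" "$4"; do
        key_ok "$k" || { echo "ipsec_setkey_config: bad key format" >&2; return 1; }
    done
    cat <<EOF
add ${LOC_EXTERIOR_IP} ${REM_EXTERIOR_IP} esp 0x1001 -m transport -E aes-cbc $1 -A hmac-sha2-256 $2;
add ${REM_EXTERIOR_IP} ${LOC_EXTERIOR_IP} esp 0x1002 -m transport -E aes-cbc $3 -A hmac-sha2-256 $4;
spdadd ${LOC_EXTERIOR_IP}[${UDP_TUNNEL_PORT}] ${REM_EXTERIOR_IP}[${UDP_TUNNEL_PORT}] udp -P out ipsec esp/transport//require;
spdadd ${REM_EXTERIOR_IP}[${UDP_TUNNEL_PORT}] ${LOC_EXTERIOR_IP}[${UDP_TUNNEL_PORT}] udp -P in ipsec esp/transport//require;
EOF
}

# Build the tunnel, number the interface, then install the IPsec policy.
# Order matters: the SPD "require" entries go in last, so no envelope packet
# leaves in the clear once the tunnel is up. Needs root and the netgraph
# modules (ng_iface, ng_ksocket) plus IPsec support in the kernel.
apply_tunnel() {
    tunnel_ngctl_script | ngctl -f -
    ifconfig "$IFACE" "$LOC_INTERIOR_IP" "$REM_INTERIOR_IP"
    ipsec_setkey_config "$@" | setkey -c
}

# Usage: ./tunnel.sh apply 0x<enc_out> 0x<auth_out> 0x<enc_in> 0x<auth_in>
# Without "apply" the script only defines the functions, so it can be sourced
# and the generated ngctl/setkey text inspected (tunnel_ngctl_script, etc.).
if [ "${1:-}" = apply ]; then
    shift
    apply_tunnel "$@"
fi
```

After `apply`, `ngctl list` should show the iface and ksocket nodes, `setkey -D` the two SAs, and `setkey -DP` the two UDP-only policies; traffic over `ng0` then leaves the host as ESP, while everything else between the two exterior addresses stays untouched.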