Date:      Mon, 20 Jan 2003 17:31:49 -0700
From:      Mike Durian <durian@boogie.com>
To:        Pekka Nikander <pekka.nikander@nomadiclab.com>
Cc:        freebsd-net@freebsd.org
Subject:   Question about IPsec and double ipfilter processing
Message-ID:  <200301201731.49942.durian@boogie.com>

I was looking through the FreeBSD mailing list archives trying to figure
out why ipfilter is filtering on both encapsulated ESP packets and the
decrypted packets (NetBSD says it should only filter on the line packets),
when I saw a relevant posting.  It looks like other people are frustrated by
this double processing too.

In a message Pekka Nikander says:

	From the security point of view this does not matter so much,
	since the IPsec code is taking care of the protection and
	dropping those packets.

Can you clarify on this.  In order to allow a peer network, 192.168.2.0/24,
to connect to my network via a VPN, I need to pass ESP (fine) and
then also 192.168.2.0/24 packets (I'm not so happy about this).  Does
your statement above imply the IPsec code will somehow filter non-ESP
encapsulated packets from 192.168.2.0/24 thus protecting me from spoof
attacks even though the firewall would appear to allow it?

Thanks,
mike
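As an added illustration (not part of Mike's message or of any reply in the thread), here is how the two layers of policy fit together on a FreeBSD gateway running KAME IPsec and ipfilter. The addresses and interface are placeholders: 203.0.113.1 is the local gateway, 203.0.113.2 the peer gateway, fxp0 the outside interface, 192.168.1.0/24 the local network. The filter must admit both the ESP packet and the decrypted 192.168.2.0/24 packet because the decapsulated packet is run through ipfilter a second time; the `require` level on the inbound SPD entry is what makes the kernel itself discard a cleartext packet with a 192.168.2.0/24 source that did not arrive inside ESP, independently of what the filter allows.

```conf
# /etc/ipsec.conf  (loaded with: setkey -f /etc/ipsec.conf)
# SPD entries; all addresses are placeholders.
# "require" means a packet matching the selector is dropped unless it
# was actually carried by ESP from the peer gateway.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/203.0.113.2-203.0.113.1/require;

# /etc/ipf.rules  --  ipfilter sees each inbound tunnel packet twice:
# once as ESP on the wire, once again after decryption on the same
# interface.
# 1. the encrypted tunnel packet, accepted only from the peer gateway
pass in quick on fxp0 proto esp from 203.0.113.2 to 203.0.113.1
# 2. the decrypted inner packet (without this rule the tunnel traffic
#    is dropped on its second pass through the filter)
pass in quick on fxp0 from 192.168.2.0/24 to 192.168.1.0/24
# 3. everything else from outside
block in quick on fxp0 all
```

Rule 2 on its own would also admit a plaintext packet spoofing a 192.168.2.0/24 source; it is the `require` SPD entry, not the filter, that rejects such a packet.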

