From owner-freebsd-net@freebsd.org  Fri Nov 30 09:24:45 2018
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2FCCE113B8E2
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Fri, 30 Nov 2018 09:24:45 +0000 (UTC)
 (envelope-from bu7cher@yandex.ru)
Received: from forward105p.mail.yandex.net (forward105p.mail.yandex.net
 [IPv6:2a02:6b8:0:1472:2741:0:8b7:108])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id D364178398;
 Fri, 30 Nov 2018 09:24:43 +0000 (UTC)
 (envelope-from bu7cher@yandex.ru)
Received: from mxback2j.mail.yandex.net (mxback2j.mail.yandex.net
 [IPv6:2a02:6b8:0:1619::10b])
 by forward105p.mail.yandex.net (Yandex) with ESMTP id 6CE0B8C1ABF;
 Fri, 30 Nov 2018 12:24:40 +0300 (MSK)
Received: from smtp1j.mail.yandex.net (smtp1j.mail.yandex.net
 [2a02:6b8:0:801::ab])
 by mxback2j.mail.yandex.net (nwsmtp/Yandex) with ESMTP id GoQX1xyEbP-OeZWhJP4; 
 Fri, 30 Nov 2018 12:24:40 +0300
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail;
 t=1543569880; bh=ivMtewp7xuK9RWZf0rQS8LkWVvtKuHEPYxqAbNdT3TU=;
 h=Subject:To:References:From:Message-ID:Date:In-Reply-To;
 b=vVPykDvdIM1DhXJQSEuHbFiRzfTnriFjNwPTbE99d1wVEb3oG0NRWIne6EbUfK/jE
 gkAScsgt+w898ojSsoycvCZfT6gcxIZKtJ9uOcJ/+BAGrdo2YaqYbZpgS8k8c0ARCP
 rkHUlM1039CicBKfeYN48gTOX27Zvq80pDc7smko=
Received: by smtp1j.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id
 RmaXTAzSrp-OdB8MfUf; Fri, 30 Nov 2018 12:24:39 +0300
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client certificate not present)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail;
 t=1543569879; bh=ivMtewp7xuK9RWZf0rQS8LkWVvtKuHEPYxqAbNdT3TU=;
 h=Subject:To:References:From:Message-ID:Date:In-Reply-To;
 b=UTcz+tatWCQWKHX60YdS0Q7I36A+sTDLd+sG50K4We8TtPOvl8zDAzIPNKcwlVFLj
 7uxyneAA9u/KLUewu5utGHDyFTw1rGRwo73kidGSOW+FLaXkhzcezt+AnL1ilDXXnu
 TrH0IgvDC8gJ2M31Mw/t8NVH3mMpkl8sCk1xDwXM=
Authentication-Results: smtp1j.mail.yandex.net; dkim=pass header.i=@yandex.ru
Subject: Re: IPsec: is it possible to encrypt transit traffic in transport
 mode?
To: Eugene Grosbein <eugen@grosbein.net>, Lev Serebryakov <lev@FreeBSD.org>,
 freebsd-net@freebsd.org
References: <1519156224.20181130021136@serebryakov.spb.ru>
 <eb98de09-fe85-a978-15ef-b5c19f964f4e@grosbein.net>
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Openpgp: id=E6591E1B41DA1516F0C9BC0001C5EA0410C8A17A
Autocrypt: addr=bu7cher@yandex.ru; prefer-encrypt=mutual; keydata=
 xsBNBEwBF1kBCADB9sXFhBEUy8qQ4X63Y8eBatYMHGEFWN9ypS5lI3RE6qQW2EYbxNk7qUC5
 21YIIS1mMFVBEfvR7J9uc7yaYgFCEb6Sce1RSO4ULN2mRKGHP3/Sl0ijZEjWHV91hY1YTHEF
 ZW/0GYinDf56sYpDDehaBF5wkWIo1+QK5nmj3vl0DIDCMNd7QEiWpyLVwECgLX2eOAXByT8B
 bCqVhJGcG6iFP7/B9Ll6uX5gb8thM9LM+ibwErDBVDGiOgvfxqidab7fdkh893IBCXa82H9N
 CNwnEtcgzh+BSKK5BgvPohFMgRwjti37TSxwLu63QejRGbZWSz3OK3jMOoF63tCgn7FvABEB
 AAHNIkFuZHJleSBWLiBFbHN1a292IDxhZUBmcmVlYnNkLm9yZz7CwHsEEwECACUCGwMGCwkI
 BwMCBhUIAgkKCwQWAgMBAh4BAheABQJMB/ruAhkBAAoJEAHF6gQQyKF6MLwH/3Ri/TZl9uo0
 SepYWXOnxL6EaDVXDA+dLb1eLKC4PRBBjX29ttQ0KaWapiE6y5/AfzOPmRtHLrHYHjd/aiHX
 GMLHcYRXD+5GvdkK8iMALrZ28X0JXyuuZa8rAxWIWmCbYHNSBy2unqWgTI04Erodk90IALgM
 9JeHN9sFqTM6zalrMnTzlcmel4kcjT3lyYw3vOKgoYLtsLhKZSbJoVVVlvRlGBpHFJI5AoYJ
 SyfXoN0rcX6k9X7Isp2K50YjqxV4v78xluh1puhwZyC0p8IShPrmrp9Oy9JkMX90o6UAXdGU
 KfdExJuGJfUZOFBTtNIMNIAKfMTjhpRhxONIr0emxxDOwE0ETAEXWQEIAJ2p6l9LBoqdH/0J
 PEFDY2t2gTvAuzz+8zs3R03dFuHcNbOwjvWCG0aOmVpAzkRa8egn5JB4sZaFUtKPYJEQ1Iu+
 LUBwgvtXf4vWpzC67zs2dDuiW4LamH5p6xkTD61aHR7mCB3bg2TUjrDWn2Jt44cvoYxj3dz4
 S49U1rc9ZPgD5axCNv45j72tggWlZvpefThP7xT1OlNTUqye2gAwQravXpZkl5JG4eOqJVIU
 X316iE3qso0iXRUtO7OseBf0PiVmk+wCahdreHOeOxK5jMhYkPKVn7z1sZiB7W2H2TojbmcK
 HZC22sz7Z/H36Lhg1+/RCnGzdEcjGc8oFHXHCxUAEQEAAcLAXwQYAQIACQUCTAEXWQIbDAAK
 CRABxeoEEMihegkYCAC3ivGYNe2taNm/4Nx5GPdzuaAJGKWksV+w9mo7dQvU+NmI2az5w8vw
 98OmX7G0OV9snxMW+6cyNqBrVFTu33VVNzz9pnqNCHxGvj5dL5ltP160JV2zw2bUwJBYsgYQ
 WfyJJIM7l3gv5ZS3DGqaGIm9gOK1ANxfrR5PgPzvI9VxDhlr2juEVMZYAqPLEJe+SSxbwLoz
 BcFCNdDAyXcaAzXsx/E02YWm1hIWNRxanAe7Vlg7OL+gvLpdtrYCMg28PNqKNyrQ87LQ49O9
 50IIZDOtNFeR0FGucjcLPdS9PiEqCoH7/waJxWp6ydJ+g4OYRBYNM0EmMgy1N85JJrV1mi5i
Message-ID: <cd4c1312-d711-a6c9-fa3e-e92175ff015e@yandex.ru>
Date: Fri, 30 Nov 2018 12:22:14 +0300
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:60.0) Gecko/20100101
 Thunderbird/60.3.1
MIME-Version: 1.0
In-Reply-To: <eb98de09-fe85-a978-15ef-b5c19f964f4e@grosbein.net>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="3hUJR67Og9bGQXEvoECnR5SOlc6BZL0Al"
X-Rspamd-Queue-Id: D364178398
X-Spamd-Result: default: False [-6.92 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[];
 TO_DN_SOME(0.00)[]; FREEMAIL_FROM(0.00)[yandex.ru];
 R_SPF_ALLOW(-0.20)[+ip6:2a02:6b8:0:1000::/52];
 HAS_ATTACHMENT(0.00)[]; RCVD_COUNT_THREE(0.00)[4];
 DKIM_TRACE(0.00)[yandex.ru:+];
 MX_GOOD(-0.01)[mx.yandex.ru,mx.yandex.ru,mx.yandex.ru,mx.yandex.ru,mx.yandex.ru];
 DMARC_POLICY_ALLOW(-0.50)[yandex.ru,none];
 NEURAL_HAM_SHORT(-0.99)[-0.988,0]; SIGNED_PGP(-2.00)[];
 RCVD_IN_DNSWL_LOW(-0.10)[8.0.1.0.7.b.8.0.0.0.0.0.1.4.7.2.2.7.4.1.0.0.0.0.8.b.6.0.2.0.a.2.list.dnswl.org
 : 127.0.5.1]; 
 IP_SCORE(-1.72)[ipnet: 2a02:6b8::/32(-4.80), asn: 13238(-3.82), country:
 RU(0.01)]; SUBJECT_ENDS_QUESTION(1.00)[];
 FREEMAIL_ENVFROM(0.00)[yandex.ru];
 ASN(0.00)[asn:13238, ipnet:2a02:6b8::/32, country:RU];
 MID_RHS_MATCH_FROM(0.00)[]; FROM_EQ_ENVFROM(0.00)[];
 ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 R_DKIM_ALLOW(-0.20)[yandex.ru]; FROM_HAS_DN(0.00)[];
 RCPT_COUNT_THREE(0.00)[3]; NEURAL_HAM_LONG(-1.00)[-1.000,0];
 MIME_GOOD(-0.20)[multipart/signed,multipart/mixed,text/plain];
 RCVD_TLS_LAST(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]
X-Rspamd-Server: mx1.freebsd.org
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Nov 2018 09:24:45 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--3hUJR67Og9bGQXEvoECnR5SOlc6BZL0Al
Content-Type: multipart/mixed; boundary="qPjTX6hdxkdMocInya4gs3KgcnS9Q8yyC";
 protected-headers="v1"
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Eugene Grosbein <eugen@grosbein.net>, Lev Serebryakov <lev@FreeBSD.org>,
 freebsd-net@freebsd.org
Message-ID: <cd4c1312-d711-a6c9-fa3e-e92175ff015e@yandex.ru>
Subject: Re: IPsec: is it possible to encrypt transit traffic in transport
 mode?
References: <1519156224.20181130021136@serebryakov.spb.ru>
 <eb98de09-fe85-a978-15ef-b5c19f964f4e@grosbein.net>
In-Reply-To: <eb98de09-fe85-a978-15ef-b5c19f964f4e@grosbein.net>

--qPjTX6hdxkdMocInya4gs3KgcnS9Q8yyC
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

On 30.11.2018 04:06, Eugene Grosbein wrote:
>>   Is it possible to encrypt this traffic with IPsec in *transport* mod=
e?
>>  I've tried to create SAs for 10.2.0.1 and 10.2.0.2 and SPDs for 10.1.=
0.0/24
>>  and 10.10.10.0/24 on A and B (not on endpoint devices) but looks like=
 it
>>  doesn't work, traffic stops. It is not as encrypted traffic is sent b=
ut
>>  dropped on other end, no, interfaces between Host A and Host B become=
s
>>  silent according to "tcpdump" and all forwarded/dropped/error counter=
s in
>>  "nestat -s" don't change anymore, only "input packets" in "netstat -s=
 -p ip"
>>  is still counting.
>>
> It is possible and it is the way I use extensively for long time since =
very old
> FreeBSD versions having KAME IPSEC and it works with 11.2-STABLE, too.
>=20
> You need to read setkey(8) manual page, section ALGORITHMS and make sur=
e
> you use proper sized keys or it won't work, though.
>=20
> And example of transport mode IPSEC with low-powered device having on-b=
oard
> Geode LX Security Block crypto accelerator with AES-128-CBC support:
>=20
> add 1.1.1.1 2.2.2.2 esp 1081 -m transport -E rijndael-cbc "123456789012=
3456" -A hmac-md5 "0123456789123456";
> add 2.2.2.2 1.1.1.1 esp 2081 -m transport -E rijndael-cbc "987654321098=
7654" -A hmac-md5 "6543219876543210";
>=20
> spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec esp/transport//require;
> spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec  esp/transport//require;
>=20
> You have to use bigger keys if you use another -A algorithm like sha*, =
each character counts for 8 bits.

There is one problem. IPsec won't handle inbound packets, that are not
destined to your IP address. Inbound packets are handled based on the
destination address, protocol and SPI value, so if ip_input() doesn't
decide that ESP packet is for your host, it will not invoke
IPSEC_INPUT() and encrypted packet will be routed as is.

--=20
WBR, Andrey V. Elsukov


--qPjTX6hdxkdMocInya4gs3KgcnS9Q8yyC--

--3hUJR67Og9bGQXEvoECnR5SOlc6BZL0Al
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQEzBAEBCAAdFiEE5lkeG0HaFRbwybwAAcXqBBDIoXoFAlwBAUsACgkQAcXqBBDI
oXq2QggAiYYRufWOSrnYGDeMs6pLqb4HhQlHY+DZuc6zx3B4OYMqr9hzp/iODVn0
bS5ekIacpVSdf18lb19v1ft2kpf1zt7r1ZjhBukhOsCP8COLhMxTsU6FfIs/x9fZ
uWRddWFLKu0N0rXI87I8Q2lmBs7xiGKGCa/hSCgtgslAI3rDkdVMvA5zPgubJ1A7
82h/1zQYjaCd5vMcWtCUN6ypxEnghUAM2VMWcPOn9T13eo5on8I6x5I98Zvaip6H
YiLK+cnVH5s0NP3c+gXZI1MuhpsGGSbj685ba2t/mNn8gzYOfCK5nk4uxs3sgCE7
iVLfnv9ucC7wGPO/NWZLfDby5mbzUg==
=Ke/X
-----END PGP SIGNATURE-----

--3hUJR67Og9bGQXEvoECnR5SOlc6BZL0Al--