From owner-freebsd-net@FreeBSD.ORG Fri Jun 8 17:31:12 2012 Return-Path: Delivered-To: net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 83FDB1065672 for ; Fri, 8 Jun 2012 17:31:12 +0000 (UTC) (envelope-from emz@norma.perm.ru) Received: from elf.hq.norma.perm.ru (unknown [IPv6:2001:470:1f09:14c0::2]) by mx1.freebsd.org (Postfix) with ESMTP id 0D4688FC1F for ; Fri, 8 Jun 2012 17:31:11 +0000 (UTC) Received: from [192.168.248.32] ([192.168.248.32]) by elf.hq.norma.perm.ru (8.14.5/8.14.5) with ESMTP id q58HV94G029357 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Fri, 8 Jun 2012 23:31:09 +0600 (YEKT) (envelope-from emz@norma.perm.ru) Message-ID: <4FD236D4.6090409@norma.perm.ru> Date: Fri, 08 Jun 2012 23:31:00 +0600 From: "Eugene M. Zheganin" User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1 MIME-Version: 1.0 To: "net@freebsd.org" Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (elf.hq.norma.perm.ru [192.168.3.10]); Fri, 08 Jun 2012 23:31:09 +0600 (YEKT) X-Spam-Status: No hits=-101.0 bayes=0.5 testhits ALL_TRUSTED=-1, USER_IN_WHITELIST=-100 autolearn=unavailable version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on elf.hq.norma.perm.ru Cc: Subject: if_ipsec X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Jun 2012 17:31:12 -0000 Hi. I have an idea about new networking feature in FreeBSD. I guess everyone is having ideas from time to time, and lots of these idea having people think that they just had a decent idea. However, only ideas that are complemented by a working code can be considered by the community, and only some of them got commited into the tree, I am fully aware of this fact. Unfortunately, I am not able to produce the code. I guess this is the point where most of the subscribers will (or at least should) stop reading this post. Still, I'm addressing this post for people that have the time and will to do something interesting. I guess that someone may find this interesting. Myself, I find that this could be really useful. (You can skip this part and the next part if you only want to read about the idea) I work about 10 years as a network engineer. My company holds country-wide supermarkets business. I am personally responsible for the network infrastructure of the company. As the company has lots of (hundreds) of branch offices, lots of my time I'm constructing new VPNs between them. My company network infrastructure is build using FreeBSD servers and Cisco (and last year - Juniper) equipment. So I am aware and capable of building VPN of almost any modern type, and this is the post about building it on FreeBSD (this annoying passage was written to give you impression that I'm not just a guy with FreeBSD server at home, holding a couple of movies). So. About VPNs. Another annoying passage about common ways and caveats. Otherwise most of the reading ppl will say 'Why the hell if_ipsec ?' (ppl that are aware of the VPNs can really skip this part). The conventional way to build vpn is to build a tunnel of some sort. This can be an encrypted tunnel, or an unencrypted tunnel. Unencrypted tunnel (gre/ipinip) is obviously unencrypted, but gives you an interface which could be using in routing. Encrypted tunnel (and I'm talking about ipsec) cannot be used for rounting, but is encrypted. Plus, you have to care about policies, and when multiple routers are involved, with hundreds of networks behind them, you have to care about tonns of policies, and this is painful. So, the industry invented a method: you use a gre/ipinip tunnel, you pass the dynamic routing information (you don't care bout networks, you only care abouth the endpoints), and you encrypt this tunnel with ipsec. So, gre + ipsec (of gif + ipsec). This way is supported by all of the major vendors, you can build gre(ipinip)+ipsec tunnel to any Cisco/Juniper device. Though building in to JunOS requires some skill and a deep knowledge. :) (here the idea starts) But what is an gre or gif tunnel ? This is not an interface, but a way to tell the system, that it needs to encapsulate some of the payload with another header, and send it somewhere. So, using ipsec you add an extra header, and using gre(ipinip) you add an extra header. What if we will add an additional ability to understand that some of the ipsec packets are destined to the security gateway (which adds the extra header) itself, like it's possible with gre/ipinip, so we can get rid of one extra header ? Cisco/Juniper did that. So, Cisco has the 'tun mode ipsec ipvX' interface, and Juniper has the st (secure tunnel) interface. How does it work: it's a convenstional ISAKMP IPsec with the ability to treat some of the packets with a particular IP like destined to the local (by this I mean 'this') host. Besides this it's the old IPsec. It's even interoperable between different vendors devices. I don't see any reason why FreeBSD cannot have this ability, since it does have a working Ipsec and working ISAKMP. In order to obtain this functionality FreeBSD needs to have a way to define the templates for the SPD entries, and the way to create these SPD entries after the creation of the interface, based on it's address information. This will really simplify the VPN creating and management. So... here was the idea. :) It came to my head after configuring the Juniper/Cisco VPN (and the config was really short), and after reading quagga-users@ maillist, where some of the subscribers asked about 'tun mode ipsec'. Plus, as far as I know, Linux does not support this too, so we could really score some points. Eugene.