From owner-freebsd-net@FreeBSD.ORG Sun Apr 2 10:22:41 2006
Date: Sun, 2 Apr 2006 13:22:31 +0300 (EEST)
From: Dmitry Pryanishnikov
To: Bruce M Simpson
Cc: freebsd-net@freebsd.org, VANHULLEBUS Yvan
Subject: Re: tcpdump and ipsec
In-Reply-To: <20060331223613.GD80492@spc.org>
Message-ID: <20060402130227.G99958@atlantis.atlantis.dp.ua>
References: <442D8E98.6050903@vineyard.net> <20060331222813.GA29047@zen.inc> <20060331223613.GD80492@spc.org>
List-Id: Networking and TCP/IP with FreeBSD

Hello!

On Fri, 31 Mar 2006, Bruce M Simpson wrote:

> On Sat, Apr 01, 2006 at 12:28:13AM +0200, VANHULLEBUS Yvan wrote:
>> 2) use enc0 support, which is actually pr kern/94829, and which should
>> be included soon in kernel.
>
> Oh god! Not another ifnet! NoOOOOOO!!!!!!

Why not? IMHO it will be a very useful feature: think about e.g. traffic
shaping for several different networks which are routed via the same ipsec
tunnel.
Without the enc0, you can only shape them together, e.g.:

    ipfw add 100 pipe 1 esp from any to any out via rl0

With enc0, you can shape them separately:

    ipfw add 102 pipe 2 all from any to 10.0.2.0/24 out via enc0
    ipfw add 103 pipe 3 all from any to 10.0.3.0/24 out via enc0

The only thing which could be improved here is that a host can have several
ipsec tunnels, so it would be better to have many separate encX interfaces,
one per tunnel, instead of a single enc0. But I don't know how to implement
binding between ipsec tunnels and individual encX devices in this case.
Maybe by assigning dummy IP addresses to encX which should match the
corresponding "local-remote" IP addresses in the SPD entry?

After all, this stuff is _optional_, you don't _have_ to use it. However,
I'd like to see it in our tree.

Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
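The following script is an added example and is not part of Dmitry's mail or of the enc(4) submission it discusses. It turns the two configurations above into a complete dummynet setup: when the enc interface is present it creates one pipe per inner network and attaches the per-network rules on enc0, and when it is absent it falls back to the single esp pipe on the outer interface, so everything is shaped together. The interface names (rl0, enc0), the bandwidth figures and the network table are constructed sample values; by default the script only prints the ipfw commands (a dry run), and executes them only when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original mail.
# Assumptions: rl0 is the outer (physical) interface, enc0 is the enc(4)
# interface that exposes IPsec traffic before encapsulation, and the
# network/bandwidth table below is constructed sample data.

OUTER_IF=rl0
ENC_IF=enc0

# Constructed sample: one line per inner network, "pipe-number network bandwidth".
SHAPE_TABLE='2 10.0.2.0/24 512Kbit/s
3 10.0.3.0/24 1Mbit/s'

# Emit pipe definitions and per-network rules on the enc interface.
# Rule numbers are 100 + pipe number, matching the numbering in the mail.
gen_enc_rules() {
    printf '%s\n' "$SHAPE_TABLE" | while read -r pipe net bw; do
        [ -n "$pipe" ] || continue
        echo "ipfw pipe $pipe config bw $bw"
        echo "ipfw add $((100 + pipe)) pipe $pipe all from any to $net out via $ENC_IF"
    done
}

# Fallback without enc0: one pipe for all ESP traffic leaving the outer
# interface, i.e. every inner network is shaped together.
gen_esp_rule() {
    echo "ipfw pipe 1 config bw $1"
    echo "ipfw add 100 pipe 1 esp from any to any out via $OUTER_IF"
}

# Choose the rule set from the interface state ("present" or "absent").
# The state is passed in as an argument so the selection can be tested
# without an enc interface on the machine.
select_rules() {
    if [ "$1" = "present" ]; then
        gen_enc_rules
    else
        gen_esp_rule "$2"
    fi
}

# ifconfig exits non-zero for an interface that does not exist.
enc_state() {
    if ifconfig "$ENC_IF" >/dev/null 2>&1; then
        echo present
    else
        echo absent
    fi
}

# Dry run by default: print the commands. With APPLY=1 run them (as root).
main() {
    select_rules "$(enc_state)" 2Mbit/s | while read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            sh -c "$cmd"
        else
            echo "$cmd"
        fi
    done
}

main
```

The two generators are kept separate so the fallback is explicit rather than silently producing rules that reference an interface the kernel does not have; on a host without enc(4), a rule with "via enc0" would never match and the tunnel traffic would leave unshaped.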