From owner-freebsd-security Mon Aug 5 10:42:11 2002
Date: Mon, 5 Aug 2002 10:41:56 -0700
From: "Crist J. Clark"
To: Eric Masson
Cc: Matthew Grooms, dlavigne6@cogeco.ca, Mailing List FreeBSD Security
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]
Message-ID: <20020805174156.GA62935@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20020730074813.GF89241@blossom.cjclark.org> <86znw5r9h3.fsf_-_@notbsdems.nantes.kisoft-services.com> <86k7n9qv08.fsf@notbsdems.nantes.kisoft-services.com> <20020802172729.GA6880@blossom.cjclark.org> <86wur5o0r4.fsf@notbsdems.nantes.kisoft-services.com>
In-Reply-To: <86wur5o0r4.fsf@notbsdems.nantes.kisoft-services.com>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/

On Mon, Aug 05, 2002 at 04:09:51PM +0200, Eric Masson wrote:
> >>>>> "Crist" == Crist J Clark writes:
>
> Crist> It's pretty much automagically done by way of the SPD entry. Any
> Crist> packet that matches the source and destination in the SPD gets
> Crist> put through the appropriate tunnel with the specified end
> Crist> points.
>
> Ok, I do understand now.
>
> Crist> It's not the same as the regular routing table and will not show
> Crist> up in 'netstat -rn.'
>
> It would be nice to have netstat -r show these routes with a new flag
> (like T for example), tunnelled end address as destination, tunneled
> origin address as gateway, and interface bound to tunnel origin address
> as netif.
>
> Does this look interesting or is this plain dumb?

Tunnelling is not the same as routing. The tunnelling actually has no effect on routing. A packet going through the tunnel is encapsulated and sent to a different destination. This is not like routing, where we don't touch the source or destination addresses and merely manipulate where the packet is directed on the next hop. Once encapsulation is done, routing is done normally.
Another place for confusion: what do you display for,

  spdadd 10.10.10.0/24[any] 10.99.99.0/24[25] tcp -P out ipsec esp/tunnel/10.10.11.1-10.99.98.1/require

where not all traffic, but only some, goes through the tunnel. (Yes, an odd use of tunnelling, but perfectly valid.)

I think trying to add IPsec tunnels to 'netstat -r' is not a good idea. 'netstat -r' should show the routing table and nothing more. I think a command that displays the SPD and live SAD entries in more intuitive ways, possibly in a 'netstat -r'-like fashion, would be very useful, but it shouldn't actually be in 'netstat -r.'

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
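As an added illustration (not part of Crist's mail, and not setkey(8) code), a small Python model of the point made above: the SPD selectors decide whether a packet is encapsulated, and only the outer tunnel endpoints then reach the routing table. The parser handles just the one spdadd form quoted in the thread; the packet tuples are constructed sample input.

```python
# Added example: toy model of SPD matching and what routing sees afterwards.
# Only the "spdadd ... -P out ipsec esp/tunnel/A-B/require" form is parsed.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)\s+-P\s+out\s+"
    r"ipsec\s+esp/tunnel/(\S+)-(\S+)/require")

@dataclass
class SpdEntry:
    src: ipaddress.IPv4Network     # inner (selector) source network
    dst: ipaddress.IPv4Network     # inner (selector) destination network
    dst_port: Optional[int]        # None means "any" (source port ignored here)
    proto: str                     # "tcp", "udp", "any", ...
    tunnel_src: str                # outer endpoints used after encapsulation
    tunnel_dst: str

def parse_spdadd(line):
    m = SPDADD_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported spdadd form: " + line)
    src, _sport, dst, dport, proto, tsrc, tdst = m.groups()
    port = None if dport == "any" else int(dport)
    return SpdEntry(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                    port, proto, tsrc, tdst)

def outer_headers(spd, pkt):
    """pkt = (src_ip, dst_ip, proto, dst_port). Returns (src, dst, tunneled),
    the addresses the routing table is handed: a matching SPD entry swaps in
    the tunnel endpoints, otherwise the packet's own header is routed."""
    src, dst, proto, port = pkt
    for e in spd:
        if (ipaddress.ip_address(src) in e.src
                and ipaddress.ip_address(dst) in e.dst
                and e.proto in ("any", proto)
                and e.dst_port in (None, port)):
            return e.tunnel_src, e.tunnel_dst, True
    return src, dst, False

if __name__ == "__main__":
    spd = [parse_spdadd("spdadd 10.10.10.0/24[any] 10.99.99.0/24[25] tcp -P out "
                        "ipsec esp/tunnel/10.10.11.1-10.99.98.1/require")]
    for pkt in [("10.10.10.5", "10.99.99.7", "tcp", 25),   # SMTP: tunneled
                ("10.10.10.5", "10.99.99.7", "tcp", 80),   # HTTP: routed as-is
                ("10.10.10.5", "10.99.99.7", "udp", 25)]:  # wrong protocol
        print(pkt, "->", outer_headers(spd, pkt))
```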