From: Jeremie Le Hen
To: VANHULLEBUS Yvan
Cc: freebsd-security@freebsd.org
Date: Sat, 10 Mar 2007 20:23:47 +0100
Subject: Re: IPSec tunnel interfaces (was: freebsd vpn server behind nat dsl router)
Message-ID: <20070310192347.GC2887@obiwan.tataz.chchile.org>
In-Reply-To: <20070307170617.GA2799@zen.inc>

Hi Yvan,

On Wed, Mar 07, 2007 at 06:06:17PM +0100, VANHULLEBUS Yvan wrote:
> - FreeBSD handbook talks about Gif interfaces for IPSec tunnels. Just
>   forget that part and use directly IPSec tunnels without Gif
>   interfaces.

While I understand why using gif(4) to create IPSec tunnels is not
recommended because of interoperability, administratively it is pretty
useful to see the tunnel as an interface. Everything that comes along,
such as routes, firewall rules et al., works very naturally.

I'm no IPSec expert as you probably are, and I seem to recall the RFC
advises (requires?) it to be implemented as a bump in a stack. However,
is it reasonable to expect to see this in the future?

It seems the enc(4) interface provides this feature somehow, but only
for FAST_IPSEC. What is the doom of IPSEC? Are they to be merged in the
future, or is it possible to make the enc(4) work with IPSEC as well?

Thank you.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
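The two approaches being contrasted above, side by side as an added configuration example (not part of the thread): a pure tunnel-mode SPD whose decrypted traffic is only filterable through enc(4) on a FAST_IPSEC kernel, and a gif(4) tunnel protected by transport-mode ESP, which gives routes and pf(4) rules a real interface to attach to. All addresses (203.0.113.x endpoints, 10.0.0.0/30 tunnel, 192.168.1.0/24 and 192.168.2.0/24 LANs) and the $ext_if macro are constructed for illustration, and key management (IKE daemon or manual SAD entries) is omitted.

```conf
# --- Option A: native IPsec tunnel mode, no tunnel interface ---
# /etc/ipsec.conf on gateway A (203.0.113.1), loaded by setkey(8) when
# rc.conf has ipsec_enable="YES". The SPD alone decides what is
# encapsulated; no dedicated route to 192.168.2.0/24 is needed and the
# remote LAN does not show up in `netstat -rn`.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;

# /etc/pf.conf on gateway A: on $ext_if only IKE and ESP are visible.
# Inner (cleartext) traffic can only be filtered on enc0, which needs
# a FAST_IPSEC kernel with "device enc".
pass in  on $ext_if proto udp from 203.0.113.2 to 203.0.113.1 port 500 keep state
pass in  on $ext_if proto esp from 203.0.113.2 to 203.0.113.1
pass in  on enc0 from 192.168.2.0/24 to 192.168.1.0/24 keep state
pass out on enc0 from 192.168.1.0/24 to 192.168.2.0/24 keep state

# --- Option B: gif(4) tunnel protected by IPsec transport mode ---
# /etc/rc.conf on gateway A: the tunnel is an ordinary interface with
# its own addresses, so the remote LAN is reached by a normal route.
gif_interfaces="gif0"
gifconfig_gif0="203.0.113.1 203.0.113.2"                  # outer endpoints
ifconfig_gif0="inet 10.0.0.1 10.0.0.2 netmask 255.255.255.252"
static_routes="vpn"
route_vpn="-net 192.168.2.0/24 10.0.0.2"                  # via the tunnel peer
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

# /etc/ipsec.conf: protect only the IP-in-IP (ipencap, protocol 4)
# packets that gif0 emits; gif0 itself carries the inner packets.
spdadd 203.0.113.1 203.0.113.2 ipencap -P out ipsec esp/transport//require;
spdadd 203.0.113.2 203.0.113.1 ipencap -P in  ipsec esp/transport//require;

# /etc/pf.conf: the same external rules as above, but inner traffic is
# filtered with plain per-interface rules on gif0; enc(4) is not needed.
pass in  on $ext_if proto udp from 203.0.113.2 to 203.0.113.1 port 500 keep state
pass in  on $ext_if proto esp from 203.0.113.2 to 203.0.113.1
pass in  on gif0 from 192.168.2.0/24 to 192.168.1.0/24 keep state
pass out on gif0 from 192.168.1.0/24 to 192.168.2.0/24 keep state
```

Gateway B mirrors every line with the two endpoints, tunnel addresses and LANs swapped; Option B is also the one that interoperates least with non-BSD peers, since they must agree to the IP-in-IP-over-transport-ESP layering rather than standard tunnel mode.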