Date:      Sun, 4 Aug 2002 13:11:11 +0200
From:      Nomad <mailman@crypton.pl>
To:        Borja Marcos <borjamar@sarenet.es>
Cc:        freebsd-security@freebsd.org
Subject:   Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]
Message-ID:  <20020804131111.B32133@killer.crypton.pl>
In-Reply-To: <200208041224.10309.borjamar@sarenet.es>; from borjamar@sarenet.es on Sun, Aug 04, 2002 at 12:24:10PM +0200
References:  <sd4ab7c6.030@aus-gwia.aus.dcnhs.org> <200208041224.10309.borjamar@sarenet.es>

Hello,

Hm, advantages or disadvantages... the possibility of sniffing packets is a disadvantage in a security sense, I think...
Anyway, building firewall rules for an IPsec connection configured without a gif interface is also possible. I have this on my IPsec VPN gateway.
Packets go through ipfw 2 times: the first time encoded, in normal IPv4 form, the second time encapsulated in ESP frames.
Of course my rules are applied on the first visit of the packets to my ipfw.
I don't know if it works the same when the sysctl fw_onepass is set to 1 (on my gateway it is set to 0), but filtering packets before they are passed to the IPsec tunnel is possible and it works without gifs.
I think that it will work on workstations (in my case they are gateways).
Of course in that case sniffing is possible too: with ipfw's tee, fwd or divert rules. On a gateway it's possible to sniff on the "clear" interface and compare it with the ESP traffic on the "encrypted" interface.
Anyway: without gifs you are not blind.

Nomad


On Sun, Aug 04, 2002 at 12:24:10PM +0200, Borja Marcos wrote:
> On Friday 02 August 2002 23:47, Matthew Grooms wrote:
> > It's only backwards if you are used to implementing IPSEC communications
> > in a non-giff'd configuration. As mentioned before, this is endorsed by
> > many how-to's available. If you don't like this method, don't use it. I
> > for one prefer the giffed alternative but will be more than happy to
> > admit that the benefits appear to be mostly cosmetic.
> 
> 	I am not using gif right now, but I see two important advantages.
> 
> 	I suppose it will be possible to put firewall rules in a gif interface. 
> Imagine that you establish a tunnel with a not so trusted party, only for a 
> limited purpose.
> 
> 	I suppose as well that it is possible to sniff traffic in a gif interface. 
> Tools such as Argus, Ntop, can be used with encrypted tunnels. Otherwise, you 
> are blind.
> 
> 
> 	Borja.
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
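As an added example that is not part of the thread, here is the two-pass behaviour Nomad describes written out as an ipfw ruleset for a gif-less IPsec gateway. The interface, address and peer values are constructed placeholders, and the ports in the inner policy are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset for an IPsec gateway
# without gif(4). As described in the message, each tunnelled packet crosses
# ipfw twice: first as the cleartext inner packet (plain IPv4), then
# encapsulated in ESP. Policy is applied on the cleartext pass; the ESP pass
# only has to admit protocol 50 and IKE between the two gateways.
# Constructed values (assumptions): outer interface fxp0, local LAN
# 10.1.0.0/24, remote protected net 10.2.0.0/24, peer gateway 192.0.2.1.
EXT_IF=${EXT_IF:-fxp0}
LOCAL_NET=${LOCAL_NET:-10.1.0.0/24}
REMOTE_NET=${REMOTE_NET:-10.2.0.0/24}
PEER=${PEER:-192.0.2.1}

# Emit the rule set, one ipfw(8) command per line, without the "ipfw" word.
rules() {
    # Outer (ESP) pass: only ESP and IKE (udp/500) from/to the known peer.
    echo "add 100 allow esp from $PEER to me in via $EXT_IF"
    echo "add 110 allow esp from me to $PEER out via $EXT_IF"
    echo "add 120 allow udp from $PEER 500 to me 500 via $EXT_IF"
    # Visibility without gif: count the cleartext inner packets so the
    # tunnel's traffic shows up in 'ipfw show' next to the ESP counters.
    echo "add 150 count ip from $REMOTE_NET to $LOCAL_NET"
    echo "add 151 count ip from $LOCAL_NET to $REMOTE_NET"
    # Inner (cleartext) pass: a limited-purpose policy for a not-so-trusted
    # peer. The inner packets carry the private addresses, so match on those.
    echo "add 200 allow tcp from $REMOTE_NET to $LOCAL_NET 22,443 setup"
    echo "add 210 allow tcp from $LOCAL_NET to $REMOTE_NET 443 setup"
    echo "add 220 allow tcp from $REMOTE_NET to $LOCAL_NET established"
    echo "add 221 allow tcp from $LOCAL_NET to $REMOTE_NET established"
    # Everything else between the two private nets is dropped and logged; this
    # also catches private-net traffic that reaches the outer interface in
    # the clear (for example when no SA is in place).
    echo "add 230 deny log ip from $REMOTE_NET to $LOCAL_NET"
    echo "add 240 deny log ip from $LOCAL_NET to $REMOTE_NET"
}

# Load the set with ipfw(8); each line is split into words on purpose.
apply_rules() {
    rules | while read -r line; do
        # shellcheck disable=SC2086
        ipfw -q $line
    done
}

if command -v ipfw >/dev/null 2>&1; then
    apply_rules
else
    rules            # no ipfw on this host: print the set for review
fi
```

Comparing the counters of rules 150/151 with those of rules 100/110 in `ipfw show` gives the per-direction clear-versus-ESP view the message refers to, without a gif interface to sniff on.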

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020804131111.B32133>