From owner-freebsd-security Sun Aug 4 4:11:24 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 80B9C37B400 for ; Sun, 4 Aug 2002 04:11:13 -0700 (PDT)
Received: from mail.crypton.pl (ns.crypton.pl [195.216.109.11]) by mx1.FreeBSD.org (Postfix) with SMTP id 6EE4E43E42 for ; Sun, 4 Aug 2002 04:11:12 -0700 (PDT) (envelope-from mailman@mail.crypton.pl)
Received: (qmail 35073 invoked by uid 1002); 4 Aug 2002 11:11:11 -0000
Date: Sun, 4 Aug 2002 13:11:11 +0200
From: Nomad
To: Borja Marcos
Cc: freebsd-security@freebsd.org
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG toipsec/racoontroubles, help please ...]
Message-ID: <20020804131111.B32133@killer.crypton.pl>
References: <200208041224.10309.borjamar@sarenet.es>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <200208041224.10309.borjamar@sarenet.es>; from borjamar@sarenet.es on Sun, Aug 04, 2002 at 12:24:10PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello,

Hm, advantages or disadvantages... the possibility of sniffing packets is a disadvantage in a security manner, I think... Anyway, building firewall rules for an IPsec connection configured without a gif interface is also possible. I have this on my IPsec VPN gateway. Packets go via ipfw 2 times: first encoded, in normal IPv4 form, the second time encapsulated in ESP frames. Of course my rules are applied on the first visit of the packets in my ipfw. I don't know if it works the same when the sysctl fw_onepass is set to 1 (on my gateway it is set to 0), but filtering packets before they are passed to the IPsec tunnel is possible and it works without gifs. I think that it will work on workstations (in my case these are gateways).
Of course in that case sniffing is possible too: with ipfw's tee, fwd or divert rules. On a gateway it's possible to sniff on the "clear" interface and compare it with the ESP traffic on the "encrypted" interface. Anyway: without gifs you are not blind.

Nomad

On Sun, Aug 04, 2002 at 12:24:10PM +0200, Borja Marcos wrote:
> On Friday 02 August 2002 23:47, Matthew Grooms wrote:
> > It's only backwards if you are used to implementing IPSEC communications
> > in a non-giff'd configuration. As mentioned before, this is endorsed by
> > many how-to's available. If you don't like this method, don't use it. I
> > for one prefer the giffed alternative but will be more than happy to
> > admit that the benefits appear to be mostly cosmetic.
>
> I am not using gif right now, but I see two important advantages.
>
> I suppose it will be possible to put firewall rules in a gif interface.
> Imagine that you establish a tunnel with a not so trusted party, only for a
> limited purpose.
>
> I suppose as well that it is possible to sniff traffic in a gif interface.
> Tools such as Argus or Ntop can be used with encrypted tunnels. Otherwise, you
> are blind.
>
>
> Borja.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
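As an added illustration of the setup Nomad describes (not a ruleset from the thread or from any poster), here is an ipfw ruleset for an ESP tunnel-mode gateway without gif(4): because each packet visits ipfw twice, the "limited purpose" policy for a not-so-trusted peer is written against the inner addresses of the clear packet, while the encrypted interface admits only IKE and ESP between the two gateways. All addresses, interface names, rule numbers and the divert port are constructed placeholders; the script prints the commands unless IPFW=ipfw is exported, and it assumes the poster's setting of the one-pass sysctl at 0.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Dry run by default:
# export IPFW=ipfw on a FreeBSD gateway to actually load the rules.
IPFW="${IPFW:-echo ipfw}"

LOCAL_GW="192.0.2.1"        # our public tunnel endpoint (constructed)
PEER_GW="198.51.100.1"      # remote tunnel endpoint (constructed)
LOCAL_NET="10.0.1.0/24"     # our protected network (constructed)
PEER_NET="10.0.2.0/24"      # remote protected network (constructed)
MAIL_HOST="10.0.1.25"       # the one service the peer may reach (constructed)
OUTSIDE_IF="fxp1"           # "encrypted" interface toward PEER_GW (constructed)

install_rules() {
    # Second pass (outer packet): on the encrypted interface only IKE
    # (udp/500) and ESP between the two gateway addresses are accepted.
    $IPFW add 100 allow udp from $LOCAL_GW 500 to $PEER_GW 500 via $OUTSIDE_IF
    $IPFW add 110 allow udp from $PEER_GW 500 to $LOCAL_GW 500 via $OUTSIDE_IF
    $IPFW add 120 allow esp from $LOCAL_GW to $PEER_GW via $OUTSIDE_IF
    $IPFW add 130 allow esp from $PEER_GW to $LOCAL_GW via $OUTSIDE_IF
    # First pass (inner packet, still in clear IPv4 form): the private
    # addresses are visible here, so the restricted policy for the
    # not-so-trusted peer goes here. Only SMTP to MAIL_HOST is permitted;
    # everything else between the two networks is dropped and logged.
    $IPFW add 200 allow tcp from $PEER_NET to $MAIL_HOST 25 setup
    $IPFW add 210 allow tcp from $PEER_NET to $MAIL_HOST 25 established
    $IPFW add 220 allow tcp from $MAIL_HOST 25 to $PEER_NET established
    $IPFW add 230 deny log ip from $PEER_NET to $LOCAL_NET
    $IPFW add 240 deny log ip from $LOCAL_NET to $PEER_NET
    # Optional monitoring hook from the post: tee a copy of the clear
    # inner traffic to a divert socket that argus/ntop-style tools read.
    # $IPFW add 250 tee 8668 ip from $LOCAL_NET to $PEER_NET
}

install_rules
```

The existing default rule of the gateway still decides the fate of traffic that matches none of these rules, so rules 230 and 240 are what make the peer's access "limited" rather than the default policy.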