From owner-freebsd-security  Sat Mar 24 16:38:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mclean.mail.mindspring.net (mclean.mail.mindspring.net [207.69.200.57])
	by hub.freebsd.org (Postfix) with ESMTP id ACD3E37B71B
	for <freebsd-security@freebsd.org>; Sat, 24 Mar 2001 16:38:20 -0800 (PST)
	(envelope-from mvh@ix.netcom.com)
Received: from netcom1.netcom.com (lai-ca17b-210.ix.netcom.com [204.32.29.210])
	by mclean.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id TAA22963;
	Sat, 24 Mar 2001 19:38:17 -0500 (EST)
Received: by netcom1.netcom.com (Postfix, from userid 1000)
	id 090C1113CDC; Sat, 24 Mar 2001 16:38:06 -0800 (PST)
From: Mike Harding <mvh@ix.netcom.com>
To: itojun@iijlab.net
Cc: freebsd-security@freebsd.org
In-reply-to: <20010324225835.92CA07E73@starfruit.itojun.org> (message from
	Jun-ichiro itojun Hagino on Sun, 25 Mar 2001 07:58:35 +0900)
Subject: Re: IPSEC/VPN/NAT and filtering
References:  <20010324225835.92CA07E73@starfruit.itojun.org>
Message-Id: <20010325003806.090C1113CDC@netcom1.netcom.com>
Date: Sat, 24 Mar 2001 16:38:06 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


I meant a kernel change to the current FreeBSD code to allow decrypted
packets to bypass the packet filter, similar to what you commited to
the KAME tree already.  I think the change you made is sufficient, I
was looking for somebody on the FreeBSD side to coordinate doc and
possible kernel changes.  This would be the check for the use of the
M_DECRYPTED flag on the packet to bypass the packet filter.  This is
clearly inferior to your change, if you are planning to incorporate
that into the FreeBSD releases I will just write a configuration
document.

Thanks for the RFC references!

- Mike Harding

   Cc: freebsd-security@freebsd.org
   X-Template-Reply-To: itojun@itojun.org
   X-Template-Return-Receipt-To: itojun@itojun.org
   X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD  90 5F B4 60 79 54 16 E2
   From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
   Date: Sun, 25 Mar 2001 07:58:35 +0900
   Sender: itojun@itojun.org
   X-SpamBouncer: 1.3 (1/18/00)
   X-SBClass: OK

   >Okay, I think I know enough now to procede in making a doc on
   >interacting with a Cisco VPN, with a very minor kernel change.  Can
   >anybody suggest who I should contact to determine if this makes sense,
   >and how I can coordinate with the FreeBSD team?

	   why kernel change is needed to interoperate with specific
	   implementation?  anyway, contact kame guys, core@kame.net or
	   snap-users@kame.net.

   >Also, Itojun, can you provide reference to 'scoped addresses' and
   >'strong host model node'?

	   scoped addresses: IPv6 docs, like RFC2460, RFC2373, whatever.
	   strong host model: RFC1122.

   itojun


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message