From: Mike Harding <mvh@ix.netcom.com>
To: itojun@iijlab.net
Cc: freebsd-security@freebsd.org
Subject: Re: IPSEC/VPN/NAT and filtering
Date: Sat, 24 Mar 2001 16:38:06 -0800 (PST)
In-reply-to: <20010324225835.92CA07E73@starfruit.itojun.org> (message from Jun-ichiro itojun Hagino on Sun, 25 Mar 2001 07:58:35 +0900)
Message-Id: <20010325003806.090C1113CDC@netcom1.netcom.com>

I meant a kernel change to the current FreeBSD code to allow decrypted packets to bypass the packet filter, similar to what you committed to the KAME tree already. I think the change you made is sufficient; I was looking for somebody on the FreeBSD side to coordinate doc and possible kernel changes. This would be the check for the use of the M_DECRYPTED flag on the packet to bypass the packet filter. This is clearly inferior to your change; if you are planning to incorporate that into the FreeBSD releases I will just write a configuration document.

Thanks for the RFC references!
- Mike Harding

From: Jun-ichiro itojun Hagino
Sender: itojun@itojun.org
Cc: freebsd-security@freebsd.org
Date: Sun, 25 Mar 2001 07:58:35 +0900
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2

> Okay, I think I know enough now to proceed in making a doc on
> interacting with a Cisco VPN, with a very minor kernel change. Can
> anybody suggest who I should contact to determine if this makes sense,
> and how I can coordinate with the FreeBSD team?

Why is a kernel change needed to interoperate with a specific implementation? Anyway, contact the KAME guys: core@kame.net or snap-users@kame.net.

> Also, Itojun, can you provide reference to 'scoped addresses' and
> 'strong host model node'?

Scoped addresses: IPv6 docs, like RFC2460, RFC2373, whatever.
Strong host model: RFC1122.

itojun
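The "decrypted packets bypass the packet filter" check that Mike describes above (a test of a decrypted-flag on the packet at the filter hook) can be modelled without kernel code. The following is an added illustration written for this archive page; it is not code from the thread, from KAME or from FreeBSD. The struct, the flag value, the ruleset, the addresses and the functions are all constructed stand-ins for the real mbuf, m_flags, ip_input() and filter code, and the inbound path is simplified to "filter, then decrypt ESP and re-inject the inner packet". It shows the practical consequence of the bypass: with it, a filter rule that would deny the inner (decrypted) traffic is never consulted, so that policy has to come from the IPsec configuration instead.

```c
/* Added example (not from the thread): a user-space model of letting
 * decrypted packets skip the packet filter. Every name, value and
 * function here is a constructed stand-in, not FreeBSD's or KAME's. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for an mbuf flag bit; the value is a placeholder. */
#define PKT_DECRYPTED 0x0001

#define PROTO_ESP 50
#define PROTO_TCP 6

/* Simplified packet: only the fields the filter looks at. */
struct pkt {
    unsigned flags;          /* stand-in for m->m_flags */
    uint8_t  proto;          /* IP protocol number */
    uint32_t src, dst;       /* addresses as plain integers */
    uint16_t dport;          /* transport destination port, 0 if none */
    const struct pkt *inner; /* for ESP: the packet decryption yields */
};

enum verdict { DROP = 0, PASS = 1 };

/* Constructed gateway address (10.0.0.1) and ruleset:
 * allow ESP to the gateway, allow TCP/22 anywhere, deny everything else. */
static const uint32_t GATEWAY = 0x0a000001;

static enum verdict filter(const struct pkt *p)
{
    if (p->proto == PROTO_ESP && p->dst == GATEWAY) return PASS;
    if (p->proto == PROTO_TCP && p->dport == 22) return PASS;
    return DROP;
}

/* Model of the inbound path. When decrypted_bypass is true, a packet
 * carrying PKT_DECRYPTED skips the filter hook, which is the behaviour
 * discussed in the thread. filter_calls counts how often the filter ran. */
static enum verdict ip_input_model(const struct pkt *p, bool decrypted_bypass,
                                   int *filter_calls)
{
    /* Filter hook at the top of the input path. */
    if (!(decrypted_bypass && (p->flags & PKT_DECRYPTED))) {
        (*filter_calls)++;
        if (filter(p) == DROP) return DROP;
    }
    /* ESP handling: "decrypt" and re-inject the inner packet, flagged. */
    if (p->proto == PROTO_ESP && p->inner != NULL) {
        struct pkt in = *p->inner;
        in.flags |= PKT_DECRYPTED;
        return ip_input_model(&in, decrypted_bypass, filter_calls);
    }
    return PASS;
}

/* Constructed scenario: ESP from a peer to the gateway whose payload is
 * TCP to port 80, which the ruleset above does not allow. */
static enum verdict demo_run(bool bypass, int *calls)
{
    static const struct pkt inner = { 0, PROTO_TCP, 0xc0a80105, 0x0a000002, 80, NULL };
    struct pkt esp = { 0, PROTO_ESP, 0xc0a80105, GATEWAY, 0, &inner };
    *calls = 0;
    return ip_input_model(&esp, bypass, calls);
}

/* Convenience wrappers returning one value each. */
int demo_verdict(bool bypass) { int c; return (int)demo_run(bypass, &c); }
int demo_filter_calls(bool bypass) { int c; demo_run(bypass, &c); return c; }

int main(void)
{
    printf("no bypass: verdict=%s, filter ran %d times\n",
           demo_verdict(false) ? "PASS" : "DROP", demo_filter_calls(false));
    printf("bypass:    verdict=%s, filter ran %d times\n",
           demo_verdict(true) ? "PASS" : "DROP", demo_filter_calls(true));
    return 0;
}
```

Without the bypass the filter runs twice (once on the outer ESP packet, once on the decrypted inner one) and the inner TCP/80 packet is dropped; with the bypass it runs only once and the inner packet is delivered. That is the trade-off a configuration document for this setup needs to spell out: whatever the filter would have said about the inner traffic is replaced by what the IPsec policy admits.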