Date:      Sat, 24 Mar 2001 16:38:06 -0800 (PST)
From:      Mike Harding <mvh@ix.netcom.com>
To:        itojun@iijlab.net
Cc:        freebsd-security@freebsd.org
Subject:   Re: IPSEC/VPN/NAT and filtering
Message-ID:  <20010325003806.090C1113CDC@netcom1.netcom.com>
In-Reply-To: <20010324225835.92CA07E73@starfruit.itojun.org> (message from Jun-ichiro itojun Hagino on Sun, 25 Mar 2001 07:58:35 +0900)
References:   <20010324225835.92CA07E73@starfruit.itojun.org>


I meant a kernel change to the current FreeBSD code to allow decrypted
packets to bypass the packet filter, similar to what you committed to
the KAME tree already.  I think the change you made is sufficient, I
was looking for somebody on the FreeBSD side to coordinate doc and
possible kernel changes.  This would be the check for the use of the
M_DECRYPTED flag on the packet to bypass the packet filter.  This is
clearly inferior to your change, if you are planning to incorporate
that into the FreeBSD releases I will just write a configuration
document.

Thanks for the RFC references!

- Mike Harding

   Cc: freebsd-security@freebsd.org
   X-Template-Reply-To: itojun@itojun.org
   X-Template-Return-Receipt-To: itojun@itojun.org
   X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD  90 5F B4 60 79 54 16 E2
   From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
   Date: Sun, 25 Mar 2001 07:58:35 +0900
   Sender: itojun@itojun.org
   X-SpamBouncer: 1.3 (1/18/00)
   X-SBClass: OK

   >Okay, I think I know enough now to proceed in making a doc on
   >interacting with a Cisco VPN, with a very minor kernel change.  Can
   >anybody suggest who I should contact to determine if this makes sense,
   >and how I can coordinate with the FreeBSD team?

	   why is a kernel change needed to interoperate with a specific
	   implementation?  anyway, contact kame guys, core@kame.net or
	   snap-users@kame.net.

   >Also, Itojun, can you provide reference to 'scoped addresses' and
   >'strong host model node'?

	   scoped addresses: IPv6 docs, like RFC2460, RFC2373, whatever.
	   strong host model: RFC1122.

   itojun

