Date: Tue, 19 Nov 2002 21:33:57 -0600
From: David Kelly <dkelly@HiWAAY.net>
To: Guido van Rooij <guido@gvr.org>, Scott Ullrich <sullrich@CRE8.COM>
Cc: "'Archie Cobbs'" <archie@dellroad.org>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?)
Message-ID: <200211192133.57758.dkelly@HiWAAY.net>
In-Reply-To: <20021119202313.GA44347@gvr.gvr.org>
References: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C62@exchange.corp.cre8.com> <20021119202313.GA44347@gvr.gvr.org>
On Tuesday 19 November 2002 02:23 pm, Guido van Rooij wrote:

> I think having either esp0 as a catch all device, or having a
> pseudo-interface per physical interface (e.g. fxp_esp<n> for fxp<n>)
> is the solution, where I'd vote for the second one. Reason for that
> vote: if you only can filter on esp0 you can't retrieve the original
> interface and you might end up having to allow spoofed packets in.

Having only esp0 isn't a bad solution. It is currently better than nothing (which we had before) or the wrong interface (which we have now).

I don't know how hard it will be to automagically double the number of network interfaces so that every interface potentially has an *_esp twin. But I am thinking of the difficulty in using and managing such. Probably best to make them only appear in ifconfig when activated, much like gif. But then does one have to ifconfig the (say) fxp_esp0 interface, or does it simply appear when setkey(8) does its thing?

A single simple esp0 interface isn't all that bad. Especially when the primary motivation is to track by interface for firewalls. Presumably setkey(8) has control over the IPsec/ESP networks which are tunneling in. Generally no two networks overlap, right? So IPsec could be trusted to honor the limits established with setkey(8), and firewalls could use the combination of esp0 and the known network addresses for filter rules.

Esp0-only falls apart when there are multiple routes between the same two nets. Or at least it does to me, as I've never dealt with multiple routes between the same two nets before. "Load/bandwidth sharing" is what I'm thinking of.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.