From: David Kelly <dkelly@grumpy.dyndns.org>
To: Guido van Rooij, Scott Ullrich
Cc: "'Archie Cobbs'", "'greg.panula@dolaninformation.com'", FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?)
Date: Tue, 19 Nov 2002 21:33:57 -0600
In-Reply-To: <20021119202313.GA44347@gvr.gvr.org>
Message-Id: <200211192133.57758.dkelly@HiWAAY.net>

On Tuesday 19 November 2002 02:23 pm, Guido van Rooij wrote:
>
> I think having either esp0 as a catch-all device, or having a
> pseudo-interface per physical interface (e.g. fxp_esp for fxp)
> is the solution, where I'd vote for the second one. Reason for that
> vote: if you can only filter on esp0 you can't retrieve the original
> interface and you might end up having to allow spoofed packets in.

Having only esp0 isn't a bad solution. It is currently better than nothing (which we had before) or the wrong interface (which we have now). I don't know how hard it will be to automagically double the number of network interfaces so that every interface potentially has an *_esp twin. But I am thinking of the difficulty in using and managing such. Probably best to make them only appear in ifconfig when activated, much like gif. But then does one have to ifconfig the (say) fxp_esp0 interface, or does it simply appear when setkey(8) does its thing?

A single simple esp0 interface isn't all that bad, especially when the primary motivation is to track by interface for firewalls. Presumably setkey(8) has control over the IPsec/ESP networks which are tunneling in. Generally no two networks overlap, right? So IPsec could be trusted to honor the limits established with setkey(8), and firewalls could use the combination of esp0 and the known network addresses for filter rules.

Esp0-only falls apart when there are multiple routes between the same two nets. Or at least it does to me, as I've never dealt with multiple routes between the same two nets before. "Load/bandwidth sharing" is what I'm thinking of.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.