Date: Mon, 13 Mar 2017 18:23:08 +0330
From: Hooman Fazaeli <hoomanfazaeli@gmail.com>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: ipsec with ipfw
Message-ID: <58C6B254.1070606@gmail.com>
In-Reply-To: <ed0084be-e183-62df-2875-179f20cc0b28@yandex.ru>
References: <58C46AE0.7050408@gmail.com> <ed0084be-e183-62df-2875-179f20cc0b28@yandex.ru>
On 2017-03-13 11:01, Andrey V. Elsukov wrote:
> On 12.03.2017 00:23, Hooman Fazaeli wrote:
>> Hi,
>>
>> As you know, ipsec/setkey provides a limited syntax to define security
>> policies: only a single subnet/host, protocol number and optional port
>> may be used to specify traffic's source and destination.
>>
>> I was thinking about the idea of using ipfw as the packet selector for
>> ipsec, much like it is used with dummynet. Something like:
>>
>> ipfw add 100 ipsec 2 tcp from <lan-table> to <remote-servers-table>
>> 80,443,110,139
> What should this rule do? How do you plan to implement policy lookup for
> inbound packets?
> For instance,

Outbound packets matching the rule would go through the tunnel whose index
is 2. The tunnel itself is defined using setkey. Something like:

spdadd 2 esp/tunnel/1.1.1.1-2.2.2.2/require

It's basically the same as spdadd without the src/dst/proto/port
specification. A similar rule would be written for inbound packets.

This is just to indicate the idea. Obviously, the exact mechanism needs
further thought & investigation (i.e., the issue of stateful vs. stateless
rules).

One important aspect, as slw@zxy.spb.ru pointed out, is how to deal with
IKE/ISAKMP to support the mechanism, as the current protocol requires that
the negotiating parties exchange & match the subject-to-ipsec-traffic
specification in SA payloads (which is restricted to a single
subnet+proto+port). I was thinking about some form of labeling (like MPLS)
plus custom payload types or DOIs.

Your ideas are welcome.

-- 
Best regards
Hooman Fazaeli
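The limitation the thread is about (one setkey policy per subnet/protocol/port tuple, in each direction) can be seen by generating the SPD entries that the current syntax needs for a single tunnel and a small port list. The script below is an added illustration, not part of the thread or of FreeBSD; the LAN and server subnets are constructed placeholders, and only the tunnel endpoints 1.1.1.1 and 2.2.2.2 come from the message above.

```shell
#!/bin/sh
# Added example (not from the thread): expand one LAN -> servers tunnel and a
# port list into the spdadd lines setkey currently requires, one per port and
# direction, since each spdadd selector carries a single subnet, protocol and
# port. Subnets below are constructed placeholders.

LAN="10.0.1.0/24"        # assumed local subnet
SERVERS="10.0.2.0/24"    # assumed remote server subnet
# Tunnel endpoints from the thread's example; the inbound policy names them
# in the reverse order (remote gateway -> local gateway).
TUN_OUT="esp/tunnel/1.1.1.1-2.2.2.2/require"
TUN_IN="esp/tunnel/2.2.2.2-1.1.1.1/require"

# gen_spd PROTO PORT... : print an outbound and an inbound spdadd per port.
gen_spd() {
    proto=$1; shift
    for port in "$@"; do
        printf 'spdadd %s[any] %s[%s] %s -P out ipsec %s;\n' \
            "$LAN" "$SERVERS" "$port" "$proto" "$TUN_OUT"
        printf 'spdadd %s[%s] %s[any] %s -P in ipsec %s;\n' \
            "$SERVERS" "$port" "$LAN" "$proto" "$TUN_IN"
    done
}

# count_spd PROTO PORT... : number of SPD entries the port list expands to
# (two per port); the figure grows again for every extra subnet pair.
count_spd() {
    gen_spd "$@" | wc -l | tr -d ' '
}

# The port list from the proposed ipfw rule; review the output before
# feeding it to "setkey -c".
gen_spd tcp 80 443 110 139
```

For the four ports in the proposed rule this already means eight SPD entries for one pair of subnets; a single ipfw rule with tables on both sides would replace the whole set, which is the motivation for the selector discussed above.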