From owner-freebsd-net Wed Nov 29 22:40:45 2000
Delivered-To: freebsd-net@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id A6B9537B401 for ; Wed, 29 Nov 2000 22:40:42 -0800 (PST)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id PAA20720; Thu, 30 Nov 2000 15:40:09 +0900 (JST)
To: Dominick LaTrappe
Cc: freebsd-net@freebsd.org, Cy Schubert - ITSD Open Systems Group , Gerhard Sittig
In-reply-to: seraf's message of Thu, 30 Nov 2000 01:17:56 EST.
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: filtering ipsec traffic (fwd)
From: itojun@iijlab.net
Date: Thu, 30 Nov 2000 15:40:09 +0900
Message-ID: <20718.975566409@coconut.itojun.org>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>The order of packet processing cannot just be changed to fix this, because
>NAT is part of filtering, and NAT has to happen before IPsec (other
>reasons anyone?). Perhaps two passes of packet filtering (pre-IPsec and
>post-IPsec) are appropriate as an option...? Or perhaps KAME transport
>mode just has this inherent limitation...? Help! ;-)

basically, the problem is not that simple.

- relationship between packet filters and tunnelling
  some people would like to filter before decapsulation, some would
  like to do it after decapsulation
- relationship between filters and encryption/authentication
  ditto. some want to filter before decryption, some want to filter
  after decryption.
- NAT and filters
- NAT and IPsec
  they are fundamentally unfriendly, I believe.

there are a couple of ways to make it better:

- enhance packet filters so that we can differentiate between multiple
  filtering points (make it possible to specify "this filter should be
  applied here").
- integrate all packet-filter-like mechanisms into one.
  make ipsec processing invoked via packet filter.
  this still leaves questions regarding NAT and some other mechanisms.

again, there's no clear solution. some change may make you happy while
it makes others unhappy.

itojun@kame

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
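The two ordering problems raised in the message (a filter that runs before decapsulation cannot see the inner header, and NAT that rewrites addresses after AH has covered them breaks verification at the peer) can be made concrete with a small model. The following is an added teaching example written for this archive page; it is not KAME or FreeBSD code and uses no real cryptography: a SHA-256 tag over the addresses and payload stands in for an AH integrity check value, "decapsulation" just unwraps a nested Packet object, and all addresses and rules are constructed.

```python
"""Toy model of packet-filter hook points around IPsec processing.

Constructed teaching example, not KAME/FreeBSD code. A SHA-256 tag stands
in for the AH ICV; ESP "decapsulation" only unwraps a nested Packet.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

ESP, AH, TCP = 50, 51, 6


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes = b""
    inner: Optional["Packet"] = None   # tunnel mode: the encapsulated packet
    icv: Optional[str] = None          # toy AH-style integrity tag


@dataclass
class Rule:
    point: str            # "pre_ipsec" or "post_ipsec": where the rule is applied
    action: str           # "pass" or "block"
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        wanted = (("src", self.src), ("dst", self.dst), ("proto", self.proto))
        return all(v is None or v == getattr(pkt, k) for k, v in wanted)


def filter_at(point: str, rules, pkt: Packet) -> str:
    """First-match filtering at one hook point; an unmatched packet passes."""
    for rule in rules:
        if rule.point == point and rule.matches(pkt):
            return rule.action
    return "pass"


def inbound(rules, pkt: Packet):
    """Inbound path: filter the outer packet, decapsulate, filter the inner one.
    Returns (verdict, stage) so the caller sees which hook point decided."""
    if filter_at("pre_ipsec", rules, pkt) == "block":
        return "block", "pre_ipsec"
    if pkt.proto == ESP and pkt.inner is not None:
        pkt = pkt.inner                # stand-in for ESP decrypt + strip outer header
    if filter_at("post_ipsec", rules, pkt) == "block":
        return "block", "post_ipsec"
    return "pass", "post_ipsec"


def ah_tag(pkt: Packet) -> str:
    """Toy ICV covering addresses and payload, as AH covers the IP header."""
    return hashlib.sha256(f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload).hexdigest()


def ah_sign(pkt: Packet) -> Packet:
    """Transport-mode AH: same addresses, tag computed over them."""
    return Packet(pkt.src, pkt.dst, AH, pkt.payload, icv=ah_tag(pkt))


def nat_src(pkt: Packet, public: str) -> Packet:
    """Source NAT rewrites the address; any existing tag is copied untouched."""
    return Packet(public, pkt.dst, pkt.proto, pkt.payload, pkt.inner, pkt.icv)


def peer_verifies(pkt: Packet) -> bool:
    return pkt.proto == AH and pkt.icv == ah_tag(pkt)


def outbound(pkt: Packet, public: str, nat_first: bool) -> bool:
    """Apply NAT and AH in the given order; report whether the peer accepts."""
    out = ah_sign(nat_src(pkt, public)) if nat_first else nat_src(ah_sign(pkt), public)
    return peer_verifies(out)


def demo():
    peer, inner_host = "203.0.113.9", "10.0.0.5"          # constructed addresses
    inner = Packet(inner_host, "192.168.1.1", TCP, b"hello")
    tunnel = Packet(peer, "192.0.2.1", ESP, inner=inner)
    plain = Packet(inner_host, "192.168.1.1", TCP, b"plain")
    return {
        # rule on the inner source applied before decapsulation never matches
        "inner_rule_pre": inbound([Rule("pre_ipsec", "block", src=inner_host)], tunnel),
        # the same rule applied after decapsulation blocks the tunnelled packet
        "inner_rule_post": inbound([Rule("post_ipsec", "block", src=inner_host)], tunnel),
        # filtering the peer's ESP itself only works before decapsulation
        "esp_rule_pre": inbound([Rule("pre_ipsec", "block", src=peer, proto=ESP)], tunnel),
        "nat_then_ah": outbound(plain, "198.51.100.1", True),
        "ah_then_nat": outbound(plain, "198.51.100.1", False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `point` field on each rule is the "this filter should be applied here" idea from the message: the same rule text yields a different verdict depending on the hook it is attached to, and the NAT/AH pair shows why the poster's "NAT has to happen before IPsec" holds for anything whose integrity check covers the addresses.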