Date: Sun, 2 Apr 2006 13:22:31 +0300 (EEST)
From: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To: Bruce M Simpson <bms@spc.org>
Cc: freebsd-net@freebsd.org, VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
Subject: Re: tcpdump and ipsec
Message-ID: <20060402130227.G99958@atlantis.atlantis.dp.ua>
In-Reply-To: <20060331223613.GD80492@spc.org>
References: <442D8E98.6050903@vineyard.net> <20060331222813.GA29047@zen.inc> <20060331223613.GD80492@spc.org>
Hello!

On Fri, 31 Mar 2006, Bruce M Simpson wrote:

> On Sat, Apr 01, 2006 at 12:28:13AM +0200, VANHULLEBUS Yvan wrote:
>> 2) use enc0 support, which is actually pr kern/94829, and which should
>> be included soon in kernel.
>
> Oh god! Not another ifnet! NoOOOOOO!!!!!!

Why not? IMHO it will be a very useful feature: think about e.g. traffic
shaping for several different networks which are routed via the same ipsec
tunnel. Without the enc0, you can only shape them together, e.g.:

ipfw add 100 pipe 1 esp from any to any out via rl0

With enc0, you can shape them separately:

ipfw add 102 pipe 2 all from any to 10.0.2.0/24 out via enc0
ipfw add 103 pipe 3 all from any to 10.0.3.0/24 out via enc0

The only thing which could be improved here is that a host can have several
ipsec tunnels, so it would be better to have many separate encX interfaces,
one per tunnel, instead of a single enc0. But I don't know how to implement
binding between ipsec tunnels and individual encX devices in this case.
Maybe by assigning dummy IP addresses to encX which should match the
corresponding "local-remote" IP addresses in the SPD entry?

After all, this stuff is _optional_, you don't _have_ to use it. However,
I'd like to see it in our tree.

Sincerely, Dmitry

-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
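The per-network shaping that Dmitry sketches above, written out as a small script. This is an added example, not code from the thread or from FreeBSD: it assumes a FreeBSD host with ipfw(8)/dummynet and an enc(4)-capable kernel (the kern/94829 work under discussion), an IPsec tunnel already configured in the SPD, and IPv4 subnets. The spec format PIPE:SUBNET:BANDWIDTH, the RULE_BASE and IPFW_CMD variables and the function names are this script's own conventions.

```shell
#!/bin/sh
# Added example, not code from the thread: per-network dummynet shaping of
# cleartext that leaves through an IPsec tunnel, matched on enc0 as the
# message describes. Assumes FreeBSD with ipfw(8)/dummynet and an enc(4)
# interface; SPD/SAD setup is out of scope. Set IPFW_CMD=echo to print the
# commands instead of running them.

# gen_enc0_shaping PIPE:SUBNET:BANDWIDTH ...
# Prints one ipfw(8) argument line per command: first a pipe definition with
# its bandwidth ceiling, then a rule that sends traffic bound for SUBNET and
# leaving via enc0 into that pipe. Rule numbers start at RULE_BASE (100) and
# advance by one per subnet (the message itself used 102 and 103).
gen_enc0_shaping() {
    rule=${RULE_BASE:-100}
    for spec in "$@"; do
        pipe=${spec%%:*}
        rest=${spec#*:}
        subnet=${rest%%:*}
        bw=${rest#*:}
        printf 'pipe %s config bw %s\n' "$pipe" "$bw"
        printf 'add %s pipe %s all from any to %s out via enc0\n' \
            "$rule" "$pipe" "$subnet"
        rule=$((rule + 1))
    done
}

# apply_enc0_shaping PIPE:SUBNET:BANDWIDTH ...
# Feeds each generated line to ipfw (or to $IPFW_CMD). With the real ipfw it
# first checks that enc0 exists: without the enc(4) interface these rules can
# never match, and the tunnel traffic would silently go unshaped.
apply_enc0_shaping() {
    cmd=${IPFW_CMD:-ipfw}
    if [ "$cmd" = ipfw ] && ! ifconfig enc0 >/dev/null 2>&1; then
        echo "apply_enc0_shaping: no enc0 interface, is enc(4) in the kernel?" >&2
        return 1
    fi
    gen_enc0_shaping "$@" | while IFS= read -r line; do
        # word splitting of $line is intended: it is ipfw's argument list
        $cmd $line
    done
}

# Usage (mirrors the two-subnet case in the message):
#   IPFW_CMD=echo sh shape_enc0.sh 2:10.0.2.0/24:512Kbit/s 3:10.0.3.0/24:1Mbit/s
if [ "$#" -gt 0 ]; then
    apply_enc0_shaping "$@"
fi
```

The single "esp from any to any out via rl0" rule from the message still works as a ceiling for the whole tunnel and can be kept alongside these per-subnet pipes; the enc0 rules only refine how that ceiling is shared. On FreeBSD releases where enc(4) later shipped, the net.enc.in.ipsec_filter_mask and net.enc.out.ipsec_filter_mask sysctls select whether the firewall sees packets before IPsec processing, after it, or both, so if the enc0 rules never match, those masks are the first thing to check.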