Date: Sun, 1 Jun 2003 09:27:06 -0400 (EDT)
From: Alwyn Goodloe <agoodloe@saul.cis.upenn.edu>
To: Nielsen <nielsen@memberwebs.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IP SEC filtering issue
Message-ID: <Pine.GSO.4.44.0306010926440.28399-100000@saul.cis.upenn.edu>
In-Reply-To: <20030530195629.2282B3FF312@mail.npubs.com>
Thanks for your advice.

Alwyn

On Fri, 30 May 2003, Nielsen wrote:

> From experience I've found you have to break these things up on
> different machines. I don't have an intimate knowledge of how and when
> the IPSEC processing gets done in the kernel, and maybe if someone did
> they could figure out how and if you could do all of this on single
> machines.
>
> But in our case, we break down the tasks between machines (traffic
> splitter, ipsec processing, etc...) and it works like a charm. It's
> also *much* easier to figure out what's wrong, heh. The machines don't
> have to be powerful.
>
> Nate
>
> ----- Original Message -----
> From: "Alwyn Goodloe" <agoodloe@saul.cis.upenn.edu>
> To: <freebsd-security@FreeBSD.ORG>
> Sent: Wednesday, May 28, 2003 14:44
> Subject: IP SEC filtering issue
>
> > First thing to note is that I am using FreeBSD 4.8.
> >
> > We would like to send only the syn packet of a tcp connection through
> > certain ipsec tunnels and the rest of the packets in a connection through
> > a simple transport mode setup. Yeah, I know it's strange but what can I
> > say -- we do a lot of strange things. From the best I can tell, the
> > setkey/spdadd filtering capability isn't sophisticated enough to detect
> > syn packets. Since ipfw does do this sort of thing we can use this to
> > filter out the syn packet and using divert sockets (we have a lot of
> > experience at writing divert sockets) we can put a wrapper
> > around it so that it goes to a particular port. Since ip sec can filter on
> > ports, we can just filter that out. The process should look something
> > like:
> >
> > syn ---> diverted and wrapped to head for port X ---->
> > ipsec filters on port X sends it into tunnel .........
> >
> > ........... ipsec does its thing ---> divert socket unwraps ---> sends
> > the packet on its way (not passing through ip sec again).
> >
> > The divert socket solution seems to work fine on the sending side, but
> > there seems to be problems on the receiving side. I suspect that ipfw is
> > looking at the packet before ipsec or some such thing. I know that there
> > were postings about the interaction of ipfw and ipsec and that some of
> > these were going to be fixed in 4.8.
> >
> > If any of you know of a way to get ipsec to filter on syn packets let me
> > know. If you have ever tried to get divert sockets and ip sec working at
> > the same time let me know the secret. I suspect I'm just going to have
> > to hack the ipsec filter to get it to filter on syn packets. Any ideas as
> > to how hard this will be?
> >
> > Alwyn Goodloe
> >
> > agoodloe@saul.cis.upenn.edu
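As an added illustration of the sending-side setup described in the original message (not code from the thread or from FreeBSD), the ipfw and setkey rules that scheme would need: ipfw's `setup` keyword selects only SYN-without-ACK packets for the divert socket, and the SPD then keys the tunnel policy on the rewritten destination port. Addresses, the divert port, and "port X" (WRAP_PORT) are constructed placeholders; the wrapper daemon that rewrites the port and reinjects is assumed to exist and is not shown.

```shell
#!/bin/sh
# Constructed placeholders for the sending host; adjust to the real topology.
SRC=10.0.0.1            # local end of the TCP connections
DST=10.0.0.2            # remote end of the TCP connections
GW_LOCAL=192.0.2.1      # local tunnel endpoint
GW_REMOTE=192.0.2.2     # remote tunnel endpoint
WRAP_PORT=9999          # "port X": the port the divert daemon rewrites SYNs to
DIVERT_PORT=8668        # divert(4) port the (assumed) wrapper daemon listens on

# ipfw rules. 'setup' matches TCP packets with SYN set and ACK clear, so only
# connection-opening packets reach the divert socket. The daemon reinjects the
# rewritten packet, which continues past rule 100 and on to ip_output/IPsec.
ipfw_rules() {
    printf 'add 100 divert %s tcp from %s to %s setup out\n' \
        "$DIVERT_PORT" "$SRC" "$DST"
    printf 'add 200 allow tcp from %s to %s out\n' "$SRC" "$DST"
}

# setkey policy. The port-specific tunnel entry is added before the catch-all
# transport entry (assumption: the first matching SPD entry wins, so the more
# specific rule must come first). [any] means any port.
setkey_policy() {
    printf 'spdadd %s[any] %s[%s] tcp -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$SRC" "$DST" "$WRAP_PORT" "$GW_LOCAL" "$GW_REMOTE"
    printf 'spdadd %s[any] %s[any] tcp -P out ipsec esp/transport//require;\n' \
        "$SRC" "$DST"
}

# Apply only on a host that actually has the tools; otherwise just display.
if command -v ipfw >/dev/null 2>&1 && command -v setkey >/dev/null 2>&1; then
    ipfw_rules | while read -r rule; do ipfw -q $rule; done
    setkey_policy | setkey -c
else
    ipfw_rules
    setkey_policy
fi
```

Inbound traffic on the receiving host is not covered here; the ordering problem between ipfw and IPsec on that side is exactly what the original message asks about.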