Date:      Thu, 30 Nov 2000 08:05:21 -0800
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        itojun@iijlab.net
Cc:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Dominick LaTrappe <seraf@2600.COM>, freebsd-net@freebsd.org, Gerhard Sittig <Gerhard.Sittig@gmx.net>
Subject:   Re: filtering ipsec traffic (fwd) 
Message-ID:  <200011301605.eAUG5PL41238@cwsys.cwsent.com>
In-Reply-To: Your message of "Fri, 01 Dec 2000 00:31:12 +0900." <26650.975598272@coconut.itojun.org>

In message <26650.975598272@coconut.itojun.org>, itojun@iijlab.net 
writes:
> >Could we just borrow something from the pipsecd model?  Pipsecd uses 
> >a tun device to present itself to the system.  A network that is associated 
> >via a pipsecd IPSec tunnel is defined in the routing table to route 
> >packets through the tun interface.  Once packets enter the tun 
> >interface pipsecd encapsulates them and spits them out through the 
> >external interface.  Packets coming back in go in reverse order.  E.g.,
> 
> 	from IPv6 point of view (yes, I'm IPv6 centric!) we cannot add extra
> 	interface like tun0.  IPv6 has scoped address, and if we add extra
> 	interface in IP stack we will change the address semantics.

Then the only solutions I can think of are to have IPF/IPFW inspect the 
packets before and after they are encapsulated/decapsulated or IP-IP 
tunnelling within the IPSec tunnel.  Given your prior comments in this 
thread, an IP-IP tunnel which uses tun(4) will give IPv4 users some 
additional functionality without having to re-engineer the IPv6 stack.  
Of course this will once again become an issue once the whole world 
goes IPv6 or for current IPv6 users.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC




