From owner-freebsd-net Thu Nov 30 7: 2:17 2000 Delivered-To: freebsd-net@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id F365937B400 for ; Thu, 30 Nov 2000 07:02:13 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA21844; Thu, 30 Nov 2000 07:01:03 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda21840; Thu Nov 30 07:00:48 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eAUF0fd07972; Thu, 30 Nov 2000 07:00:41 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdKt7970; Thu Nov 30 07:00:25 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.1/8.9.1) id eAUF0Ol40955; Thu, 30 Nov 2000 07:00:24 -0800 (PST) Message-Id: <200011301500.eAUF0Ol40955@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdz40944; Thu Nov 30 07:00:09 2000 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.2-RELEASE X-Sender: cy To: itojun@iijlab.net Cc: Dominick LaTrappe , freebsd-net@freebsd.org, Cy Schubert - ITSD Open Systems Group , Gerhard Sittig Subject: Re: filtering ipsec traffic (fwd) In-reply-to: Your message of "Thu, 30 Nov 2000 15:40:09 +0900." <20718.975566409@coconut.itojun.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 30 Nov 2000 07:00:09 -0800 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <20718.975566409@coconut.itojun.org>, itojun@iijlab.net writes: > >The order of packet processing cannot just be changed to fix this, because > >NAT is part of filtering, and NAT has to happen before IPsec (other > >reasons anyone?). Perhaps two passes of packet filtering (pre-IPsec and > >post-IPsec) are appropriate as an option...? Or perhaps KAME transport > >mode just has this inherent limitation...? Help! ;-) > > basically, the problem is not that simple. > - relationship between packet filters and tunelling > some people would like to filter before decapsulation, > some would like to do it after decapsulation > - relationship between filters and encryption/authentication > ditto. some wants to filter before decryption, > some wants to filter after decryption. > - NAT and filters > - NAT and IPsec > they are fundamentally unfriendly, I believe. > > there are couple of ways to make it better: > - enhance packet filters so that we can differentiate between multiple > filtering points (make it possible to specify "this filter should > be applied here"). > - integrate all packet-filter-like mechanism into one. make ipsec > processing invoked via packet filter. this still leaves question > regarding to NAT and some other mechanisms. Could we just borrow a something from the pipsecd model? Pipsecd uses a tun device to present itself to system. A network that is associated via a pipsecd IPSec tunnel is defined in the routing table to route packets through the tun interface. Once packets enter the tun interface pipsecd encapsulates them and spits them out through the external interface. Packets coming back in go in reverse order. E.g., tun0 input ----> IPNAT/IPF/IPFW (out on tun0) ----> tun0 output ----> pipsecd ----> xl0 input ----> IPNAT/IPF/IPFW (out on xl0) ----> xl0 output ----> Internet ----> xl0 input ----> IPNAT/IPF/IPFW (in on xl0) ----> xl0 output ----> pipsecd ----> tun0 input ----> IPNAT/IPF/IPFW (in on tun0) ----> tun0 output Now all I need to do is add entries to my routing table defining the remote pipsecd gateway as a router for packets destined for a the specified networks. In the above example I perform NAT to translate my ARPA addresses at home not only to the outside world but also to my pipsecd gateway at work, so packets destined for my employers network get encapsulated and are NATted twice. NAT works in this double NAT situation, however IP Filter's FTP proxy does not, but considering what the packets have to go through to get there I'm happy without the FTP proxy in this case. I have placed my network at home directly on my employers network at one time using an IP alias on my pipsecd/NAT box at work with an IP Filter bimap, however I got all of the broadcasts from my employers routers as well. Without the bimap my network at home is further insulated from my employer's network mitigating my personal exposure in case of anything unfortunate happening there. My point being that what I've described above is extremely flexible. All in all, this approach has been quite successful for me. > > again, there's no clear solution. some change may make you happy > while it makes others unhappy. > > itojun@kame I suppose a simple IP over IP tunnel over the IPSec tunnel implemented using ip-tun from the ports collection might add the extra interface on which to build another packet filter on, similar to the pipsecd approach I described above. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message