tcpdump and ipsec

Dmitry Pryanishnikov dmitry at atlantis.dp.ua
Sun Apr 2 10:22:41 UTC 2006


Hello!

On Fri, 31 Mar 2006, Bruce M Simpson wrote:
> On Sat, Apr 01, 2006 at 12:28:13AM +0200, VANHULLEBUS Yvan wrote:
>> 2) use enc0 support, which is actually pr kern/94829, and which should
>>    be included soon in kernel.
>
> Oh god! Not another ifnet! NoOOOOOO!!!!!!

  Why not? IMHO it will be a very useful feature: think about e.g. traffic 
shaping for several different networks which are routed via the same
ipsec tunnel. Without enc0, you can only shape them together, e.g.:

ipfw add 100 pipe 1 esp from any to any out via rl0

With enc0, you can shape them separately:

ipfw add 102 pipe 2 all from any to 10.0.2.0/24 out via enc0
ipfw add 103 pipe 3 all from any to 10.0.3.0/24 out via enc0

The only thing which could be improved here is that a host can have several
ipsec tunnels, so it would be better to have many separate encX interfaces,
one per tunnel, instead of a single enc0. But I don't know how to implement
binding between ipsec tunnels and individual encX devices in this case.
Maybe by assigning dummy IP addresses to encX which should match the
corresponding "local-remote" IP addresses in the SPD entry?

  After all, this stuff is _optional_, you don't _have_ to use it. However,
I'd like to see it in our tree.

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail:  dmitry at atlantis.dp.ua
nic-hdl: LYNX-RIPE
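The shaping setup Dmitry describes, written out as a complete dummynet configuration. This is an added example, not code from the post or from the enc0 patch: it keeps the rule numbers, networks and rl0 interface from the message, but the pipe bandwidths are constructed values, and it assumes a FreeBSD host where enc(4) exists and ipfw/dummynet is loaded. By default it only prints the ipfw commands (DRY_RUN=1) and checks that every pipe referenced by a rule has actually been configured, which is the mistake most easily made when the rule set grows to one pipe per network.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). DRY_RUN=1 prints the
# ipfw commands instead of executing them; set DRY_RUN=0 on a FreeBSD
# host with enc(4) and dummynet to apply them. Bandwidths are constructed.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Without enc0: only the encrypted ESP stream on rl0 is visible to ipfw,
# so every network behind the tunnel shares one pipe and one limit.
shape_combined() {
    run ipfw pipe 1 config bw 2Mbit/s
    run ipfw add 100 pipe 1 esp from any to any out via rl0
}

# With enc0: the still-unencrypted packets pass enc0 before ESP
# encapsulation, so each destination network can get its own pipe.
shape_per_network() {
    run ifconfig enc0 up
    run ipfw pipe 2 config bw 1Mbit/s
    run ipfw pipe 3 config bw 512Kbit/s
    run ipfw add 102 pipe 2 all from any to 10.0.2.0/24 out via enc0
    run ipfw add 103 pipe 3 all from any to 10.0.3.0/24 out via enc0
}

# Sanity check for dry-run output: every "add ... pipe N" rule must have a
# matching "pipe N config" line, otherwise traffic hits an unconfigured
# pipe. Argument: the name of a shaping function above. Exit 1 on failure.
check_pipes_configured() {
    out="$(DRY_RUN=1 "$1")"
    printf '%s\n' "$out" | awk '
        /ipfw pipe [0-9]+ config/        { cfg[$3] = 1 }
        /ipfw add [0-9]+ pipe [0-9]+/    { used[$5] = 1 }
        END {
            bad = 0
            for (p in used) if (!(p in cfg)) {
                print "pipe " p " is used by a rule but never configured"
                bad = 1
            }
            exit bad
        }'
}

# Stand-alone run: show the per-network rule set and validate it.
shape_per_network
check_pipes_configured shape_per_network
```

Running the script as-is prints the five commands and exits 0; deleting one of the `ipfw pipe N config` lines makes the check report the orphaned pipe. The combined rule on rl0 and the per-network rules on enc0 are kept as separate functions so the two setups can be compared side by side.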


More information about the freebsd-net mailing list