ipsec with ipfw

Hooman Fazaeli hoomanfazaeli at gmail.com
Mon Mar 13 14:53:13 UTC 2017


On 2017-03-13 11:01, Andrey V. Elsukov wrote:
> On 12.03.2017 00:23, Hooman Fazaeli wrote:
>> Hi,
>>
>> As you know the ipsec/setkey provide limited syntax to define security
>> policies: only a single subnet/host, protocol number and optional port
>> may be used to specify traffic's source and destination.
>>
>> I was thinking about the idea of using ipfw as the packet selector for
>> ipsec,
>> much like it is used with dummynet. Something like:
>>
>> ipfw add 100 ipsec 2 tcp from <lan-table> to <remote-servers-table>
>> 80,443,110,139
> What should this rule do? How do you plan to implement policy lookup for
> inbound packets?
>

For instance, outbound packets matching the rule would go through the
tunnel whose index is 2. The tunnel itself is defined using setkey.
Something like:

spdadd 2 esp/tunnel/1.1.1.1-2.2.2.2/require

It's basically the same as spdadd without the src/dst/proto/port
specification. A similar rule would be written for inbound packets.
This is just to indicate the idea. Obviously, exact mechanism
needs further thought & investigation (i.e., the issue of stateful vs.
stateless rules).

One important aspect, as slw at zxy.spb.ru pointed out, is how to deal with
IKE/ISAKMP to support the mechanism, as the current protocol requires that
negotiating parties exchange & match subject-to-ipsec-traffic
specification in SA payloads (which is restricted to single subnet+proto+port).
I was thinking about some form of labeling (like MPLS) plus custom
payload types or DOIs.

Your ideas are welcome.

-- 
Best regards
Hooman Fazaeli
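An added example, not part of the thread: with today's setkey(8) syntax, the single ipfw-style selector "tcp from <lan-table> to <remote-servers-table> 80,443,110,139" has to be expanded into one spdadd policy per (source subnet, destination host, port) triple in each direction. The LAN and remote-server prefixes below are constructed stand-ins for the two tables; the tunnel endpoints 1.1.1.1 and 2.2.2.2 are the ones used in the message.

```shell
#!/bin/sh
# Expand a multi-subnet, multi-host, multi-port selector into the setkey(8)
# spdadd lines the SPD currently needs: each policy carries exactly one source
# range, one destination range, one upper-layer protocol and one optional port.
# Addresses below are constructed sample values, not from the thread.

LAN_TABLE="10.0.1.0/24 10.0.2.0/24"         # stands in for <lan-table>
REMOTE_TABLE="192.0.2.10/32 192.0.2.20/32"  # stands in for <remote-servers-table>
PORTS="80 443 110 139"
TUNNEL_OUT="esp/tunnel/1.1.1.1-2.2.2.2/require"  # outer header for outbound
TUNNEL_IN="esp/tunnel/2.2.2.2-1.1.1.1/require"   # reversed for inbound

# Emit an outbound policy and its matching inbound policy for every
# (src, dst, port) combination. Output is setkey -c input.
gen_policies() {
    for src in $LAN_TABLE; do
        for dst in $REMOTE_TABLE; do
            for port in $PORTS; do
                printf 'spdadd %s[any] %s[%s] tcp -P out ipsec %s;\n' \
                    "$src" "$dst" "$port" "$TUNNEL_OUT"
                printf 'spdadd %s[%s] %s[any] tcp -P in ipsec %s;\n' \
                    "$dst" "$port" "$src" "$TUNNEL_IN"
            done
        done
    done
}

# Number of SPD entries produced: 2 * |lan| * |remote| * |ports|.
count_policies() {
    gen_policies | wc -l | tr -d ' '
}

gen_policies
```

Feeding the output to `setkey -c` installs the expanded policy set; the line count grows multiplicatively with each table, which is the limitation the proposed ipfw selector is meant to avoid.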