IP SEC filtering issue

Nielsen nielsen at memberwebs.com
Fri May 30 12:53:22 PDT 2003


From experience I've found you have to break these things up on
different machines. I don't have an intimate knowledge of how and when
the IPSEC processing gets done in the kernel, and maybe if someone did
they could figure out how and if you could do all of this on a single
machine.

But in our case, we break down the tasks between machines (traffic
splitter, ipsec processing, etc...) and it works like a charm. It's
also *much* easier to figure out what's wrong, heh. The machines don't
have to be powerful.

Nate

----- Original Message -----
From: "Alwyn Goodloe" <agoodloe at saul.cis.upenn.edu>
To: <freebsd-security at FreeBSD.ORG>
Sent: Wednesday, May 28, 2003 14:44
Subject: IP SEC filtering issue


> First thing to note is that I am using FreeBSD 4.8.
>
> We would like to send only the SYN packet of a TCP connection through
> certain IPsec tunnels and the rest of the packets in a connection through
> a simple transport mode setup. Yeah, I know it's strange but what can I
> say -- we do a lot of strange things. From the best I can tell, the
> setkey/spdadd filtering capability isn't sophisticated enough to detect
> SYN packets. Since ipfw does do this sort of thing, we can use this to
> filter out the SYN packet and, using divert sockets (we have a lot of
> experience at writing divert sockets), we can put a wrapper around it so
> that it goes to a particular port. Since IPsec can filter on ports, we
> can just filter that out. The process should look something like:
>
> syn ---> diverted and wrapped to head for port X ---->
>          ipsec filters on port X  sends it into tunnel .........
>
>  ........... ipsec does its thing ---> divert socket unwraps ---> sends
> the packet on its way (not passing through IPsec again).
>
> The divert socket solution seems to work fine on the sending side, but
> there seem to be problems on the receiving side. I suspect that ipfw is
> looking at the packet before IPsec or some such thing. I know that there
> were postings about the interaction of ipfw and IPsec and that some of
> these were going to be fixed in 4.8.
>
> If any of you know of a way to get IPsec to filter on SYN packets, let me
> know. If you have ever tried to get divert sockets and IPsec working at
> the same time, let me know the secret. I suspect I'm just going to have
> to hack the IPsec filter to get it to filter on SYN packets. Any ideas as
> to how hard this will be?
>
> Alwyn Goodloe
>
> agoodloe at saul.cis.upenn.edu
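The wrap/unwrap half of the scheme Alwyn sketches (SYN diverted by ipfw, wrapped so it carries a known port, selected by the SPD, unwrapped on the far side) as an added example. This is not code from either message nor FreeBSD's own code: it is portable C for the packet rewriting only, so it compiles and runs anywhere; the divert-socket read/reinject loop around it (on FreeBSD a PF_INET, SOCK_RAW, IPPROTO_DIVERT socket bound to the port named in the ipfw divert rule) is deliberately left out. The wrapper port 4501, the choice of carrying the whole inner IP packet as a UDP payload, the addresses 10.0.0.1/10.0.0.2, the constructed SYN packet, and the ipfw/setkey rules quoted in the header comment are all assumptions made for the illustration, not tested configuration.

```c
/* Added example (not from the thread): wrap/unwrap helpers for sending only
 * the TCP SYN through an IPsec tunnel selected by port. Assumed companion rules:
 *   ipfw add 100 divert 8668 tcp from 10.0.0.1 to 10.0.0.2 setup out
 *   spdadd 10.0.0.1 10.0.0.2[4501] udp -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
 * The divert program reads the SYN, calls wrap_packet() and reinjects; the SPD
 * matches UDP port 4501. The far end, after IPsec decapsulation, calls
 * unwrap_packet() and reinjects the original SYN. Divert I/O itself is omitted. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WRAP_PORT 4501   /* "port X": assumed value, must match the SPD selector */
#define PROTO_TCP 6
#define PROTO_UDP 17
#define TH_SYN 0x02
#define TH_ACK 0x10

struct ipv4_hdr {
    uint8_t  vhl, tos;
    uint16_t len, id, off;
    uint8_t  ttl, proto;
    uint16_t sum;
    uint32_t src, dst;
} __attribute__((packed));

struct udp_hdr { uint16_t sport, dport, len, sum; } __attribute__((packed));

/* RFC 1071 one's-complement sum in network byte order (storable as-is);
 * computed over a header whose checksum field is already correct it yields 0. */
static uint16_t ip_checksum(const void *data, size_t n) {
    const uint8_t *p = data;
    uint32_t acc = 0;
    for (size_t i = 0; i + 1 < n; i += 2) acc += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (n & 1) acc += (uint32_t)(p[n - 1] << 8);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return htons((uint16_t)~acc);
}

/* Same test as ipfw's "setup" keyword: IPv4, TCP, SYN set and ACK clear. */
int is_tcp_syn(const uint8_t *pkt, size_t len) {
    if (len < sizeof(struct ipv4_hdr)) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if ((pkt[0] >> 4) != 4 || pkt[9] != PROTO_TCP || ihl < 20 || len < ihl + 20) return 0;
    return (pkt[ihl + 13] & (TH_SYN | TH_ACK)) == TH_SYN;   /* TCP flags byte */
}

/* Carry the whole inner IP packet as the payload of a new IPv4/UDP packet
 * addressed to WRAP_PORT. Returns the outer length, or 0 on error. */
size_t wrap_packet(const uint8_t *inner, size_t inner_len, uint32_t src, uint32_t dst,
                   uint8_t *out, size_t out_cap) {
    struct ipv4_hdr ip;
    struct udp_hdr udp;
    size_t total = sizeof ip + sizeof udp + inner_len;
    if (total > out_cap || total > 0xffff) return 0;
    memset(&ip, 0, sizeof ip);
    ip.vhl = 0x45; ip.ttl = 64; ip.proto = PROTO_UDP;
    ip.len = htons((uint16_t)total); ip.src = src; ip.dst = dst;
    ip.sum = ip_checksum(&ip, sizeof ip);
    udp.sport = htons(WRAP_PORT); udp.dport = htons(WRAP_PORT);
    udp.len = htons((uint16_t)(sizeof udp + inner_len));
    udp.sum = 0;   /* zero UDP checksum is legal for IPv4; the inner TCP checksum is carried untouched */
    memcpy(out, &ip, sizeof ip);
    memcpy(out + sizeof ip, &udp, sizeof udp);
    memcpy(out + sizeof ip + sizeof udp, inner, inner_len);
    return total;
}

/* Reverse of wrap_packet. Only a packet that really is IPv4/UDP to WRAP_PORT with
 * consistent lengths and a valid IP checksum is unwrapped; anything else returns 0
 * so the caller never reinjects it. *inner points into outer (no copy). */
size_t unwrap_packet(const uint8_t *outer, size_t outer_len, const uint8_t **inner) {
    struct ipv4_hdr ip;
    struct udp_hdr udp;
    if (outer_len < sizeof ip + sizeof udp) return 0;
    memcpy(&ip, outer, sizeof ip);
    memcpy(&udp, outer + sizeof ip, sizeof udp);
    if (ip.vhl != 0x45 || ip.proto != PROTO_UDP || ntohs(ip.len) != outer_len) return 0;
    if (ip_checksum(&ip, sizeof ip) != 0) return 0;
    if (ntohs(udp.dport) != WRAP_PORT) return 0;
    size_t ulen = ntohs(udp.len);
    if (ulen < sizeof udp || sizeof ip + ulen != outer_len) return 0;
    *inner = outer + sizeof ip + sizeof udp;
    return ulen - sizeof udp;
}

/* Constructed 40-byte IPv4/TCP packet (10.0.0.1:49152 -> 10.0.0.2:80, no options,
 * TCP checksum left 0) so the demo runs offline. */
size_t make_tcp_packet(uint8_t *buf, uint8_t flags) {
    struct ipv4_hdr ip;
    memset(buf, 0, 40);
    memset(&ip, 0, sizeof ip);
    ip.vhl = 0x45; ip.ttl = 64; ip.proto = PROTO_TCP; ip.len = htons(40);
    ip.src = htonl(0x0a000001); ip.dst = htonl(0x0a000002);
    ip.sum = ip_checksum(&ip, sizeof ip);
    memcpy(buf, &ip, sizeof ip);
    buf[20] = 0xc0; buf[23] = 0x50;   /* sport 49152, dport 80 */
    buf[32] = 0x50; buf[33] = flags;  /* data offset 5 words, flags */
    buf[34] = 0xff; buf[35] = 0xff;   /* window */
    return 40;
}

int main(void) {
    uint8_t syn[40], outer[128];
    const uint8_t *back;
    size_t n = make_tcp_packet(syn, TH_SYN);
    size_t w = wrap_packet(syn, n, htonl(0x0a000001), htonl(0x0a000002), outer, sizeof outer);
    size_t u = unwrap_packet(outer, w, &back);
    printf("syn? %d  wrapped %zu bytes  unwrapped %zu bytes  intact %d\n",
           is_tcp_syn(syn, n), w, u, (int)(u == n && memcmp(back, syn, n) == 0));
    return 0;
}
```

The point worth keeping on the receiving side is that unwrap_packet() refuses anything that is not exactly an IPv4/UDP packet to the wrapper port with matching lengths: the divert program sits in the forwarding path, so an unwrapper that reinjects whatever it is handed would let any host that can reach port X inject arbitrary IP packets behind the tunnel endpoint. Whether the far end's divert rule sees the decrypted packet before or after ipsec processing is exactly the ordering question the original post raises, and this code does not settle it.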
