
 
From: Crist J. Clark (crist.clark_at_attbi.com)
Date: Mon Aug 05 2002 - 12:41:56 CDT


    On Mon, Aug 05, 2002 at 04:09:51PM +0200, Eric Masson wrote:
    > >>>>> "Crist" == Crist J Clark <crist.clark@attbi.com> writes:
    >
    > Crist> It's pretty much automagically done by way of the SPD entry. Any
    > Crist> packet that matches the source and destination in the SPD gets
    > Crist> put through the appropriate tunnel with the specified end
    > Crist> points.
    >
    > Ok, I do understand now.
    >
    > Crist> It's not the same as the regular routing table and will not show
    > Crist> up in 'netstat -rn.'
    >
    > It would be nice to have netstat -r show these routes with a new flag
    > (like T for example), tunnelled end address as destination, tunneled
    > origin address as gateway, and interface bound to tunnel origin address
    > as netif.
    >
    > Does this look interesting or is this plain dumb ?

    Tunnelling is not the same as routing. The tunnelling actually has no
    effect on routing. A packet going through the tunnel is encapsulated
    and sent to a different destination. This is not like routing where we
    don't touch the source or destination addresses and merely manipulate
    where the packet is directed on the next hop. Once encapsulation is
    done, routing is done normally.

    Another place for confusion, what do you display for,

      spdadd 10.10.10.0/24[any] 10.99.99.0/24[25] tcp
        -P out ipsec esp/tunnel/10.10.11.1-10.99.98.1/require

    Where not all traffic, but only some, goes through the tunnel. (Yes,
    an odd use of tunnelling, but perfectly valid.)

    I think trying to add IPsec tunnels to 'netstat -r' is not a good
    idea. 'netstat -r' should show the routing table and nothing more.

    I think a command that displays the SPD and live SAD entries in more
    intuitive ways, possibly in a 'netstat -r'-like fashion would be very
    useful, but it shouldn't actually be in 'netstat -r.'

    -- 
    Crist J. Clark                     |     cjclark@alum.mit.edu
                                       |     cjclark@jhu.edu
    http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
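As an added example (not code from the original mail, and not a FreeBSD tool): a small Python script that does what the last paragraph of the message asks for, reading an SPD dump and rendering it in a 'netstat -r'-like table with a T flag for tunnel policies, and then matching sample packets against the selectors to show that with the mail's spdadd rule only TCP/25 to 10.99.99.0/24 is tunnelled while everything else is handed to ordinary routing. The dump text is constructed and only assumed to be shaped like KAME/FreeBSD `setkey -DP` output (unindented selector line, then indented direction/action, policy and spid lines); IPv4 only.

```python
"""SPD in a netstat-like view, plus packet classification against the selectors.

Added example; not from the original mail or from FreeBSD. The dump below is
constructed and assumed to follow the KAME `setkey -DP` layout.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample dump: the mail's policy (only SMTP to 10.99.99.0/24 is
# tunnelled) plus a second policy that tunnels all traffic to 192.168.5.0/24.
SPD_DUMP = (
    "10.10.10.0/24[any] 10.99.99.0/24[25] tcp\n"
    "\tout ipsec\n"
    "\tesp/tunnel/10.10.11.1-10.99.98.1/require\n"
    "\tspid=1 seq=1 pid=512\n"
    "\trefcnt=1\n"
    "10.10.10.0/24[any] 192.168.5.0/24[any] any\n"
    "\tout ipsec\n"
    "\tesp/tunnel/10.10.11.1-192.168.5.1/require\n"
    "\tspid=3 seq=0 pid=512\n"
    "\trefcnt=1\n"
)

SELECTOR_RE = re.compile(r'^([^\s\[]+)\[([^\]]+)\]\s+([^\s\[]+)\[([^\]]+)\]\s+(\S+)$')
# proto/mode/outer-src-outer-dst/level, e.g. esp/tunnel/A-B/require or esp/transport//require
POLICY_RE = re.compile(r'^(esp|ah|ipcomp)/(tunnel|transport)/(?:([^/-]*)-([^/]*))?/([^/]+)$')


@dataclass
class SpdEntry:
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    proto: str                    # 'tcp', 'udp', 'any', ...
    direction: str = ''           # 'in' or 'out'
    action: str = ''              # 'ipsec', 'discard' or 'none'
    mode: Optional[str] = None    # 'tunnel' or 'transport'
    tun_src: Optional[str] = None
    tun_dst: Optional[str] = None
    spid: Optional[int] = None


def _port(text: str) -> Optional[int]:
    return None if text == 'any' else int(text)


def parse_spd(dump: str) -> List[SpdEntry]:
    """Turn a setkey -DP style dump into SpdEntry objects (one per selector line)."""
    entries: List[SpdEntry] = []
    cur: Optional[SpdEntry] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():                  # unindented line: new selector
            m = SELECTOR_RE.match(line)
            if not m:
                raise ValueError('unrecognised selector line: %r' % line)
            cur = SpdEntry(ipaddress.ip_network(m.group(1), strict=False), _port(m.group(2)),
                           ipaddress.ip_network(m.group(3), strict=False), _port(m.group(4)),
                           m.group(5))
            entries.append(cur)
            continue
        if cur is None:
            continue
        parts = line.split()
        pm = POLICY_RE.match(line)
        if parts[0] in ('in', 'out'):             # "out ipsec", "in discard", ...
            cur.direction = parts[0]
            cur.action = parts[1] if len(parts) > 1 else ''
        elif pm:                                  # "esp/tunnel/A-B/require"
            cur.mode, cur.tun_src, cur.tun_dst = pm.group(2), pm.group(3), pm.group(4)
        elif parts[0].startswith('spid='):
            cur.spid = int(parts[0].split('=', 1)[1])
    return entries


def lookup(entries, src, dst, proto, sport=None, dport=None, direction='out'):
    """First SPD entry matching the packet, or None: then only the routing table applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.direction != direction or s not in e.src or d not in e.dst:
            continue
        if e.proto != 'any' and e.proto != proto:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e
    return None


def _sel(net, port):
    return '%s[%s]' % (net, 'any' if port is None else port)


def render_table(entries) -> str:
    """netstat -r like view: flag T = tunnel policy, Gateway = outer tunnel destination."""
    fmt = '%-24s %-24s %-5s %-5s %-16s %s'
    rows = [fmt % ('Destination', 'Source', 'Proto', 'Flags', 'Gateway', 'spid')]
    for e in entries:
        flags = 'T' if e.action == 'ipsec' and e.mode == 'tunnel' else '-'
        rows.append(fmt % (_sel(e.dst, e.dport), _sel(e.src, e.sport), e.proto, flags,
                           e.tun_dst or '-', e.spid))
    return '\n'.join(rows)


if __name__ == '__main__':
    spd = parse_spd(SPD_DUMP)
    print(render_table(spd))
    for pkt in (('10.10.10.5', '10.99.99.7', 'tcp', 25), ('10.10.10.5', '10.99.99.7', 'tcp', 80)):
        hit = lookup(spd, pkt[0], pkt[1], pkt[2], dport=pkt[3])
        print(pkt, ('tunnelled to %s' % hit.tun_dst) if hit else 'plain routing')
```

The table is deliberately a view of the SPD only: nothing here touches the routing table, which matches the point of the message that encapsulation decides the new outer destination and routing then proceeds normally on that.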
    
