  If you have a IPSec packet you can't see the data(even if u can it's
useless as it's encrypted). unless you exchange keys and know what the
encryption algorithm we can't decrypt and know the information being passed.
Hence, the fact that we are using IPsec gives greater security than any
firewall can. You can't possibly break a 128-bit encryption. till now I
don't think it has been broken.

if you want restrict somebody in your internal network from using IPSec.
Then yes we must be able to do it with a firewall.
If somebody in your trusted internal network hacks then you are in trouble .
If I'm not wrong few firewalls take care of it .

Also, if some body corrupts the encrypted packet then we can discard it at
time of decryption.


-----Original Message-----
[mailto:[EMAIL PROTECTED]]On Behalf Of Alex Le Heux
Sent: Monday, January 14, 2002 6:43 PM
To: Kshitij Gunjikar
Subject: Re: Filtering packets received through an ipsec tunnel


I don't think this is quite correct.

The fact that I have a tunnel means I have some relation with the other
network, and that I do not trust the network(s) between us.

It does NOT mean that I trust their security setup and want to receive any
packet that they send me.

So I would certainly hope that I have the option of filtering.


Alex Le Heux

On Mon, Jan 14, 2002 at 05:32:11PM +0530, Kshitij Gunjikar wrote:
> Hi Rene,
>   I'm wondering why do you want to filter Secure traffic?
> The very fact that you have a tunnel to a place means you trust that
> network. Hence, why filter?
> What are the complex situations you have in mind?
> Regards
> Kshitij
> -----Original Message-----
> [mailto:[EMAIL PROTECTED]]On Behalf Of Rene de Vries
> Sent: Sunday, January 13, 2002 10:32 PM
> Subject: Filtering packets received through an ipsec tunnel
> Hello,
> > This message was already posted to [EMAIL PROTECTED], but with
> > limited success. I'm hoping that someone on [EMAIL PROTECTED] can give me
> > some more information.
> By experimenting with ipsec and looking at the source of "ip_input.c" a
> co-worker and I found the following out.
> When a ipsec tunnel packet is received this (protocol 50/51) packet is
> passed through ip-filter (& co). After filtering and when it has been
> determent that the current host is the destination (tunnel end-point),
> this packet is decrypted/verified. The decrypted packet is then pushed
> back into the queue that leads to ip_input(...). So far so good....
> But once in ip_input(...) the filtering code is skipped and we were
> wondering why.
> I know that ipsec has some handles to be able to filter on address,
> protocol and/or port. But for more complex situations this is not
> enough. In these situations it would be nice to be able to use
> ip-filter (& co) on traffic from the tunnel (and also for traffic going
> into the tunnel).
> I was wondering why this is implemented the way it is. Maybe someone on
> this list could shed a light on this?
> Rene
> --
> Rene de Vries <[EMAIL PROTECTED]>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message

"My theory is that the (Internet) industry was started in
large part by technologists rather than media people..."
                - Robin Webster, President, Interactive Advertising Bureau

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message

Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message

Reply via email to