On 2017-03-13 11:01, Andrey V. Elsukov wrote:
> On 12.03.2017 00:23, Hooman Fazaeli wrote:
>> Hi,
>> As you know the ipsec/setkey provide limited syntax to define security
>> policies: only a single subnet/host, protocol number and optional port
>> may be used to specify traffic's source and destination.
>> I was thinking about the idea of using ipfw as the packet selector for
>> ipsec, much like it is used with dummynet. Something like:
>> ipfw add 100 ipsec 2 tcp from <lan-table> to <remote-servers-table> 80,443,110,139
> What should this rule do? How do you plan to implement policy lookup for
> inbound packets?
For instance, outbound packets matching the rule would go through the
tunnel whose index is 2. The tunnel itself is defined using setkey.
Something like:
spdadd 2 esp/tunnel/1.1.1.1-2.2.2.2/require
It's basically the same as spdadd without the src/dst/proto/port
specification. A similar rule would be written for inbound packets.
This is just to indicate the idea. Obviously, the exact mechanism
needs further thought & investigation (e.g., the issue of stateful vs.
stateless rules).
One important aspect, as s...@zxy.spb.ru pointed out, is how to deal with
IKE/ISAKMP to support the mechanism, as the current protocol requires that
negotiating parties exchange & match the subject-to-ipsec-traffic
specification in SA payloads (which is restricted to a single subnet+proto+port).
I was thinking about some form of labeling (like MPLS) plus custom
payload types or DOIs.
Your ideas are welcome.
--
Best regards
Hooman Fazaeli
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"