Message-ID: <4198B2B6.9050803@globalintech.pl>
Date: Mon, 15 Nov 2004 14:44:22 +0100
From: Blizbor <kernel@globalintech.pl>
User-Agent: Mozilla Thunderbird 0.6 (Windows/20040502)
MIME-Version: 1.0
To: linux-kernel@vger.kernel.org
Subject: 2.6 native IPsec implementation question
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1262
Lines: 38

Greetings,

I hope, this is right place to ask my questions.

1. Why IPsec in 2.6 doesn't uses separate interface ?
It makes impossible to implement firewall logic like this (or I'm 
missing something):

incoming from eth0 allow AH
incoming from eth0 allow ESP
incoming from eth0 allow udp 500
incoming from eth0 allow udp 53
incoming from eth0 allow ICMP related
incoming from eth0 deny all

then set of filters restricting traffic incoming via IPsec for examle:
incoming from ipsec0 allow tcp 389
incoming from ipsec0 allow ICMP related
incoming from ipsec0 deny all

(please consider roadwarrior client with not known IP address)

2. Why IPsec in 2.6 doesn't creates entries in the route tables ?
It's a bit confusing when 'ip route list' doesnt makes you aware that
some traffic is going somwhere else than defined in route tables.

(you must know that there is IPsec in use on the host, then you are using
setkey to list rules, and then you must analyse rules to catch routes - 
ugly solution.)


Reards,
Blizbor
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/