freebsd security - May 2003 - IP SEC filtering issue

First thing to note is that I am using FreeBSD 4.8 .

We would like to send only the syn packet of a tcp connection through
certain  ipsec tunnels and  the rest of the packets in a connection though
a simple transport mode setup. Yeah, I know it's strange but what can I
say -- we do a lot of strange things. From the best I can tell, the
setkey/spadd filtering capability isn't sophisticated enough to detect
syn packets. Since ipfw does do this sort of thing we can use this to
filter out the syn packet and using divert sockets (we have  a lot of
experience at writing divert sockets) we can put a wrapper
around it so that it goes to a particular port. Since ip sec can filter on
ports, we can just filter that out. The process should look something
like:



syn ---> diverted and wrapped to head for port X ---->
         ipsec filters on port X  sends it into tunnel .........


 ........... ipsec does its thing ---> divert socket unwraps ---> sends
the packet on its way (not passing though ip sec again).



The divert socket solution seems to work fine on the sending side, but
there seems to be problems on the receiving side. I suspect that ipfw is
looking at the packet before ipsec or some such thing. I know that there
were postings about the interaction of ipfw and ipsec and that some of
these were going to be fixed in 4.8.

  If any of you know of a way to get ipsec to filter on syn packets let me
know. If you have ever tried to get divert sockets and ip sec working at
the same time let me know the secret.   I suspect I'm just going to have
to hack the ipsec filter to get it to filter on syn packets.  Any ideas as
to how hard this will be


Alwyn Goodloe

agoodloe@saul.cis.upenn.edu

>From experience I've found you have to break these things up on
different machines. I don't have an intimate knowledge of how and when
the IPSEC processing gets done it the kernel, and maybe if someone did
they could figure out how and if you could do all of this on single
machines.

But in our case, we break down the tasks between machines (traffic
splitter, ipsec processing, etc...) and it works like a charm. It's
also *much* easier to figure out what's wrong, heh. The machines don't
have to be powerful.

Nate

----- Original Message -----
From: "Alwyn Goodloe" <agoodloe@saul.cis.upenn.edu>
To: <freebsd-security@FreeBSD.ORG>
Sent: Wednesday, May 28, 2003 14:44
Subject: IP SEC filtering issue

> First thing to note is that I am using FreeBSD 4.8 .
>
> We would like to send only the syn packet of a tcp connection
through
> certain  ipsec tunnels and  the rest of the packets in a connection
though
> a simple transport mode setup. Yeah, I know it's strange but what
can I
> say -- we do a lot of strange things. From the best I can tell, the
> setkey/spadd filtering capability isn't sophisticated enough to
detect
> syn packets. Since ipfw does do this sort of thing we can use this
to
> filter out the syn packet and using divert sockets (we have  a lot
of
> experience at writing divert sockets) we can put a wrapper
> around it so that it goes to a particular port. Since ip sec can
filter on
> ports, we can just filter that out. The process should look
something
> like:
>
>
>
> syn ---> diverted and wrapped to head for port X ---->
>          ipsec filters on port X  sends it into tunnel .........
>
>
>  ........... ipsec does its thing ---> divert socket unwraps --->
sends
> the packet on its way (not passing though ip sec again).
>
>
>
> The divert socket solution seems to work fine on the sending side,
but
> there seems to be problems on the receiving side. I suspect that
ipfw is
> looking at the packet before ipsec or some such thing. I know that
there
> were postings about the interaction of ipfw and ipsec and that some
of
> these were going to be fixed in 4.8.
>
>   If any of you know of a way to get ipsec to filter on syn packets
let me
> know. If you have ever tried to get divert sockets and ip sec
working at
> the same time let me know the secret.   I suspect I'm just going to
have
> to hack the ipsec filter to get it to filter on syn packets.  Any
ideas as
> to how hard this will be
>
>
> Alwyn Goodloe
>
> agoodloe@saul.cis.upenn.edu
>
>
>
>
>
>
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
"freebsd-security-unsubscribe@freebsd.org"

Thanks for your advice.


Alwyn

On Fri, 30 May 2003, Nielsen wrote:
> >From experience I've found you have to break these things up on
> different machines. I don't have an intimate knowledge of how and when
> the IPSEC processing gets done it the kernel, and maybe if someone did
> they could figure out how and if you could do all of this on single
> machines.
>
> But in our case, we break down the tasks between machines (traffic
> splitter, ipsec processing, etc...) and it works like a charm. It's
> also *much* easier to figure out what's wrong, heh. The machines
don't
> have to be powerful.
>
> Nate
>
> ----- Original Message -----
> From: "Alwyn Goodloe" <agoodloe@saul.cis.upenn.edu>
> To: <freebsd-security@FreeBSD.ORG>
> Sent: Wednesday, May 28, 2003 14:44
> Subject: IP SEC filtering issue
>
>
> > First thing to note is that I am using FreeBSD 4.8 .
> >
> > We would like to send only the syn packet of a tcp connection
> through
> > certain  ipsec tunnels and  the rest of the packets in a connection
> though
> > a simple transport mode setup. Yeah, I know it's strange but what
> can I
> > say -- we do a lot of strange things. From the best I can tell, the
> > setkey/spadd filtering capability isn't sophisticated enough to
> detect
> > syn packets. Since ipfw does do this sort of thing we can use this
> to
> > filter out the syn packet and using divert sockets (we have  a lot
> of
> > experience at writing divert sockets) we can put a wrapper
> > around it so that it goes to a particular port. Since ip sec can
> filter on
> > ports, we can just filter that out. The process should look
> something
> > like:
> >
> >
> >
> > syn ---> diverted and wrapped to head for port X ---->
> >          ipsec filters on port X  sends it into tunnel .........
> >
> >
> >  ........... ipsec does its thing ---> divert socket unwraps
--->
> sends
> > the packet on its way (not passing though ip sec again).
> >
> >
> >
> > The divert socket solution seems to work fine on the sending side,
> but
> > there seems to be problems on the receiving side. I suspect that
> ipfw is
> > looking at the packet before ipsec or some such thing. I know that
> there
> > were postings about the interaction of ipfw and ipsec and that some
> of
> > these were going to be fixed in 4.8.
> >
> >   If any of you know of a way to get ipsec to filter on syn packets
> let me
> > know. If you have ever tried to get divert sockets and ip sec
> working at
> > the same time let me know the secret.   I suspect I'm just going
to
> have
> > to hack the ipsec filter to get it to filter on syn packets.  Any
> ideas as
> > to how hard this will be
> >
> >
> > Alwyn Goodloe
> >
> > agoodloe@saul.cis.upenn.edu
> >
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
>