First thing to note is that I am using FreeBSD 4.8.

We would like to send only the SYN packet of a TCP connection through certain IPsec tunnels and the rest of the packets in a connection through a simple transport mode setup. Yeah, I know it's strange but what can I say -- we do a lot of strange things. From the best I can tell, the setkey/spdadd filtering capability isn't sophisticated enough to detect SYN packets. Since ipfw does do this sort of thing, we can use this to filter out the SYN packet, and using divert sockets (we have a lot of experience at writing divert sockets) we can put a wrapper around it so that it goes to a particular port. Since IPsec can filter on ports, we can just filter that out. The process should look something like:

    syn ---> diverted and wrapped to head for port X ----> ipsec filters on port X sends it into tunnel .........

    ........... ipsec does its thing ---> divert socket unwraps ---> sends the packet on its way (not passing through IPsec again).

The divert socket solution seems to work fine on the sending side, but there seem to be problems on the receiving side. I suspect that ipfw is looking at the packet before IPsec or some such thing. I know that there were postings about the interaction of ipfw and IPsec and that some of these were going to be fixed in 4.8.

If any of you know of a way to get IPsec to filter on SYN packets, let me know. If you have ever tried to get divert sockets and IPsec working at the same time, let me know the secret. I suspect I'm just going to have to hack the IPsec filter to get it to filter on SYN packets. Any ideas as to how hard this will be?

Alwyn Goodloe
agoodloe@saul.cis.upenn.edu
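The "wrap" and "unwrap" steps in the diagram above, written out as an added illustration that is not code from this thread or from any FreeBSD tool: the diverted SYN is placed inside an IPv4/UDP datagram to a fixed port (WRAP_PORT, an assumed stand-in for "port X") so that a setkey SPD entry can select it by port, and the receiving side validates and strips that outer header before the divert socket reinjects the original segment. The divert(4) read/write loop that would call these functions is left out, and the sample SYN is constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#define WRAP_PORT 4500   /* assumed value for the thread's "port X" */
#define OUTER_LEN 28     /* outer IPv4 (20) + UDP (8) header built here */

/* RFC 1071 one's-complement checksum over raw network-order bytes. */
static uint16_t csum16(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    for (; n > 1; n -= 2, p += 2) s += (uint32_t)((p[0] << 8) | p[1]);
    if (n) s += (uint32_t)(p[0] << 8);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* 1 if pkt is an IPv4/TCP segment with SYN set and ACK clear (what ipfw "setup" matches). */
int is_tcp_syn(const uint8_t *pkt, size_t n)
{
    size_t ihl = (n >= 20) ? (size_t)(pkt[0] & 0x0f) * 4 : 0;
    if (n < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return 0;
    if (ihl < 20 || n < ihl + 20) return 0;
    return (pkt[ihl + 13] & 0x12) == 0x02;
}
/* Sending side: SYN goes inside IPv4/UDP to WRAP_PORT, inner src/dst reused. Returns outer length or 0. */
size_t wrap_syn(const uint8_t *pkt, size_t n, uint8_t *out, size_t cap)
{
    size_t total = n + OUTER_LEN; uint16_t c;
    if (!is_tcp_syn(pkt, n) || total > 0xffff || cap < total) return 0;
    memset(out, 0, OUTER_LEN);
    out[0] = 0x45; out[8] = 64; out[9] = 17;               /* IPv4, TTL, UDP */
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    memcpy(out + 12, pkt + 12, 8);                         /* inner src/dst */
    out[20] = out[22] = WRAP_PORT >> 8; out[21] = out[23] = WRAP_PORT & 0xff;
    out[24] = (uint8_t)((n + 8) >> 8); out[25] = (uint8_t)(n + 8);
    c = csum16(out, 20); out[10] = (uint8_t)(c >> 8); out[11] = (uint8_t)c;
    memcpy(out + OUTER_LEN, pkt, n);                       /* UDP checksum left 0 */
    return total;
}
/* Receiving side: verify outer header, checksum and port, strip them; returns inner length or 0. */
size_t unwrap_syn(const uint8_t *pkt, size_t n, uint8_t *out, size_t cap)
{
    size_t ulen = (n >= OUTER_LEN) ? (size_t)((pkt[24] << 8) | pkt[25]) : 0;
    if (n < OUTER_LEN || pkt[0] != 0x45 || pkt[9] != 17) return 0;
    if (csum16(pkt, 20) != 0 || ((pkt[22] << 8) | pkt[23]) != WRAP_PORT) return 0;
    if (ulen < 8 || ulen - 8 > cap || ulen - 8 + OUTER_LEN > n) return 0;
    memcpy(out, pkt + OUTER_LEN, ulen - 8);
    return is_tcp_syn(out, ulen - 8) ? ulen - 8 : 0;      /* only a SYN may come back out */
}
/* Constructed sample: 10.0.0.1:1234 -> 10.0.0.2:80, SYN only, no options, checksums zero. */
const uint8_t SAMPLE_SYN[40] = { 0x45,0,0,40, 0,1,0,0, 64,6,0,0, 10,0,0,1,
    10,0,0,2, 0x04,0xd2,0,80, 0,0,0,1, 0,0,0,0, 0x50,0x02,0x20,0, 0,0,0,0 };
```

In the sending-side divert loop, wrap_syn runs on each packet read from the divert socket and the result is written back; on the receiving side, unwrap_syn runs on datagrams arriving at WRAP_PORT after IPsec has processed them.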
From experience I've found you have to break these things up on different machines. I don't have an intimate knowledge of how and when the IPSEC processing gets done in the kernel, and maybe if someone did they could figure out how and if you could do all of this on single machines.

But in our case, we break down the tasks between machines (traffic splitter, ipsec processing, etc...) and it works like a charm. It's also *much* easier to figure out what's wrong, heh. The machines don't have to be powerful.

Nate

----- Original Message -----
From: "Alwyn Goodloe" <agoodloe@saul.cis.upenn.edu>
To: <freebsd-security@FreeBSD.ORG>
Sent: Wednesday, May 28, 2003 14:44
Subject: IP SEC filtering issue

> First thing to note is that I am using FreeBSD 4.8.
>
> We would like to send only the SYN packet of a TCP connection through certain IPsec tunnels and the rest of the packets in a connection through a simple transport mode setup. Yeah, I know it's strange but what can I say -- we do a lot of strange things. From the best I can tell, the setkey/spdadd filtering capability isn't sophisticated enough to detect SYN packets. Since ipfw does do this sort of thing, we can use this to filter out the SYN packet, and using divert sockets (we have a lot of experience at writing divert sockets) we can put a wrapper around it so that it goes to a particular port. Since IPsec can filter on ports, we can just filter that out. The process should look something like:
>
>     syn ---> diverted and wrapped to head for port X ----> ipsec filters on port X sends it into tunnel .........
>
>     ........... ipsec does its thing ---> divert socket unwraps ---> sends the packet on its way (not passing through IPsec again).
>
> The divert socket solution seems to work fine on the sending side, but there seem to be problems on the receiving side. I suspect that ipfw is looking at the packet before IPsec or some such thing. I know that there were postings about the interaction of ipfw and IPsec and that some of these were going to be fixed in 4.8.
>
> If any of you know of a way to get IPsec to filter on SYN packets, let me know. If you have ever tried to get divert sockets and IPsec working at the same time, let me know the secret. I suspect I'm just going to have to hack the IPsec filter to get it to filter on SYN packets. Any ideas as to how hard this will be?
>
> Alwyn Goodloe
> agoodloe@saul.cis.upenn.edu
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Thanks for your advice.

Alwyn

On Fri, 30 May 2003, Nielsen wrote:

> From experience I've found you have to break these things up on different machines. I don't have an intimate knowledge of how and when the IPSEC processing gets done in the kernel, and maybe if someone did they could figure out how and if you could do all of this on single machines.
>
> But in our case, we break down the tasks between machines (traffic splitter, ipsec processing, etc...) and it works like a charm. It's also *much* easier to figure out what's wrong, heh. The machines don't have to be powerful.
>
> Nate