ipsec & ipfw: 4.7-release vs -stable

From: Andriy Gapon (agapon@cv-nj.com)
Date: 02/10/03


Date: Mon, 10 Feb 2003 11:43:04 -0500 (EST)
From: Andriy Gapon <agapon@cv-nj.com>
To: freebsd-ipfw@freebsd.org, freebsd-security@freebsd.org


Is there any remedy expected before 4.8 release for the situation with
ipsec & ipfw interaction that was created after 'ip_input.c 1.130.2.40,
MFC: 1.214' ?

The reason I am asking this question with such a big crosspost is that it
seems that all previous discussions on this topic resulted in nothing. And
this change definetely breaks things for those who use ipsec without extra
stuff like gif tunnels. It definetely doesn't look like a kind of change
welcomed in -stable branch, not mentioning a potential security
vulnaribity for those who can not use gif.

I apologize in the case I have missed any latest developments in this
area.

-- 
Andriy Gapon
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


Relevant Pages

  • Re: best encryption + mode for network packets ?
    ... All IPSEC does, therefore, is to send ... > there's a good reason for most ... I have chosen to use ECB mode at the moment. ... Why did IPSEC choose CBC... ...
    (sci.crypt)
  • Re: ipsec & ipfw: 4.7-release vs -stable
    ... > stuff like gif tunnels. ... When enabled it would allow ipsec gateways to filter decrypted rfc1918 ... In the case of non-gateway/single interface boxes using ipsec, ... Not sure how do-able this is, but it avoids the hassle gif/ipip ...
    (FreeBSD-Security)
  • Re: Any third-party tool to deny IP on IIS 5?
    ... The tool of choice is possibly IPsec used in a filtering mode, ... but you likely would not like it either for the same reason, ... I know that I can use WWW Services Master Properties to deny IP on ...
    (microsoft.public.inetserver.iis.security)
  • IPSEC clarifications
    ... What are the consequences when enabling this if one does use IPSEC ... w/o any GIF tunnels? ... # The default is that packets coming from a tunnel are _not_ processed; ... Is just compiling device enc into the kernel, ...
    (freebsd-stable)
  • Re: FW: iHEADS UP: ipsec packet filtering change
    ... >>You don't really need the gif tunnels for ipsec. ... >>using gif tunnels and I've been tripped up by it, ... I have set up IPSec VPN from FreeBSD to: ... do anything to get your packets routed through the VPN, ...
    (freebsd-stable)