enc0 patch for ipsec
Andrew Thompson
Posted: Thu Jun 15, 2006 10:53 pm    Subject: enc0 patch for ipsec

Hi,


I have a patch attached that implements the much requested feature of
packet filtering ipsec connections.

This is a device to expose packets going in/out of ipsec and comes
from OpenBSD. There are two functions, a bpf tap which has a basic
header with the SPI number which our current tcpdump knows how to
display, and handoff to pfil(9) for packet filtering.

The way I have hooked it in is compiling it in with fast_ipsec and
the extra work is only done when the enc0 interface is created. The
interface is not created by default so it's a minimal hit, the user
will need to 'ifconfig enc0 create' in order to activate it. I
believe the locking is correct so it can be created and destroyed at
runtime.

PRs 98219 and 94829 are requesting this feature.



Andrew
Max Laier
Posted: Fri Jun 16, 2006 3:35 pm    Subject: Re: enc0 patch for ipsec

On Friday 16 June 2006 00:53, Andrew Thompson wrote:
Quote:
I have a patch attached that implements the much requested feature of
packet filtering ipsec connections.

This is a device to expose packets going in/out of ipsec and comes
from OpenBSD. There are two functions, a bpf tap which has a basic
header with the SPI number which our current tcpdump knows how to
display, and handoff to pfil(9) for packet filtering.

The way I have hooked it in is compiling it in with fast_ipsec and
the extra work is only done when the enc0 interface is created. The
interface is not created by default so it's a minimal hit, the user
will need to 'ifconfig enc0 create' in order to activate it. I
believe the locking is correct so it can be created and destroyed at
runtime.

I think it should get a "device enc" on its own. Some people might consider
enc(4) to be a security problem so getting it with FAST_IPSEC automatically
isn't preferable.

Other than that, great news. Thanks a lot.

Quote:
PRs 98219 and 94829 are requesting this feature.



Andrew

--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
Scott Ullrich
Posted: Fri Jun 16, 2006 3:41 pm    Subject: Re: enc0 patch for ipsec

On 6/16/06, Max Laier <max@love2party.net> wrote:
Quote:
I think it should get a "device enc" on its own. Some people might consider
enc(4) to be a security problem so getting it with FAST_IPSEC automatically
isn't preferable.

You have to specifically create the enc0 interface (ifconfig enc0
create) before it becomes active. Otherwise it will not hit the enc
code path unless the device is created.

Scott
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"
VANHULLEBUS Yvan
Posted: Fri Jun 16, 2006 3:42 pm    Subject: Re: enc0 patch for ipsec

On Fri, Jun 16, 2006 at 10:53:12AM +1200, Andrew Thompson wrote:
Quote:
Hi,

Hi.

Quote:
PRs 98219 and 94829 are requesting this feature.

Patch provided in PR 94829 does not provide filters hook, but it has
support for both IPSEC and FAST_IPSEC.

Perhaps we could merge some "features" of both patches, I'll have a
look at that.


Yvan.

--
NETASQ
http://www.netasq.com
Max Laier
Posted: Fri Jun 16, 2006 4:04 pm    Subject: Re: enc0 patch for ipsec

On Friday 16 June 2006 17:41, Scott Ullrich wrote:
Quote:
On 6/16/06, Max Laier <max@love2party.net> wrote:
I think it should get a "device enc" on its own. Some people might
consider enc(4) to be a security problem so getting it with FAST_IPSEC
automatically isn't preferable.

You have to specifically create the enc0 interface (ifconfig enc0
create) before it becomes active. Otherwise it will not hit the enc
code path unless the device is created.

The issue is, if an attacker manages to get root on your box they are
automatically able to read your IPSEC traffic ending at that box. If you
don't have enc(4) compiled in, that would be more difficult to do. Same
reason you don't want SADB_FLUSH on by default.

Scott Ullrich
Posted: Fri Jun 16, 2006 4:09 pm    Subject: Re: enc0 patch for ipsec

On 6/16/06, Max Laier <max@love2party.net> wrote:
Quote:
The issue is, if an attacker manages to get root on your box they are
automatically able to read your IPSEC traffic ending at that box. If you
don't have enc(4) compiled in, that would be more difficult to do. Same
reason you don't want SADB_FLUSH on by default.

Okay, this makes sense. But couldn't you also argue that if someone
gets access to the machine they could also use tcpdump to do the same
thing technically on the internal interface? Just playing devil's
advocate.. :)
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
Max Laier
Posted: Fri Jun 16, 2006 4:14 pm    Subject: Re: enc0 patch for ipsec

On Friday 16 June 2006 18:09, Scott Ullrich wrote:
Quote:
On 6/16/06, Max Laier <max@love2party.net> wrote:
The issue is, if an attacker manages to get root on your box they are
automatically able to read your IPSEC traffic ending at that box. If you
don't have enc(4) compiled in, that would be more difficult to do. Same
reason you don't want SADB_FLUSH on by default.

Okay, this makes sense. But couldn't you also argue that if someone
gets access to the machine they could also use tcpdump to do the same
thing technically on the internal interface? Just playing devil's
advocate.. :)

Think tunnel2tunnel or an SA for a local connection, then. Given, if you are
root you *might* have other means to obtain that information, but that is why
we have a switch to turn off bpf, kmem or the like.

Scott Ullrich
Posted: Fri Jun 16, 2006 4:15 pm    Subject: Re: enc0 patch for ipsec

On 6/16/06, Max Laier <max@love2party.net> wrote:
Quote:
Think tunnel2tunnel or an SA for a local connection, then. Given, if you are
root you *might* have other means to obtain that information, but that is why
we have a switch to turn off bpf, kmem or the like.

Gotcha. Thanks for clarifying :)

Scott
Gordon Tetlow
Posted: Fri Jun 16, 2006 5:22 pm    Subject: Re: enc0 patch for ipsec

Max Laier wrote:
Quote:
On Friday 16 June 2006 17:41, Scott Ullrich wrote:
On 6/16/06, Max Laier <max@love2party.net> wrote:
I think it should get a "device enc" on its own. Some people might
consider enc(4) to be a security problem so getting it with FAST_IPSEC
automatically isn't preferable.
You have to specifically create the enc0 interface (ifconfig enc0
create) before it becomes active. Otherwise it will not hit the enc
code path unless the device is created.

The issue is, if an attacker manages to get root on your box they are
automatically able to read your IPSEC traffic ending at that box. If you
don't have enc(4) compiled in, that would be more difficult to do. Same
reason you don't want SADB_FLUSH on by default.

Max is absolutely right here. The snooping interface should be a
separate option altogether (a la bpf).

- -gordon
Andre Oppermann
Posted: Fri Jun 16, 2006 5:43 pm    Subject: Re: enc0 patch for ipsec

Max Laier wrote:
Quote:
On Friday 16 June 2006 17:41, Scott Ullrich wrote:
On 6/16/06, Max Laier <max@love2party.net> wrote:
I think it should get a "device enc" on its own. Some people might
consider enc(4) to be a security problem so getting it with FAST_IPSEC
automatically isn't preferable.
You have to specifically create the enc0 interface (ifconfig enc0
create) before it becomes active. Otherwise it will not hit the enc
code path unless the device is created.

The issue is, if an attacker manages to get root on your box they are
automatically able to read your IPSEC traffic ending at that box. If you
don't have enc(4) compiled in, that would be more difficult to do. Same
reason you don't want SADB_FLUSH on by default.

*If* someone manages to get root on your IPSEC endpoint you've
lost anyway. The availability of enc(4) then is no longer of
importance.

--
Andre

Andrew Thompson
Posted: Fri Jun 16, 2006 10:22 pm    Subject: Re: enc0 patch for ipsec

On Fri, Jun 16, 2006 at 06:14:12PM +0200, Max Laier wrote:
Quote:
On Friday 16 June 2006 18:09, Scott Ullrich wrote:
On 6/16/06, Max Laier <max@love2party.net> wrote:
The issue is, if an attacker manages to get root on your box they are
automatically able to read your IPSEC traffic ending at that box. If you
don't have enc(4) compiled in, that would be more difficult to do. Same
reason you don't want SADB_FLUSH on by default.

Okay, this makes sense. But couldn't you also argue that if someone
gets access to the machine they could also use tcpdump to do the same
thing technically on the internal interface? Just playing devil's
advocate.. :)

Think tunnel2tunnel or an SA for a local connection, then. Given, if you are
root you *might* have other means to obtain that information, but that is why
we have a switch to turn off bpf, kmem or the like.

While the encryption keys are just a setkey -D away, I can see the
reason for separating it out. I have attached another patch with the
changes made.


Andrew
gnn@freebsd.org
Posted: Sat Jun 17, 2006 4:07 am    Subject: Re: enc0 patch for ipsec

I knew there was something bothering me about enc, now I know what it
was. I'm glad someone else caught this and that you fixed it.
Thanks.

I'll be testing the patch today.

Later,
George