Date:	Mon, 7 Nov 2011 19:38:58 +0800
From:	danila.st@...l.ru
To:	linux-kernel@...r.kernel.org
Subject: IPSec IP range in Linux kernel

Hello!

To begin with, I'm from Russia, so I apologize in advance for the English from Google Translate. :)

Plus, I have never had to deal with mailing lists before, so do not kick me immediately if this is not written on topic. But I sincerely hope this is the right address.

Initially, I tried to write a letter directly to David Miller. He told me to write to the mailing list and not directly to him. Which one exactly I did not know, which is why I am writing here.

I beg you to take me seriously! The fact is that Russian people are not always treated with the most seriousness and mutual respect.

Now I will describe the problem itself. In our organization, devices such as the Zyxel Zywall are used to set up IPSec encrypted connections. Below is a diagram:

server (zywall)
192.168.1.0/24-----------------192.168.7.1-192.168.7.5 (client 1)
    | |
    | ------------------- 192.168.7.6-192.168.7.10 (client 2)
    |
    --------------------------- 192.168.7.11-192.168.7.15 (client 3)

Explanation of the scheme: on the head Zywall a set of IPSec connections is configured. One feature of these rules is that all these connections combine the main enterprise network 192.168.1.0/24 with the other subnet 192.168.7.0/24, broken into pieces, each of which contains a range of 5 forwarded addresses.

Instead of the head server, we decided to use a server running Linux. And we immediately faced the problem that in Linux you can set only one address/subnet per connection. The ability to connect to a range of addresses does not exist as such. As a result, the connection fails; it fails at the stage of policy harmonization.

Therefore I appeal to you. I tried to contact the Russian representative office of Zyxel. No clear answers were received. Apparently they are not developers, just distributors. I tried to write on the forums. I received only a proposal to replace the range with a subnet. Maybe they're right, but the question arises: why is this feature implemented in devices from the company Zyxel?

In general, I am writing to you with a rational proposal to help you add this feature to Linux. Well, and some related questions:

1) Could you describe the structure of the SADB and SPD policy tables? Where in the source code are they described?
2) Please explain the IPSec subsystem in Linux. Perhaps you have links to the appropriate literature, descriptions, documentation?

P.S. I'd love to hear the answer from David Miller himself, as it is his design.
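The "replace the range with a subnet" suggestion the poster received on the forums is what the kernel's policy selector actually requires: an SPD entry in Linux (`struct xfrm_selector`) carries a source and destination address plus a prefix length, not an arbitrary first/last pair, so a contiguous range such as 192.168.7.1-192.168.7.5 has to be expressed as the set of CIDR prefixes that exactly covers it. The following is an added example written for this archive page, not code from the post or from the kernel: it decomposes each client range from the diagram into prefixes, checks the cover is exact and non-overlapping, cross-checks against Python's `ipaddress` module, and renders the corresponding `ip xfrm policy add` selectors. The tunnel endpoint addresses `GW_LOCAL` and `GW_REMOTE` are placeholders because the post does not give them.

```python
import ipaddress

# Constructed input: the three client ranges from the diagram in the post.
CLIENT_RANGES = [
    ("192.168.7.1", "192.168.7.5"),
    ("192.168.7.6", "192.168.7.10"),
    ("192.168.7.11", "192.168.7.15"),
]
SITE_NET = "192.168.1.0/24"  # main enterprise network from the post


def range_to_prefixes(first, last):
    """Split the inclusive IPv4 range first..last into the fewest CIDR prefixes.

    At each step take the largest block that is aligned at the current start
    address and whose last address does not run past `last`.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    prefixes = []
    while start <= end:
        # Alignment: the number of low-order zero bits in `start` bounds the block size.
        bits = 0
        while bits < 32 and start & ((1 << (bits + 1)) - 1) == 0:
            bits += 1
        # Shrink the block until its last address is still inside the range.
        while bits > 0 and start + (1 << bits) - 1 > end:
            bits -= 1
        prefixes.append(ipaddress.IPv4Network((start, 32 - bits)))
        start += 1 << bits
    return prefixes


def prefixes_cover_exactly(prefixes, first, last):
    """True if the prefixes cover every address in first..last, nothing outside it,
    and no address twice (overlapping selectors would make policy lookup ambiguous)."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    seen = set()
    for net in prefixes:
        for addr in net:  # iterating a network yields all of its addresses
            a = int(addr)
            if a in seen or a < start or a > end:
                return False
            seen.add(a)
    return len(seen) == end - start + 1


def matches_stdlib(first, last):
    """Cross-check: the decomposition equals ipaddress.summarize_address_range()."""
    expected = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return range_to_prefixes(first, last) == expected


def xfrm_policy_commands(site_net, client_ranges, gw_local="GW_LOCAL", gw_remote="GW_REMOTE"):
    """Render one `ip xfrm policy add` per prefix and direction.

    gw_local / gw_remote are placeholder tunnel endpoints (hypothetical; the
    post gives no gateway addresses). Each range becomes several selectors,
    which is the price of prefix-based SPD matching.
    """
    cmds = []
    for first, last in client_ranges:
        for net in range_to_prefixes(first, last):
            cmds.append(
                f"ip xfrm policy add src {site_net} dst {net} dir out "
                f"tmpl src {gw_local} dst {gw_remote} proto esp mode tunnel"
            )
            cmds.append(
                f"ip xfrm policy add src {net} dst {site_net} dir in "
                f"tmpl src {gw_remote} dst {gw_local} proto esp mode tunnel"
            )
    return cmds


if __name__ == "__main__":
    for first, last in CLIENT_RANGES:
        nets = range_to_prefixes(first, last)
        print(f"{first}-{last}: {[str(n) for n in nets]} exact={prefixes_cover_exactly(nets, first, last)}")
    print("\n".join(xfrm_policy_commands(SITE_NET, CLIENT_RANGES)))
```

Running it shows why the ranges in the diagram are awkward for a prefix-based SPD: 192.168.7.1-.5 and 192.168.7.6-.10 each need three prefixes and 192.168.7.11-.15 needs two, so the three clients cost eight selectors per direction instead of three. Ranges that start on an aligned boundary and have a power-of-two length (for example .0-.7 or .8-.15) collapse to a single prefix, which is the kind of re-plan the forum reply was proposing.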
