lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 10 May 2007 10:36:14 -0400 (EDT)
From:	Alan Stern <stern@...land.harvard.edu>
To:	Networking development <netdev@...r.kernel.org>
Subject: Questions about IPsec and Netfilter

I've got a few questions about the relationship between the IPsec 
implementation and Netfilter.

Q1: At what points during packet processing do the IPsec transformations 
occur?  In particular, which netfilter hooks do they come before and 
after?  And likewise, which routing operations do they come before and 
after?

Q2: When a packet using IPsec tunnel mode is encapsulated or 
de-encapsulated, does the newly-formed packet return to some earlier point 
in the stack for further netfilter processing or routing?  What about 
transport mode?

Q3: How can iptables rules determine whether they are dealing with a 
packet which has been de-encapsulated from (or encapsulated within) an 
IPsec wrapper?

Q4: Is it true that NAT-Traversal isn't implemented for transport mode?

In RFC 2401 (Security Architecture for the Internet Protocol), section 5
includes this text:

   As mentioned in Section 4.4.1 "The Security Policy Database (SPD)",
   the SPD must be consulted during the processing of all traffic
   (INBOUND and OUTBOUND), including non-IPsec traffic.  If no policy is
   found in the SPD that matches the packet (for either inbound or
   outbound traffic), the packet MUST be discarded.

But on Linux systems, by default the SPD is normally empty (as shown by
"setkey -DP") and all packets are allowed to pass unhindered.

Q5: Isn't this a violation of the RFC?  Or is there some implicit policy 
entry which accepts all packets without applying any security association?


Thanks for any answers.  I may think up more questions later...

Alan Stern

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ