lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 24 May 2007 18:25:23 +0900
From:	Fernando Luis Vázquez Cao 
	<fernando@....ntt.co.jp>
To:	Herbert Xu <herbert@...dor.apana.org.au>
Cc:	netdev@...r.kernel.org, davem@...emloft.net
Subject: Re: [IPv6] UDP Encapsulation of IPsec ESP Packets

On Thu, 2007-05-24 at 18:03 +0900, Fernando Luis Vázquez Cao wrote:
> On Thu, 2007-05-24 at 18:34 +1000, Herbert Xu wrote:
> > Fernando Luis V??zquez Cao <fernando@....ntt.co.jp> wrote:
> > > I noticed that IPv4-over-IPv6 made into 2.6.21 (thank you!) and that
> > > prompted to check the progress with the implementation of rfc3948 (UDP
> > > Encapsulation of IPsec ESP Packets) in Linux. For IPv4 the code is
> > > already there, but that does not seem to be the case for IPv6. I have
> > > checked the usagi kernels and Dave S. Miller's net git tree and could
> > > not find anything.
> > > 
> > > Is anyone working on this? I would appreciate any information on the
> > > status of this work.
> > 
> > If we don't have NAT on IPv6 why would you need UDP encapsulation?
> Hi Herbert,
> 
> Thank you for your feedback.
> 
> Depending on the filtering rules it is possible that a gateway/firewall
> does not accept incoming ESP packets. When the filter rules of the
> firewall cannot be changed (because one is not the administrator) the
> only way of traversing the firewall is using some sort of encapsulation,
> such as UDP encapsulation.
> 
> Is there any other way to circumvent this issue?
> 
> (By the way, the premise is that network is a pure ipv6 environment)
As an aside, RFC-3948 explicitly indicates that ESP encapsulation as
defined in the RFC can be used in both IPv4 and IPv6 scenarios. I guess
that they had cases like this in mind.

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ