Message-ID: <48DB4304.4050801@iki.fi>
Date: Thu, 25 Sep 2008 10:51:32 +0300
From: Timo Teräs <timo.teras@....fi>
To: netdev@...r.kernel.org
CC: Herbert Xu <herbert@...dor.apana.org.au>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>
Subject: NBMA GRE over IPsec behind NAT
I've been working on OpenNHRP (http://opennhrp.sf.net) to get Cisco DMVPN
support for Linux boxes. Basically it is NBMA GRE over IPsec, and the GRE
level private IP to public IP mapping is done via the NHRP protocol. OpenNHRP does
this by talking to the kernel neighbor cache.
I still haven't bumped into this problem (and probably won't for a while),
but it'd be good to solve it anyway. The problem is that if I have multiple
IPsec nodes behind the same NAT box, that is, both have the same public IP but
different NAT original addresses, the NHRP private IP to public IP mapping is
not enough. Since NHRP knows the NAT-OA, it could indicate that back to the kernel
neighbor cache. ip_gre could then pass that information to the xfrm layer,
which could use it to decide the correct IPsec SA to use.
Now I'm trying to figure out how this should be done. Maybe a new attribute to the
neighbor cache message? Or give both IP addresses in the NDA_LLADDR
attribute? And how could ip_gre pass that info to xfrm? Or maybe ip_gre
would not have to be touched, and xfrm could just get the extra info from the
neighbor cache?
Thanks,
Timo
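Added illustration (not code from the post, from OpenNHRP or from the kernel): a Python sketch of the second option raised in the message, carrying both the public IP and the NAT-OA in NDA_LLADDR, and of why the public address alone is not enough to pick an SA when two peers sit behind one NAT. The ndmsg/rtattr framing and the NDA_DST, NDA_LLADDR and NUD_PERMANENT values are the real rtnetlink ones; the 8-byte NDA_LLADDR layout, the SA table and all addresses are assumptions constructed for the example.

```python
import socket
import struct

# rtnetlink constants from <linux/neighbour.h> (real values)
NDA_DST = 1          # neighbor's protocol address (here: GRE-level private IP)
NDA_LLADDR = 2       # neighbor's link-layer address (here: NBMA public IP)
NUD_PERMANENT = 0x80
AF_INET = 2

NDMSG_FMT = "=BxxxiHBB"  # ndm_family, pad, ndm_ifindex, ndm_state, ndm_flags, ndm_type
RTA_FMT = "=HH"          # rta_len, rta_type

# Constructed SA table: two peers behind the same NAT (198.51.100.7), told
# apart only by their NAT original address. Entries: (public_ip, nat_oa, sa_name)
SA_TABLE = [
    ("198.51.100.7", "10.0.0.2", "sa-peerA"),
    ("198.51.100.7", "10.0.0.3", "sa-peerB"),
    ("203.0.113.9", None, "sa-peerC"),   # peer not behind NAT
]


def rta(rta_type, payload):
    """Encode one rtattr: header plus payload, padded to a 4-byte boundary."""
    length = struct.calcsize(RTA_FMT) + len(payload)
    return struct.pack(RTA_FMT, length, rta_type) + payload + b"\x00" * ((-length) % 4)


def build_neigh(ifindex, private_ip, public_ip, nat_oa=None):
    """Build an ndmsg body plus attributes for one NBMA GRE neighbor.

    NDA_LLADDR carries the peer's public IPv4 address, optionally followed by
    its NAT original address. The 8-byte form is a hypothetical layout for the
    'both addresses in NDA_LLADDR' option; the kernel defines no such format.
    """
    ndm = struct.pack(NDMSG_FMT, AF_INET, ifindex, NUD_PERMANENT, 0, 0)
    lladdr = socket.inet_aton(public_ip)
    if nat_oa is not None:
        lladdr += socket.inet_aton(nat_oa)
    return ndm + rta(NDA_DST, socket.inet_aton(private_ip)) + rta(NDA_LLADDR, lladdr)


def parse_neigh(msg):
    """Decode a message produced by build_neigh() into a dict."""
    hdr_len = struct.calcsize(NDMSG_FMT)
    family, ifindex, state, flags, ntype = struct.unpack(NDMSG_FMT, msg[:hdr_len])
    if family != AF_INET:
        raise ValueError("only AF_INET neighbors are handled here")
    attrs = {}
    off = hdr_len
    while off + 4 <= len(msg):
        length, rta_type = struct.unpack(RTA_FMT, msg[off:off + 4])
        if length < 4 or off + length > len(msg):
            raise ValueError("malformed rtattr")
        attrs[rta_type] = msg[off + 4:off + length]
        off += (length + 3) & ~3          # attributes are 4-byte aligned
    lladdr = attrs[NDA_LLADDR]
    if len(lladdr) not in (4, 8):
        raise ValueError("unexpected NDA_LLADDR length %d" % len(lladdr))
    return {
        "ifindex": ifindex,
        "private_ip": socket.inet_ntoa(attrs[NDA_DST]),
        "public_ip": socket.inet_ntoa(lladdr[:4]),
        "nat_oa": socket.inet_ntoa(lladdr[4:]) if len(lladdr) == 8 else None,
    }


class AmbiguousPeer(Exception):
    """Several SAs share the public address and no NAT-OA was supplied."""


def select_sa(sa_table, public_ip, nat_oa=None):
    """Pick the SA for a peer; without NAT-OA, peers behind one NAT collide."""
    matches = [sa for sa in sa_table
               if sa[0] == public_ip and (nat_oa is None or sa[1] == nat_oa)]
    if not matches:
        raise KeyError("no SA for %s" % public_ip)
    if len(matches) > 1:
        raise AmbiguousPeer(public_ip)
    return matches[0][2]


if __name__ == "__main__":
    msg = build_neigh(3, "172.16.0.2", "198.51.100.7", "10.0.0.2")
    neigh = parse_neigh(msg)
    print(neigh, "->", select_sa(SA_TABLE, neigh["public_ip"], neigh["nat_oa"]))
```

The public-IP-only lookup for 198.51.100.7 raises AmbiguousPeer, which is exactly the situation the message describes; once the neighbor entry also carries the NAT-OA, the same lookup resolves to a single SA.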