Hi,

I was wondering if anyone has tested the IPSec functionality in conjunction with NAT for the Linux 2.6 kernel? With/without VLAN thrown in.

Over the weekend I will need to do a lot of kernel code reading because I need to understand the interaction between the NetFilter (NAT) code and the IPSec code, how they tie in, how to play with this interaction to ensure that it will not break under any circumstances, even when deployed with VLANs under various field conditions.

Over the last couple of days, I googled for documents that would explain NAT IPSec interaction, and read up on stuff from the Documentation directory. I also did a preliminary review of the code. My background is that I am comfortable with IPSec/IKE, and reasonably familiar with Linux networking code.

Here's what I understand. Feel free to correct/berate/curse.

1. Using RFC and BSD terminology, security policies (SP) are stored in the kernel using setkey, and security associations (SA) are then negotiated using IKE (racoon), based on the SP "guidelines" that are programmed into the kernel.

2. xfrm4_policy_check() seems to be the main IPSec policy check function for IPv4 packets. It calls the generic xfrm_policy_check() which then does a match using xfrm_selector_match() and does lookups using "xfrm_sk_policy_lookup()" and "xfrm_policy_lookup()" as necessary, to finally retrieve a policy, if one exists.

3. xfrm4_policy_check() itself is called from many places like ip_rcv(), udp_rcv(), tcp_v4_rcv(), and ip_local_deliver().

4. When a packet is received, ip_rcv() calls the NF_HOOK (PF_INET, NF_IP_PRE_ROUTING, ip_rcv_finish()...).

5. ip_rcv_finish() then calls ip_route_input(), and dst_input() for forwarded packets. dst_input() calls skb->dst->input() which is set to ip_forward().

6. ip_forward() is the first place where xfrm4_policy_check() takes place for a packet being forwarded.

7. Thus NAT [step 4] takes place before IPSec policies are invoked [step 6]. Is this correct?
I am trying to understand if NAT takes place before or after IPSec. Ideally, for IPSec + NAT to work smoothly, the IPSec sub-system should be between the NAT sub-system and the Internet.

Any explanations here would be greatly appreciated.

Thanks,
Ranjeet.

--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/

The views, opinions, and judgements expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Zultys.
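The practical consequence of the ordering asked about in the post (PREROUTING DNAT in ip_rcv() running before the xfrm4_policy_check() in ip_forward(), steps 4 through 7) is that a forwarded packet reaches the policy lookup with already-rewritten addresses, so an SP selector written against the pre-NAT destination will not match it. The toy model below, added here as an illustration and not part of the original post or of the kernel source, makes that visible: it abstracts netfilter DNAT and xfrm selector matching into small Python objects and runs the same constructed packet through both orderings. The ordering is taken as an assumption from the post's steps, not verified against the kernel, and all addresses, ports and policy names are constructed sample values.

```python
"""Toy model of NAT/IPsec-policy ordering on the Linux forward path.

Assumption (from the post's steps 4-7, not verified here): NF_IP_PRE_ROUTING
DNAT runs in ip_rcv() before ip_forward() calls xfrm4_policy_check().
Constructed example; the Packet/DnatRule/Policy classes stand in for the
kernel's sk_buff, nf_nat rules and xfrm_selector, nothing more.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int            # 6 = TCP, 17 = UDP
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class DnatRule:
    """PREROUTING DNAT: rewrite dst:dport when the original dst:dport matches."""
    match_dst: str
    match_dport: int
    new_dst: str
    new_dport: int


@dataclass(frozen=True)
class Policy:
    """Security policy with an xfrm_selector-like match: prefixes, proto, dport."""
    name: str
    src: str              # CIDR prefix
    dst: str              # CIDR prefix
    proto: Optional[int] = None
    dport: Optional[int] = None

    def selector_match(self, pkt: Packet) -> bool:
        # Analogue of xfrm_selector_match(): both address prefixes, then proto/port.
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def prerouting_dnat(pkt: Packet, rules: List[DnatRule]) -> Packet:
    """First matching DNAT rule wins, as a netfilter nat table would."""
    for r in rules:
        if pkt.dst == r.match_dst and pkt.dport == r.match_dport:
            return replace(pkt, dst=r.new_dst, dport=r.new_dport)
    return pkt


def xfrm_policy_lookup(pkt: Packet, policies: List[Policy]) -> Optional[str]:
    """Return the name of the first policy whose selector matches, else None."""
    for p in policies:
        if p.selector_match(pkt):
            return p.name
    return None


def forward_path(pkt: Packet, nat_rules: List[DnatRule], policies: List[Policy],
                 nat_before_xfrm: bool = True) -> Tuple[Packet, Optional[str]]:
    """Run DNAT and the policy lookup in either order; return (packet, matched SP)."""
    if nat_before_xfrm:                      # the ordering the post describes
        pkt = prerouting_dnat(pkt, nat_rules)
        return pkt, xfrm_policy_lookup(pkt, policies)
    matched = xfrm_policy_lookup(pkt, policies)   # hypothetical reverse ordering
    return prerouting_dnat(pkt, nat_rules), matched


# Constructed sample data (RFC 5737 documentation ranges, made-up names).
NAT_RULES = [DnatRule("198.51.100.1", 443, "10.0.0.5", 8443)]
POLICIES = [
    Policy("sp-public", "0.0.0.0/0", "198.51.100.1/32", proto=6, dport=443),
    Policy("sp-internal", "0.0.0.0/0", "10.0.0.0/24", proto=6),
]
SAMPLE = Packet("203.0.113.10", "198.51.100.1", 6, 40000, 443)


def demo() -> Dict[str, Tuple[str, int, Optional[str]]]:
    """Same packet, both orderings: (post-NAT dst, post-NAT dport, matched SP)."""
    results = {}
    for order in (True, False):
        pkt, name = forward_path(SAMPLE, NAT_RULES, POLICIES, nat_before_xfrm=order)
        results["nat_first" if order else "xfrm_first"] = (pkt.dst, pkt.dport, name)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

With NAT first, the packet arrives at the lookup as 10.0.0.5:8443 and only the policy written for the internal prefix matches; with the lookup first, the public-address policy matches instead. Whichever ordering the kernel actually implements, the policy selectors have to be written for the addresses the packet carries at the point where the check runs, which is the question the post is asking.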