Hello friends,

The Linux 2.6 ipsec code gets rid of virtual interfaces for IPSec. This is clearly The Right Thing for transport mode or AH, but it increasingly seems to me that it's The Wrong Thing for tunnel-mode ESP. After all, virtual interfaces are used for unencrypted IPIP; it seems to me that it would simplify both netfilter (you want different rules for the encrypted and unencrypted packets!) and routing/source address selection.

The latter, in particular, is a messy issue. Consider the following setup:

                                                       +-------------------------------+
  192.168.1.0/24 -+ 192.161.1.1       201.202.203.204  |                               |
                  +------------gw1--------------------+|                               |
                                                       |           Internet            |
                  +------------gw2--------------------+|                               |
  192.168.2.0/24 -+ 192.161.2.1       202.204.206.208  |                               |
                                                       +-------------------------------+

If implemented typically, as for example OpenSWAN does by default, gw1 will have the following routing table:

  Destination     Gateway         Genmask         Iface
  192.168.1.0     0.0.0.0         255.255.255.0   eth0
  192.168.2.0     201.202.203.1   255.255.255.0   eth1
  127.0.0.0       0.0.0.0         255.0.0.0       lo
  0.0.0.0         201.202.203.1   0.0.0.0         eth1

Unfortunately, this means that if a process on gw1 tries to connect to, say, 192.168.2.200, it will use a source address of 201.202.203.204, and will send it out unencrypted on the Internet which, of course, cannot route the packet.

I know there is work underway to deal with the netfilter issue, but the routing/address selection issue also seems like a problem. How should this be dealt with?

	-hpa
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
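The failure hpa describes (route lookup picks eth1, so the locally originated packet gets the public address as source and no longer matches the tunnel's traffic selector) can be reproduced with a small model of the kernel's longest-prefix-match lookup and source-address selection. The script below is an added example, not part of hpa's message or of any IPsec implementation; it assumes gw1's LAN-side address is 192.168.1.1, assumes a tunnel-mode SPD selector of 192.168.1.0/24 <-> 192.168.2.0/24, and models one common mitigation that the post itself does not mention: pinning a preferred source on the route to the remote subnet, as `ip route change 192.168.2.0/24 via 201.202.203.1 dev eth1 src 192.168.1.1` would do on a real gateway (the `src` hint is a standard iproute2 attribute for locally originated traffic).

```python
"""Model gw1's route lookup and source-address selection from the post.

Added example; routing table is the one quoted in the post, the interface
addresses and SPD selector are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the `route -n` style table quoted in the post.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Iface
192.168.1.0     0.0.0.0         255.255.255.0   eth0
192.168.2.0     201.202.203.1   255.255.255.0   eth1
127.0.0.0       0.0.0.0         255.0.0.0       lo
0.0.0.0         201.202.203.1   0.0.0.0         eth1
"""

# Assumed interface addresses of gw1: eth1 is 201.202.203.204 per the diagram,
# the LAN-side address 192.168.1.1 is an assumption.
IFACE_ADDR = {"eth0": "192.168.1.1", "eth1": "201.202.203.204", "lo": "127.0.0.1"}

# Assumed tunnel-mode traffic selector for the gw1 <-> gw2 tunnel (not in the post).
SPD_SELECTOR = (ipaddress.IPv4Network("192.168.1.0/24"),
                ipaddress.IPv4Network("192.168.2.0/24"))


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    gateway: Optional[str]
    iface: str
    src: Optional[str] = None  # preferred source, as set by `ip route ... src ADDR`


def parse_route_table(text: str) -> List[Route]:
    """Parse the Destination/Gateway/Genmask/Iface table into Route entries."""
    routes = []
    for line in text.strip().splitlines()[1:]:  # skip the header line
        dest, gw, mask, iface = line.split()
        net = ipaddress.IPv4Network(f"{dest}/{mask}")  # mask given in dotted form
        routes.append(Route(net, None if gw == "0.0.0.0" else gw, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match, the same rule the kernel FIB applies."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.dst]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.dst.prefixlen)


def select_source(routes: List[Route], dst: str) -> str:
    """Source address of a locally originated packet: the route's preferred
    source if one is set, otherwise the primary address of the egress interface."""
    r = lookup(routes, dst)
    return r.src or IFACE_ADDR[r.iface]


def tunnel_policy_matches(src: str, dst: str) -> bool:
    """True if (src, dst) hits the tunnel SPD entry. If not, the packet leaves
    eth1 in the clear, which is exactly the failure the post describes."""
    src_net, dst_net = SPD_SELECTOR
    return (ipaddress.IPv4Address(src) in src_net
            and ipaddress.IPv4Address(dst) in dst_net)


def with_src_hint(routes: List[Route], prefix: str, src: str) -> List[Route]:
    """Table after `ip route change PREFIX ... src SRC`: pin the preferred source
    on the route for PREFIX, leaving all other entries untouched."""
    net = ipaddress.IPv4Network(prefix)
    return [Route(r.dst, r.gateway, r.iface, src) if r.dst == net else r
            for r in routes]


def would_be_encrypted(routes: List[Route], dst: str) -> bool:
    """End-to-end check: does gw1's own traffic to dst get tunneled?"""
    return tunnel_policy_matches(select_source(routes, dst), dst)


if __name__ == "__main__":
    table = parse_route_table(ROUTE_TABLE)
    fixed = with_src_hint(table, "192.168.2.0/24", "192.168.1.1")
    for name, t in (("default table", table), ("with src hint", fixed)):
        s = select_source(t, "192.168.2.200")
        print(f"{name}: src={s} encrypted={tunnel_policy_matches(s, '192.168.2.200')}")
```

With the table as quoted, the connect to 192.168.2.200 is sourced from 201.202.203.204 and misses the selector; with the preferred source pinned, the same lookup yields 192.168.1.1 and the packet matches the tunnel policy. Traffic to the wider Internet still leaves unencrypted from the public address, as it should.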