On Tuesday 2008-04-15 05:41, Fábio Souto wrote: > > I'm trying to find out some alternatives for a task I have been > assigned. Basically, I want to sign IPSec packets on another > machine. The idea is when I receive an IPSec packet, I delegate the > cryptographic signature generation to another machine, and I > receive the signed packet. > > I'm currently studying several alternatives for doing this, and > even tried a socket-based approach, by changing some kernel > modules, which has failed. It would require a huge remake of kernel > code; this task is made even harder due to lack of documentation. > > So I was wondering if anyone knew if with netfilter is possible to > achieve this. Any other suggestions/hints would be extremely > valued. The situation is deliberate, yes. IPsec is done in what you could call the xfrm subsystem, not netfilter. To that end, the only suggestion I could give is that you create a new xfrm policy/state from esp where esp is split into your encryption and signing "targets". It kinda brings me the question why the ipsec transformation is not done with an xtables target instead; that would also give handy access to connection tracking if needed. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
