[Openswan dev] Using the spi in a script

John A. Sullivan III jsullivan at opensourcedevel.com
Mon Nov 21 11:28:19 CET 2005


On Mon, 2005-11-21 at 17:03 +0100, Paul Wouters wrote:
> On Sat, 19 Nov 2005, John A. Sullivan III wrote:
> 
> > >
> > > Thanks!  Yes, SPI is subject to change during rekeying, it's not a
> > > constant.  I think you're best using a combination of DN+Peer ID+IP's
> > Thanks, Ken.  That's what we do now but it's not perfect.  We grab the
> > DN and CA and cache the IP address against it in iptables rules.
> > However, that precludes allowing another user with the same IP since I
> > cannot use the DN as a criterion for iptables.  That's why I was looking
> > at espspi and then marking the packet.
> 
> I think we might have an extra variable once we have finished writing the
> new code to keep track of multiple roadwarriors behind the same NAT. It
> will have to track the original source port of the encapsulated packet,
> so perhaps we should pass that into _updown as well.
> 
That sounds quite interesting. Our problem is almost the opposite -
multiple roadwarriors with the same IP address behind different NAT
gateways.

So to think this through a little further, it is remotely possible that
two roadwarriors behind different NAT gateways could have the same
source socket.  That's certainly much, much better but not foolproof.
Hmm . . . however, just like the spi changes with rekeying, won't the
source port change with each application within the same session?

Let's say I am using esp in tunnel mode, my tunnel is provoked by the
client trying to connect to Exchange.  They start with some random
source port, let's say 2000, to destination port 135.  Are we capturing
source port 2000? If so, what happens when the port mapper then gives
the new destination port and we have a new socket pair governing the
user's connection to Exchange?  Then they decide to telnet to another
device on the same network -- a new socket pair all within the same
tunnel.

Am I missing the point?

So how can we uniquely identify a user's traffic whether multiple
roadwarriors behind the same NAT gateway or multiple roadwarriors with
the same encapsulated source address and source port behind different
NAT gateways? Is the spi still the best route? To interface with
iptables, can the packets be marked in mangle and have that mark follow
the decrypted packet through the rest of netfilter? Can we expose some
facility to engage iptables with each spi change?

I have no idea of what goes on within the code of either product and
have little "right" to even be on the developer's list but these are
some of my practical needs.  Thanks - John
<snip>
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
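The bookkeeping John describes (cache something per authenticated peer, then hand it to iptables, and keep it current as the SPI changes on rekey) can be sketched as an _updown-style hook. The following is an added example, not code from the Openswan project or from anyone in this thread. It uses the real PLUTO_PEER (peer's outer address) and PLUTO_PEER_ID (the DN) variables, but the inbound-SPI variable ESP_SPI_IN is a hypothetical name, and it assumes the hook is invoked with "up-client" again for each rekeyed SA. Rather than executing anything it returns the iptables mangle commands it would run, so the rekey and teardown logic can be checked offline. Keying on outer peer address plus SPI is what makes the two scenarios in the post distinct: peers behind different NATs differ in outer address, and peers behind the same NAT differ in SPI. Whether the mark then survives decapsulation is the question the post leaves open and is not addressed here.

```python
"""Hypothetical _updown-style helper (added example, not Openswan code).

Assigns a stable fwmark per peer DN and maintains one iptables mangle rule
per peer matching the current inbound ESP SPI, replacing it on rekey.
"""
from dataclasses import dataclass, field


@dataclass
class MarkTable:
    """State the hook needs to keep between invocations."""
    next_mark: int = 1
    marks: dict = field(default_factory=dict)  # peer DN -> fwmark
    spis: dict = field(default_factory=dict)   # peer DN -> current inbound SPI

    def mark_for(self, peer_id: str) -> int:
        """Return the peer's mark, allocating one on first sight."""
        if peer_id not in self.marks:
            self.marks[peer_id] = self.next_mark
            self.next_mark += 1
        return self.marks[peer_id]


def esp_rule(action: str, peer_ip: str, spi: int, mark: int) -> str:
    """Build an iptables command using the esp match (--espspi takes hex)."""
    return (f"iptables -t mangle -{action} PREROUTING -p esp -s {peer_ip} "
            f"-m esp --espspi 0x{spi:08x} -j MARK --set-mark {mark}")


def handle_updown(table: MarkTable, verb: str, env: dict) -> list:
    """Process one _updown invocation; env holds PLUTO_* style variables.

    Returns the list of iptables commands that should be executed.
    """
    peer_id = env["PLUTO_PEER_ID"]          # DN of the authenticated peer
    peer_ip = env["PLUTO_PEER"]             # outer (post-NAT) address
    spi = int(env["ESP_SPI_IN"], 16)        # hypothetical variable name
    mark = table.mark_for(peer_id)
    cmds = []

    if verb == "up-client":
        old = table.spis.get(peer_id)
        if old is not None and old != spi:
            # Rekey: the old SPI is gone, drop its rule before adding the new one.
            cmds.append(esp_rule("D", peer_ip, old, mark))
        if old != spi:
            cmds.append(esp_rule("A", peer_ip, spi, mark))
        table.spis[peer_id] = spi
    elif verb == "down-client":
        old = table.spis.pop(peer_id, None)
        if old is not None:
            cmds.append(esp_rule("D", peer_ip, old, mark))
    return cmds


if __name__ == "__main__":
    # Constructed sample values: two roadwarriors behind different NATs.
    table = MarkTable()
    alice = {"PLUTO_PEER_ID": "C=US, CN=alice",
             "PLUTO_PEER": "203.0.113.10", "ESP_SPI_IN": "0x1a2b3c4d"}
    bob = {"PLUTO_PEER_ID": "C=US, CN=bob",
           "PLUTO_PEER": "198.51.100.7", "ESP_SPI_IN": "0x1a2b3c4d"}
    for verb, env in [("up-client", alice), ("up-client", bob),
                      ("up-client", dict(alice, ESP_SPI_IN="0x5e6f7a8b")),
                      ("down-client", alice)]:
        for cmd in handle_updown(table, verb, env):
            print(cmd)
```

Note that the mark is allocated against the DN, not the SPI, so a peer keeps the same mark across rekeys and only the SPI match in the rule is swapped; a second up-client with an unchanged SPI emits nothing, which keeps the hook idempotent if pluto calls it more than once for the same SA.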
