[Openswan dev] per-X controls

Michael Richardson mcr at xelerance.com
Fri Oct 28 13:39:46 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----


A number of people have problems with pluto where it creates policies 
from templates with the wrong granularity. A lot of this has to do with
lack of controls added when protocol and port selectors were added, and
this is compounded by transport-mode SAs and NAT.

For instance, it is now difficult to create a template that says to create
a transport-mode SA where the origin port does not matter, but the
destination port does.  I think that an example is of an L2TP transport
mode SA behind a NAT.  

The problem is that the templates may get instantiated with various
fields filled in or not. 

I'm about to introduce new keywords:
	  perhost
	  pertransport	(or "perprotocol")
	  leftperport
	  rightperport

"perhost" has been previously implied by creating a template SA, (one
with %any as leftsubnet= or rightsubnet= AND opportunistic set) so it
and so will default to =yes, for those situations. (I have to think
about this some more)

This should simplify the question as to whether the kernel interface
routines should pass 0 or the real value to the initiate() routines.

I would like to express these values to the kernel, such that
appropriate %hold eroutes can be made.  This may require some revision
to the policy interface and to the ACQUIRE interface, so should occur
later. (I would like the ACQUIRE interface to provide ~96 bytes of the
header of the packet that caused the ACQUIRE, as well as cooked
values. This should let us do more intelligent things later on. 96 gets
IPv6 + transport header)

- -- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


	  


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQ2JUUIqHRg3pndX9AQHhggP9ErH+wbux8BOekUmcBC5yI5DUNDrOCFfe
Em7TulfTeSe5uigHWqD37ZcERUu3iBfJTzL/7nXTpHk1tqQp1KjgqFDQivrp+BCY
DKlKEq8NsS+Dqsx11aFwWGBCg2iII1/V/I3cpBwJRePW7cTEbjPreeIfY7cY33LK
GznUkIMZxUU=
=9O4C
-----END PGP SIGNATURE-----


More information about the Dev mailing list