[Openswan dev] Re: per-X controls

[Michael Richardson]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


{answering some old email... sorry}

>>>>> "Herbert" == Herbert Xu <herbert at gondor.apana.org.au> writes:
    >> For instance, it is now difficult to create a template that says
    >> to create a transport-mode SA where the origin port does not
    >> matter, but the destination port does.  I think that an example
    >> is of an L2TP transport mode SA behind a NAT.

    Herbert> I'm not sure that I understand your example correctly.

    Herbert> 1) For the L2TP server case you should already know what
    Herbert> the full selector is since you're receiving a new
    Herbert> connection from the client.  In fact, if you don't know
    Herbert> what the client's source port is you can't create a policy
    Herbert> at all.

  I'm not talking about kernel level things, but rather policy.
  
    Herbert> 2) For the L2TP client case you already know the server
    Herbert> address which allows you to specify a selector even using
    Herbert> today's pluto configuration language:

    Herbert> leftsubnet= rightsubnet= leftprotoport=udp/0
    Herbert> rightprotoport=udp/1701

  that's says:
	 create an SA with a specific origin port (specified by the
	 client).

  you can not say:
	 create an SA with %any as the origin port 

  that is because "%any" is implemented as "0"
	 
    >> The problem is that the templates may get instantiated with
    >> various fields filled in or not.
    >> 
    >> I'm about to introduce new keywords: perhost pertransport (or
    >> "perprotocol") leftperport rightperport

    Herbert> So I'm afraid I don't understand the need for these yet.
    Herbert> Perhaps they're more useful in an opportunistic encryption
    Herbert> setup?

  OE is always /32<->/32. 
  It's policies are always "per-host", and in fact, many of our %trap
policies mean that. But not all.
  
    >> I would like to express these values to the kernel, such that
    >> appropriate %hold eroutes can be made.  This may require some
    >> revision to the policy interface and to the ACQUIRE interface, so
    >> should occur later. (I would like the ACQUIRE interface to
    >> provide ~96 bytes of the header of the packet that caused the
    >> ACQUIRE, as well as cooked values. This should let us do more
    >> intelligent things later on. 96 gets IPv6 + transport header)

    Herbert> Currently Linux sets the larval state's selector to the
    Herbert> narrowest possible value which lets you identify the
    Herbert> session uniquely.

  Yes. Which works great in the case where you have "perX" as the
policy. There is no better selection. When the case is not perX, then
you have to create a new (broader) SA, an then delete the larval case,
which is fine.

- -- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

    "The Microsoft _Get the Facts CD_ does not work on Linux." - orospakr

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBRHCX+YCLcPvd0N1lAQKKSwf+JU+YO0jZJ53HQ2TQTz02iwhr4Hh3guDH
PovoIzyiNkW99GvqkyyE/vecA01oNTZYUvzYrvEjnaoBMjGXd3ybcjpvtzdx7znK
puI4fVUN65H61oqMhbzHKKgMCMuHQ3NrC4E3j5GMuXEPkwOnUGw+Ctbr+l3ANsVS
wm957Pp/eG1VjckViZSalsh5BFt7JEg8ar4e3fF9IFlx+LHPNZhxFU24pAPxENKJ
tZnxe8m+6UxKmOlFVxS82HSUbBrgAZ6QpnjVn7AbIckgvHwnTUX9XByXddLj+eON
wUxcZRVAhkVMMh/Lpa/DqhYf/uc7hgvS9/lDffSgpHBbHxeCKqiGvQ==
=kDCF
-----END PGP SIGNATURE-----