Re: linux-ipsec: short-circuiting port-500 for pluto

> Can anybody see any objections to short-circuiting port 500 so that it

Some background on this, in case anyone's not sure what's being proposed:
The problem is that if Pluto negotiates an encrypted connection on behalf
of its own host, not a subnet hiding behind said host, then *all* traffic
coming to its host from the other end gets encrypted. Including Pluto's
own conversations with its peer on the other end. That's unnecessary,
because Pluto does its own encryption. Worse, it badly interferes with
things like crash recovery, because if Pluto's host goes down and comes
back up again, it loses all memory of the encrypted connection, and Pluto
can no longer talk to the other end at all.

The right way to solve this is with a full Security Policy Database, as
mandated in the specs, so Pluto (or some other policy thing) can tell the
kernel to exempt port-500 traffic from encryption etc. However, we don't
yet have an SPD. We will eventually, but it's not a small job. So a
temporary kludge has been suggested: a hardwired exemption for port-500
traffic, so it always goes through without any IPSEC processing. It's
ugly, but it looks helpful, and it *will* be temporary. Can anyone see
anything badly wrong with it?

Henry Spencer
henry@spsystems.net
(henry@zoo.toronto.edu)
Received on Tue Oct 20 18:20:06 1998
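
Added example, not part of the message above and not FreeS/WAN code: one way the hardwired port-500 exemption described in the message could be written as a packet classifier in C. The function names are hypothetical; requiring both ports to be 500 and refusing the exemption to non-first fragments are assumptions of this example.

```c
/* Added illustration: names are hypothetical, not FreeS/WAN code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IKE_PORT  500   /* UDP port Pluto negotiates on */
#define PROTO_UDP 17
enum verdict { IPSEC_APPLY, IPSEC_BYPASS };

/* BYPASS only for an IPv4/UDP packet (whole or first fragment) with both
 * ports 500; anything else, or anything unparseable, gets normal IPsec
 * processing (fail closed). */
enum verdict classify_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return IPSEC_APPLY;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length with options */
    if (ihl < 20 || len < ihl + 8 || pkt[9] != PROTO_UDP)
        return IPSEC_APPLY;
    /* Later fragments carry no UDP header: bytes at pkt[ihl] are payload. */
    if ((((unsigned)pkt[6] << 8) | pkt[7]) & 0x1fff)
        return IPSEC_APPLY;
    unsigned sport = ((unsigned)pkt[ihl] << 8) | pkt[ihl + 1];
    unsigned dport = ((unsigned)pkt[ihl + 2] << 8) | pkt[ihl + 3];
    /* Assumption of this example: source and destination must both be 500. */
    return (sport == IKE_PORT && dport == IKE_PORT) ? IPSEC_BYPASS : IPSEC_APPLY;
}

/* Fill b (>= 28 bytes) with a constructed IPv4+UDP header pair. */
size_t make_pkt(uint8_t *b, uint8_t proto, unsigned frag_off,
                unsigned sport, unsigned dport)
{
    memset(b, 0, 28);
    b[0] = 0x45;                                  /* IPv4, IHL = 5 words */
    b[6] = (frag_off >> 8) & 0x1f;  b[7] = frag_off & 0xff;
    b[9] = proto;
    b[20] = (sport >> 8) & 0xff;  b[21] = sport & 0xff;
    b[22] = (dport >> 8) & 0xff;  b[23] = dport & 0xff;
    return 28;
}

int main(void)
{
    uint8_t b[28];
    size_t n = make_pkt(b, PROTO_UDP, 0, IKE_PORT, IKE_PORT);
    printf("IKE 500->500: %s\n", classify_ipv4(b, n) == IPSEC_BYPASS ? "bypass" : "apply");
    return 0;
}
```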