
Re: [Design] letting traffic flow through a SG by default

From: D. Hugh Redelmeier <hugh(at)mimosa.com>
Date: Wed Mar 12 2003 - 15:57:36 EST


Here's my current thinking on this problem.

  • management wants folks to be able to drop FreeS/WAN onto a system without requiring any other changes to the system. It should continue to work the way it did, except for the fact that OE might be able to provide privacy for some links.

    We'd even like distribution vendors to enable FreeS/WAN without troubling their clients.

    This motivating case requires that packets flow by default.

    (FreeS/WAN must not automatically enable forwarding -- that would create security problems.)

    (Ordinary firewall rules may well not apply to the ipsecN device, so we may actually be creating a security problem that way. Hard to see a way around this.)

  • we don't really have a way for FreeS/WAN to discover what subnets are "behind" our node. So we pretty much have to default to passing 0.0.0.0/0->0.0.0.0/0 traffic.

  • how should we pass it? A pass eroute is obvious. An OE conn might be even better:

    + there is an opportunity to keep the traffic private

    - slower: we must go through the OE protocol for each new pair
    - there *might* be some security attacks. With the recently added code to check DNS for credentials for the local side, many such opportunities have been foreclosed. Are there any that don't require hijacking the reverse domain of the IP address to be hijacked?

I propose to add the following implicit conn:

    conn packetdefault
        leftsubnet=0.0.0.0/0
        also=private-or-clear

The "config setup" option "packetdefault" would be eliminated.

I considered calling it "default", but that would get confused with the %default conn -- something quite different.

Notice that the leftsubnet is hard coded to be everything. We had considered making a general mechanism that would use mysubnet= to specify subnets to be handled, and to default mysubnet to be 0.0.0.0.

I prefer this more modest proposal:

  • the policies for each *real* subnet are likely to be distinct
  • even when actual subnets are present and reflected in the configuration, there still needs to be a policy for packets from other sources.
  • the proposal is not likely to interfere with any features that we might add later
  • the proposal is very easy to implement and needs no new supporting infrastructure.
  • it is very easy for a sysadmin to override this feature. For example, add to ipsec.conf:

        conn packetdefault
            leftsubnet=0.0.0.0/0
            also=block

Hugh Redelmeier
hugh@mimosa.com voice: +1 416 482-8253



Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design

Received on Thu Mar 13 01:31:05 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:57 EDT

