Re: Protection of port 500
In your previous mail you wrote:
> I'd want at least the option of some lower layer policy enforcement (ACLs,
> filters, etc.) in addition to whatever the app layer provides.
For such paranoia, a good implementation should allow that. We allow
node-wide policy to disallow even the root-restricted bypass privilege we
normally allow. We do not default to that, so that we can make our IKE
daemon do per-socket bypass, as well as allow future versions of diagnostic
tools (e.g. traceroute) to potentially bypass policy on a per-invocation
basis.
=> FreeBSD 4.2 (and all BSDs with KAME-based IPsec support) has a ping[6]
with a policy option. I have just tried it against a remote site configured
with required ESP for everything, and it works as you believe (i.e. a ping
with no policy, or with the default output policy ("out entrust"), triggers IKE
exchanges and works after a small delay; the same ping with "out bypass" fails
because the peer rejects unprotected echo requests).
This is exactly what you have just described using your proposed API
(draft-mcdonald-simple-ipsec-api-01.txt) ideas...
Thanks
Francis.Dupont@enst-bretagne.fr
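As an added illustration, not part of the original message: a setkey(8) SPD configuration of the kind that gives the peer the "required ESP for everything" behaviour described above. It is written for KAME-based IPsec (FreeBSD 4.x with racoon as the IKE daemon) and assumes, as McDonald's text implies, that the IKE daemon sets a per-socket bypass policy on its own UDP/500 socket, so that the blanket "require" policy does not block the negotiation it is meant to trigger.

```conf
# peer-spd.conf -- load on the peer with: setkey -f peer-spd.conf
# Hypothetical example configuration for a KAME-based IPsec stack.
#
# Flush the existing SPD, then require ESP in transport mode for all
# IPv6 traffic in both directions.  With level "require":
#   - an unprotected inbound packet matching the selector is dropped
#     (this is what rejects the "out bypass" echo request);
#   - an outbound packet with no matching SA is held while the kernel
#     asks the IKE daemon (racoon) to negotiate one, which is the
#     "small delay" seen on the first protected ping.
# racoon's own IKE traffic on UDP/500 is exempt only because it sets
# a per-socket bypass policy on its socket (not shown here).
spdflush;
spdadd ::/0 ::/0 any -P in  ipsec esp/transport//require;
spdadd ::/0 ::/0 any -P out ipsec esp/transport//require;
```

From the client side, the three cases in the message correspond to the KAME ping6 -P policy option: a plain `ping6 <peer>` uses the system default policy, `ping6 -P "out entrust" <peer>` defers to the SPD (both negotiate via IKE and succeed), while `ping6 -P "out bypass" <peer>` sends the echo request in the clear and is dropped by the peer's "require" policy.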