tech-net archive


Re: reverse processing order: NAT, IPsec ?
On Fri, Jun 12, 2009 at 02:14:20PM +0200, Hubert Feyrer wrote:
> On Fri, 12 Jun 2009, Greg Troxel wrote:
> >Start by reading netinet/ip_output.c.  IPSEC is before PFIL_HOOKS.  I
> >think right now munging in there is the only way.
> 
> My hope was to avoid this...
> 
> 
> >You could also have a second machine and NAT but not IPsec on that, and
> >separate NAT and IPsec functionality.  Kludgy perhaps (xen?), but it
> >might be fewer hours to what you want.
> 
> The Netscreen that I've been playing with basically has two machines in 
> one, which allows doing this in a ~sane way. Running something as 
> heavyweight as Xen to just do NAT sounds pretty sub-optimal.
> 
> I wonder if all this could be done on a single machine, with some bridge 
> interfaces in between, or similar...

if_tap can be used as a virtual interface; would this help to decouple
the networks before/after NAT?

        -is

