IPv6 + AH + ESP
Michael H. Warfield
Mon, 7 Feb 2000 08:17:03 -0500
On Mon, Feb 07, 2000 at 12:52:12PM +0100, Gerhard Gessler wrote:
> Hi all,
> I would like to know whether somebody is working on integrating AH and
> ESP into the IPv6 networking part of Linux. Is this possible via a
> netfilter module? Are there already plans / actions to do this?
Could you refine that question a bit?
Are you asking if someone is doing IPSec (AH and ESP) on IPv6?
Then the answer is definitely yes. This is being done as part of the
FreeSwan project <www.freeswan.org>. As far as doing it via the netfilter
module... It's not being done that way at this time. I believe, however,
that they are intending to migrate the KLIPS (Kernel Level IPSec code)
to using some of the netfilter hooks in the future.
If you are asking if netfilter is going to support filtering
based on AH and ESP headers, I would think that it could already do
If you are asking if netfilter will filter something like tcp
that is encapsulated by ESP and AH the answer would be "it depends".
Netfilter can't get at the ESP encrypted payload so it can't filter
based on the tcp port unless the IPSec tunnel terminates and is decrypted
on the netfilter system. If the ESP encryption is ESPNULL or it only
contains AH headers, then this is possible and is no different than any
other non-encrypted tunnel (other than the option headers).
> Thank you in advance,
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
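To make the "it depends" concrete, here is an added example (not from this thread, FreeSwan or netfilter) that walks an IPv6 header chain the way a stateless packet filter would: through option headers and AH, which leave the inner TCP ports in the clear, and stopping at ESP, whose SPI is visible but whose payload (including the inner next-header byte) is opaque. It assumes a filter that does not know the SA, so it cannot tell ESP-NULL from encrypted ESP; the sample packets and addresses are constructed.

```python
import struct

# IPv6 next-header values (IANA protocol numbers)
HOPOPT, TCP, ROUTING, ESP, AH, DSTOPTS = 0, 6, 43, 50, 51, 60

def filter_view(pkt: bytes) -> dict:
    """Walk an IPv6 header chain like a stateless filter and report what it
    can see: the header chain, the AH/ESP SPI, and the TCP ports only when
    they are reachable in the clear (option headers and AH are walked
    through; ESP stops the walk because its payload is ciphertext)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40
    view = {"chain": [], "spi": None, "ports": None}
    while off + 4 <= len(pkt):
        view["chain"].append(nxt)
        if nxt in (HOPOPT, ROUTING, DSTOPTS):
            # Generic extension header: next header byte, then length in
            # 8-byte units not counting the first 8 bytes.
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nxt == AH:
            # AH (RFC 2402): next hdr, payload len (32-bit words minus 2),
            # reserved, SPI, sequence, ICV. Authenticated, not encrypted.
            view["spi"] = struct.unpack("!I", pkt[off + 4:off + 8])[0]
            nxt, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif nxt == ESP:
            # ESP (RFC 2406): SPI and sequence are in the clear; everything
            # after them, including the inner next-header byte, is opaque.
            view["spi"] = struct.unpack("!I", pkt[off:off + 4])[0]
            break
        elif nxt == TCP:
            view["ports"] = struct.unpack("!HH", pkt[off:off + 4])
            break
        else:
            break
    return view

# --- constructed sample packets (addresses from the 2001:db8::/32 doc prefix) ---
def ipv6(nxt: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")
    return struct.pack("!IHBB", 0x60000000, len(payload), nxt, 64) + src + dst + payload
def tcp(sport: int, dport: int) -> bytes:  # minimal 20-byte TCP header (SYN)
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
def ah(nxt: int, spi: int, icv: bytes = bytes(12)) -> bytes:  # AH with 96-bit ICV
    return struct.pack("!BBHII", nxt, (12 + len(icv)) // 4 - 2, 0, spi, 1) + icv
AH_SSH = ipv6(AH, ah(TCP, 0x1001) + tcp(43210, 22))             # AH only: ports visible
ESP_SSH = ipv6(ESP, struct.pack("!II", 0x2002, 1) + bytes(32))  # ESP: payload opaque
```

Running `filter_view` on the two packets shows the difference: the AH packet yields the TCP port pair that a filter could match on, while the ESP packet yields only the SPI.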