On Wed, 16 Nov 2011, David Woodhouse wrote:

> On Mon, 2011-11-14 at 21:08 +0400, Lucas wrote:
>>
>> I am talking about ipsec over TCP.
>>
>> Everything can do ipsec over UDP, but none over TCP. But on my job for
>> the security reason UDP is blocked, cisco vpn can do ipsec over tcp.
>
> That's entirely stupid. The Cisco "IPsec over TCP" is basically the
> *same* as UDP, except it fakes a TCP header on each packet in order to
> make it pass through crappy firewalls and NAT which only supports TCP.
>
> If your IT department think that UDP needs to be blocked "for the
> security reason", then it sounds like they are incompetent and should be
> fired. Or just taken out back and shot.
>
> We *have* had Cisco's IPSec over TCP working; it's not particularly
> difficult. However, we never really worked out how to make it work
> nicely on Linux; the kernel really *really* wants to eat all TCP packets
> and will give a TCP RST to any connection it doesn't think is open. Any
> mechanism to effectively operate TCP in userspace, which is what we need
> to do, would be very much frowned upon.

Openswan had thought about supporting the same silly thing to avoid stupid
sysadmins using its KLIPS IPsec stack. We have not done this so far. The
problem is once you go this way, you are basically engaging in warfare
that culminates in a "skype" type protocol.

Having said that, for DNS (with DNSSEC) facing similar issues, doing raw DNS
over 443 works pretty well, and unbound SVN already has alpha support for
doing dns-over-real-https. Chrome supports dnssec-blobs-in-x509-options.

At what point do we stop building another onion around the internet? Everyone
knows the internet should not be tunneled over tcp 443. Everyone knows when you
NAT on the net you're not on the net. At some point, we are going to have to
leave those severely broken networks behind.

Paul
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel