On Sun, Dec 10, 2006 at 11:00:01AM +0900, Mathieu Sauve-Frankel wrote:
> > So whereas Linux has both a Security Policy Database and a Security
> > Association Database in the kernel, I believe (and someone please correct me
> > if I'm wrong) that OpenBSD kernel has only an SAD. You put your policy into
> > ipsecctl, which passes it onto isakmpd, and isakmpd negotiates keys and
> > sticks them in the SAD.
>
> You're wrong. Look at src/sys/netinet/ip_spd.c.
> You can manipulate the spd by using static flow esp rules and using the type
> keyword.
>
> flow esp from 192.168.0.0/24 to 192.168.1.0/24 peer 192.168.0.2 type require

Thank you; that section in ipsecctl(8) makes more sense to me now.
'permit' and 'deny' are obvious. The manpage isn't clear on the others, but
as far as I can tell from ip_spd.c they mean something like this:

'require' - if we have an SAD entry then use it. If not, drop the packet
but ask the key management daemon to set up an SA.
'dontacq' - if we have an SAD entry then use it. If not, drop the packet.
'acquire' - if we have an SAD entry then use it. If not, accept the packet
in the clear but ask the key management daemon to set up an SA.
'use' - if we have an SAD entry then use it. If not, accept the packet
in the clear.

Still, being able to use pf as well is a big bonus, as it lets you have a
simple anti-spoofing policy such as "traffic with source 10/8 must originate
from an internal interface or enc0" which is often sufficient.

Thanks again,
Brian.
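The flow types discussed in this message and the enc0 anti-spoofing policy, written out as an added example that is not part of the thread; the subnets, peers and interface names (em0, em1) are assumed, and the key management daemon is assumed to be configured separately:

```conf
# /etc/ipsec.conf (added example; addresses and peers are assumed)
# Traffic between these LANs must be protected: with no SA in the SAD the
# packet is dropped and the key management daemon is asked to set one up.
flow esp from 192.168.0.0/24 to 192.168.1.0/24 peer 192.168.0.2 type require

# Same lookup, but a missing SA only drops the packet; no SA is requested
# (suitable where SAs are installed by other means).
flow esp from 192.168.0.0/24 to 192.168.2.0/24 peer 192.168.0.3 type dontacq

# Fail-open variants: use an SA when present, otherwise pass in the clear.
# 'acquire' also asks for an SA to be set up; 'use' does not.
flow esp from 192.168.0.0/24 to 192.168.3.0/24 peer 192.168.0.4 type acquire
flow esp from 192.168.0.0/24 to 192.168.4.0/24 peer 192.168.0.5 type use

# /etc/pf.conf (added example; interface names are assumed)
# Packets claiming a 10/8 source are accepted only on the internal
# interface or on enc0, i.e. after they were decapsulated from an SA.
int_if = "em0"
ext_if = "em1"
block in quick on $ext_if inet from 10.0.0.0/8 to any
pass in on { $int_if enc0 } inet from 10.0.0.0/8 to any
```

Only 'require' and 'dontacq' fail closed; the 'acquire' and 'use' flows let cleartext through whenever no SA exists, so the pf rules are what stop a spoofed 10/8 packet arriving on the external interface.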