On Sun, Dec 10, 2006 at 11:00:01AM +0900, Mathieu Sauve-Frankel wrote:
> > So whereas Linux has both a Security Policy Database and a Security
> > Association Database in the kernel, I believe (and someone please correct me
> > if I'm wrong) that the OpenBSD kernel has only an SAD. You put your policy into
> > ipsecctl, which passes it onto isakmpd, and isakmpd negotiates keys and
> > sticks them in the SAD.
>
> You're wrong. Look at src/sys/netinet/ip_spd.c.
> You can manipulate the SPD by using static flow esp rules and using the type
> keyword.
>
> flow esp from 192.168.0.0/24 to 192.168.1.0/24 peer 192.168.0.2 type require
Thank you; that section in ipsecctl(8) makes more sense to me now.

'permit' and 'deny' are obvious. The manpage isn't clear on the others, but as
far as I can tell from ip_spd.c they mean something like this:

'require' - if we have an SAD entry then use it. If not, drop the packet but
            ask the key management daemon to set up an SA.

'dontacq' - if we have an SAD entry then use it. If not, drop the packet.

'acquire' - if we have an SAD entry then use it. If not, accept the packet in
            the clear but ask the key management daemon to set up an SA.

'use'     - if we have an SAD entry then use it. If not, accept the packet in
            the clear.

Still, being able to use pf as well is a big bonus, as it lets you have a
simple anti-spoofing policy such as "traffic with source 10/8 must originate
from an internal interface or enc0", which is often sufficient.

Thanks again,

Brian.
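As an added illustration (not part of the thread, and not from the OpenBSD project), here is the policy described above written as static ipsec.conf(5) flow rules using the type keyword, alongside the pf.conf(5) anti-spoofing rules that reject a 10/8 source unless it arrives on the internal interface or enc0. The interface names, the 10.x subnets and the 192.0.2.x peers are assumed values.

```conf
# --- /etc/ipsec.conf (added example; addresses and peers are assumed) ---
# Static flow rules populate the SPD directly; isakmpd is only asked for
# an SA when the flow type says so.

# 'require': no SA yet -> drop the packet and ask isakmpd to negotiate one.
# Cleartext never leaves for this selector.
flow esp from 10.1.0.0/16 to 10.2.0.0/16 peer 192.0.2.2 type require

# 'dontacq': no SA yet -> drop the packet and do not ask isakmpd
# (suits manually keyed SAs that must already be in the SAD).
flow esp from 10.1.0.0/16 to 10.3.0.0/16 peer 192.0.2.3 type dontacq

# 'use': no SA yet -> pass in the clear; an SA is used only if one exists.
# Opportunistic, so it gives no guarantee that traffic is protected.
flow esp from 10.1.0.0/16 to 10.4.0.0/16 peer 192.0.2.4 type use

# --- /etc/pf.conf (added example; interface names are assumed) ---
# Traffic with a 10/8 source must arrive on the internal interface or enc0.
# ESP packets are decapsulated by the kernel and the inner packet is then
# filtered again on enc0, so the rules below see the cleartext addresses.
int_if = "em1"
ext_if = "em0"

# A 10/8 source on the external interface is spoofed: drop it early.
block in quick on $ext_if from 10.0.0.0/8 to any

# The same addresses are legitimate from the LAN or out of a tunnel.
pass in on { $int_if, enc0 } from 10.0.0.0/8 to any

# Let the IPsec traffic itself (ESP and IKE) reach this host.
pass in on $ext_if proto esp from 192.0.2.0/24 to ($ext_if)
pass in on $ext_if proto udp from 192.0.2.0/24 to ($ext_if) port { 500, 4500 }
```

Because the cleartext inner packet is only ever seen on enc0, the pf check complements the SPD: the flow type decides whether a packet may leave unprotected, and pf decides whether an internal source address is believable on the interface it arrived on.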