summaryrefslogtreecommitdiff
path: root/sys/dev/fdt/dwpcie.c
diff options
context:
space:
mode:
authortobhe <tobhe@cvs.openbsd.org>2020-04-23 19:38:10 +0000
committertobhe <tobhe@cvs.openbsd.org>2020-04-23 19:38:10 +0000
commitb4921f76f870f2461ae9f70dabeb2c6d3ddcd425 (patch)
tree571007de94ea7f2191d4feea227f1ae52d2cdfee /sys/dev/fdt/dwpcie.c
parent5ac974a527901effb41f7289022a88d576eaa141 (diff)
Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted network traffic seperated and reduces the attack surface for network sidechannel attacks. The only way to reach the inner rdomain from outside is by successful decryption and integrity verification through the responsible Security Association (SA). The only way for internal traffic to get out is getting encrypted and moved through the outgoing SA. Multiple plaintext rdomains can share the same encrypted rdomain while the unencrypted packets are still kept seperate. The encrypted and unencrypted rdomains can have different default routes. The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'. If this differs from 'tdb_rdomain' then the packet is moved to 'tdb_rdomain_post' afer IPsec processing. Flows and outgoing IPsec SAs are installed in the plaintext rdomain, incoming IPsec SAs are installed in the encrypted rdomain. IPCOMP SAs are always installed in the plaintext rdomain. They can be viewed with 'route -T X exec ipsecctl -sa' where X is the rdomain ID. As the kernel does not create encX devices automatically when creating rdomains they have to be added by hand with ifconfig for IPsec to work in non-default rdomains. discussed with chris@ and kn@ ok markus@, patrick@
Diffstat (limited to 'sys/dev/fdt/dwpcie.c')
0 files changed, 0 insertions, 0 deletions