diff options
author | tobhe <tobhe@cvs.openbsd.org> | 2020-04-23 19:38:10 +0000 |
---|---|---|
committer | tobhe <tobhe@cvs.openbsd.org> | 2020-04-23 19:38:10 +0000 |
commit | b4921f76f870f2461ae9f70dabeb2c6d3ddcd425 (patch) | |
tree | 571007de94ea7f2191d4feea227f1ae52d2cdfee /sys/dev/fdt/dwpcie.c | |
parent | 5ac974a527901effb41f7289022a88d576eaa141 (diff) |
Add support for autmatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic seperated and reduces the attack surface for network
sidechannel attacks.
The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept seperate.
The encrypted and unencrypted rdomains can have different default routes.
The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' afer IPsec processing.
Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.
As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.
discussed with chris@ and kn@
ok markus@, patrick@
Diffstat (limited to 'sys/dev/fdt/dwpcie.c')
0 files changed, 0 insertions, 0 deletions