Hello Alexey,

Sunday, November 23, 2003, 2:20:05 PM, you wrote:

>> I found the idea of tagging in PF very interesting, and we are
>> interested in using it for policy definitions, but here is the deal:
>> OVER THE INTERNET!... i know i know.... the "manipulated" or tagged
>> packets will be encapsulated into IPsec... so problems like fragmentation
>> or routers shouldn't be the problem. And on the other side would be an
>> "interpreter" or "translator" who "encodes" the tags off the packets.
>>
>> It is thought to be used on IPsec gateways or IPsec bridges.
>>
>> now my question is:
>>
>> 1. Which code part of pf is responsible for such a thing? (our part
>> will be doing it on userspace level, and not kernelspace)
>>
>> 2. What do you think would be the problem for the packets "on the way"? i
>> thought since they are encapsulated, it should not be a problem... and on
>> the receiver side, the packets would be joined again (the fragmented
>> packets) and forwarded to the client (behind bridge or gateway)

AES> there is already some kind of tagging in IP: the tos value. unfortunately,
AES> pf can not handle the tos value for its own purposes. from the other side, tos
AES> width is 4 bits only, so it can not handle much useful information
AES> (pf tags, for example). additionally, the way the routers over the
AES> world interpret the tos value is unpredictable.

How about if I use IPv6? Would that give me more space, comparable to the space I have using pf tagging? (in comparison to the 4 bits given by TOS)

--
Best regards,
Kifah mailto:[EMAIL PROTECTED]
