promiscuous mode

2009-05-19 Thread Fortunato
Hello all,

I've looked over the ifconfig man page and can't find a way to set a specific 
interface to PROMISC mode on 4.4, for example:

  vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500

Here's another example showing that this is possible:

  sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

Is there a way to set the flags to PROMISC for an interface?

A good reference would work.

Ciao for now,



Re: promiscuous mode

2009-05-19 Thread Fortunato
Thanks, tcpdump does it alright, but I'd like to have promiscuous mode on 
without running tcpdump in the background if possible. (I'll take this as a 
learning moment otherwise.) I'm trying to use the first vr[0-3] interfaces like 
an L2 switch in this case.


-Original Message-
From: Ted Unangst ted.unan...@gmail.com
Sent: May 19, 2009 3:18 PM
To: Fortunato fortunato.montre...@earthlink.net
Cc: misc@openbsd.org
Subject: Re: promiscuous mode

On Tue, May 19, 2009 at 2:51 PM, Fortunato
fortunato.montre...@earthlink.net wrote:
> Hello all,
>
> I've looked over the ifconfig man page and can't find a way to set a
> specific interface to PROMISC mode on 4.4, for example:

ifconfig can't be used to set an interface to promiscuous.  You can
use something like tcpdump.



Re: promiscuous mode

2009-05-19 Thread Fortunato
Grazie,

For some reason when I put all the vr interfaces in the bridge at first, there 
was no forwarding. (I did not verify nor know about the PROMISC settings at the 
time.) After much tinkering, it works and brconfig does set the interfaces on 
PROMISC. 

Thanks to all,

-Original Message-
From: Matthew Dempsky matt...@dempsky.org
Sent: May 19, 2009 4:21 PM
To: Fortunato fortunato.montre...@earthlink.net
Cc: misc@openbsd.org
Subject: Re: promiscuous mode

On Tue, May 19, 2009 at 1:03 PM, Fortunato
fortunato.montre...@earthlink.net wrote:
> Thanks, tcpdump does it alright, but I'd like to have promiscuous mode on
> without running tcpdump in the background if possible.

The interfaces are put into promiscuous mode automatically when
there's something that needs them to be.  Otherwise, it's a waste of
CPU time to receive packets that the network stack is simply going to
otherwise discard.

> I'm trying to use the first vr[0-3] interfaces like an L2 switch in this
> case.

It sounds like you want to set up a bridge(4).  Check the bridgename.if
and brconfig man pages.



Re: Help with PKG_PATH=

2009-05-14 Thread Fortunato
Newbie slap to head - D'OH!

I'm gonna have to memorize the standard package:

  http://www.openbsd.org/faq/faq1.html#Included

Dankeschoen...

-Original Message-
From: Mike Erdely m...@erdelynet.com
Sent: May 14, 2009 1:59 PM
To: Fortunato fortunato.montre...@earthlink.net
Cc: misc@openbsd.org
Subject: Re: Help with PKG_PATH=

On Thu, May 14, 2009 at 01:39:13PM -0700, Fortunato wrote:
>   # pwd
>   /root/Desktop
>   # ls -l openbgpd-4.4.1.tgz
>
>   -rw-r--r--  1 root  wheel  163070 May 13 18:08 openbgpd-4.4.1.tgz
>   # export PKG_PATH=/root/Desktop
>   # pkg_add openbgpd-4.4.1.tgz
>
>   Can't find openbgpd-4.4.1.tgz
>   /usr/sbin/pkg_add: openbgpd-4.4.1.tgz:Fatal error

openbgpd is not a package.  It's included in the base operating system
(assuming you're running OpenBSD).

$ which bgpd
/usr/sbin/bgpd

-ME



Re: vstr string library

2009-05-05 Thread Fortunato
If I knew enough on how to port strongSwan, I would - but I'm not a developer, 
much less a C programmer. (make is like sominex to me)

<hearsay>
Andreas Steffen from strongSwan mentioned that support for printf hooks (%N, 
%H, etc.) is required, and since BSD doesn't do this - the vstr string library 
is required instead. 

Either way, the strongSwan team is busy porting strongSwan to *BSD. Rumour is 
that the current svn version could possibly work with FreeBSD but they are 
still trying to solve some problems with OpenBSD.
</hearsay>

Ciao,

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
Stuart Henderson
Sent: Tuesday, May 05, 2009 3:45 AM
To: misc@openbsd.org
Subject: Re: vstr string library

On 2009-05-05, Fortunato fortunato.montre...@earthlink.net wrote:
> Thanks. I tried to compile the strongSwan source and came to a screeching
> halt on this error message.
>
>   checking for main in -lvstr... no configure: error: Vstr string library not found
>
> Just as an FYI, this is to test some IKEv2 features.

Looks like you can use glibc instead. Are you planning on porting it
to work with our ipsec stack?



configuration of switch ports

2009-05-04 Thread Fortunato
Hello misc,

Could someone point me towards the conf file (or docs) that sets up ports as 
switch ports? 

Thanks,



vstr string library

2009-05-04 Thread Fortunato
Hello,
Could someone please let me know if the vstr string library is available under 
a specific OpenBSD lib package? 
Tks



Re: vstr string library

2009-05-04 Thread Fortunato
Thanks. I tried to compile the strongSwan source and came to a screeching halt 
on this error message.

  checking for main in -lvstr... no configure: error: Vstr string library not found

Just as an FYI, this is to test some IKEv2 features.

Ciao,

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
Stuart Henderson
Sent: Monday, May 04, 2009 4:04 PM
To: misc@openbsd.org
Subject: Re: vstr string library

On 2009-05-04, Fortunato fortunato.montre...@earthlink.net wrote:
> Hello,
> Could someone please let me know if the vstr string library is available
> under a specific OpenBSD lib package?
> Tks



Not at the moment. The most likely reason it would be added is if
there's some other software that somebody is particularly interested
in that requires it.



Re: AH+ESP and IPv6

2009-01-06 Thread Fortunato
Hello again,

I was hoping to avoid a discussion on the merits of AH versus ESP. 

ESP does provide authentication, but in the context of an integrity check value 
for the IPv6 payload, not the IPv6 header. Additionally, from what I've read, ESP 
authentication is optional; therefore my follow-up question is: is there a way to 
turn off optional ESP authentication in OpenBSD? 

But back to my original question. One of the requirements we have is to use 
both AH and ESP. Is there a way to do this in OpenBSD? We got other OSs to use 
both AH and ESP, but I'd personally like to get OpenBSD involved in a more 
heterogeneous testbed.

Cheers,

-Original Message-
From: t...@fries.net
Sent: Jan 2, 2009 11:36 AM
To: Felipe Alfaro Solana felipe.alf...@gmail.com
Cc: fortunato.montre...@earthlink.net, misc@openbsd.org
Subject: Re: AH+ESP and IPv6

If ESP does not decrypt, the payload is invalid. Adding AH adds no further
functionality other than to thwart any attempts at NAT.
-- 
Todd Fries .. t...@fries.net

 _
| \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com \  1.866.792.3418 (FAX)
| ..in support of free software solutions.  \  250797 (FWD)
| \
 \\
 
  37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt

Penned by Felipe Alfaro Solana on 20090102 20:29.56, we have:
| On Fri, Jan 2, 2009 at 7:52 PM, Todd T. Fries t...@fries.net wrote:
| 
|  The other answer is, ESP provides AH, therefore AH is deprecated.
| 
| 
| What do you mean? That OpenBSD's implementation of ESP automatically uses AH
| too? (payload inside AH inside ESP?) Because ESP only provides
| authentication for the payload only but not for the IP header. That's why AH
| is useful.
| 
| Unless you really really want to play with AH to verify it works and such
|  (which the below suggests it does not) ...
|  --
|  Todd Fries .. t...@fries.net
| 
|   _
|  | \  1.636.410.0632 (voice)
|  | Free Daemon Consulting, LLC \  1.405.227.9094 (voice)
|  | http://FreeDaemonConsulting.com \  1.866.792.3418 (FAX)
|  | ..in support of free software solutions.  \  250797 (FWD)
|  | \
|   \\
| 
|   37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
| http://todd.fries.net/pgp.txt
| 
|  Penned by Felipe Alfaro Solana on 20090102 17:38.51, we have:
|  | On Tue, Dec 30, 2008 at 9:29 PM, fortunato.montre...@earthlink.net
|  wrote:
|  |
|  |  I'm trying to use both AH and ESP to setup IPsec using Transport mode
|  |  between two IPv6 OpenBSD 4.4 hosts.
|  | 
|  |  So far it worked for AH Transport mode or ESP Transport mode but I
|  don't
|  |  quite know how to do both AH and ESP. Any ideas?
|  | 
|  |  Here's a snippet from /etc/ipsec.conf :
|  | 
|  |   ike esp transport from 2001::10 to 2001::5 psk secret
|  | 
|  |  Then tried the following (and vice versa - ah vice esp).
|  | 
|  |   ike esp transport from 2001::10 to 2001::5 psk secret
|  |   flow ah from 2001::10 to 2001::5
|  | 
|  |  I'm not sure either.
|  |
|  | Since you can apply ESP then AH, or apply AH and then ESP (depending on
|  | what's more important for you, the digital signature or the encryption)
|  it's
|  | not obvious to me how to do it.
|  |
|  | --
|  | http://www.felipe-alfaro.org/blog/disclaimer/
| 
| 
| 
| 
| -- 
| http://www.felipe-alfaro.org/blog/disclaimer/
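
Added example, not part of the thread: a simplified Python model of the integrity coverage argued about above (AH per RFC 4302 versus ESP per RFC 4303, transport mode, IPv6), showing which in-transit changes each ICV detects. It uses the thread's addresses; the key, SPIs, payload bytes, the altered source 2001::66 and all function names are constructed, and encryption, SA lookup and replay checks are left out.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"   # constructed integrity key, not from the thread
DST = "2001::5"

def ipv6_header(src, next_header, payload_len, hop_limit):
    """Fixed 40-byte IPv6 header (traffic class and flow label left at 0)."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit)
            + socket.inet_pton(socket.AF_INET6, src)
            + socket.inet_pton(socket.AF_INET6, DST))

def icv(data):
    """HMAC-SHA1-96: HMAC-SHA1 truncated to 12 bytes."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(ip_hdr, ah_fixed, upper):
    """AH input: IP header with mutable fields zeroed, AH header with a
    zeroed ICV field, then the upper-layer data."""
    masked = bytearray(ip_hdr)
    masked[0:4] = struct.pack("!I", 6 << 28)  # traffic class + flow label -> 0
    masked[7] = 0                              # hop limit -> 0
    return icv(bytes(masked) + ah_fixed + bytes(12) + upper)

def esp_icv(esp_hdr, body):
    """ESP input: SPI, sequence number and the ESP payload. No IP header."""
    return icv(esp_hdr + body)

def verify(src="2001::10", hop_limit=64, tamper_payload=False):
    """Return (ah_ok, esp_ok) for a packet altered in transit as requested."""
    body = b"constructed payload bytes"   # stands in for TCP data / ciphertext
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1)  # nh, len, rsvd, SPI, seq
    esp_hdr = struct.pack("!II", 0x2000, 1)                # SPI, seq
    # Sender side: tags computed over the original packet.
    tag_ah = ah_icv(ipv6_header("2001::10", 51, 24 + len(body), 64), ah_fixed, body)
    tag_esp = esp_icv(esp_hdr, body)
    # Receiver side: recompute over what actually arrived.
    rx_body = body[:-1] + bytes([body[-1] ^ 1]) if tamper_payload else body
    rx_hdr = ipv6_header(src, 51, 24 + len(body), hop_limit)
    ah_ok = hmac.compare_digest(tag_ah, ah_icv(rx_hdr, ah_fixed, rx_body))
    esp_ok = hmac.compare_digest(tag_esp, esp_icv(esp_hdr, rx_body))
    return ah_ok, esp_ok

if __name__ == "__main__":
    print("unchanged packet :", verify())
    print("hop limit 64->63 :", verify(hop_limit=63))
    print("source rewritten :", verify(src="2001::66"))
    print("payload bit flip :", verify(tamper_payload=True))
```

A rewritten source address fails only the AH check, which is also why AH does not survive NAT, while a payload change fails both.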



AH+ESP and IPv6

2008-12-30 Thread fortunato . montresor
I'm trying to use both AH and ESP to setup IPsec using Transport mode between 
two IPv6 OpenBSD 4.4 hosts.

So far it worked for AH Transport mode or ESP Transport mode but I don't quite 
know how to do both AH and ESP. Any ideas? 

Here's a snippet from /etc/ipsec.conf :

  ike esp transport from 2001::10 to 2001::5 psk secret

Then tried the following (and vice versa - ah vice esp). 

  ike esp transport from 2001::10 to 2001::5 psk secret
  flow ah from 2001::10 to 2001::5