Hello Bill,

let me try to answer your questions.

> Date: Sat, 23 Jan 1999 15:59:42 -0800
> From: Bill Randle <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: ENskip and masquerading
> 
> I know you said no support, etc., but I have a quick question that you can
> perhaps clarify for me. What is the relationship/limitations between skip and
> masquerading?

Masquerading is a kernel module for every IP-service.
The main effect is that all packets into the exterior net (e.g. Internet)
look as if they would come from the firewall.
Incoming packets are captured and distributed to their original
destination with an internal list, depending on time and ports used.

Skip encrypts packets and uses another IP-protocol (#57) to deliver
packets to a destination having the key to decode the packets.
This protocol is connectionless.

It's a very good question to ask if masquerading and skip will
collide in theory. In practice (linux) they do. The main problem
is in the way the authors of enskip used the interface to network
devices. This interface should have been rewritten (but who does that)
and then the practical question can turn out to be a theoretical one.
That's not to criticize the authors of ENskip -- it's just a matter of
history.

The cleaner way to avoid masquerading at all is to write transparent
proxies at user level. You have the advantages of ENskip and masquerading.
With transparent proxies all packets come from the firewall, no matter if
they are destined for the Internet or destined to be delivered for VPN.
If you do ENskip after transparent proxy, you have both points.
The trick is to set up a tunnel to the destination VPN-LANs, going into
ENskip, not to specify tunneling in /etc/skipd.conf.

> Can ENskip be run on a kernel configured for masq. - even if
> it's not in use? 

YES.

> How a clear tunnel to the host(s) that are running skip,
> with the non-skip hosts masqueraded? 

I don't understand your question -- probably my poor English.
Please cite an example.

> Does this mean skip can not be run on
> a firewall machine?

NO.
Please look for my announcement for linuxwall coming monday morning.
If you want the latest patches for ENskip and linux-2.2, look at

  http://www.linux-firewall.de/enskip/

> 
>       -Bill Randle
>       Central Oregon Internet
>       [EMAIL PROTECTED]
> 

Frank Bernard
[EMAIL PROTECTED]
www.linux-firewall.de
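An added illustration, not part of Frank's message and not code from ENskip or the Linux masquerading module: a toy model of the masquerading table described above (the "internal list, depending on time and ports used"). All addresses, ports and the timeout are constructed. It shows that a port-keyed table can rewrite outbound TCP/UDP packets to the firewall's address and route replies back by port, but has nothing to key on for a port-less carrier such as SKIP's IP protocol 57; the real Linux 2.2 conflict Frank describes lies in the network-device interface, which this model does not cover.

```python
"""Toy many-to-one NAT ("masquerading") table, constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import time

FIREWALL_IP = "203.0.113.1"   # constructed: exterior address of the firewall
SKIP_PROTO = "ip57"           # SKIP rides on IP protocol 57 and carries no ports
MAPPING_TIMEOUT = 60.0        # constructed: seconds an idle mapping stays alive


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "ip57"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    payload: bytes = b""


class Masquerader:
    """Rewrites outbound packets to the firewall address, demuxes replies by port."""

    def __init__(self, fw_ip: str, timeout: float = MAPPING_TIMEOUT, clock=time.monotonic):
        self.fw_ip = fw_ip
        self.timeout = timeout
        self.clock = clock            # injectable clock so expiry can be tested
        self.next_port = 61000        # constructed start of the masquerade port pool
        # (proto, masq_port) -> (original src, original sport, last-used time)
        self.table: Dict[Tuple[str, int], Tuple[str, int, float]] = {}

    def _expire(self) -> None:
        now = self.clock()
        for key in [k for k, (_, _, t) in self.table.items() if now - t > self.timeout]:
            del self.table[key]

    def outbound(self, pkt: Packet) -> Packet:
        """Interior -> exterior: make the packet look as if it came from the firewall."""
        self._expire()
        if pkt.sport is None:
            # No port field: the table has no way to tell replies apart later.
            raise ValueError(f"{pkt.proto}: no port to key the masquerade table on")
        for (proto, masq_port), (src, sport, _) in self.table.items():
            if proto == pkt.proto and src == pkt.src and sport == pkt.sport:
                break                                   # reuse the existing mapping
        else:
            masq_port = self.next_port
            self.next_port += 1
        self.table[(pkt.proto, masq_port)] = (pkt.src, pkt.sport, self.clock())
        return Packet(pkt.proto, self.fw_ip, pkt.dst, masq_port, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Exterior -> interior: deliver to the original host, or drop if unknown."""
        self._expire()
        if pkt.dport is None:
            return None
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None                                 # expired or never mapped
        src, sport, _ = entry
        self.table[(pkt.proto, pkt.dport)] = (src, sport, self.clock())
        return Packet(pkt.proto, pkt.src, src, pkt.sport, sport, pkt.payload)


def demo():
    """Run a TCP round trip, an expired reply, and a port-less SKIP packet."""
    now = [1000.0]                                      # constructed fake clock
    masq = Masquerader(FIREWALL_IP, timeout=MAPPING_TIMEOUT, clock=lambda: now[0])

    out = masq.outbound(Packet("tcp", "10.0.0.5", "198.51.100.7", 40000, 80))
    reply = masq.inbound(Packet("tcp", "198.51.100.7", FIREWALL_IP, 80, out.sport))

    now[0] += MAPPING_TIMEOUT + 1                       # idle past the timeout
    late = masq.inbound(Packet("tcp", "198.51.100.7", FIREWALL_IP, 80, out.sport))

    try:
        masq.outbound(Packet(SKIP_PROTO, "10.0.0.5", "198.51.100.7"))
        skip_masqueraded = True
    except ValueError:
        skip_masqueraded = False
    return out, reply, late, skip_masqueraded


if __name__ == "__main__":
    o, r, l, s = demo()
    print("outbound rewritten to", o.src, o.sport)
    print("reply delivered to", r.dst, r.dport)
    print("late reply delivered:", l is not None)
    print("SKIP packet masqueraded:", s)
```

Exterior peers only ever see the firewall address and a pool port, and the state that maps a reply back lives solely in the table, which is why the entry has to expire by time: there is no connection teardown the module can rely on. The last case is the one Frank's answer turns on. An encrypted protocol-57 datagram gives the table no port to record, so the module cannot tell which interior host a reply belongs to; running the transparent proxy first, as he suggests, means the SKIP traffic already originates at the firewall and never needs a table entry.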
