On 18.10.2016 21:43, Brian O'Connor wrote:
> I think I have the decryption process clear but was not clear on the iptables
> processing for encrypted packets. From what you said, it looks like the NAT-T
> header is added after the iptables processing of an outbound encrypted packet,
> on the second pass by the outbound XFRM lookup. Is my understanding correct?

ESP encapsulation and NAT-T are applied in a single step when the packet is
processed in xfrm encode.

Generally, a packet that is sent *from a local process* and is to be protected
with IPsec makes two passes through the OUTPUT PATH part of the graphic:

1) When it is sent by the process and passed through the chains and other parts
   of Netfilter in the path, until it is caught by xfrm lookup and is fed into
   xfrm encode.
2) When it is passed from xfrm encode into *raw OUTPUT. When that happens, the
   original packet that was sent by the kernel is transformed by xfrm into an
   ESP or NAT-T packet (that is simply ESP in a UDP shell; nothing fancy about
   that). It then traverses the Netfilter chains as an ESP or UDP packet,
   through the chains and other parts of Netfilter, until it reaches egress
   (qdisc).
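The two passes described above can be told apart in the OUTPUT chain, and that distinction is what lets a ruleset fail closed when a packet to a protected subnet would otherwise leave in the clear. The rules below are an added example, not from the original mail or strongSwan; the subnet 10.20.0.0/16 is an assumed value, and setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: OUTPUT rules that treat the two xfrm passes separately.
# IPT defaults to iptables; IPT=echo prints the rules instead of loading them.
IPT="${IPT:-iptables}"

ipsec_output_rules() {
    net="$1"   # assumed remote subnet that must only be reached through the tunnel

    # Pass 2: the packet xfrm encode hands back to *raw OUTPUT is now either
    # plain ESP or NAT-T, i.e. ESP inside UDP on port 4500 (the standard NAT-T port).
    $IPT -A OUTPUT -p esp -m comment --comment "pass 2: ESP" -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 4500 -m comment --comment "pass 2: NAT-T" -j ACCEPT

    # Pass 1: the still-plaintext packet from the local process. The policy match
    # confirms an outbound IPsec policy applies, so xfrm encode will protect it.
    $IPT -A OUTPUT -d "$net" -m policy --dir out --pol ipsec \
        -m comment --comment "pass 1: plaintext, IPsec policy matched" -j ACCEPT

    # Anything else to the protected subnet has no matching policy (tunnel down,
    # policy missing) and would leave unencrypted, so drop it.
    $IPT -A OUTPUT -d "$net" -m comment --comment "no IPsec policy: fail closed" -j DROP
}

# Stand-alone use: ./ipsec-output.sh 10.20.0.0/16  (assumed subnet)
if [ -n "${1:-}" ]; then
    ipsec_output_rules "$1"
fi
```

Rule order matters: the ESP and UDP/4500 accepts come first so that transport-mode traffic to a peer inside the subnet is not caught by the final DROP on its second pass.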


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658