DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 21st June 2013
igy01 igy01 is offline
Port Guard
 
Join Date: Jan 2011
Posts: 20
Default Ipsec and altq

I have configuration as follows:

NET_A 192.168.20.0/24--|BSD_A 10.20.10.60|=======|10.20.10.20 BSD_B|--NET_B 192.168.10.0/24

IPsec on BSD_A as (and similar on BSD_B):

ike esp from $NET_A to $NET_B local 10.20.10.60 peer 10.20.10.20 \
main auth hmac-sha2-512 enc aes-256 group modp1024 \
quick auth hmac-sha2-512 enc aes-256 group modp1024

routing, x509, IPsec and PF working fine

I want to prioritize IPsec ie ESP traffic, so on BSD_A:

.... something usualy.....

ext-if=em0 # interface IP=10.20.10.60

altq on $ext_if cbq bandwidth 2Mb queue { data_all, data_ipsec }
queue data_all bandwidth 50% priority 0 cbq(default ecn)
queue data_ipsec bandwidth 50% cbq(red)

..........

block log on $ext_if

# pass ESP, ISAKMP
pass out on $ext_if inet proto udp from any to any port=isakmp
pass in on $ext_if inet proto udp from any to any port=isakmp

pass out on $ext_if inet proto esp from any to any queue data_ipsec
pass in on $ext_if inet proto esp from any to any

pass other proto....

So, I can see, prioritization is working here and there.

priorization is not working if on BSD_A I have:
pfctl -ss -vv
all esp 10.20.10.60 <- 10.20.10.20 MULTIPLE:MULTIPLE

i.e. pf "see" ESP as connection from BSD_B to BSD_A
all ESP from A to B packets (they must go into que) are just pass
as part of "keep state" on inbound connection,
this packet are not evaluated in pass rule, and are not part of data_ipsec que

priorization is working if:
pfctl -ss -vv
all esp 10.20.10.60 -> 10.20.10.20 MULTIPLE:MULTIPLE

That behaviour is random, sometimes BSD recognize IPsec as A->B,
then again, after restar maybe it is B->A, I cant force it.

In this moment, I solved problem (on BSD_A) as (use NO STATE):

pass in on $ext_if inet proto esp from any to any no state
pass out on $ext_if inet proto esp from any to any queue data_ipsec

So, state is not created on inbound ESP packet, but allways on outgoing ESP packet

Is is OK? Some smarter solution? Any sugestion?

Igy
Reply With Quote
  #2   (View Single Post)  
Old 22nd June 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Queuing only functions on outbound traffic. From your post, it appears to me that you are concerned that inbound traffic is not queuing. It can't. Did I misunderstand?

You also have Random Early Detection enabled for your IPSec traffic, which seems odd to me. RED is 1) designed to manage TCP congestion with multiple connections and this is ESP traffic between two gateways, and 2) it functions by dropping inbound packets when outbound queues reach thresholds you do not control.
Reply With Quote
  #3   (View Single Post)  
Old 22nd June 2013
igy01 igy01 is offline
Port Guard
 
Join Date: Jan 2011
Posts: 20
Default

I know Queuing work only on outbound traffic. I did not try to use queuing on inbound traffic.

But, if BSD_A router "see" ESP "connection" as inbound:

pfctl -ss -vv
all esp A <- B

then outgoing ESP packet (from A to B) are not in a gue, I can prove that as:
pfctl -sq -vv

but, if:
pfctl -ss -vv
all esp A -> B

then outgoing data pass in que

And, of course, I dont need RED, but everything is working with or without RED in a same way.
Reply With Quote
  #4   (View Single Post)  
Old 22nd June 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Ah, thank you for the clarification. I will restate the problem, to ensure I understand:

An inbound packet that establishes a state will not have outbound packets assigned to the tagged queue, as state was established without a tagged queue.

Perhaps, all that is needed is:
Code:
pass out on $ext_if inet proto esp from any to any queue data_ipsec
pass in on $ext_if inet proto esp from any to any queue data_ipsec
The state will then be established with the assigned tag. Of course, on inbound traffic there won't be anything to queue.
Reply With Quote
  #5   (View Single Post)  
Old 18th February 2014
igy01 igy01 is offline
Port Guard
 
Join Date: Jan 2011
Posts: 20
Default

Thank you jggimi,
you answer is completely right, and help me a lot

Source of my wrong configuration is misunderstanding of "keep state". I thought, if there is keep state (by default), then it is not necessery put queue on every line. All that (packets in and out) is part of the same state. Obviously, it is not....

thanks!
Reply With Quote
  #6   (View Single Post)  
Old 18th February 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

To be clear, you are queueing ESP packets. This is stateless traffic.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
PF ALTQ on 3 NIC's magnesik FreeBSD Security 1 13th August 2011 06:18 AM
ALTQ: CBQ issues Lexus45 OpenBSD General 1 23rd May 2010 02:29 AM
ALTQ Question regarding RudiK FreeBSD Security 4 23rd July 2008 01:59 PM
[PF] Problem with ftp and ALTQ gotian FreeBSD Security 1 22nd July 2008 11:25 PM
Queuing with PF and ALTQ Weaseal FreeBSD Security 1 22nd July 2008 05:18 PM


All times are GMT. The time now is 05:31 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick