iked(8): more descriptive documentation for protected-subnet


iked(8): more descriptive documentation for protected-subnet

Tobias Heider-2
As mlarkin@ noted the man page description of the protected-subnet option is not
very helpful. This diff tries to make things a little clearer.

Ok?

Index: iked.conf.5
===================================================================
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.55
diff -u -p -u -r1.55 iked.conf.5
--- iked.conf.5 11 May 2019 16:30:23 -0000 1.55
+++ iked.conf.5 3 Aug 2019 11:21:10 -0000
@@ -578,7 +578,11 @@ This option is provided for compatibilit
 .It Ic dhcp-server Ar address
 The address of an internal DHCP server for further configuration.
 .It Ic protected-subnet Ar address/prefix
-The address of the protected subnet within the internal network.
+The address of an additional hidden IPv4 or IPv6 subnet reachable over the
+gateway. This option is used to notify the peer of a private subnet
+behind the gateway. Networks specified in the "from" or
+"to" options are known to the peer and do not necessarily need to be included
+here.
 .It Ic access-server Ar address
 The address of an internal remote access server.
 .El
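Review bot: the new text in the `+The address of an additional hidden ...` lines runs several sentences together on one line; mdoc wants each new sentence to start a new line, so split after `gateway.` and after `behind the gateway.`. The references to the "from" and "to" options are plain quoted words, while every other option in this list is marked up as a keyword (`.It Ic dhcp-server Ar address`); `.Ic from` and `.Ic to` would render consistently. "hidden" and "private" also describe only one use of the option: the announced subnet can be any range reachable through the gateway, so a neutral wording such as "an additional subnet reachable over the gateway" would be more accurate.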


Re: iked(8): more descriptive documentation for protected-subnet

Stuart Henderson
On 2019/08/03 13:21, Tobias Heider wrote:

> As mlarkin@ noted the man page description of the protected-subnet option is not
> very helpful. This diff tries to make things a little clearer.
>
> Ok?
>
> Index: iked.conf.5
> ===================================================================
> RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> retrieving revision 1.55
> diff -u -p -u -r1.55 iked.conf.5
> --- iked.conf.5 11 May 2019 16:30:23 -0000 1.55
> +++ iked.conf.5 3 Aug 2019 11:21:10 -0000
> @@ -578,7 +578,11 @@ This option is provided for compatibilit
>  .It Ic dhcp-server Ar address
>  The address of an internal DHCP server for further configuration.
>  .It Ic protected-subnet Ar address/prefix
> -The address of the protected subnet within the internal network.
> +The address of an additional hidden IPv4 or IPv6 subnet reachable over the
> +gateway. This option is used to notify the peer of a private subnet

I agree it needs explaining better (the current description seems wrong to me)
but I'm not sure this entirely helps.

(Just looking at iked doesn't help understand this because iked has no
client-side address-config support in the first place, so it's only something
that would be useful when connecting non-iked clients).

Even after reading the RFC (https://tools.ietf.org/html/rfc7296#section-3.15.2)
I don't feel like I entirely grok it, but I think this is something that
would be set on the gateway to tell the client that it should negotiate
an additional SA other than the one implied by the address + subnet from
address configuration.

"hidden", "private", etc, well it can be a standard public IP range, it's just
an additional network that wants protecting by IPsec, so probably better to
avoid words like that.

> +behind the gateway. Networks specified in the "from" or
> +"to" options are known to the peer and do not necessarily need to be included
> +here.
>  .It Ic access-server Ar address
>  The address of an internal remote access server.
>  .El
>

(Also manpage nit: new sentence -> new line.)


Re: iked(8): more descriptive documentation for protected-subnet

Tobias Heider-2
> Even after reading the RFC (https://tools.ietf.org/html/rfc7296#section-3.15.2)
> I don't feel like I entirely grok it, but I think this is something that
> would be set on the gateway to tell the client that it should negotiate
> an additional SA other than the one implied by the address + subnet from
> address configuration.

This is one thing it can be used for, but there are others, such as when the
tunnel allows all traffic to be routed through (the from and to are 0.0.0.0):
the gateway may need some way to inform the peer that it can reach a private
subnet via the tunnel. Or to inform the peer for which subnets it has to use
the internal IP and for which it should use its global IP.

> "hidden", "private", etc, well it can be a standard public IP range, it's just
> an additional network that wants protecting by IPsec, so probably better to
> avoid words like that.

I think you are right; the hidden subnet setting is also just one of the
use-cases.

> (Also manpage nit: new sentence -> new line.)

Thanks!

As it turns out it is quite hard to put all these use-cases in a concise
description that is actually helpful to the uninformed reader.

Here is an updated version:

Index: iked.conf.5
===================================================================
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.55
diff -u -p -u -r1.55 iked.conf.5
--- iked.conf.5 11 May 2019 16:30:23 -0000 1.55
+++ iked.conf.5 3 Aug 2019 19:04:02 -0000
@@ -578,7 +578,12 @@ This option is provided for compatibilit
 .It Ic dhcp-server Ar address
 The address of an internal DHCP server for further configuration.
 .It Ic protected-subnet Ar address/prefix
-The address of the protected subnet within the internal network.
+The address of an additional IPv4 or IPv6 subnet reachable over the
+gateway.
+This option is used to notify the peer of a subnet behind the gateway (that
+might require a second SA).
+Networks specified in this SA's "from" or "to" options do not need to be
+included.
 .It Ic access-server Ar address
 The address of an internal remote access server.
 .El
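Review bot: on the `+Networks specified in this SA's "from" or "to" options` line, "from" and "to" are still plain quoted words; mark them up as `.Ic from` and `.Ic to`, matching the `.It Ic dhcp-server Ar address` style of the surrounding entries, so they render as keywords. "this SA's" is also slightly off, since from and to are options of the policy for which the SA is negotiated, so "this policy's" would be more precise. The parenthetical `+might require a second SA).` leaves the reader guessing what the second SA is for; saying that the peer may have to negotiate an additional SA to reach the announced subnet, as discussed earlier in the thread, would make the sentence actionable.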
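To make the wire-level meaning of this option concrete, here is an added example (not from the thread or from iked) that encodes a protected-subnet value into the INTERNAL_IP4_SUBNET / INTERNAL_IP6_SUBNET configuration attributes of RFC 7296 section 3.15.1 and parses those attributes back out of a CFG payload. The attribute numbers and value layouts are from the RFC; that iked maps protected-subnet onto exactly these attributes, and the `config protected-subnet` syntax in the comment, are my assumptions.

```python
import ipaddress
import struct

# Configuration attribute types from RFC 7296, section 3.15.1.
INTERNAL_IP4_SUBNET = 13
INTERNAL_IP6_SUBNET = 15


def encode_protected_subnet(subnet: str) -> bytes:
    """Encode one address/prefix (as written after protected-subnet) as a
    CFG attribute: R bit (0) + 15-bit type, 16-bit length, then the value."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.version == 4:
        # INTERNAL_IP4_SUBNET value: 4-byte address followed by 4-byte netmask
        atype, value = INTERNAL_IP4_SUBNET, net.network_address.packed + net.netmask.packed
    else:
        # INTERNAL_IP6_SUBNET value: 16-byte address followed by 1-byte prefix length
        atype, value = INTERNAL_IP6_SUBNET, net.network_address.packed + bytes([net.prefixlen])
    return struct.pack("!HH", atype & 0x7FFF, len(value)) + value


def decode_protected_subnets(attrs: bytes) -> list:
    """Walk the attribute list of a CFG payload (payload header already
    stripped) and return every announced subnet. Other attribute types, and
    the zero-length form a peer uses to *request* the subnet list, are skipped."""
    found, off = [], 0
    while off + 4 <= len(attrs):
        atype, length = struct.unpack_from("!HH", attrs, off)
        atype &= 0x7FFF  # drop the reserved R bit
        value = attrs[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated configuration attribute at offset %d" % off)
        off += 4 + length
        if atype == INTERNAL_IP4_SUBNET and length == 8:
            addr, mask = ipaddress.IPv4Address(value[:4]), ipaddress.IPv4Address(value[4:])
            found.append(ipaddress.ip_network("%s/%s" % (addr, mask), strict=False))
        elif atype == INTERNAL_IP6_SUBNET and length == 17:
            addr = ipaddress.IPv6Address(value[:16])
            found.append(ipaddress.ip_network("%s/%d" % (addr, value[16]), strict=False))
    return found


# Constructed sample CFG_REPLY from a gateway: an INTERNAL_IP4_ADDRESS (type 1)
# for the client plus two protected subnets, as an iked.conf policy with
# "config protected-subnet 10.1.0.0/16" (assumed syntax) might announce.
SAMPLE_CFG_REPLY = (
    struct.pack("!HH", 1, 4) + ipaddress.IPv4Address("10.0.0.5").packed
    + encode_protected_subnet("10.1.0.0/16")
    + encode_protected_subnet("2001:db8::/48")
)
```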