Add new file README.FreeBSD+NAT to the documentation subdirectory, describing
how to run SKIP and natd together.

Submitted by:	Jim Flowers <jflowers@ezo.net>

Mark this port as BROKEN until the device registration bit is fixed.
Archie Cobbs 1999-07-22 18:37:09 +00:00
parent 7efe79f49b
commit 892a9dd098
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=20319
5 changed files with 90 additions and 12 deletions

View File

@ -3,7 +3,7 @@
# Date created: 26 November 1997
# Whom: Archie L. Cobbs <archie@whistle.com>
#
# $Id: Makefile,v 1.6 1999/02/26 01:01:19 archie Exp $
# $Id: Makefile,v 1.7 1999/05/04 23:18:35 steve Exp $
DISTNAME= skip-1.0
CATEGORIES= security
@ -56,4 +56,6 @@ post-patch:
mv $$FILE.new $$FILE; \
done
BROKEN= Needs to be updated wrt. new device registration
.include <bsd.port.mk>

View File

@ -1,18 +1,21 @@
diff -ur --unidirectional-new-file skipsrc-1.0.orig/doc/ROADMAP work.new/doc/ROADMAP
--- skipsrc-1.0.orig/doc/ROADMAP Fri Oct 25 13:11:55 1996
+++ work.new/doc/ROADMAP Mon Mar 8 21:33:38 1999
@@ -1,6 +1,10 @@
+++ work.new/doc/ROADMAP Thu Jul 22 11:13:09 1999
@@ -1,6 +1,13 @@
This directory contains documentation and legal statements for this
release.
+README.FreeBSD - Notes on the FreeBSD port of SKIP.
+ All of the other documentation is NOT
+ specific to FreeBSD.
+
+README.FreeBSD+NAT - Notes on using SKIP with FreeBSD's NAT
+ (Network Address Translation).
+
+All of the other documentation is NOT specific to FreeBSD:
+
00README - Introduction, Release notes and Build
Instructions. Read this first. You
should read this if only for the
@@ -24,3 +28,4 @@
@@ -24,3 +31,4 @@
architecture and performance.
usersguide.* - User's guide in various formats
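Review bot: the inner hunk headers in this patch file are being maintained by hand, which is fragile. The count change `@@ -1,6 +1,10 @@` to `@@ -1,6 +1,13 @@` has to equal the three lines added (the two README.FreeBSD+NAT lines and the blank after them, with the two-line "All of the other documentation" text under README.FreeBSD replaced one-for-one by the standalone line and its blank), and the later header `@@ -24,3 +28,4 @@` to `@@ -24,3 +31,4 @@` has to carry the same +3 offset; both check out here, but regenerating the patch from a modified work tree would avoid this arithmetic on future edits. Note also that the moved sentence "All of the other documentation is NOT specific to FreeBSD:" is only correct while every FreeBSD-specific entry is listed above it, so keep that ordering if more entries are added.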

View File

@ -1,15 +1,16 @@
diff -ur --unidirectional-new-file skipsrc-1.0.orig/mkpkgs/freebsd/Makefile work.new/mkpkgs/freebsd/Makefile
--- skipsrc-1.0.orig/mkpkgs/freebsd/Makefile Fri Oct 25 13:12:32 1996
+++ work.new/mkpkgs/freebsd/Makefile Mon Mar 8 22:13:27 1999
@@ -64,6 +64,7 @@
+++ work.new/mkpkgs/freebsd/Makefile Thu Jul 22 11:03:37 1999
@@ -64,6 +64,8 @@
$(BLD_DIR)/doc/SKIP_SOFTWARE_LICENSE \
$(BLD_DIR)/doc/BN_SOFTWARE_LICENSE \
$(BLD_DIR)/doc/README.PATENT \
+ $(BLD_DIR)/doc/README.FreeBSD \
+ $(BLD_DIR)/doc/README.FreeBSD+NAT \
$(BLD_DIR)/doc/00README \
$(BLD_DIR)/doc/INSTALL \
$(BLD_DIR)/doc/advanced.TOPICS \
@@ -104,10 +105,10 @@
@@ -104,10 +106,10 @@
$(MKDIR) $(BSDPROTO)/bin
$(MKDIR) $(BSDPROTO)/doc
@ -24,7 +25,7 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/mkpkgs/freebsd/Makefile work
@echo "Initializing skip/etc directory"
$(INSTALL) -m 0444 $(BLD_DIR)/admin/SunICG_CA_selfcert \
@@ -124,8 +125,8 @@
@@ -124,8 +126,8 @@
$(BSDPROTO)/etc/skipd.conf
@echo "Adding skip/drv to release"
@ -35,16 +36,18 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/mkpkgs/freebsd/Makefile work
@echo "Adding skip/bin to release"
$(INSTALL) -m 0755 $(BLD_DIR)/skip/tools/skiptool/none.ras \
@@ -191,6 +192,8 @@
@@ -191,6 +193,10 @@
$(BSDPROTO)/doc/BN_SOFTWARE_LICENSE
$(INSTALL) -m 0644 $(BLD_DIR)/doc/README.PATENT \
$(BSDPROTO)/doc/README.PATENT
+ $(INSTALL) -m 0644 $(BLD_DIR)/doc/README.FreeBSD \
+ $(BSDPROTO)/doc/README.FreeBSD
+ $(INSTALL) -m 0644 $(BLD_DIR)/doc/README.FreeBSD+NAT \
+ $(BSDPROTO)/doc/README.FreeBSD+NAT
$(INSTALL) -m 0644 $(BLD_DIR)/doc/00README \
$(BSDPROTO)/doc/00README
$(INSTALL) -m 0644 $(BLD_DIR)/doc/INSTALL \
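Review bot: the two added `$(INSTALL) -m 0644` lines use the same mode as the neighbouring README.PATENT and 00README installs, and the header change `@@ -191,6 +192,8 @@` to `@@ -191,6 +193,10 @@` matches the four lines added; the next header in this patch, `+242,8` to `+245,8`, then correctly carries the cumulative +3 from this and the doc-list hunk earlier in the file. The `+` in `README.FreeBSD+NAT` is passed through by make and the shell as a literal character, so no quoting is needed in these command lines.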
@@ -239,8 +242,8 @@
@@ -239,8 +245,8 @@
$(BSDPROTO)/man/man4/raw_keys.4
$(INSTALL) -m 0644 $(BLD_DIR)/certs/man/print_cert.1m \
$(BSDPROTO)/man/man1/print_cert.1

View File

@ -0,0 +1,69 @@
diff -ur --unidirectional-new-file skipsrc-1.0.orig/doc/README.FreeBSD+NAT work.new/doc/README.FreeBSD+NAT
--- skipsrc-1.0.orig/doc/README.FreeBSD+NAT Wed Dec 31 16:00:00 1969
+++ work.new/doc/README.FreeBSD+NAT Thu Jul 22 11:02:18 1999
@@ -0,0 +1,65 @@
+Using SKIP and FreeBSD's NAT (Network Address Translation) together
+-------------------------------------------------------------------
+
+Skip and NAT are two very popular strategies for building secure
+networks with FreeBSD. They are sometimes believed to be incompatable
+when applied to the same interface. They will work together, however,
+when correctly configured. This document addresses the reference
+implementation of SKIP (1.0) and natd as implemented through ipfw.
+
+The key to understanding the operation of SKIP and NAT in parallel is to
+realize that inbound packets traverse the ipfw ruleset twice - once as an
+encapsulated packet and once as an de-encapsulated packet with the
+original destination address restored. Outbound packets, on the other
+hand, make a single pass in the unencapsulated state. This understanding
+can be used to advantage in building a nomadic SKIP server. A nomadic SKIP
+server allows any host equipped with a SKIP client to connect to the
+Internet (eg. via a dialup connection to an ISP) and then establish a
+secure connection to the nomadic SKIP server allowing full access to a
+Local Area Network. Because the remote host may have a different IP
+address each time it connects it is known as a nomad and its KeyID is
+used for identification rather than the IP address identification normally
+used to establish authenticity.
+
+The primary difficulty in setting up a nomadic server in conjunction with
+NAT is not in reaching in to the LAN but in returning a response to the
+remote host. The remote host IP address cannot, by definition, be known
+in advance. Further - authentication of the remote host and
+identification of its IP address by the SKIP module does not proceed to
+update the routing tables in the kernel. A LAN host receiving a
+connection request has insufficient information to reply to the remote
+host either via a static route or by dynamic routing.
+
+This leads to the requirement that the nomadic server must be in-line
+between the Internet and the LAN so that all packets not destined for the
+LAN are routed to the nomadic server by the gateway address in the LAN
+host.
+
+The second requirement is to prevent NAT from interfering. NAT does
+not bother the SKIP pass as the packet header is directed to the
+nat/skiphost. You can count the inbound SKIP packets as they
+can be identified by the SKIP protocol (57). Use an ipfw rule
+before the NAT rule such as:
+
+00010 allow skip from any to any in recv fxp0
+00100 divert 8668 ip from any to any via fxp0
+
+assuming that skip is identified as 57 in /etc/protocols.
+
+A rule is required for the de-encrypted packets to allow them to be
+forwarded to the LAN by the routing mechanism without interference from
+NAT during the second pass:
+
+00010 allow skip from any to any in recv fxp0
+00020 allow ip from any to 192.168.0.0/24 in recv fxp0
+00100 divert 8668 ip from any to any via fxp0
+
+Now you can have nomadic hosts connect securely as part of the LAN and
+hosts on the LAN can continue to access the Internet through NAT. Of
+course, you have to configure the skiphost ACL correctly and setup the
+SKIP client on the nomad to match but that's covered in the
+documentation.
+
+Jim Flowers <jflowers@ezo.net>
+#4 ISP on C|NET, #1 in Ohio
+
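Review bot: the rule `00020 allow ip from any to 192.168.0.0/24 in recv fxp0` admits every inbound packet on fxp0 that already carries a LAN destination, not only the packets SKIP has just de-encapsulated on their second pass; these rules match on protocol, destination and interface only and cannot tell the two apart, so a packet that arrives from the outside link with a 192.168.0.0/24 destination would bypass the divert rule and be forwarded into the LAN unchanged. The README should state plainly that the setup depends on the upstream router never delivering such packets to fxp0, and point the reader at the skiphost ACL as the control that actually decides which de-encapsulated traffic is accepted. Wording fixes in the same text: "incompatable" should be "incompatible", "an de-encapsulated" should be "a de-encapsulated", "eg." should be "e.g.", and "setup the SKIP client" should be "set up the SKIP client". The tagline "#4 ISP on C|NET, #1 in Ohio" is advertising and does not belong in an installed document; the author's name and address are enough.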

View File

@ -36,6 +36,7 @@ share/doc/skip/README.PATENT
share/doc/skip/00README
share/doc/skip/INSTALL
share/doc/skip/README.FreeBSD
share/doc/skip/README.FreeBSD+NAT
share/doc/skip/advanced.TOPICS
share/doc/skip/usersguide.txt
share/doc/skip/usersguide.ps