enc0 patch for ipsec
Andre Oppermann
andre at freebsd.org
Fri Jun 16 17:43:58 UTC 2006
Max Laier wrote:
> On Friday 16 June 2006 17:41, Scott Ullrich wrote:
>> On 6/16/06, Max Laier <max at love2party.net> wrote:
>>> I think it should get a "device enc" on its own. Some people might
>>> consider enc(4) to be a security problem so getting it with FAST_IPSEC
>>> automatically isn't preferable.
>> You have to specifically create the enc0 interface (ifconfig enc0
>> create) before it becomes active. Otherwise it will not hit the enc
>> code path unless the device is created.
>
> The issue is, if an attacker manages to get root on your box they are
> automatically able to read your IPSEC traffic ending at that box. If you
> don't have enc(4) compiled in, that would be more difficult to do. Same
> reason you don't want SADB_FLUSH on by default.
*If* someone manages to get root on you IPSEC endpoint you've
lost anyway. The availability of enc(4) then is no longer of
importance.
--
Andre
More information about the freebsd-arch
mailing list