enc0 patch for ipsec
Scott Ullrich
sullrich at gmail.com
Fri Jun 16 21:52:25 UTC 2006
On 6/16/06, Max Laier <max at love2party.net> wrote:
> The issue is, if an attacker manages to get root on your box they are
> automatically able to read your IPSEC traffic ending at that box. If you
> don't have enc(4) compiled in, that would be more difficult to do. Same
> reason you don't want SADB_FLUSH on by default.
Okay, this makes sense. But couldn't you also argue that if someone
gets access to the machine they could also use tcpdump to do the same
thing technically on the internal interface? Just playing devils
advocate.. :)
More information about the freebsd-arch
mailing list