enc0 patch for ipsec

Max Laier max at love2party.net
Fri Jun 16 16:05:09 UTC 2006


On Friday 16 June 2006 17:41, Scott Ullrich wrote:
> On 6/16/06, Max Laier <max at love2party.net> wrote:
> > I think it should get a "device enc" on its own.  Some people might
> > consider enc(4) to be a security problem so getting it with FAST_IPSEC
> > automatically isn't preferable.
>
> You have to specifically create the enc0 interface (ifconfig enc0
> create) before it becomes active.  Otherwise it will not hit the enc
> code path unless the device is created.

The issue is, if an attacker manages to get root on your box they are 
automatically able to read your IPSEC traffic ending at that box.  If you 
don't have enc(4) compiled in, that would be more difficult to do.  Same 
reason you don't want SADB_FLUSH on by default.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
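As an added example (not part of the thread, and not code from Max, Scott or FreeBSD), the following POSIX shell script audits a host for the two conditions discussed above: an enc interface that has already been created with "ifconfig enc0 create", and a kernel config that compiles enc(4) in via "device enc". It assumes interface names arrive in the space-separated form printed by "ifconfig -l" and that the kernel config uses the standard "device <name>" syntax; the interface list and kernel config it runs against are constructed sample data, so it runs offline. Commented-out "device enc" lines are deliberately ignored, since those do not build the driver.

```shell
#!/bin/sh
# Added example: check whether enc(4) is reachable on a FreeBSD host.
# Assumptions: "ifconfig -l" style interface list (space separated) and
# a kernel config using "device <name>" lines.

# Return 0 if the given interface list contains an enc interface (enc0, enc1, ...).
has_enc_iface() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -Eq '^enc[0-9]+$'
}

# Return 0 if the kernel config file at $1 compiles enc(4) in.
# Lines starting with '#' are comments and therefore do not count.
kernconf_has_enc() {
    grep -Eq '^[[:space:]]*device[[:space:]]+enc([[:space:]]|$)' "$1"
}

# Print "exposed" if enc(4) is compiled in or an enc interface already
# exists (either lets root read decrypted IPsec traffic), otherwise "ok".
enc_verdict() {
    iflist=$1
    kernconf=$2
    if has_enc_iface "$iflist" || kernconf_has_enc "$kernconf"; then
        echo exposed
    else
        echo ok
    fi
}

# Constructed sample data (not taken from any real host).
SAMPLE_IFLIST_CLEAN="em0 lo0 pflog0"
SAMPLE_IFLIST_ENC="em0 lo0 pflog0 enc0"
SAMPLE_KERNCONF=$(mktemp)
cat > "$SAMPLE_KERNCONF" <<'EOF'
ident   HARDENED
options FAST_IPSEC
#device enc          # commented out on purpose: enc(4) left out of the kernel
device  pf
EOF

echo "clean interface list, kernel without enc: $(enc_verdict "$SAMPLE_IFLIST_CLEAN" "$SAMPLE_KERNCONF")"
echo "enc0 already created:                      $(enc_verdict "$SAMPLE_IFLIST_ENC" "$SAMPLE_KERNCONF")"
```

On a real box the first argument would be "$(ifconfig -l)" and the second the kernel config the running kernel was built from; the verdict only tells you whether the enc(4) path exists, not whether anyone is currently using it.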