enc0 patch for ipsec
Gordon Tetlow
gordon at FreeBSD.org
Fri Jun 16 17:22:21 UTC 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Max Laier wrote:
> On Friday 16 June 2006 17:41, Scott Ullrich wrote:
>> On 6/16/06, Max Laier <max at love2party.net> wrote:
>>> I think it should get a "device enc" on its own. Some people might
>>> consider enc(4) to be a security problem so getting it with FAST_IPSEC
>>> automatically isn't preferable.
>> You have to specifically create the enc0 interface (ifconfig enc0
>> create) before it becomes active. Otherwise it will not hit the enc
>> code path unless the device is created.
>
> The issue is, if an attacker manages to get root on your box they are
> automatically able to read your IPSEC traffic ending at that box. If you
> don't have enc(4) compiled in, that would be more difficult to do. Same
> reason you don't want SADB_FLUSH on by default.
Max is absolutely right here. The snooping interface should be a
separate option altogether (a la bpf).
- -gordon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEktfGRu2t9DV9ZfsRAvyzAJ9jnUigVW7t2SGV89vXStXAZ30b7QCeJ4tZ
tBeTqHk9LofxCRf40uFvpZE=
=RGmG
-----END PGP SIGNATURE-----
More information about the freebsd-net
mailing list