Date: Mon, 10 Apr 2006 15:24:51 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: Pawel Jakub Dawidek <pjd@FreeBSD.org> Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/netipsec ipsec.c ipsec.h xform_ah.c xform_esp.c Message-ID: <20060410152403.T78784@fledge.watson.org> In-Reply-To: <200604091911.k39JBjWI092325@repoman.freebsd.org> References: <200604091911.k39JBjWI092325@repoman.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 9 Apr 2006, Pawel Jakub Dawidek wrote: > Introduce two new sysctls: > > net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with > the same sequence number. This allows to verify if the other side > has proper replay attacks detection. > > net.inet.ipsec.test_integrity - When set 1, IPsec will send packets with > corrupted HMAC. This allows to verify if the other side properly > detects modified packets. > > I used the first one to discover that we don't have proper replay attacks > detection in ESP (in fast_ipsec(4)). I wonder if these should be placed under "options REGRESSION", which I've been using to mask the availability of test sysctls that violate sensible security behavior (such as allowing the securelevel to be lowered). Robert N M Watson
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060410152403.T78784>