From owner-freebsd-stable  Fri Oct  4  7:44:44 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E489437B401
	for <stable@freebsd.org>; Fri,  4 Oct 2002 07:44:42 -0700 (PDT)
Received: from infinity.aesredfish.net (ns1.aesredfish.net [65.168.0.12])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1B08643E6E
	for <stable@freebsd.org>; Fri,  4 Oct 2002 07:44:42 -0700 (PDT)
	(envelope-from wmoran@potentialtech.com)
Received: from potentialtech.com (mhope-dhcp-65-168-1-181.dashfast.com [65.168.1.181])
	by infinity.aesredfish.net (8.11.6/8.11.0) with ESMTP id g94EiXW13163;
	Fri, 4 Oct 2002 10:44:33 -0400
Message-ID: <3D9DAB2D.3060306@potentialtech.com>
Date: Fri, 04 Oct 2002 10:52:29 -0400
From: Bill Moran <wmoran@potentialtech.com>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0rc1) Gecko/20020502
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Vivek Khera <khera@kcilink.com>
Cc: stable@freebsd.org
Subject: Re: IPSEC warning -- what are alternatives?
References: <15773.39612.629029.716325@onceler.kciLink.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

Vivek Khera wrote:
> Every time IPsec fires up on my 4.6 thru 4.7.2 machines, I get this
> warning:
> 
>  WARNING: pseudo-random number generator used for IPsec processing
> 
> I'm just curious as to what alternatives I have for the random number
> source, or is just an informational message reminding me that my
> randomness sucks?  Google found all of 5 pages on the web containing
> that warning, and none of them were *about* that warning.

Read "man 4 random", and pay special attention to the paragraph about
urandom and random.

On a personal level, I've found that networking applications (vpnd was
the experience) don't get enough data from /dev/random and will stall.
With /dev/urandom, the theoretical "guessibility" of the "random" data is
higher, but I've never heard of anyone getting cracked because they used
/dev/urandom.

You may also want to look at rndcontrol.  You might possibly be able to
tweak the random number generator so that /dev/random produces enough
data to feed IPsec.  I haven't tried this, however, so I don't know.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message