From owner-freebsd-security@FreeBSD.ORG Mon Aug 30 02:25:13 2010
From: jhell
Sender: "J. Hellenthal"
To: freebsd-security@freebsd.org
Date: Sun, 29 Aug 2010 22:25:09 -0400
Subject: Re: tcpdump -z
Message-ID: <4C7B1685.3010406@DataIX.net>
References: <4C77A267.10102@thelostparadise.com> <20100827162556.GB14492@calvin.ustdmz.roe.ch>
In-Reply-To: <20100827162556.GB14492@calvin.ustdmz.roe.ch>

On 08/27/2010 12:25, Daniel Roethlisberger wrote:
> Pieter de Boer 2010-08-27:
>> On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
>>> This is a forwarded message from tcpdump-workers mail list:
>>> === 8< ================>8 ===
>>> $ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
>>> [sudo] password for user:
>>> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size
>>> 65535 bytes
>>> (generate some traffic on port 55555)
>>> root@blaa ~/temp/tcpdump-4.1.1$ id
>>> uid=0(root) gid=0(root) groups=0(root)
>>>
>>> Is this known and accepted? Could this option maybe be implemented
>>> differently?
>>
>> In my opinion, if you allow people to run tools as root using sudo,
>> you'd better make sure those tools don't allow attackers to easily gain
>> root access. In the case of tcpdump, the '-w' flag most probably already
>> allowed that, although '-z' is a bit more convenient to the attacker.
>>
>> As a solution, configure your sudo correctly, only allowing specific
>> tcpdump command line options (or option sets) to be used.
>
> Or use NOEXEC on the tcpdump spec in your sudo configuration, see
> sudoers(5) for details.
>

A correct approach if you really need unprivileged users to have access
to tcpdump(1) with live network traffic is to provide tcpdump(1) with
``-Z nobody'' or $USER that is starting it with sudo(8) at all times.
This does not do anything to the fact that you're allowing any user on
your network with that type of sudo access to collect password
information or any other sensitive information flow on your network.
The policy here sounds corrupt but please don't take offense to that as
I am sure that your situation is probably viable in its own respectful
way. Just beware!

Regards,

-- 
 jhell,v

From owner-freebsd-security@FreeBSD.ORG Wed Sep 1 15:31:55 2010
From: FreeBSD Security Officer
Organization: FreeBSD Project
Reply-To: security-officer@freebsd.org
To: FreeBSD Stable, freebsd security
Date: Wed, 01 Sep 2010 08:31:40 -0700
Subject: HEADS UP: FreeBSD 6.4 and 8.0 EoLs coming soon
Message-ID: <4C7E71DC.1040808@freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Everyone,

On November 30th, FreeBSD 6.4 and FreeBSD 8.0 will have reached their
End of Life and will no longer be supported by the FreeBSD Security
Team. Since FreeBSD 6.4 is the last remaining supported release from
the FreeBSD 6.x stable branch, support for the FreeBSD 6.x stable
branch will also cease at the same point. Users of either of these
FreeBSD releases are strongly encouraged to upgrade to either FreeBSD
7.3 or FreeBSD 8.1 before that date.

The FreeBSD Ports Management Team wishes to remind users that November
30 is also the end of support for the Ports Collection for both FreeBSD
6.4 RELEASE and the FreeBSD 6.x STABLE branch. Neither the
infrastructure nor individual ports are guaranteed to work on these
FreeBSD versions after that date. A CVS tag will be created for users
who cannot upgrade for some reason, at which time these users are
advised to stop tracking the latest ports CVS repository and use the
RELEASE_6_EOL tag instead.
The current supported branches and expected EoL dates are:

+---------------------------------------------------------------------+
|  Branch   |  Release   |  Type  |  Release date   |  Estimated EoL  |
|-----------+------------+--------+-----------------+-----------------|
|RELENG_6   |n/a         |n/a     |n/a              |November 30, 2010|
|---------------------------------------------------------------------|
|RELENG_6_4 |6.4-RELEASE |Extended|November 18, 2008|November 30, 2010|
|---------------------------------------------------------------------|
|RELENG_7   |n/a         |n/a     |n/a              |last release + 2y|
|-----------+------------+--------+-----------------+-----------------|
|RELENG_7_1 |7.1-RELEASE |Extended|January 4, 2009  |January 31, 2011 |
|-----------+------------+--------+-----------------+-----------------|
|RELENG_7_3 |7.3-RELEASE |Extended|March 23, 2010   |March 31, 2012   |
|-----------+------------+--------+-----------------+-----------------|
|RELENG_8   |n/a         |n/a     |n/a              |last release + 2y|
|-----------+------------+--------+-----------------+-----------------|
|RELENG_8_0 |8.0-RELEASE |Normal  |November 25, 2009|November 30, 2010|
|-----------+------------+--------+-----------------+-----------------|
|RELENG_8_1 |8.1-RELEASE |Extended|July 23, 2010    |July 31, 2012    |
+---------------------------------------------------------------------+

- -- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAkx+cdwACgkQFdaIBMps37K/VACgnkGPT1G76AYaor9ifcTeFDA2
dzgAn0Oqz5UsoaoCvWycUSsFFlpBi0gB
=WWDq
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Sep 1 16:28:22 2010
From: "Julian H. Stacey"
Organization: http://www.berklix.com BSD Unix Linux Consultancy, Munich Germany
To: security-officer@freebsd.org
Cc: freebsd security, Deb Goodkin, FreeBSD Stable, gljennjohn@googlemail.com
Date: Wed, 01 Sep 2010 18:09:33 +0200
Subject: Re: HEADS UP: FreeBSD 6.4 and 8.0 EoLs coming soon
Message-Id: <201009011609.o81G9XEQ011268@fire.js.berklix.net>
In-reply-to: Your message "Wed, 01 Sep 2010 08:31:40 PDT." <4C7E71DC.1040808@freebsd.org>

> On November 30th, FreeBSD 6.4 and FreeBSD 8.0 will have reached their

FreeBSD -7 & -8 do not support ISDN I'm told.
So 6.4 is the last working FreeBSD ISDN.

DSL is faster than ISDN, but losing ISDN would be unfortunate:
- Not all can get DSL speed, if they live far from phone exchange.
- ISDN allows one more security (caller ID comes from phone company),
  additional to whatever crypto keys/passwords.
- ISDN on the PC allows one to have Name (via lookup of number) of phone
  caller & which incoming destination number received call, show up on
  an X Term - I've had that with FreeBSD over 10+ years now :-)
  Could easily be hooked to a database springing up a custom xterm
  according to calling customer ID, called number & time of day (all
  being used to select which service info). But if we drop ISDN ...!

Could FreeBSD reinsert ISDN back into current/8/7 support ?
Perhaps via:
- a student SOC project ?
- FreeBSD foundation paying a FreeBSD consultant (I know one who has the
  expertise already, has the time, & could use some money (I don't mean me,
  & he didn't ask me to post this, it'll come as a surprise to him :-)
- Or whatever other method to get ISDN back in kernel ?

Cheers,
Julian
-- 
Julian Stacey: BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Mail plain text,  Not HTML, quoted-printable & base 64 dumped with spam.
 Avoid top posting, It cripples itemised cumulative responses.
From owner-freebsd-security@FreeBSD.ORG Wed Sep 1 16:54:19 2010
From: "Julian H. Stacey"
Organization: http://www.berklix.com BSD Unix Linux Consultancy, Munich Germany
Cc: FreeBSD Stable, Deb Goodkin, Hans Petter Selasky, freebsd security, security-officer@freebsd.org, gljennjohn@googlemail.com
Date: Wed, 01 Sep 2010 18:53:46 +0200
Subject: Re: HEADS UP: FreeBSD 6.4 and 8.0 EoLs coming soon
Message-Id: <201009011653.o81Grkm4056064@fire.js.berklix.net>
In-reply-to: Your message "Wed, 01 Sep 2010 18:09:33 +0200." <201009011609.o81G9XEQ011268@fire.js.berklix.net>

> FreeBSD -7 & -8 do not support ISDN I'm told.
> So 6.4 is the last working FreeBSD ISDN.

> Could FreeBSD reinsert ISDN back into current/8/7 support ?
> Perhaps via:
> - a student SOC project ?
> - FreeBSD foundation paying a FreeBSD consultant (I know one who has the
>   expertise already, has the time, & could use some money (I don't mean me,
>   & he didn't ask me to post this, it'll come as a surprise to him :-)
> - Or whatever other method to get ISDN back in kernel ?

It seems code exists :-)

  http://old.nabble.com/ISDN4BSD-on-8-current-td23919925.html
    ISDN4BSD package has been updated to compile on FreeBSD 8-current

  http://www.selasky.org/hans_petter/isdn4bsd/

Apparently needs massaging into main FreeBSD tree.

Cheers,
Julian
-- 
Julian Stacey: BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Mail plain text,  Not HTML, quoted-printable & base 64 dumped with spam.
 Avoid top posting, It cripples itemised cumulative responses.
From owner-freebsd-security@FreeBSD.ORG Wed Sep 1 17:16:17 2010
From: Hans Petter Selasky
To: "Julian H. Stacey"
Cc: freebsd security, security-officer@freebsd.org, FreeBSD Stable, Deb Goodkin, gljennjohn@googlemail.com
Date: Wed, 1 Sep 2010 19:02:06 +0200
Subject: Re: HEADS UP: FreeBSD 6.4 and 8.0 EoLs coming soon
Message-Id: <201009011902.06538.hselasky@c2i.net>
References: <201009011653.o81Grkm4056064@fire.js.berklix.net>
In-Reply-To: <201009011653.o81Grkm4056064@fire.js.berklix.net>

On Wednesday 01 September 2010 18:53:46 Julian H. Stacey wrote:
> > FreeBSD -7 & -8 do not support ISDN I'm told.
> > So 6.4 is the last working FreeBSD ISDN.
> >
> > Could FreeBSD reinsert ISDN back into current/8/7 support ?
> > Perhaps via:
> > - a student SOC project ?
> > - FreeBSD foundation paying a FreeBSD consultant (I know one who has the
> >   expertise already, has the time, & could use some money (I don't mean
> >   me, & he didn't ask me to post this, it'll come as a surprise to him
> >   :-)
> > - Or whatever other method to get ISDN back in kernel ?
>
> It seems code exists :-)
>
>   http://old.nabble.com/ISDN4BSD-on-8-current-td23919925.html
>     ISDN4BSD package has been updated to compile on FreeBSD 8-current
>
>   http://www.selasky.org/hans_petter/isdn4bsd/
>
> Apparently needs massaging into main FreeBSD tree.

I agree that my I4B code should be re-written somewhat before committed.
Possibly we should update the APIs present too, to support IP-telephony
as well.

--HPS

From owner-freebsd-security@FreeBSD.ORG Wed Sep 1 17:17:54 2010
From: Eric Masson
To: "Julian H. Stacey"
Cc: freebsd security, security-officer@freebsd.org, FreeBSD Stable, Deb Goodkin, gljennjohn@googlemail.com
Date: Wed, 01 Sep 2010 18:52:19 +0200
Subject: Re: HEADS UP: FreeBSD 6.4 and 8.0 EoLs coming soon
Message-ID: <8662ypo18c.fsf@srvbsdfenssv.interne.associated-bears.org>
References: <201009011609.o81G9XEQ011268@fire.js.berklix.net>
In-Reply-To: <201009011609.o81G9XEQ011268@fire.js.berklix.net> (Julian H. Stacey's message of "Wed, 01 Sep 2010 18:09:33 +0200")

"Julian H. Stacey" writes:

Hello,

> FreeBSD -7 & -8 do not support ISDN I'm told.
It seems that hps@ maintains an isdn stack outside of freebsd tree :
http://www.selasky.org/hans_petter/isdn4bsd/

Regards

Éric Masson

-- 
> A RedHat (I don't know the other distributions) is configured as
> simply as Windows for a client workstation.
Alas, it generates a maximum of traffic on Usenet.
 -+- TP in Guide du linuxien pervers - "Je veux revoir ma SLS !" -+-

From owner-freebsd-security@FreeBSD.ORG Wed Sep 1 19:36:32 2010
From: "Julian H. Stacey"
Organization: http://www.berklix.com BSD Unix Linux Consultancy, Munich Germany
To: Hans Petter Selasky
Cc: freebsd security, security-officer@freebsd.org, FreeBSD Stable, Deb Goodkin, gljennjohn@googlemail.com
Date: Wed, 01 Sep 2010 21:36:02 +0200
Subject: Re: HEADS UP: FreeBSD 6.4 and 8.0 EoLs coming soon
Message-Id: <201009011936.o81Ja2bo046886@fire.js.berklix.net>
In-reply-to: Your message "Wed, 01 Sep 2010 19:02:06 +0200." <201009011902.06538.hselasky@c2i.net>

Hans Petter Selasky wrote:
> On Wednesday 01 September 2010 18:53:46 Julian H. Stacey wrote:
> > > FreeBSD -7 & -8 do not support ISDN I'm told.
> > > So 6.4 is the last working FreeBSD ISDN.
> > >
> > > Could FreeBSD reinsert ISDN back into current/8/7 support ?
> > > Perhaps via:
> > > - a student SOC project ?
> > > - FreeBSD foundation paying a FreeBSD consultant (I know one who has the
> > >   expertise already, has the time, & could use some money (I don't mean
> > >   me, & he didn't ask me to post this, it'll come as a surprise to him
> > >   :-)
> > > - Or whatever other method to get ISDN back in kernel ?
> >
> > It seems code exists :-)
> >
> >   http://old.nabble.com/ISDN4BSD-on-8-current-td23919925.html
> >     ISDN4BSD package has been updated to compile on FreeBSD 8-current
> >
> >   http://www.selasky.org/hans_petter/isdn4bsd/
> >
> > Apparently needs massaging into main FreeBSD tree.
>
> I agree that my I4B code should be re-written somewhat before committed.
> Possibly we should update the APIs present too, to support IP-telephony
> as well.
>
> --HPS

Sorry, I didn't know your code existed, till I was told & searched, Great !
I'll build a new PC soonish to try with current (my gates are 6.2 & 6.4 now).
isdn@freebsd.org : I just re-subscribed (used to be on long ago).
Cheers,
Julian
-- 
Julian Stacey: BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Mail plain text,  Not HTML, quoted-printable & base 64 dumped with spam.
 Avoid top posting, It cripples itemised cumulative responses.

From owner-freebsd-security@FreeBSD.ORG Fri Sep 3 05:52:26 2010
From: "Ricky Charlet"
To: freebsd-security@freebsd.org, freebsd-net@freebsd.org
Date: Thu, 2 Sep 2010 17:35:06 -0700
Subject: seeking current supported crypto co-processors
Message-ID: <32AB5C9615CC494997D9ABB1DB12783C024C8DE03A@SJ-EXCH-1.adaranet.com>

Howdy,

I'm seeking current cryptographic coprocessors supported in FreeBSD 8.x.
By perusing through the crypto-dev (and subsequently referenced) man
page(s) I found this list:

   Hifn 7751/7951/7811/7955/7956 crypto accelerator
   SafeNet 1141/1741
   Bluesteel 5501/5601
   Broadcom bcm5801/5802/5805/5820/5821/5822/5823/5825

Those are all pretty old (and in some cases, no longer existent). I'm
surveying these lists to see if anyone knows of more modern chips
working with FreeBSD 8.x. Or if you feel some chip on the list above is
up to the task of near about 1 Gb throughput across a PCIe and has
friendly vendor support for FreeBSD, I'd sure like to hear about that
too.
---
Ricky Charlet
Adara Networks
USA 408-433-4942

From owner-freebsd-security@FreeBSD.ORG Fri Sep 3 06:33:52 2010
From: Andre Oppermann
To: Ricky Charlet
Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org
Date: Fri, 03 Sep 2010 08:07:09 +0200
Subject: Re: seeking current supported crypto co-processors
Message-ID: <4C80908D.9030106@freebsd.org>
References: <32AB5C9615CC494997D9ABB1DB12783C024C8DE03A@SJ-EXCH-1.adaranet.com>
In-Reply-To: <32AB5C9615CC494997D9ABB1DB12783C024C8DE03A@SJ-EXCH-1.adaranet.com>

On 03.09.2010 02:35, Ricky Charlet wrote:
> Howdy,
>
> I'm seeking current cryptographic coprocessors supported in FreeBSD 8.x.
> By perusing through the crypto-dev (and subsequently referenced) man
> page(s) I found this list: Hifn 7751/7951/7811/7955/7956 crypto
> accelerator SafeNet 1141/1741 Bluesteel 5501/5601 Broadcom
> bcm5801/5802/5805/5820/5821/5822/5823/5825
>
> Those are all pretty old (and in some cases, no longer existent). I'm
> surveying these lists to see if anyone knows of more modern chips
> working with FreeBSD 8.x. Or if you feel some chip on the list above is
> up to the task of near about 1 Gb throughput across a PCIe and has
> friendly vendor support for FreeBSD, I'd sure like to hear about that
> too.

What crypto algorithms do you need?  Stream encryption and/or PKI KEX?

For AES stream encryption there are some CPUs that directly support the
crypto primitives on the silicon.  For newer x86/amd64 CPUs see:
 http://en.wikipedia.org/wiki/AES_instruction_set

A number of VIA x86 CPUs have supported a set of crypto algorithms
including stream cyphers, cryptographic hashing and RSA for quite some
time on their silicon.
 http://www.via.com.tw/en/initiatives/padlock/hardware.jsp

Other than that there are some embedded crypto engines with their own
(mostly MIPS based) single and multi-core CPUs.  AFAIK they have a
FreeBSD API and the FreeBSD MIPS port should work on at least some of
them:
 http://www.caviumnetworks.com/

Cavium also has some plug-in crypto accelerator cards under the brand
name Nitrox.  IIRC they have some drivers for FreeBSD available.
--
Andre

From: Ricky Charlet
Date: Fri, 3 Sep 2010 14:16:22 -0700
To: Andre Oppermann
Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org
Subject: RE: seeking current supported crypto co-processors

Thanks Andre,

I'm hoping not to get too distracted by which algorithms I want supported. To answer directly, I want the FIPS-140-2 algorithms in block modes and optionally the Suite-B NSA stuff too.
http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf
http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

But the main thrust of my question is not what algs are supported by what parts... but instead, are there PCIe attachable crypto co-processors with current vendor support for FreeBSD 8.x?

I appreciated your pointers to VIA and various MIPS and specifically Octeon processors. And I am newly enlightened by your pointers to very new Intel parts coming out with cipher/hash support... that may help me in the near future. But at the moment, I am currently bound to Intel parts without the AES feature set.

If anyone else reading this thread wants to chime in with info about current supported crypto co-processors that plug in via PCIe, please drop a note.

---
Ricky Charlet
Adara Networks
USA 408-433-4942
From: Kostik Belousov
Date: Sat, 4 Sep 2010 00:43:22 +0300
To: Ricky Charlet
Cc: freebsd-net@freebsd.org, Ivan Voras, freebsd-security@freebsd.org
Subject: Re: seeking current supported crypto co-processors

On Fri, Sep 03, 2010 at 02:26:37PM -0700, Ricky Charlet wrote:
> Thanks Ivan,
>
> You have some valid points about performance. I was hoping not to get distracted from the main thrust of my question by performance considerations though.
>
> Are there PCIe attachable crypto co-processors with current vendor support for FreeBSD 8.x? If anyone else reading this thread wants to chime in with info about current supported crypto co-processors that plug in via PCIe, please drop a note.
>
>
> However, I think you do deserve a reply on the performance topic...
>
> I am close enough to agreeing with you to not argue much about whether modern CPU parts can saturate a 1 Gb link with crypto data. The CPU part I am currently married to (a touch old but not that bad) seems to be able to throw around 200Mb of IP-ESP data around. However, in spite of these observations, I would prefer if my system could handle that throughput load and yet have CPU power left over for other tasks.
>
> I'm very attracted to Andre's mention of "newer x86/amd64
> CPUs see: http://en.wikipedia.org/wiki/AES_instruction_set". Does
> anyone know if FreeBSD supports or will support this through either
> /dev/crypto or through openssl (or any other mechanism I guess)?

I believe recent OpenSSL 1.x supports AESNI in usermode. For the AES
acceleration in the kernel and /dev/crypto support see the aesni driver
in the recent HEAD, working both on i386 and amd64 architectures.

I had a plan to merge the driver into RELENG_8, but it is stalled due to
some issues (not related to the driver quality).