Date: Mon, 10 Apr 2006 15:24:51 +0100 (BST)
From: Robert Watson
To: Pawel Jakub Dawidek
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netipsec ipsec.c ipsec.h xform_ah.c xform_esp.c
Message-ID: <20060410152403.T78784@fledge.watson.org>
In-Reply-To: <200604091911.k39JBjWI092325@repoman.freebsd.org>

On Sun, 9 Apr 2006, Pawel Jakub Dawidek wrote:

> Introduce two new sysctls:
>
> net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with
> the same sequence number. This allows to verify if the other side
> has proper replay attacks detection.
>
> net.inet.ipsec.test_integrity - When set to 1, IPsec will send packets with
> corrupted HMAC. This allows to verify if the other side properly
> detects modified packets.
>
> I used the first one to discover that we don't have proper replay attacks
> detection in ESP (in fast_ipsec(4)).

I wonder if these should be placed under "options REGRESSION", which I've been
using to mask the availability of test sysctls that violate sensible security
behavior (such as allowing the securelevel to be lowered).

Robert N M Watson
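The receiver-side behaviour that the two test sysctls in the quoted commit message are meant to exercise, as an added example that is not part of the original message and is not the FreeBSD netipsec code: a sliding-window anti-replay check in the style of the scheme described in RFC 4303, updated only after the integrity check passes. The 64-packet window, all names, and the packet trace are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64u        /* assumed window size, in packets */

struct replay_state {
    uint32_t last_seq;           /* highest sequence number authenticated so far */
    uint64_t bitmap;             /* bit i set: (last_seq - i) was already accepted */
};

/* Cheap pre-check done before the ICV is verified; does not modify state. */
static int replay_check(const struct replay_state *rs, uint32_t seq)
{
    if (seq == 0) return 0;                       /* sequence numbers start at 1 */
    if (seq > rs->last_seq) return 1;             /* ahead of the window: new */
    uint32_t diff = rs->last_seq - seq;
    if (diff >= REPLAY_WINDOW) return 0;          /* older than the window */
    return (rs->bitmap & (UINT64_C(1) << diff)) == 0;   /* 0 if duplicate */
}

/* Record seq as seen. Call only for packets that passed replay_check and ICV. */
static void replay_update(struct replay_state *rs, uint32_t seq)
{
    if (seq > rs->last_seq) {
        uint32_t shift = seq - rs->last_seq;
        rs->bitmap = (shift >= REPLAY_WINDOW) ? 0 : rs->bitmap << shift;
        rs->bitmap |= 1;
        rs->last_seq = seq;
    } else {
        rs->bitmap |= UINT64_C(1) << (rs->last_seq - seq);
    }
}

/* icv_ok stands in for the result of HMAC verification (hypothetical input). */
static int receive_packet(struct replay_state *rs, uint32_t seq, int icv_ok)
{
    if (!replay_check(rs, seq)) return 0;   /* what test_replay should trigger */
    if (!icv_ok) return 0;                  /* what test_integrity should trigger */
    replay_update(rs, seq);                 /* window moves only on authentic packets */
    return 1;
}

/* Constructed trace; returns a bitmask with bit i set if packet i was accepted. */
static unsigned run_constructed_trace(void)
{
    static const struct { uint32_t seq; int icv_ok; } pkts[] = {
        {1,1}, {1,1}, {3,1}, {2,1}, {4,0}, {4,1}, {100,1}, {36,1}, {37,1} };
    struct replay_state rs = {0, 0};
    unsigned mask = 0;
    for (unsigned i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        if (receive_packet(&rs, pkts[i].seq, pkts[i].icv_ok)) mask |= 1u << i;
    return mask;
}

int main(void) { printf("accepted mask: 0x%x\n", run_constructed_trace()); return 0; }
```

In the trace, the second packet with sequence number 1 is dropped as a replay, the corrupted packet with sequence number 4 is dropped without advancing the window so the authentic copy is still accepted, and sequence number 36 is dropped as too old once 100 has been seen.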