Date: Fri, 16 Jun 2006 18:04:55 +0200
From: Max Laier <max@love2party.net>
To: "Scott Ullrich" <sullrich@gmail.com>
Cc: freebsd-net@freebsd.org, Andrew Thompson <thompsa@freebsd.org>, freebsd-arch@freebsd.org
Subject: Re: enc0 patch for ipsec
Message-ID: <200606161805.06651.max@love2party.net>
In-Reply-To: <d5992baf0606160841u39594c81y870a894b56d1e30c@mail.gmail.com>
References: <20060615225312.GB64552@heff.fud.org.nz> <200606161735.33801.max@love2party.net> <d5992baf0606160841u39594c81y870a894b56d1e30c@mail.gmail.com>

On Friday 16 June 2006 17:41, Scott Ullrich wrote:
> On 6/16/06, Max Laier <max@love2party.net> wrote:
> > I think it should get a "device enc" on its own.  Some people might
> > consider enc(4) to be a security problem so getting it with FAST_IPSEC
> > automatically isn't preferable.
>
> You have to specifically create the enc0 interface (ifconfig enc0
> create) before it becomes active.  Otherwise it will not hit the enc
> code path unless the device is created.

The issue is, if an attacker manages to get root on your box they are
automatically able to read your IPSEC traffic ending at that box.  If you
don't have enc(4) compiled in, that would be more difficult to do.  Same
reason you don't want SADB_FLUSH on by default.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News