Date: Fri, 16 Jun 2006 18:04:55 +0200
From: Max Laier <max@love2party.net>
To: "Scott Ullrich" <sullrich@gmail.com>
Cc: freebsd-net@freebsd.org, Andrew Thompson <thompsa@freebsd.org>, freebsd-arch@freebsd.org
Subject: Re: enc0 patch for ipsec
Message-ID: <200606161805.06651.max@love2party.net>
In-Reply-To: <d5992baf0606160841u39594c81y870a894b56d1e30c@mail.gmail.com>
References: <20060615225312.GB64552@heff.fud.org.nz> <200606161735.33801.max@love2party.net> <d5992baf0606160841u39594c81y870a894b56d1e30c@mail.gmail.com>
On Friday 16 June 2006 17:41, Scott Ullrich wrote:
> On 6/16/06, Max Laier <max@love2party.net> wrote:
> > I think it should get a "device enc" on its own. Some people might
> > consider enc(4) to be a security problem so getting it with FAST_IPSEC
> > automatically isn't preferable.
>
> You have to specifically create the enc0 interface (ifconfig enc0
> create) before it becomes active. Otherwise it will not hit the enc
> code path unless the device is created.

The issue is, if an attacker manages to get root on your box, they are
automatically able to read your IPSEC traffic ending at that box. If you
don't have enc(4) compiled in, that would be more difficult to do. Same
reason you don't want SADB_FLUSH on by default.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
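The exposure Max describes is easy to audit: if an enc interface exists, root can attach bpf to it and read IPsec cleartext; if enc(4) is merely compiled in or loadable, root is one `ifconfig enc0 create` away from that. The following script is an added example, not code from this thread or from FreeBSD, that turns those two conditions into a check. It assumes the later FreeBSD names for the pieces, which the thread does not state: a `device enc` line in the kernel config, a loadable module named `if_enc.ko` shown by `kldstat`, and `sysctl kern.conftxt` as the way to read the running kernel's config (empty unless the kernel was built with INCLUDE_CONFIG_FILE). Each test takes its input as text so it can be exercised on constructed samples without a FreeBSD host.

```shell
#!/bin/sh
# Added audit check, not code from the thread or from FreeBSD: decide whether
# a host could let a root-level attacker read IPsec cleartext through enc(4).
# Each test takes its input text as an argument so the logic runs offline;
# the live call at the bottom feeds it real command output on FreeBSD only.
# Assumed names (not stated in the thread): the config line "device enc",
# the module file if_enc.ko, and sysctl kern.conftxt for the running config.

# Does a kernel config text contain an uncommented "device enc" line?
kernel_has_enc() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*device[[:space:]]+enc([[:space:]]|$)'
}

# Does kldstat output list the enc module?
module_has_enc() {
    printf '%s\n' "$1" | grep -q 'if_enc\.ko'
}

# Does an "ifconfig -l" interface list contain an encN interface?
iface_has_enc() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -Eq '^enc[0-9]+$'
}

# Verdict. The exit status encodes the exposure level so callers can act on it:
#   0  an enc interface exists: root can capture cleartext now (tcpdump -i enc0)
#   1  enc(4) is present but no interface is created: one ifconfig away
#   2  enc(4) is neither compiled in nor loaded
enc_exposure() {
    kconf=$1; kld=$2; ifaces=$3
    if iface_has_enc "$ifaces"; then
        echo "WARNING: enc interface present; IPsec cleartext is readable via bpf"
        return 0
    elif kernel_has_enc "$kconf" || module_has_enc "$kld"; then
        echo "NOTICE: enc(4) available but not created; 'ifconfig enc0 create' would expose cleartext"
        return 1
    else
        echo "OK: enc(4) not compiled in and not loaded"
        return 2
    fi
}

# Live run, only on FreeBSD. If kern.conftxt is empty (kernel built without
# INCLUDE_CONFIG_FILE) only the module and interface checks contribute.
if [ "$(uname -s 2>/dev/null)" = FreeBSD ]; then
    enc_exposure "$(sysctl -n kern.conftxt 2>/dev/null)" \
                 "$(kldstat 2>/dev/null)" \
                 "$(ifconfig -l 2>/dev/null)"
fi
```

The interface check is deliberately first: a created enc0 is the condition that matters right now, whereas a compiled-in or loadable driver is a latent condition that only shows up once someone with root runs `ifconfig enc0 create`. A result of 2 is the state Max argues for as the default, where the attacker would have to bring their own kernel code rather than use a driver that is already there.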
