Date: Fri, 16 Jun 2006 18:14:12 +0200 From: Max Laier <max@love2party.net> To: "Scott Ullrich" <sullrich@gmail.com> Cc: freebsd-net@freebsd.org, Andrew Thompson <thompsa@freebsd.org>, freebsd-arch@freebsd.org Subject: Re: enc0 patch for ipsec Message-ID: <200606161814.19336.max@love2party.net> In-Reply-To: <d5992baf0606160909q66df7c05wf0cd133196339f03@mail.gmail.com> References: <20060615225312.GB64552@heff.fud.org.nz> <200606161805.06651.max@love2party.net> <d5992baf0606160909q66df7c05wf0cd133196339f03@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart4390624.zale1C6xGP Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Friday 16 June 2006 18:09, Scott Ullrich wrote: > On 6/16/06, Max Laier <max@love2party.net> wrote: > > The issue is, if an attacker manages to get root on your box they are > > automatically able to read your IPSEC traffic ending at that box. If y= ou > > don't have enc(4) compiled in, that would be more difficult to do. Same > > reason you don't want SADB_FLUSH on by default. > > Okay, this makes sense. But couldn't you also argue that if someone > gets access to the machine they could also use tcpdump to do the same > thing technically on the internal interface? Just playing devils > advocate.. :) Think tunnel2tunnel or an SA for a local connection, then. Given, if you a= re=20 root you *might* have other means to obtain that information, but that is w= hy=20 we have a switch to turn off bpf, kmem or the like. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart4390624.zale1C6xGP Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQBEktjbXyyEoT62BG0RAmjNAJ9WLPc7LByESWUlyzHR/dt0J9OiigCbBAms Fo8vKq0DHjCKaUeltXeskjk= =FL6S -----END PGP SIGNATURE----- --nextPart4390624.zale1C6xGP--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200606161814.19336.max>