Date: Fri, 16 Jun 2006 10:22:22 -0700
From: Gordon Tetlow <gordon@FreeBSD.org>
To: Max Laier <max@love2party.net>
Cc: freebsd-net@FreeBSD.org, freebsd-arch@FreeBSD.org, Andrew Thompson <thompsa@FreeBSD.org>, Scott Ullrich <sullrich@gmail.com>
Subject: Re: enc0 patch for ipsec
Message-ID: <4492E8CE.1020405@FreeBSD.org>
In-Reply-To: <200606161805.06651.max@love2party.net>
References: <20060615225312.GB64552@heff.fud.org.nz> <200606161735.33801.max@love2party.net> <d5992baf0606160841u39594c81y870a894b56d1e30c@mail.gmail.com> <200606161805.06651.max@love2party.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Max Laier wrote:
> On Friday 16 June 2006 17:41, Scott Ullrich wrote:
>> On 6/16/06, Max Laier <max@love2party.net> wrote:
>>> I think it should get a "device enc" on its own. Some people might
>>> consider enc(4) to be a security problem so getting it with FAST_IPSEC
>>> automatically isn't preferable.
>> You have to specifically create the enc0 interface (ifconfig enc0
>> create) before it becomes active. Otherwise it will not hit the enc
>> code path unless the device is created.
>
> The issue is, if an attacker manages to get root on your box they are
> automatically able to read your IPSEC traffic ending at that box. If you
> don't have enc(4) compiled in, that would be more difficult to do. Same
> reason you don't want SADB_FLUSH on by default.

Max is absolutely right here. The snooping interface should be a separate
option altogether (a la bpf).

- -gordon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEktfGRu2t9DV9ZfsRAvyzAJ9jnUigVW7t2SGV89vXStXAZ30b7QCeJ4tZ
tBeTqHk9LofxCRf40uFvpZE=
=RGmG
-----END PGP SIGNATURE-----
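The thread's point is that whether enc(4) is compiled into the kernel is a build-time decision, separate from whether an enc0 interface is later created with ifconfig. The script below is an added example, not part of the thread or of FreeBSD, that audits a kernel configuration file for that decision: it reports whether FAST_IPSEC is enabled and whether the enc(4) snooping device is compiled in alongside it, ignoring commented-out lines. The directive names "device enc" and "options FAST_IPSEC" are FreeBSD kernel config syntax; the sample configuration files it writes are constructed for the demonstration and are not real kernel configs.

```shell
#!/bin/sh
# Added example (not from the thread): audit a FreeBSD kernel config file for
# the enc(4) packet-snooping interface. Sample configs below are constructed.

# Return 0 if an uncommented "device enc" line is present, 1 otherwise.
# Comments are stripped first so "#device enc" does not count as enabled.
has_enc() {
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*device[[:space:]]+enc[[:space:]]*$'
}

# Return 0 if an uncommented "options FAST_IPSEC" line is present.
has_fast_ipsec() {
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*options[[:space:]]+FAST_IPSEC[[:space:]]*$'
}

# Print one of: ipsec-with-enc, ipsec-without-enc, no-ipsec.
# "ipsec-with-enc" is the case the thread warns about: a root compromise
# can then observe decrypted IPsec traffic once enc0 is created.
audit_kernconf() {
    if has_fast_ipsec "$1"; then
        if has_enc "$1"; then
            echo ipsec-with-enc
        else
            echo ipsec-without-enc
        fi
    else
        echo no-ipsec
    fi
}

# Constructed sample: IPsec plus the snooping device compiled in.
write_sample_default() {
    cat > "$1" <<'EOF'
ident   DEFAULT          # constructed sample, not a real config
options FAST_IPSEC
device  enc
device  bpf
EOF
}

# Constructed sample: IPsec without enc(4); the device line is commented out
# to show that the comment-stripping check treats it as absent.
write_sample_hardened() {
    cat > "$1" <<'EOF'
ident   HARDENED         # constructed sample, not a real config
options FAST_IPSEC       # IPsec stays on
#device enc              # snooping interface deliberately left out
device  bpf
EOF
}

# Demonstration run over the two constructed configs.
tmp=$(mktemp -d)
write_sample_default "$tmp/DEFAULT"
write_sample_hardened "$tmp/HARDENED"
for conf in "$tmp/DEFAULT" "$tmp/HARDENED"; do
    printf '%s: %s\n' "$(basename "$conf")" "$(audit_kernconf "$conf")"
done
rm -rf "$tmp"
```

Run it against a real kernel config with `audit_kernconf /usr/src/sys/amd64/conf/GENERIC` (or whichever config you build from) to see which of the three states your kernel is in; "ipsec-without-enc" is the configuration Max and Gordon argue should be the default.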