Date:      Fri, 16 Jun 2006 19:43:54 +0200
From:      Andre Oppermann <andre@freebsd.org>
To:        Max Laier <max@love2party.net>
Cc:        freebsd-net@freebsd.org, freebsd-arch@freebsd.org, Andrew Thompson <thompsa@freebsd.org>, Scott Ullrich <sullrich@gmail.com>
Subject:   Re: enc0 patch for ipsec
Message-ID:  <4492EDDA.6080406@freebsd.org>
In-Reply-To: <200606161805.06651.max@love2party.net>
References:  <20060615225312.GB64552@heff.fud.org.nz> <200606161735.33801.max@love2party.net> <d5992baf0606160841u39594c81y870a894b56d1e30c@mail.gmail.com> <200606161805.06651.max@love2party.net>

Max Laier wrote:
> On Friday 16 June 2006 17:41, Scott Ullrich wrote:
>> On 6/16/06, Max Laier <max@love2party.net> wrote:
>>> I think it should get a "device enc" on its own.  Some people might
>>> consider enc(4) to be a security problem so getting it with FAST_IPSEC
>>> automatically isn't preferable.
>> You have to specifically create the enc0 interface (ifconfig enc0
>> create) before it becomes active.  Otherwise it will not hit the enc
>> code path unless the device is created.
> 
> The issue is, if an attacker manages to get root on your box they are 
> automatically able to read your IPSEC traffic ending at that box.  If you 
> don't have enc(4) compiled in, that would be more difficult to do.  Same 
> reason you don't want SADB_FLUSH on by default.

*If* someone manages to get root on your IPSEC endpoint you've
lost anyway. The availability of enc(4) then is no longer of
importance.

-- 
Andre