Date: Sun, 9 Apr 2006 19:11:45 +0000 (UTC)
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/netipsec ipsec.c ipsec.h xform_ah.c xform_esp.c
Message-ID: <200604091911.k39JBjWI092325@repoman.freebsd.org>
pjd 2006-04-09 19:11:45 UTC
FreeBSD src repository
Modified files:
sys/netipsec ipsec.c ipsec.h xform_ah.c xform_esp.c
Log:
Introduce two new sysctls:

net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with
the same sequence number. This allows verifying if the other side
has proper replay attack detection.

net.inet.ipsec.test_integrity - When set to 1, IPsec will send packets with
corrupted HMAC. This allows verifying if the other side properly
detects modified packets.

I used the first one to discover that we don't have proper replay attack
detection in ESP (in fast_ipsec(4)).
Revision  Changes    Path
1.15      +15 -0     src/sys/netipsec/ipsec.c
1.10      +2 -0      src/sys/netipsec/ipsec.h
1.11      +15 -1     src/sys/netipsec/xform_ah.c
1.16      +22 -1     src/sys/netipsec/xform_esp.c
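The receiver-side behaviour these two sysctls are meant to exercise, as an added example that is not part of the commit or of the netipsec code: a 32-packet anti-replay window for 32-bit sequence numbers that drops duplicates and only advances after the integrity check passes. The names rx_check, replay_state and REPLAY_WSIZE are hypothetical, and icv_ok stands in for the result of an HMAC comparison assumed to be done elsewhere.

```c
#include <stdint.h>

#define REPLAY_WSIZE 32u   /* window size in packets (assumed value) */

enum rx_verdict { RX_ACCEPT, RX_DROP_REPLAY, RX_DROP_BAD_ICV };

/* Hypothetical per-SA receive state; not the netipsec structure. */
struct replay_state {
    uint32_t last_seq;  /* highest authenticated sequence number */
    uint32_t bitmap;    /* bit i set => (last_seq - i) already accepted */
};

/* icv_ok: result of the HMAC comparison, assumed computed by the caller. */
enum rx_verdict rx_check(struct replay_state *rs, uint32_t seq, int icv_ok)
{
    uint32_t diff;

    if (seq == 0)
        return RX_DROP_REPLAY;      /* 0 is never a valid sequence number */
    if (seq <= rs->last_seq) {
        diff = rs->last_seq - seq;
        if (diff >= REPLAY_WSIZE)
            return RX_DROP_REPLAY;  /* older than the window */
        if (rs->bitmap & (1u << diff))
            return RX_DROP_REPLAY;  /* duplicate: the test_replay case */
    }
    if (!icv_ok)
        return RX_DROP_BAD_ICV;     /* test_integrity case; state untouched */
    if (seq > rs->last_seq) {
        diff = seq - rs->last_seq;
        rs->bitmap = (diff >= REPLAY_WSIZE) ? 1u : ((rs->bitmap << diff) | 1u);
        rs->last_seq = seq;
    } else {
        rs->bitmap |= 1u << (rs->last_seq - seq);
    }
    return RX_ACCEPT;
}

int main(void)
{
    struct replay_state rs = {0, 0};
    /* Constructed traffic: the same sequence number sent twice. */
    int first = rx_check(&rs, 1, 1);
    int second = rx_check(&rs, 1, 1);
    return (first == RX_ACCEPT && second == RX_DROP_REPLAY) ? 0 : 1;
}
```

Updating the window only after the integrity check succeeds matters: otherwise a packet with a corrupted HMAC and a high sequence number would slide the window forward and cause legitimate packets to be dropped.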
