From: "Scott Ullrich" <sullrich@gmail.com>
To: "Max Laier"
Cc: freebsd-net@freebsd.org, Andrew Thompson, freebsd-arch@freebsd.org
Date: Fri, 16 Jun 2006 12:09:03 -0400
Subject: Re: enc0 patch for ipsec
In-Reply-To: <200606161805.06651.max@love2party.net>
References: <20060615225312.GB64552@heff.fud.org.nz> <200606161735.33801.max@love2party.net> <200606161805.06651.max@love2party.net>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

On 6/16/06, Max Laier wrote:
> The issue is, if an attacker manages to get root on your box they are
> automatically able to read your IPSEC traffic ending at that box. If you
> don't have enc(4) compiled in, that would be more difficult to do. Same
> reason you don't want SADB_FLUSH on by default.

Okay, this makes sense. But couldn't you also argue that if someone gets access to the machine they could also use tcpdump to do the same thing technically on the internal interface? Just playing devil's advocate.. :)