From owner-freebsd-security@freebsd.org Tue Jul 28 17:26:00 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A83109AC14D; Tue, 28 Jul 2015 17:26:00 +0000 (UTC) (envelope-from adrian.chadd@gmail.com) Received: from mail-ig0-x235.google.com (mail-ig0-x235.google.com [IPv6:2607:f8b0:4001:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 750E17E9; Tue, 28 Jul 2015 17:26:00 +0000 (UTC) (envelope-from adrian.chadd@gmail.com) Received: by igbij6 with SMTP id ij6so125739389igb.1; Tue, 28 Jul 2015 10:26:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JM5x/IFesFIhB23B3FG4lbQXh22p7435zFFbTO3IJA4=; b=O5bqKeSJfzqUnSURlkCKXXntQn75gFGxiatSSGI5YrSUwGJ+waqdlJjbnRz3bBUEjx ePnS9i1KsxIRUQmlvBqbveBm0QUc5qExFsd9vmIOoSc1NAGqAEadTJP79hbBVGf6X7Z3 GMv8jE2V0n6Idi/1lrWfXGqzSz8OsMO1krIFqJY83l1x0bQRwTBsLs/Dgl1oq67IxdnL RZGx+dEoPUgPt7PGkTbmaZhVS+PVfWyUIUZP1Yz24q4Bi860U+GtNwzxKygSk81qA7sn Wtg/tfgX2sac/3k9KMKTsL5SwUhPvpF3whn6A9cewfCYtpmFjksyp2th+9/q2nwKFd/a IFqw== MIME-Version: 1.0 X-Received: by 10.50.122.40 with SMTP id lp8mr8905850igb.49.1438104359996; Tue, 28 Jul 2015 10:25:59 -0700 (PDT) Received: by 10.36.38.133 with HTTP; Tue, 28 Jul 2015 10:25:59 -0700 (PDT) In-Reply-To: <55B768DC.6020009@Plominski.eu> References: <20150728005730.GL78154@funkthat.com> <1DB60250-D362-4115-92F6-E27B7A5897C3@netgate.com> <20150728034157.GO78154@funkthat.com> <5E419103-3111-4ADC-A49F-B703BBBC9C5F@netgate.com> <20150728060740.GP78154@funkthat.com> <55B768DC.6020009@Plominski.eu> Date: Tue, 28 Jul 2015 10:25:59 -0700 Message-ID: Subject: Re: remove IPsec SKIPJACK support... From: Adrian Chadd To: Daniel Plominski Cc: freebsd-security@freebsd.org, FreeBSD Net Content-Type: text/plain; charset=UTF-8 X-Mailman-Approved-At: Tue, 28 Jul 2015 17:38:31 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jul 2015 17:26:00 -0000 Hi, I'd put together a deprecation plan, which starts with the kernel warning that this stuff is being removed, MFC that to stable/10 and stable/9 so people aren't surprised when they upgrade, and then have it removed in 11. -adrian On 28 July 2015 at 04:34, Daniel Plominski wrote: > instead of code to remove it is a better idea manuals to revise, people > depend on old recommendations like > https://www.freebsd.org/doc/handbook/ipsec.html > > would be better: > https://blog.plitc.eu/2014/freebsd-10-ipv4-vpn-relay-ipsec-entryopenvpn-middleopenvpn-exit-node-mit-jails/ > > or the racoon example from: > https://blog.plitc.eu/2014/freebsd-10-ipv4-ipsec-net-to-net-vpn-in-der-jail/ > > best regards > > Daniel >