Date: Mon, 10 Apr 2006 23:29:42 +0800 From: gnn@FreeBSD.org To: Robert Watson <rwatson@FreeBSD.org> Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, Pawel Jakub Dawidek <pjd@FreeBSD.org>, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/netipsec ipsec.c ipsec.h xform_ah.c xform_esp.c Message-ID: <m2u0911mah.wl%gnn@neville-neil.com> In-Reply-To: <20060410152403.T78784@fledge.watson.org> References: <200604091911.k39JBjWI092325@repoman.freebsd.org> <20060410152403.T78784@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
At Mon, 10 Apr 2006 15:24:51 +0100 (BST), rwatson wrote: > > Introduce two new sysctls: > > > > net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with > > the same sequence number. This allows to verify if the other side > > has proper replay attacks detection. > > > > net.inet.ipsec.test_integrity - When set 1, IPsec will send packets with > > corrupted HMAC. This allows to verify if the other side properly > > detects modified packets. > > > > I used the first one to discover that we don't have proper replay attacks > > detection in ESP (in fast_ipsec(4)). > > I wonder if these should be placed under "options REGRESSION", which > I've been using to mask the availability of test sysctls that > violate sensible security behavior (such as allowing the securelevel > to be lowered). IMHO, Yes, please. A regression test that set and used these would also be welcome ;-) Thanks, George
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?m2u0911mah.wl%gnn>