From: gnn@FreeBSD.org
To: Robert Watson
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, Pawel Jakub Dawidek, cvs-all@FreeBSD.org
Date: Mon, 10 Apr 2006 23:29:42 +0800
Subject: Re: cvs commit: src/sys/netipsec ipsec.c ipsec.h xform_ah.c xform_esp.c

At Mon, 10 Apr 2006 15:24:51 +0100 (BST),
rwatson wrote:
> > Introduce two new sysctls:
> >
> > net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with
> >   the same sequence number. This allows to verify if the other side
> >   has proper replay attacks detection.
> >
> > net.inet.ipsec.test_integrity - When set to 1, IPsec will send packets with
> >   corrupted HMAC. This allows to verify if the other side properly
> >   detects modified packets.
> >
> > I used the first one to discover that we don't have proper replay attacks
> > detection in ESP (in fast_ipsec(4)).
>
> I wonder if these should be placed under "options REGRESSION", which
> I've been using to mask the availability of test sysctls that
> violate sensible security behavior (such as allowing the securelevel
> to be lowered).

IMHO, Yes, please. A regression test that set and used these would
also be welcome ;-)

Thanks,
George
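
Added example, not part of the original message and not FreeBSD's netipsec code: the kind of receiver-side check the two test sysctls are meant to exercise, a sliding anti-replay window combined with an integrity gate. The names esp_input_check and replay_state, the 32-packet window and the sample packets are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 32u            /* window size in packets (assumed) */

enum verdict { ACCEPT, DROP_REPLAY, DROP_INTEGRITY };

struct replay_state {                /* hypothetical per-SA receive state */
    uint32_t last_seq;               /* highest sequence number accepted */
    uint32_t bitmap;                 /* bit i set: (last_seq - i) was seen */
};

/* icv_ok is the result of the HMAC comparison, computed by the caller. */
static enum verdict
esp_input_check(struct replay_state *rs, uint32_t seq, int icv_ok)
{
    int ahead = seq > rs->last_seq;
    uint32_t diff = ahead ? seq - rs->last_seq : rs->last_seq - seq;

    if (seq == 0)
        return DROP_REPLAY;          /* sequence numbers start at 1 */
    if (!ahead && (diff >= REPLAY_WINDOW || (rs->bitmap & (1u << diff))))
        return DROP_REPLAY;          /* too old, or already seen */
    if (!icv_ok)
        return DROP_INTEGRITY;       /* forged packets never move the window */
    if (ahead) {                     /* new right edge: slide the window */
        rs->bitmap = diff < REPLAY_WINDOW ? (rs->bitmap << diff) | 1u : 1u;
        rs->last_seq = seq;
    } else {
        rs->bitmap |= 1u << diff;    /* late but in-window, first sighting */
    }
    return ACCEPT;
}

int main(void)
{
    /* Constructed input: seq 1 sent twice, a reordered 3, a corrupted 100. */
    static const struct { uint32_t seq; int icv_ok; } pkts[] = {
        {1, 1}, {1, 1}, {5, 1}, {3, 1}, {3, 1}, {100, 0}, {100, 1}, {5, 1},
    };
    static const char *names[] = { "accept", "drop (replay)", "drop (integrity)" };
    struct replay_state rs = { 0, 0 };

    for (size_t i = 0; i < sizeof(pkts) / sizeof(pkts[0]); i++)
        printf("seq %3u icv_ok=%d -> %s\n", (unsigned)pkts[i].seq,
            pkts[i].icv_ok, names[esp_input_check(&rs, pkts[i].seq, pkts[i].icv_ok)]);
    return 0;
}
```

The window is updated only after the integrity check passes, so a packet with a corrupted HMAC cannot advance last_seq and push legitimate traffic out of the window.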