From owner-freebsd-stable Fri Oct 4 7:44:44 2002 Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E489437B401 for ; Fri, 4 Oct 2002 07:44:42 -0700 (PDT) Received: from infinity.aesredfish.net (ns1.aesredfish.net [65.168.0.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1B08643E6E for ; Fri, 4 Oct 2002 07:44:42 -0700 (PDT) (envelope-from wmoran@potentialtech.com) Received: from potentialtech.com (mhope-dhcp-65-168-1-181.dashfast.com [65.168.1.181]) by infinity.aesredfish.net (8.11.6/8.11.0) with ESMTP id g94EiXW13163; Fri, 4 Oct 2002 10:44:33 -0400 Message-ID: <3D9DAB2D.3060306@potentialtech.com> Date: Fri, 04 Oct 2002 10:52:29 -0400 From: Bill Moran User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0rc1) Gecko/20020502 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Vivek Khera Cc: stable@freebsd.org Subject: Re: IPSEC warning -- what are alternatives? References: <15773.39612.629029.716325@onceler.kciLink.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Vivek Khera wrote: > Every time IPsec fires up on my 4.6 thru 4.7.2 machines, I get this > warning: > > WARNING: pseudo-random number generator used for IPsec processing > > I'm just curious as to what alternatives I have for the random number > source, or is just an informational message reminding me that my > randomness sucks? Google found all of 5 pages on the web containing > that warning, and none of them were *about* that warning. Read "man 4 random", and pay special attention to the paragraph about urandom and random. On a personal level, I've found that networking applications (vpnd was the experience) don't get enough data from /dev/random and will stall. With /dev/urandom, the theoretical "guessibility" of the "random" data is higher, but I've never heard of anyone getting cracked because they used /dev/urandom. You may also want to look at rndcontrol. You might possibly be able to tweak the random number generator so that /dev/random produces enough data to feed IPsec. I haven't tried this, however, so I don't know. -- Bill Moran Potential Technologies http://www.potentialtech.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message