From owner-freebsd-questions@FreeBSD.ORG Wed Dec 15 20:46:29 2010
From: Arthur Chance
Date: Wed, 15 Dec 2010 20:46:27 +0000
To: FreeBSD-Questions
Subject: Re: FreeBSD IPSec stack contains backdoors?
Message-ID: <4D092923.8070709@qeng-ho.org>

[Top posting edited out, with heavy elisions]

On 12/15/10 17:55, bsd wrote:
> On 15 Dec 2010 at 15:23, Victor Lyapunov wrote:
>> Recently OpenBSD developer Gregory Perry disclosed information about
>> possible backdoors in the OpenBSD IPSec stack.
>>
>> As far as I am aware, FreeBSD contains a considerable amount of code
>> ported from OpenBSD. The question is: was FreeBSD's IPSec code
>> ported from OpenBSD's implementation? If so, what might be the impact
>> of this?
> This is not so clear!
>
> http://www.itworld.com/open-source/130820/openbsdfbi-allegations-denied-named-participant

Possibly a little more information:

http://www.theregister.co.uk/2010/12/15/openbsd_backdoor_claim/

> We should ask competent persons like Colin Percival… the FreeBSD Security Officer since 2005.
> He would have a point of view much more precise than any one of us could have.

I have no doubt he's looking at it, but waiting until he knows something
before making an announcement. Let him take as much time as he needs.
Auditing the code seems a good idea, panicking about it a bad one.

How many people actually use IPSec anyway? The one time I was forced to
use it, it seemed like a hideous, designed-by-committee nightmare.
(Having to set up incoming and outgoing crypto independently, who
thought that was a good idea?) I'd always use something like OpenVPN by
preference.

--
"Although the wombat is real and the dragon is not, few know what a
wombat looks like, but everyone knows what a dragon looks like."
-- Avram Davidson, _Adventures in Unhistory_