From owner-freebsd-arch@FreeBSD.ORG Fri Jun 16 16:14:22 2006 Return-Path: X-Original-To: freebsd-arch@freebsd.org Delivered-To: freebsd-arch@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1D8D316A479; Fri, 16 Jun 2006 16:14:22 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.187]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5F95143D49; Fri, 16 Jun 2006 16:14:21 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.178.14] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu0) with ESMTP (Nemesis), id 0MKwh2-1FrGxg0zHV-0000Bm; Fri, 16 Jun 2006 18:14:20 +0200 From: Max Laier Organization: FreeBSD To: "Scott Ullrich" Date: Fri, 16 Jun 2006 18:14:12 +0200 User-Agent: KMail/1.9.1 References: <20060615225312.GB64552@heff.fud.org.nz> <200606161805.06651.max@love2party.net> In-Reply-To: X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart4390624.zale1C6xGP"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200606161814.19336.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: freebsd-net@freebsd.org, Andrew Thompson , freebsd-arch@freebsd.org Subject: Re: enc0 patch for ipsec X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Jun 2006 16:14:22 -0000 --nextPart4390624.zale1C6xGP Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Friday 16 June 2006 18:09, Scott Ullrich wrote: > On 6/16/06, Max Laier wrote: > > The issue is, if an attacker manages to get root on your box they are > > automatically able to read your IPSEC traffic ending at that box. If y= ou > > don't have enc(4) compiled in, that would be more difficult to do. Same > > reason you don't want SADB_FLUSH on by default. > > Okay, this makes sense. But couldn't you also argue that if someone > gets access to the machine they could also use tcpdump to do the same > thing technically on the internal interface? Just playing devils > advocate.. :) Think tunnel2tunnel or an SA for a local connection, then. Given, if you a= re=20 root you *might* have other means to obtain that information, but that is w= hy=20 we have a switch to turn off bpf, kmem or the like. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart4390624.zale1C6xGP Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQBEktjbXyyEoT62BG0RAmjNAJ9WLPc7LByESWUlyzHR/dt0J9OiigCbBAms Fo8vKq0DHjCKaUeltXeskjk= =FL6S -----END PGP SIGNATURE----- --nextPart4390624.zale1C6xGP--