From owner-freebsd-security@freebsd.org Wed Jul 29 16:11:05 2015
Date: Wed, 29 Jul 2015 09:11:04 -0700
From: John-Mark Gurney
To: George Neville-Neil
Cc: Adrian Chadd, freebsd-security@freebsd.org, Daniel Plominski, FreeBSD Net
Subject: Re: remove IPsec SKIPJACK support...
Message-ID: <20150729161103.GJ78154@funkthat.com>
References: <20150728005730.GL78154@funkthat.com> <1DB60250-D362-4115-92F6-E27B7A5897C3@netgate.com> <20150728034157.GO78154@funkthat.com> <5E419103-3111-4ADC-A49F-B703BBBC9C5F@netgate.com> <20150728060740.GP78154@funkthat.com> <55B768DC.6020009@Plominski.eu>
List-Id: "Security issues [members-only posting]"

George Neville-Neil wrote this message on Wed, Jul 29, 2015 at 10:35 -0400:
> That's fine so long as it's removed in HEAD now, and then the warning can
> go into 10 aka 10.3.

As I said, setkey doesn't support it... and I looked at the ports for racoon2 and strongswan (strongswan has it in their library), and neither supports it... Are there any other programs (besides custom software) that can do secdb manipulations that could possibly create a skipjack sdb entry? If not, putting a warning into 9 and 10 seems excessive for a feature that people can't even use...
> On 28 Jul 2015, at 13:25, Adrian Chadd wrote:
> > I'd put together a deprecation plan, which starts with the kernel
> > warning that this stuff is being removed, MFC that to stable/10 and
> > stable/9 so people aren't surprised when they upgrade, and then have
> > it removed in 11.

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
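The practical question raised in this thread is whether any host actually has a SKIPJACK security association before the kernel support goes away. The check below is an added example, not code from the thread or from the FreeBSD tree: it filters a `setkey -D` style SADB dump and reports every ESP SA whose cipher line names skipjack. The dump format (a non-indented "src dst" line, then indented "esp ... spi=N(0x...)" and "E: <cipher> <key>" lines) and the cipher name "skipjack-cbc" are assumptions; the sample dump embedded in the script is constructed, not captured from a real system. Run the real check as `setkey -D | audit_sadb_for_skipjack` on a stable/9 or stable/10 box before upgrading.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): audit an IPsec SADB
# dump for SAs that still use the deprecated SKIPJACK cipher.
#
# Assumed dump layout (setkey -D style):
#   10.0.0.1 10.0.0.2                         <- new SA record: src dst
#       esp mode=transport spi=4096(0x00001000) reqid=0(0x00000000)
#       E: rijndael-cbc  <hex key>            <- encryption algorithm line
#       A: hmac-sha1  <hex key>
#
# Usage: setkey -D | audit_sadb_for_skipjack
# Prints "src dst spi cipher" for each offending SA; exit status is 1 if
# any SKIPJACK SA was found, 0 otherwise.
audit_sadb_for_skipjack() {
    awk '
        # A non-indented line with exactly two fields starts a new SA record.
        /^[^ \t]/ && NF == 2 { src = $1; dst = $2; spi = ""; next }

        # Protocol line: pull the decimal SPI out of "spi=N(0x...)".
        /^[ \t]+(esp|ah|ipcomp) / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^spi=/) {
                    spi = $i
                    sub(/^spi=/, "", spi)
                    sub(/\(.*$/, "", spi)
                }
            next
        }

        # Encryption algorithm line; match the cipher name case-insensitively.
        /^[ \t]+E: / && tolower($2) ~ /skipjack/ {
            print src, dst, spi, $2
            found = 1
        }

        END { if (found) exit 1; exit 0 }
    '
}

# Constructed sample dump: one AES SA and one SKIPJACK SA (80-bit key).
SAMPLE_SADB='10.0.0.1 10.0.0.2
	esp mode=transport spi=4096(0x00001000) reqid=0(0x00000000)
	E: rijndael-cbc  0123456789abcdef0123456789abcdef
	A: hmac-sha1  0123456789abcdef0123456789abcdef01234567
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.2 10.0.0.1
	esp mode=transport spi=4097(0x00001001) reqid=0(0x00000000)
	E: skipjack-cbc  0123456789abcdef0123
	A: hmac-sha1  0123456789abcdef0123456789abcdef01234567
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
'

# Constructed sample dump with no SKIPJACK SA, for comparison.
SAMPLE_CLEAN='10.0.0.1 10.0.0.2
	esp mode=transport spi=4096(0x00001000) reqid=0(0x00000000)
	E: rijndael-cbc  0123456789abcdef0123456789abcdef
	A: hmac-sha1  0123456789abcdef0123456789abcdef01234567
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
'

# Stand-alone demonstration against the constructed dump.
if printf '%s' "$SAMPLE_SADB" | audit_sadb_for_skipjack; then
    echo "no SKIPJACK SAs in sample dump"
else
    echo "SKIPJACK SAs found in sample dump (listed above); fix before upgrading"
fi
```

The script keys on the "E:" line rather than on the whole record so that AH-only SAs and the authentication algorithm line are ignored; if your `setkey` prints an unknown cipher as something other than a name containing "skipjack", adjust the pattern in the third awk rule accordingly.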