Date:      Wed, 29 Jul 2015 10:10:52 -0700
From:      John-Mark Gurney <jmg@funkthat.com>
To:        George Neville-Neil <gnn@neville-neil.com>
Cc:        Adrian Chadd <adrian.chadd@gmail.com>, freebsd-security@freebsd.org, Daniel Plominski <Daniel@plominski.eu>, FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: remove IPsec SKIPJACK support...
Message-ID:  <20150729171052.GK78154@funkthat.com>
In-Reply-To: <20150729161103.GJ78154@funkthat.com>
References:  <20150728005730.GL78154@funkthat.com> <1DB60250-D362-4115-92F6-E27B7A5897C3@netgate.com> <20150728034157.GO78154@funkthat.com> <5E419103-3111-4ADC-A49F-B703BBBC9C5F@netgate.com> <20150728060740.GP78154@funkthat.com> <55B768DC.6020009@Plominski.eu> <CAJ-VmonhV2oCem4ZDnPdPOzk5H%2BGxK77VQQVQjJKS_9ZWv-mSA@mail.gmail.com> <AD9A5E4B-73C5-46EE-A20D-4260EFC48090@neville-neil.com> <20150729161103.GJ78154@funkthat.com>

John-Mark Gurney wrote this message on Wed, Jul 29, 2015 at 09:11 -0700:
> George Neville-Neil wrote this message on Wed, Jul 29, 2015 at 10:35 -0400:
> > That's fine so long as it's removed in HEAD now, and then the warning can
> > go into 10 aka 10.3.
> 
> As I said, setkey doesn't support it.. and I looked at the ports for
> racoon2 and strongswan (has it in their library, but, and neither support it...  Are there any other
> programs (besides custom software) that can do secdb manipulations that
> could possibly create a skipjack sdb entry?

Checked the other two IKE daemons in ports, and ipsec-tools does not
use it, and isakmpd has a define in the OpenBSD specific headers (which
we don't use), but doesn't use it for anything...

> If not, putting warning into 9 and 10 seems excessive for a feature that
> people can't even use...
> 
> > On 28 Jul 2015, at 13:25, Adrian Chadd wrote:
> > 
> > > I'd put together a deprecation plan, which starts with the kernel
> > > warning that this stuff is being removed, MFC that to stable/10 and
> > > stable/9 so people aren't surprised when they upgrade, and then have
> > > it removed in 11.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."


