cvs commit: src/sys/netipsec ipsec.c ipsec.h xform_ah.c xform_esp.c
gnn at FreeBSD.org
Mon Apr 10 15:29:58 UTC 2006
At Mon, 10 Apr 2006 15:24:51 +0100 (BST), rwatson wrote:
> > Introduce two new sysctls:
> >
> > net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with
> > the same sequence number. This allows one to verify if the other side
> > has proper replay-attack detection.
> >
> > net.inet.ipsec.test_integrity - When set to 1, IPsec will send packets with
> > a corrupted HMAC. This allows one to verify if the other side properly
> > detects modified packets.
> >
> > I used the first one to discover that we don't have proper replay-attack
> > detection in ESP (in fast_ipsec(4)).
>
> I wonder if these should be placed under "options REGRESSION", which
> I've been using to mask the availability of test sysctls that
> violate sensible security behavior (such as allowing the securelevel
> to be lowered).
IMHO, yes, please.
A regression test that set and used these would also be welcome ;-)
Thanks,
George
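As an added illustration, not code from this commit or from FreeBSD: a Python model of the receiver-side anti-replay window (RFC 4303 Appendix A), i.e. the check that duplicate-sequence-number packets from a `test_replay=1` sender are meant to exercise. The class and helper names are my own, and the sample sequence is constructed.

```python
# Added example (not part of the commit or thread): ESP anti-replay
# sliding window per RFC 4303 Appendix A. A receiver keeps the highest
# accepted sequence number plus a bitmap of the window below it; a
# packet whose sequence number was already seen must be dropped.

class ReplayWindow:
    """Receiver-side anti-replay state for one inbound SA (32-bit seq)."""

    def __init__(self, size: int = 64) -> None:
        self.size = size      # window width in packets
        self.last_seq = 0     # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => last_seq - i already seen

    def check(self, seq: int) -> bool:
        """True if seq is new and inside or above the window."""
        if seq == 0:
            return False      # first valid ESP sequence number is 1
        if seq > self.last_seq:
            return True       # right of the window: always new
        diff = self.last_seq - seq
        if diff >= self.size:
            return False      # too old: left of the window
        return not (self.bitmap >> diff) & 1   # inside: reject if seen

    def update(self, seq: int) -> None:
        """Record seq; call only after the ICV has been verified."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            if shift < self.size:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1            # whole window slid past
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

def receive(window: ReplayWindow, seqs: list[int]) -> list[bool]:
    """Feed packet sequence numbers; return accept/reject per packet."""
    verdicts = []
    for s in seqs:
        ok = window.check(s)
        if ok:
            window.update(s)
        verdicts.append(ok)
    return verdicts

# Constructed sample: in-order packets, a replayed seq (3), a late but
# new packet (4), a jump ahead (100), then one far behind the window.
SAMPLE = [1, 2, 3, 5, 3, 4, 100, 30]
```

Running `receive(ReplayWindow(), SAMPLE)` rejects the second 3 and the stale 30 while still accepting the late 4, which is the behaviour the `test_replay` sysctl lets you confirm on a peer.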