enc0 patch for ipsec
Max Laier
max at love2party.net
Fri Jun 16 16:14:22 UTC 2006
On Friday 16 June 2006 18:09, Scott Ullrich wrote:
> On 6/16/06, Max Laier <max at love2party.net> wrote:
> > The issue is, if an attacker manages to get root on your box they are
> > automatically able to read your IPSEC traffic ending at that box. If you
> > don't have enc(4) compiled in, that would be more difficult to do. Same
> > reason you don't want SADB_FLUSH on by default.
>
> Okay, this makes sense. But couldn't you also argue that if someone
> gets access to the machine they could also use tcpdump to do the same
> thing technically on the internal interface? Just playing devil's
> advocate... :)
Think tunnel2tunnel or an SA for a local connection, then. Granted, if you are
root you *might* have other means to obtain that information, but that is why
we have a switch to turn off bpf, kmem or the like.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
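The point of the exchange above is that enc(4) hands any bpf(4) reader (tcpdump
included) the cleartext of IPsec packets terminating on the box, and that this
exposure should be something an administrator can switch off. The script below is
an added example written for this page, not code from the thread or from the
FreeBSD project: it audits sysctl(8)-style output for the per-direction
net.enc.in/out.ipsec_bpf_mask knobs (assumed here to be the switch in question; a
nonzero mask means packets are copied to enc0's bpf tap before/after IPsec
processing) and prints the commands that close the tap. The sysctl lines it is
fed are constructed sample input, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original thread or of FreeBSD's enc(4) code.
# Assumption: the enc(4) bpf tap is governed by the sysctls
#   net.enc.in.ipsec_bpf_mask   and   net.enc.out.ipsec_bpf_mask
# where bit 0x1 taps before IPsec processing and 0x2 taps after it.
# Any nonzero value lets a local bpf reader (e.g. root running tcpdump -i enc0)
# see the decrypted payload of IPsec packets ending at this host.

# Read "name: value" lines (the format sysctl(8) prints) on stdin and print
# exactly one word: "exposed" if any ipsec_bpf_mask is nonzero, "closed" otherwise.
enc_bpf_exposure() {
    exposed=0
    while IFS= read -r line; do
        case "$line" in
            net.enc.in.ipsec_bpf_mask:*|net.enc.out.ipsec_bpf_mask:*) ;;
            *) continue ;;   # unrelated sysctl, ignore
        esac
        val=${line##*: }
        case "$val" in
            ''|*[!0-9]*) continue ;;   # not a plain decimal integer, ignore
        esac
        if [ "$val" -ne 0 ]; then
            exposed=1
        fi
    done
    if [ "$exposed" -eq 1 ]; then
        echo exposed
    else
        echo closed
    fi
}

# Print the sysctl(8) commands that close the enc(4) bpf tap in both directions.
# Packets still flow through IPsec; they are just no longer copied to enc0's bpf.
enc_bpf_close_cmds() {
    printf '%s\n' \
        'sysctl net.enc.in.ipsec_bpf_mask=0' \
        'sysctl net.enc.out.ipsec_bpf_mask=0'
}

# Constructed sample: the kind of lines `sysctl net.enc` would print on a host
# whose enc0 tap is wide open for inbound traffic.
SAMPLE_OPEN='net.enc.in.ipsec_bpf_mask: 3
net.enc.in.ipsec_filter_mask: 1
net.enc.out.ipsec_bpf_mask: 1
net.enc.out.ipsec_filter_mask: 1'

# Usage on a live FreeBSD box would be:   sysctl net.enc | enc_bpf_exposure
state=$(printf '%s\n' "$SAMPLE_OPEN" | enc_bpf_exposure)
echo "enc(4) bpf tap: $state"
if [ "$state" = exposed ]; then
    echo "to close it, run as root:"
    enc_bpf_close_cmds
fi
```

Note that closing the tap only removes one avenue; as the reply says, root may
still have other means (kmem, raw bpf on other interfaces), which is why such
knobs belong alongside the securelevel-style switches rather than replacing them.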