enc0 patch for ipsec

Gordon Tetlow gordon at FreeBSD.org
Fri Jun 16 17:22:21 UTC 2006



Max Laier wrote:
> On Friday 16 June 2006 17:41, Scott Ullrich wrote:
>> On 6/16/06, Max Laier <max at love2party.net> wrote:
>>> I think it should get a "device enc" on its own.  Some people might
>>> consider enc(4) to be a security problem so getting it with FAST_IPSEC
>>> automatically isn't preferable.
>> You have to specifically create the enc0 interface (ifconfig enc0
>> create) before it becomes active.  Otherwise it will not hit the enc
>> code path unless the device is created.
> 
> The issue is, if an attacker manages to get root on your box they are 
> automatically able to read your IPSEC traffic ending at that box.  If you 
> don't have enc(4) compiled in, that would be more difficult to do.  Same 
> reason you don't want SADB_FLUSH on by default.

Max is absolutely right here. The snooping interface should be a
separate option altogether (a la bpf).

-gordon
