On Friday 16 June 2006 18:09, Scott Ullrich wrote:
> On 6/16/06, Max Laier <[EMAIL PROTECTED]> wrote:
> > The issue is, if an attacker manages to get root on your box they are
> > automatically able to read your IPSEC traffic ending at that box. If you
> > don't have enc(4) compiled in, that would be more difficult to do. Same
> > reason you don't want SADB_FLUSH on by default.
>
> Okay, this makes sense. But couldn't you also argue that if someone
> gets access to the machine they could also use tcpdump to do the same
> thing technically on the internal interface? Just playing devil's
> advocate.. :)
Think tunnel2tunnel or an SA for a local connection, then. Given, if you are root you *might* have other means to obtain that information, but that is why we have a switch to turn off bpf, kmem or the like.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
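The switches Max refers to can be audited from a shell. The script below is an added example, not code from the thread or from FreeBSD; it assumes the enc(4) sysctls net.enc.in.ipsec_bpf_mask and net.enc.out.ipsec_bpf_mask (non-zero means decrypted or pre-encryption copies of IPsec packets are handed to bpf on enc0, where tcpdump can see them) and kern.securelevel (1 or above refuses writes to /dev/kmem and refuses module loads, so if_enc.ko cannot be loaded after boot). The sample sysctl output is constructed.

```shell
#!/bin/sh
# Added example: audit whether a root shell on a FreeBSD IPsec gateway can
# tcpdump decrypted IPsec traffic through enc(4). Reads sysctl(8) output in
# "name: value" form on stdin; live use:
#   sysctl net.enc.in.ipsec_bpf_mask net.enc.out.ipsec_bpf_mask kern.securelevel | audit_enc_tap

audit_enc_tap() {
    exposed=0
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*: }
        case "$name" in
            net.enc.in.ipsec_bpf_mask|net.enc.out.ipsec_bpf_mask)
                # Any set bit taps plaintext into bpf on enc0 (bit 1: before
                # IPsec processing, bit 2: after). 0 closes that tap.
                if [ "$value" -ne 0 ] 2>/dev/null; then
                    echo "EXPOSED $name=$value: plaintext IPsec copies reach bpf on enc0"
                    exposed=$((exposed + 1))
                else
                    echo "ok      $name=$value"
                fi ;;
            kern.securelevel)
                # Below 1, root may write /dev/kmem and kldload if_enc.ko,
                # i.e. the "kmem or the like" route around a missing enc(4).
                if [ "$value" -lt 1 ] 2>/dev/null; then
                    echo "EXPOSED $name=$value: /dev/kmem writable, modules loadable"
                    exposed=$((exposed + 1))
                else
                    echo "ok      $name=$value"
                fi ;;
        esac
    done
    echo "exposed=$exposed"
}

# Constructed sample: taps enabled on both directions, securelevel untouched.
SAMPLE_DEFAULT='net.enc.in.ipsec_bpf_mask: 2
net.enc.out.ipsec_bpf_mask: 1
kern.securelevel: -1'

# Constructed sample: the same box with the taps closed and securelevel raised.
SAMPLE_HARDENED='net.enc.in.ipsec_bpf_mask: 0
net.enc.out.ipsec_bpf_mask: 0
kern.securelevel: 1'

# Helper returning only the exposure count for a given sysctl dump.
count_exposed() {
    printf '%s\n' "$1" | audit_enc_tap | sed -n 's/^exposed=//p'
}

count_exposed "$SAMPLE_DEFAULT"   # 3
count_exposed "$SAMPLE_HARDENED"  # 0
```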
