Max Laier wrote:
> On Friday 16 June 2006 17:41, Scott Ullrich wrote:
> > On 6/16/06, Max Laier <[EMAIL PROTECTED]> wrote:
> > > I think it should get a "device enc" on its own.  Some people might
> > > consider enc(4) to be a security problem so getting it with FAST_IPSEC
> > > automatically isn't preferable.
> > You have to specifically create the enc0 interface (ifconfig enc0
> > create) before it becomes active.  Otherwise it will not hit the enc
> > code path unless the device is created.
>
> The issue is, if an attacker manages to get root on your box they are
> automatically able to read your IPSEC traffic ending at that box. If you
> don't have enc(4) compiled in, that would be more difficult to do. Same
> reason you don't want SADB_FLUSH on by default.

*If* someone manages to get root on your IPSEC endpoint you've
lost anyway. The availability of enc(4) then is no longer of
importance.

--
Andre

[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net