On 6/16/06, Max Laier <[EMAIL PROTECTED]> wrote:
> The issue is, if an attacker manages to get root on your box they are automatically able to read your IPSEC traffic ending at that box. If you don't have enc(4) compiled in, that would be more difficult to do. Same reason you don't want SADB_FLUSH on by default.

Okay, this makes sense. But couldn't you also argue that if someone gets access to the machine they could also use tcpdump to do the same thing technically on the internal interface? Just playing devil's advocate.. :)
