Re: enc0 patch for ipsec
- From: "Scott Ullrich" <sullrich@xxxxxxxxx>
- Date: Fri, 16 Jun 2006 12:09:03 -0400
On 6/16/06, Max Laier <max@xxxxxxxxxxxxxx> wrote:
The issue is, if an attacker manages to get root on your box they are
automatically able to read your IPSEC traffic ending at that box. If you
don't have enc(4) compiled in, that would be more difficult to do. Same
reason you don't want SADB_FLUSH on by default.
Okay, this makes sense. But couldn't you also argue that if someone
gets access to the machine they could also use tcpdump to do the same
thing technically on the internal interface? Just playing devils
advocate.. :)
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
- Follow-Ups:
- Re: enc0 patch for ipsec
- From: Max Laier
- Re: enc0 patch for ipsec
- References:
- enc0 patch for ipsec
- From: Andrew Thompson
- Re: enc0 patch for ipsec
- From: Max Laier
- Re: enc0 patch for ipsec
- From: Scott Ullrich
- Re: enc0 patch for ipsec
- From: Max Laier
- enc0 patch for ipsec
- Prev by Date: Re: enc0 patch for ipsec
- Next by Date: Re: VPN with FAST_IPSEC and ipsec tools
- Previous by thread: Re: enc0 patch for ipsec
- Next by thread: Re: enc0 patch for ipsec
- Index(es):
Relevant Pages
|
|
