Date: Fri, 04 Oct 2002 10:52:29 -0400
From: Bill Moran <wmoran@potentialtech.com>
To: Vivek Khera <khera@kcilink.com>
Cc: stable@freebsd.org
Subject: Re: IPSEC warning -- what are alternatives?
Message-ID: <3D9DAB2D.3060306@potentialtech.com>
References: <15773.39612.629029.716325@onceler.kciLink.com>
Vivek Khera wrote:
> Every time IPsec fires up on my 4.6 thru 4.7.2 machines, I get this
> warning:
>
> WARNING: pseudo-random number generator used for IPsec processing
>
> I'm just curious as to what alternatives I have for the random number
> source, or is it just an informational message reminding me that my
> randomness sucks? Google found all of 5 pages on the web containing
> that warning, and none of them were *about* that warning.

Read "man 4 random", and pay special attention to the paragraph about
urandom and random.

On a personal level, I've found that networking applications (vpnd was
the experience) don't get enough data from /dev/random and will stall.
With /dev/urandom, the theoretical "guessability" of the "random" data is
higher, but I've never heard of anyone getting cracked because they used
/dev/urandom.

You may also want to look at rndcontrol. You might possibly be able to
tweak the random number generator so that /dev/random produces enough
data to feed IPsec. I haven't tried this, however, so I don't know.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
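The stall Bill describes is /dev/random blocking when its entropy pool runs dry. The following added example (not part of the thread, and not FreeBSD's own code) shows how a daemon can probe a random device without ever hanging: it opens the device with O_NONBLOCK, so a starved /dev/random reports EAGAIN and the shortfall becomes visible instead of a silent stall. It assumes a Unix-like host that exposes /dev/random and /dev/urandom; on kernels where /dev/random no longer blocks, both devices simply fill the buffer.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Outcome of one non-blocking attempt to fill a buffer from a random device. */
struct rnd_result {
    ssize_t got;      /* bytes actually read, or -1 if open() failed */
    int would_block;  /* 1 if the device ran dry (EAGAIN) before len bytes */
    int err;          /* errno from open()/read(), 0 if none */
};

/* Try to pull len bytes from dev without blocking. A blocking /dev/random is
 * exactly what stalls a daemon; O_NONBLOCK turns that stall into EAGAIN so the
 * caller can log the shortfall or fall back instead of hanging. */
struct rnd_result try_fill(const char *dev, unsigned char *buf, size_t len)
{
    struct rnd_result r = {0, 0, 0};
    int fd = open(dev, O_RDONLY | O_NONBLOCK);
    if (fd < 0) { r.got = -1; r.err = errno; return r; }
    while ((size_t)r.got < len) {
        ssize_t n = read(fd, buf + r.got, len - (size_t)r.got);
        if (n > 0) { r.got += n; continue; }
        if (n < 0 && errno == EINTR) continue;
        if (n < 0 && errno == EAGAIN) { r.would_block = 1; break; }
        if (n < 0) r.err = errno;
        break;  /* EOF or a hard error: stop, report what we have */
    }
    close(fd);
    return r;
}

int main(void)
{
    unsigned char buf[64];
    const char *devs[] = { "/dev/random", "/dev/urandom" };
    for (int i = 0; i < 2; i++) {
        struct rnd_result r = try_fill(devs[i], buf, sizeof buf);
        if (r.got < 0)
            printf("%s: open failed: %s\n", devs[i], strerror(r.err));
        else
            printf("%s: %zd/%zu bytes%s\n", devs[i], r.got, sizeof buf,
                   r.would_block ? " (would have blocked here)" : "");
    }
    return 0;
}
```

Run it while the box is idle to see whether your /dev/random can actually feed a 64-byte request on demand; a "would have blocked" line is the same condition that made vpnd stall.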