Date:      Fri, 16 Jun 2006 12:09:03 -0400
From:      "Scott Ullrich" <sullrich@gmail.com>
To:        "Max Laier" <max@love2party.net>
Cc:        freebsd-net@freebsd.org, Andrew Thompson <thompsa@freebsd.org>, freebsd-arch@freebsd.org
Subject:   Re: enc0 patch for ipsec
Message-ID:  <d5992baf0606160909q66df7c05wf0cd133196339f03@mail.gmail.com>
In-Reply-To: <200606161805.06651.max@love2party.net>
References:  <20060615225312.GB64552@heff.fud.org.nz> <200606161735.33801.max@love2party.net> <d5992baf0606160841u39594c81y870a894b56d1e30c@mail.gmail.com> <200606161805.06651.max@love2party.net>

On 6/16/06, Max Laier <max@love2party.net> wrote:
> The issue is, if an attacker manages to get root on your box they are
> automatically able to read your IPSEC traffic ending at that box.  If you
> don't have enc(4) compiled in, that would be more difficult to do.  Same
> reason you don't want SADB_FLUSH on by default.

Okay, this makes sense.  But couldn't you also argue that if someone
gets access to the machine they could also use tcpdump to do the same
thing technically on the internal interface?  Just playing devil's
advocate..  :)