From owner-freebsd-current Mon Dec 16 05:04:49 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id FAA26862 for current-outgoing; Mon, 16 Dec 1996 05:04:49 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id FAA26850 for ; Mon, 16 Dec 1996 05:04:46 -0800 (PST)
Received: from critter.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0vZci4-0003vuC; Mon, 16 Dec 96 05:03 PST
Received: from critter.tfs.com (localhost [127.0.0.1]) by critter.tfs.com (8.8.2/8.8.2) with ESMTP id NAA11682; Mon, 16 Dec 1996 13:48:06 +0100 (MET)
To: Bill Paul
cc: current@freebsd.org
Subject: Re: Plan for integrating Secure RPC -- comments wanted
In-reply-to: Your message of "Sun, 15 Dec 1996 15:22:39 EST." <199612152022.PAA05216@skynet.ctr.columbia.edu>
Date: Mon, 16 Dec 1996 13:48:06 +0100
Message-ID: <11680.850740486@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199612152022.PAA05216@skynet.ctr.columbia.edu>, Bill Paul writes:

Hi Bill,

Thanks for sharing your thoughts on this. I finally found time to read it, and here are my comments:

For the DES pollution:

Put DES in the kernel. This could be as an LKM, which would be the easiest, or as a proper kernel-source file, which would be slightly harder to manage distributions-wise.

Result:

* You avoid your planned hack.
* We could do away with the two versions of libcrypt we have now, and collapse them into one.
* Which makes the dual versions of /bin/ed, /sbin/init ... unneeded.
* Our secure dist would consist of only the LKM file.

Drawback:

* Minor optional kernel bloat.

For the issue of a secure local transport:

Wouldn't it be pretty easy to fortify our IP implementation a bit?

1. Reject anything with source/dest 127.0.0.0/8 on anything but the lo0 interface. (Add an interface flag for this and only set that flag in if_lo.c)

2. In the case of a destination of 0.0.0.0, instead of the first interface we happen to find, use the lo0 interface and the 127.0.0.1 address.

This way you could use tcp/udp and be safe, I believe.

For the issue of authenticated local transport:

Instead of an LKM, put the code in the kernel. It shouldn't be too hard to make it a getsockopt() instead of a LKM.

--
Poul-Henning Kamp             | phk@FreeBSD.ORG           FreeBSD Core-team.
http://www.freebsd.org/~phk   | phk@login.dknet.dk        Private mailbox.
whois: [PHK]                  | phk@tfs.com               TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.
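The two loopback-hardening rules proposed in the message above, modelled in userland as an added example (this is not code from the post, nor from the FreeBSD kernel). The `struct iface`, `struct pkt`, the `IFF_LOOPBACK_ONLY` flag and the interface instances `LO0` and `ED0` are constructed stand-ins for the kernel's interface and packet structures, chosen only to make the accept/reject decision of each rule visible on sample input.

```c
/* Added example: a userland model of the two loopback checks proposed in
 * the post (reject 127/8 off-loopback; route dst 0.0.0.0 via lo0).
 * All structures and names below are constructed stand-ins, not kernel types. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed per-interface flag, standing in for the flag the post suggests
 * adding and setting only in if_lo.c. */
#define IFF_LOOPBACK_ONLY 0x1

struct iface {
    const char *name;
    unsigned    flags;
    uint32_t    addr;   /* primary address, host byte order */
};

struct pkt {
    uint32_t src;       /* host byte order */
    uint32_t dst;
};

/* Build a host-order IPv4 address from dotted components. */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* True for any address in 127.0.0.0/8. */
static bool in_loopback_net(uint32_t a) {
    return (a >> 24) == 127;
}

/* Constructed interfaces: the loopback and one "first configured" NIC. */
static const struct iface LO0 = { "lo0", IFF_LOOPBACK_ONLY, 0x7F000001u };
static const struct iface ED0 = { "ed0", 0,                 0x0A000005u };

/* Rule 1: a packet with 127/8 as source or destination is only legitimate
 * if it arrived on the interface flagged as the loopback. Anything else
 * is dropped as spoofed loopback traffic. */
bool accept_input(const struct pkt *p, const struct iface *ifp) {
    bool lo_addr = in_loopback_net(p->src) || in_loopback_net(p->dst);
    if (lo_addr && !(ifp->flags & IFF_LOOPBACK_ONLY))
        return false;
    return true;
}

/* Rule 2: a destination of 0.0.0.0 is rewritten to 127.0.0.1 and sent over
 * lo0, instead of over whichever interface was configured first.
 * Returns the chosen interface and rewrites *dst in place. */
const struct iface *select_output(uint32_t *dst, const struct iface *first,
                                  const struct iface *lo) {
    if (*dst == ip4(0, 0, 0, 0)) {
        *dst = ip4(127, 0, 0, 1);
        return lo;
    }
    return first;   /* simplified: the normal path picks the first interface */
}

/* Convenience wrappers so the effect of rule 2 is a plain return value. */
uint32_t resolved_dst(uint32_t dst) {
    (void)select_output(&dst, &ED0, &LO0);
    return dst;
}

bool output_via_loopback(uint32_t dst) {
    return select_output(&dst, &ED0, &LO0) == &LO0;
}

/* Run the constructed sample packets through rule 1 and report how many
 * were rejected; used by main() and by the checks below. */
int count_rejected_demo(void) {
    const struct pkt samples[] = {
        { 0x7F000001u, 0x7F000001u },   /* 127.0.0.1 -> 127.0.0.1 */
        { 0x0A000009u, 0x7F000001u },   /* 10.0.0.9  -> 127.0.0.1 */
        { 0x7F000001u, 0x0A000005u },   /* 127.0.0.1 -> 10.0.0.5  */
        { 0x0A000009u, 0x0A000005u },   /* 10.0.0.9  -> 10.0.0.5  */
    };
    const struct iface *arrived_on[] = { &LO0, &ED0, &ED0, &ED0 };
    int rejected = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = accept_input(&samples[i], arrived_on[i]);
        printf("pkt %zu on %s: %s\n", i, arrived_on[i]->name, ok ? "accept" : "drop");
        if (!ok) rejected++;
    }
    return rejected;
}

int main(void) {
    printf("rejected: %d\n", count_rejected_demo());
    printf("dst 0.0.0.0 -> %s via %s\n",
           resolved_dst(0) == ip4(127, 0, 0, 1) ? "127.0.0.1" : "other",
           output_via_loopback(0) ? "lo0" : "first iface");
    return 0;
}
```

The two spoofed samples (a 127/8 source or destination arriving on `ed0`) are the cases rule 1 exists for: without the interface check, a packet from the wire claiming a loopback address would be indistinguishable from genuine local traffic, which is exactly what a "secure local transport" over TCP/UDP relies on.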