Date:      Fri, 10 Aug 2018 18:48:49 -0700
From:      John-Mark Gurney <jmg@funkthat.com>
To:        Mike Tancsa <mike@sentex.net>
Cc:        "David P. Discher" <dpd@dpdtech.com>, "Andrey V. Elsukov" <bu7cher@yandex.ru>, freebsd-net@freebsd.org
Subject:   Re: Is if_ipsec/ipsec - AESNI accelerated ?
Message-ID:  <20180811014849.GC97145@funkthat.com>
In-Reply-To: <ef2e1dfe-bace-af46-6c64-fd387c646b0a@sentex.net>
References:  <D47976AF-A0AF-4A58-B80E-31E9DED96D26@dpdtech.com> <dc8bea35-1770-48d0-3662-c58e72bd3d2d@yandex.ru> <62E0C365-AD64-4383-8BA4-298AA0E292F4@dpdtech.com> <e9da62df-90e4-e45b-b073-c4c39555b38d@yandex.ru> <BE275E67-A768-47E9-97D4-0A5E4FDC44EF@dpdtech.com> <ef2e1dfe-bace-af46-6c64-fd387c646b0a@sentex.net>

Mike Tancsa wrote this message on Fri, Aug 10, 2018 at 16:44 -0400:
> On 8/9/2018 4:11 PM, David P. Discher wrote:
> > [ pts/0 sjc2 util201:~ ]
> > [ dpd ] > sudo setkey -D
> > Password:
> > 10.245.0.201 10.245.0.202
> > 	esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x0000000c)
> > 	E: rijndael-cbc  xxxx
>                          ^^^^^^^^ ^^^^^^^^ ^^^^^^^^ ^^^^^^^^
> 
> BTW, if you use a static psk, does not the above line essentially give
> someone with access to the ESP traffic a way to decode your traffic ?

Yes, this does... And the A: line gives you the ability to spoof
packets as well...

Hopefully there wasn't any important data encrypted w/ that key...

Always X those out...

> > 	A: hmac-sha2-256  xxx

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
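The point John-Mark makes about the A: line is worth seeing concretely. The following is an added example, not code from the thread or from FreeBSD: it models an ESP packet (RFC 4303 header of SPI and sequence number, an opaque payload standing in for the AES-CBC IV and ciphertext, and a trailing ICV) authenticated with hmac-sha2-256 truncated to 128 bits as RFC 4868 specifies, which is what the SA in the thread negotiates. The key bytes and the captured packet are constructed for the demo; the SPI is the one shown in the `setkey -D` output. It shows that a bit-flip without the key is rejected, while someone holding the key that was pasted into the list can mint a packet with a fresh sequence number that the peer accepts. Recovering the plaintext with the E: key is the same story on the confidentiality side and is not shown here, to keep the example free of third-party crypto libraries.

```python
import hashlib
import hmac
import struct

# RFC 4868: HMAC-SHA-256-128 truncates the 32-byte tag to 16 bytes.
ICV_LEN = 16
ESP_HDR = struct.Struct("!II")  # SPI, sequence number (RFC 4303)

# Constructed demo values. On a real system the authentication key is the hex
# string `setkey -D` prints after "A: hmac-sha2-256"; the SPI below is the one
# shown in the thread, the key is made up for this example.
LEAKED_AUTH_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
    "00112233445566778899aabbccddeeff")
SPI = 0x0394C14D


def esp_icv(auth_key: bytes, authenticated: bytes) -> bytes:
    """ICV over SPI | seq | encrypted payload, truncated as RFC 4868 requires."""
    return hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]


def build_esp(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: header, (already encrypted) payload, then the ICV."""
    body = ESP_HDR.pack(spi, seq) + payload
    return body + esp_icv(auth_key, body)


def verify_esp(auth_key: bytes, packet: bytes):
    """Receiver side: return (spi, seq, payload) if the ICV checks, else None."""
    if len(packet) < ESP_HDR.size + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, esp_icv(auth_key, body)):
        return None
    spi, seq = ESP_HDR.unpack_from(body)
    return spi, seq, body[ESP_HDR.size:]


def forge_esp(leaked_auth_key: bytes, captured: bytes, new_payload: bytes) -> bytes:
    """Attacker side: reuse the SPI, pick a sequence number the peer's
    anti-replay window has not seen yet, and sign an arbitrary payload."""
    spi, seq = ESP_HDR.unpack_from(captured)
    return build_esp(leaked_auth_key, spi, seq + 1, new_payload)


def demo():
    # A packet the attacker sniffed between the tunnel endpoints (constructed).
    legit_payload = b"\x9c" * 48  # stands in for the AES-CBC IV + ciphertext
    captured = build_esp(LEAKED_AUTH_KEY, SPI, seq=41, payload=legit_payload)

    # Without the key, flipping a ciphertext byte is caught by the ICV.
    tampered = bytearray(captured)
    tampered[12] ^= 0x01
    blind_tamper_accepted = verify_esp(LEAKED_AUTH_KEY, bytes(tampered)) is not None

    # With the key from `setkey -D`, the attacker mints a packet that verifies.
    forged = forge_esp(LEAKED_AUTH_KEY, captured, b"\x00" * 48)
    result = verify_esp(LEAKED_AUTH_KEY, forged)

    return {
        "blind_tamper_accepted": blind_tamper_accepted,
        "forged_accepted": result is not None,
        "forged_spi": result[0] if result else None,
        "forged_seq": result[1] if result else None,
    }


if __name__ == "__main__":
    print(demo())
```

The forged packet carries the tunnel's own SPI and the next sequence number, so a receiver doing only ICV and anti-replay checks has no way to tell it from traffic the real peer sent; the only fix once the key is public is to rekey the SA.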
