On Sun, 9 Apr 2006, Pawel Jakub Dawidek wrote:

 Introduce two new sysctls:

 net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with
         the same sequence number. This allows verifying whether the other
         side has proper replay attack detection.

 net.inet.ipsec.test_integrity - When set to 1, IPsec will send packets with
         corrupted HMAC. This allows verifying whether the other side
         properly detects modified packets.

 I used the first one to discover that we don't have proper replay attack
 detection in ESP (in fast_ipsec(4)).

I wonder if these should be placed under "options REGRESSION", which I've been using to mask the availability of test sysctls that violate sensible security behavior (such as allowing the securelevel to be lowered).

Robert N M Watson
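
What a receiver is expected to do with the packets these two sysctls generate, as an added example (not FreeBSD's fast_ipsec code and not part of this thread): a sliding-window anti-replay check in the style of the ESP anti-replay window (RFC 4303). All names, the 64-packet window size, and the `icv_ok` flag standing in for the HMAC verification are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; 64-packet window over 32-bit sequence numbers. */
#define WIN 64u
enum verdict { ACCEPT, DROP_REPLAY, DROP_TOO_OLD, DROP_BAD_ICV };

struct replay_win {
    uint32_t top;     /* highest authenticated sequence number seen */
    uint64_t bitmap;  /* bit i set => (top - i) was already accepted */
};

/* icv_ok is the outcome of the HMAC check, taken as input here. */
enum verdict rx_check(struct replay_win *w, uint32_t seq, int icv_ok)
{
    uint32_t diff;

    if (seq == 0)
        return DROP_REPLAY;          /* counters start at 1 */
    if (seq <= w->top) {
        diff = w->top - seq;
        if (diff >= WIN)
            return DROP_TOO_OLD;     /* fell off the left edge */
        if (w->bitmap & ((uint64_t)1 << diff))
            return DROP_REPLAY;      /* duplicate sequence number */
    }
    if (!icv_ok)
        return DROP_BAD_ICV;         /* never move the window on a bad HMAC */
    if (seq > w->top) {
        diff = seq - w->top;
        w->bitmap = (diff >= WIN) ? 0 : (w->bitmap << diff);
        w->bitmap |= 1;
        w->top = seq;
    } else {
        w->bitmap |= (uint64_t)1 << (w->top - seq);
    }
    return ACCEPT;
}

int main(void)
{
    struct replay_win w = {0, 0};
    /* Constructed traffic: seq 1 sent twice, then seq 2 with a corrupted HMAC. */
    printf("%d %d %d\n", rx_check(&w, 1, 1), rx_check(&w, 1, 1),
           rx_check(&w, 2, 0));
    return 0;
}
```

The window is only advanced after the integrity check succeeds, so a forged packet with a high sequence number cannot push legitimate traffic out of the window.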