tech-kern archive


Re: remote kernel debugging over a network



>>>> IPKDB used [...].  [...] easy to support a single IPsec ESP [...]
>>> [...]
>> [...]
> I must say, though, that the more I think about it, the more I'm
> concerned about replay attacks.  You suggested that ESP replay
> prevention be disabled, and that is in fact consistent with the ESP
> specs when static keys are used.  I think we need to think, hard,
> about what we want to do here.

You are beginning to see, maybe, why I prefer something _not_ built
atop IP.  It's a lot easier to ignore this kind of threat when you
don't have to even think about anything beyond the local layer-2
broadcast domain.  While of course nothing is perfect, I think the
number of cases where you want the routability of IP but have nothing
on the local broadcast domain that can proxy is small enough that the
cost of writing them off outweighs the cost of dealing with the issues
that using IP raises.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

