Subject: Re: IPSEC still fails on BETA2/vax (not anymore!)
To: Olaf Seibert <>
From: Steven M. Bellovin <>
List: current-users
Date: 07/15/2002 08:14:53
In message <>, Olaf Seibert writes:

>I wonder if there would be some other
>clever solution. Why is the kernel stack in the U area anyway? Can't it
>just grow on the normal process stack? Perhaps the answer is in the
>Lions book, or The Design and Implementation Of 4.xBSD, but I don't
>recall it exactly. Maybe it has something to do with pageability of the
>user stack ISTR (after some thinking).

The user-space stack?  It's not trustable, may be badly formatted to =

start with, may not even be a stack.  And any sensitive kernel data
that appears on the stack -- keys, for example, in the ipsec case -- =

would have to be thoroughly scrubbed.

It might be possible to get this right -- but it would be very =

difficult, and I don't know that I'd trust the resulting system.
Don't go there.

		--Steve Bellovin, (me) ("Firewalls" book)