Re: Transport Mode ipsec(4) and inet6(4) gre(4)

2008-12-25 Thread Christian Weisgerber
Brian A. Seklecki  wrote:

> I haven't looked if we have support, but gre(4) w/ ipv6 address and stf(4) 
> seem to be best options out there for secure v6 tunnels.

That sounds... bizarre.

> I'm wondering if a tranditional ipv6 isakmp(8) ipsec tunnel (using IPv4 
> enpoints?!) is a safe alternative, or what other solutions people are 
> cooking up on OpenBSD for tunneling IPv6 security.

The default encapsulation configured by ipsecctl: ESP in tunnel
mode.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Running another OS under OpenBSD

2008-12-25 Thread Felipe Alfaro Solana
On Wed, Dec 24, 2008 at 11:13 AM, Henning Brauer wrote:

> * Felipe Alfaro Solana  [2008-12-24 06:17]:
> > > easy - OpenBSD. Linux doesn't have propolice, randomized malloc/mmap,
> > > randomized library addresses etc yadda yadda yadda.
> > RedHat has been shipping a version of glibc that does randomized library
> > addresses for, at least, a year.
>
> wow. one thing out of dozens we do. sure a killer argument.


Who said this is a killer argument? I was just pointing out that nearly any
mainstream OS currently has randomized library address space.


> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>
>


-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Transport Mode ipsec(4) and inet6(4) gre(4)

2008-12-25 Thread Brian A. Seklecki

> > I haven't looked if we have support, but gre(4) w/ ipv6 address and stf(4)
> > seem to be best options out there for secure v6 tunnels.
>
> That sounds... bizarre.



According to ipv6book.ca, M. Blanchet.  It's a good read, except 
OpenBSD/NetBSD are neglected (probably because of the stf(4)/6to4(4) 
absence).


He also doesn't talk about _securing_ GRE tunnels, although the logical 
assumption would be transport mode ipsec between v4 endpoints.


~BAS



Re: Running another OS under OpenBSD

2008-12-25 Thread Marco Peereboom
> RedHat has been shipping a version of glibc that does randomized library
> addresses for, at least, a year. Libraries have to be compiled with -fPIC,
> however, but that's the case for most. Not sure about other distros.

Right, now tell me again about strl*



Re: Running another OS under OpenBSD

2008-12-25 Thread Felipe Alfaro Solana
On Thu, Dec 25, 2008 at 10:50 PM, Marco Peereboom wrote:

> > RedHat has been shipping a version of glibc that does randomized library
> > addresses for, at least, a year. Libraries have to be compiled with -fPIC,
> > however, but that's the case for most. Not sure about other distros.
>
> Right, now tell me again about strl*


What's so special about strl*? Anyone can implement it in glibc. But
applications must be changed anyways to use it.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Running another OS under OpenBSD

2008-12-25 Thread Marco Peereboom
Every non-retarded app uses it.  glibc has no support for it because it
wants to make stupid better.

glibc is a total disaster; I can't remember seeing much worse code.

On Thu, Dec 25, 2008 at 11:29:46PM -0500, Felipe Alfaro Solana wrote:
> On Thu, Dec 25, 2008 at 10:50 PM, Marco Peereboom wrote:
>
> > > RedHat has been shipping a version of glibc that does randomized library
> > > addresses for, at least, a year. Libraries have to be compiled with -fPIC,
> > > however, but that's the case for most. Not sure about other distros.
> >
> > Right, now tell me again about strl*
>
> What's so special about strl*? Anyone can implement it in glibc. But
> applications must be changed anyways to use it.
> --
> http://www.felipe-alfaro.org/blog/disclaimer/
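The strl* functions the thread argues about, as an added example that is not OpenBSD's libc code: a reimplementation of the strlcpy(3)/strlcat(3) contract (always NUL-terminate, return the full length so truncation is detectable), the strncpy(3) behaviour it replaces, and the kind of call-site change Felipe refers to. The function names (my_strlcpy, my_strlcat, build_userhost) are chosen here to avoid clashing with a libc that already ships strlcpy.

```c
#include <stddef.h>
#include <string.h>

/* strlcpy(3) contract: copy at most dsize-1 bytes, always NUL-terminate when
 * dsize > 0, return strlen(src). A result >= dsize means truncation. */
size_t my_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t slen = strlen(src);
    if (dsize > 0) {
        size_t n = slen < dsize - 1 ? slen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return slen;
}

/* strlcat(3) contract: append, NUL-terminate, return the length the joined
 * string would have had: min(strlen(dst), dsize) + strlen(src). */
size_t my_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0;
    while (dlen < dsize && dst[dlen] != '\0')
        dlen++;
    if (dlen == dsize)              /* dst not terminated within dsize */
        return dsize + strlen(src);
    return dlen + my_strlcpy(dst + dlen, src, dsize - dlen);
}

/* The behaviour strl* replaces: strncpy(3) neither reports truncation nor
 * guarantees a terminator. Returns 1 if buf is left without a NUL in the
 * first bufsize bytes, 0 if it is terminated, -1 on bad bufsize. */
int strncpy_leaves_unterminated(const char *src, size_t bufsize)
{
    char buf[16];
    if (bufsize > sizeof(buf))
        return -1;
    memset(buf, 'X', sizeof(buf));  /* constructed garbage, like a reused buffer */
    strncpy(buf, src, bufsize);
    return memchr(buf, '\0', bufsize) == NULL;
}

/* Typical strl*-style call site: build "user@host" into a fixed buffer and
 * refuse the result on truncation instead of silently clipping it. */
int build_userhost(char *out, size_t outsize, const char *user, const char *host)
{
    if (my_strlcpy(out, user, outsize) >= outsize) return 0;
    if (my_strlcat(out, "@", outsize) >= outsize) return 0;
    if (my_strlcat(out, host, outsize) >= outsize) return 0;
    return 1;
}
```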