Re: make iked not static
On 2015/10/21 22:30, Theo de Raadt wrote:
> >Already, iked is started after /usr has been mounted, so why the
> >static requirement?
>
> Historic theories about ipsec protected nfs?  Who knows.
>
> >> --- etc/rc 18 Oct 2015 21:33:18 - 1.467
> >> +++ etc/rc 20 Oct 2015 18:03:58 -
> >> @@ -353,7 +353,7 @@ make_keys
> >>
> >>  echo -n 'starting early daemons:'
> >>  start_daemon syslogd ldattach pflogd nsd unbound ntpd
> >> -start_daemon iscsid isakmpd iked sasyncd ldapd npppd
> >> +start_daemon iscsid isakmpd sasyncd ldapd npppd
> >>  echo '.'
> >
> >Most of these are dynamically linked.
> >
> >You can make iked dynamic without moving it in the startup sequence.
>
> Let's focus on that question first.  Where should it be started?
>
> Let's move isakmpd and iked at the same time.  To where?

I think immediately before iscsid. They need to be after ntpd because you may be running on a machine without RTC and using X.509 certificates for IPsec. And after the DNS daemons because you might be connecting to a VPN by hostname.

isakmpd should be before npppd. And actually I think "Load IPsec rules" should also be before npppd; should npppd move later to "starting network daemons"?

On 2015/10/20 20:25, Reyk Floeter wrote:
>  echo -n 'starting network daemons:'
> -start_daemon ldomd sshd snmpd ldpd ripd ospfd ospf6d bgpd ifstated
> +start_daemon iked ldomd sshd snmpd ldpd ripd ospfd ospf6d bgpd ifstated

IPsec should be brought up before ypldap.
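Review bot: the `@@ -353,7 +353,7 @@ make_keys` hunk drops iked from the 'starting early daemons' line but leaves isakmpd on it, while the thread agrees to move isakmpd and iked at the same time; either remove isakmpd from the same line in this hunk or state in the commit message why iked moves alone. On its own this hunk leaves rc with no iked start at all, so it must land in the same commit as the 'starting network daemons' hunk that re-adds it.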
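Review bot: in the 'starting network daemons' hunk iked is placed at the head of the line, ahead of ldpd, ripd, ospfd, ospf6d and bgpd, which meets the requirement raised in the thread that IPsec be up before OSPFv3 and bgpd with 'ipsec esp ike', and it still runs after the ntpd and nsd/unbound starts in the early-daemons block, so the clock and DNS dependencies for X.509 and hostname-based peers are also met. The hunk gives no context for where ypldap starts relative to iked, which the thread asks for; include that context in the final diff or call out the ordering in the commit message.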
Re: make iked not static
Christian Weisgerber(na...@mips.inka.de) on 2015.10.20 20:46:12 +:
> On 2015-10-20, Reyk Floeter wrote:
>
> > For historical reasons, isakmpd and iked are compiled static:
> > people used NFS over ipsec.
> >
> > Is anyone still using this? Is it more than one person?
> >
> > Otherwise I'd suggest to make iked dynamic.
>
> Already, iked is started after /usr has been mounted, so why the
> static requirement?
>
> > --- etc/rc 18 Oct 2015 21:33:18 - 1.467
> > +++ etc/rc 20 Oct 2015 18:03:58 -
> > @@ -353,7 +353,7 @@ make_keys
> >
> >  echo -n 'starting early daemons:'
> >  start_daemon syslogd ldattach pflogd nsd unbound ntpd
> > -start_daemon iscsid isakmpd iked sasyncd ldapd npppd
> > +start_daemon iscsid isakmpd sasyncd ldapd npppd
> >  echo '.'
>
> Most of these are dynamically linked.
>
> You can make iked dynamic without moving it in the startup sequence.

In a lot of cases it will need the routing daemons to work anyway, so why start it so much earlier?
Re: make iked not static
On 2015/10/20 23:00, Sebastian Benoit wrote:
> Christian Weisgerber(na...@mips.inka.de) on 2015.10.20 20:46:12 +:
> > On 2015-10-20, Reyk Floeter wrote:
> >
> > > For historical reasons, isakmpd and iked are compiled static:
> > > people used NFS over ipsec.

isakmpd is an odd one. Reading cvs log, it started as a static binary but used dlopen to load the libs. Anyone know the history of that?

> > > Is anyone still using this? Is it more than one person?
> > >
> > > Otherwise I'd suggest to make iked dynamic.
> >
> > Already, iked is started after /usr has been mounted, so why the
> > static requirement?
> >
> > > --- etc/rc 18 Oct 2015 21:33:18 - 1.467
> > > +++ etc/rc 20 Oct 2015 18:03:58 -
> > > @@ -353,7 +353,7 @@ make_keys
> > >
> > >  echo -n 'starting early daemons:'
> > >  start_daemon syslogd ldattach pflogd nsd unbound ntpd
> > > -start_daemon iscsid isakmpd iked sasyncd ldapd npppd
> > > +start_daemon iscsid isakmpd sasyncd ldapd npppd
> > >  echo '.'
> >
> > Most of these are dynamically linked.
> >
> > You can make iked dynamic without moving it in the startup sequence.
>
> In a lot of cases it will need the routing daemons to work anyway, so why
> start it so much earlier?

But in other cases (yay OSPFv3 - also bgpd with 'ipsec esp ike', and pfsync setups without dedicated nic, if that still works) you want IPsec up and running before the routing daemons.