Re: make iked not static

2015-10-22 Thread Stuart Henderson
On 2015/10/21 22:30, Theo de Raadt wrote:
> >Already, iked is started after /usr has been mounted, so why the
> >static requirement?
> 
> Historic theories about ipsec protected nfs?  Who knows.
> 
> >> --- etc/rc 18 Oct 2015 21:33:18 -  1.467
> >> +++ etc/rc 20 Oct 2015 18:03:58 -
> >> @@ -353,7 +353,7 @@ make_keys
> >>  
> >>  echo -n 'starting early daemons:'
> >>  start_daemon syslogd ldattach pflogd nsd unbound ntpd
> >> -start_daemon iscsid isakmpd iked sasyncd ldapd npppd
> >> +start_daemon iscsid isakmpd sasyncd ldapd npppd
> >>  echo '.'
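Review bot: the -/+ pair drops iked from the early-daemon line but leaves isakmpd and sasyncd in `start_daemon iscsid isakmpd sasyncd ldapd npppd`, so the two IKE daemons, which this thread says were both made static for the same NFS-over-IPsec reason, would now start at different points in rc; either move isakmpd in the same hunk or say in the commit message why it keeps its early slot. As quoted, the hunk also has no matching + line, so the place where iked is started again cannot be seen here; the removal and the re-addition belong in one reviewable patch.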
> >
> >Most of these are dynamically linked.
> >
> >You can make iked dynamic without moving it in the startup sequence.
> 
> Let's focus on that question first.  Where should it be started?
> 
> Let's move isakmpd and iked at the same time.  To where?
> 

I think immediately before iscsid. They need to be after ntpd because
you may be running on a machine without RTC and using X.509 certificates
for IPsec. And after the DNS daemons because you might be connecting to
a VPN by hostname. isakmpd should be before npppd. And actually I think
"Load IPsec rules" should also be before npppd; should npppd move later,
to "starting network daemons"?

On 2015/10/20 20:25, Reyk Floeter wrote:
>  echo -n 'starting network daemons:'
> -start_daemon ldomd sshd snmpd ldpd ripd ospfd ospf6d bgpd ifstated
> +start_daemon iked ldomd sshd snmpd ldpd ripd ospfd ospf6d bgpd ifstated
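Review bot: placing iked at the head of `start_daemon iked ldomd sshd snmpd ldpd ripd ospfd ospf6d bgpd ifstated` fixes the fork order only; nothing in this hunk waits for an SA to be negotiated, so ospf6d and bgpd (the cases raised later in the thread where the routing protocol itself rides over IPsec) can still come up before the tunnel exists, and the patch should say whether that is acceptable or whether the "Load IPsec rules" step is expected to cover it. Whether ypldap, which the reply below says must start after IPsec, is later than this line is not visible in the hunk; please confirm its position in the same patch.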

IPsec should be brought up before ypldap.
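The ordering constraints argued for in this message (IKE after ntpd and the DNS daemons, isakmpd before npppd, iked before the routing daemons and ypldap) can be checked mechanically against an rc script. The following is an added example, not code from the thread or from OpenBSD's etc/rc: it extracts the daemon order from start_daemon lines and tests each before/after relation. The rc fragment is constructed here to mirror the quoted hunks with iked moved to the network-daemon group; the `start_daemon ypldap` line is a placeholder, since ypldap's real position is not shown on this page.

```shell
#!/bin/sh
# Constructed rc fragment (not the shipped etc/rc): the two quoted hunks with
# iked moved to the network-daemon group, plus a placeholder ypldap line.
RC_FRAGMENT='
echo -n "starting early daemons:"
start_daemon syslogd ldattach pflogd nsd unbound ntpd
start_daemon iscsid isakmpd sasyncd ldapd npppd
echo "."

echo -n "starting network daemons:"
start_daemon iked ldomd sshd snmpd ldpd ripd ospfd ospf6d bgpd ifstated
start_daemon ypldap
echo "."
'

# Print the daemons named on start_daemon lines, one per line, in start order.
# Other rc lines (echo, comments, mounts) are ignored.
daemon_order() {
    printf '%s\n' "$1" | awk '$1 == "start_daemon" { for (i = 2; i <= NF; i++) print $i }'
}

# Print the 1-based start position of daemon $2 in rc text $1; print nothing
# if the daemon is never started.
start_position() {
    daemon_order "$1" | awk -v name="$2" '$1 == name { print NR; exit }'
}

# Return 0 when daemon $2 is started before daemon $3 in rc text $1.
# A daemon that does not appear at all fails the check, so a typo in a
# start_daemon line is reported rather than silently passing.
starts_before() {
    a=$(start_position "$1" "$2")
    b=$(start_position "$1" "$3")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# Check the constraints raised in the thread ("first:second" means first must
# start before second). Prints one line per constraint; returns 1 if any fails.
check_ike_order() {
    rc=$1
    status=0
    for pair in \
        ntpd:iked unbound:iked nsd:iked \
        ntpd:isakmpd unbound:isakmpd nsd:isakmpd \
        isakmpd:npppd iked:ospf6d iked:bgpd iked:ypldap
    do
        first=${pair%%:*}
        second=${pair#*:}
        if starts_before "$rc" "$first" "$second"; then
            printf 'ok    %s before %s\n' "$first" "$second"
        else
            printf 'FAIL  %s not before %s\n' "$first" "$second"
            status=1
        fi
    done
    return $status
}

check_ike_order "$RC_FRAGMENT"
```

To audit a real system, replace the constructed fragment with `RC_FRAGMENT=$(cat /etc/rc)`; the parser only looks at lines whose first word is start_daemon, so the rest of the script is ignored.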



Re: make iked not static

2015-10-20 Thread Sebastian Benoit
Christian Weisgerber (na...@mips.inka.de) on 2015.10.20 20:46:12 +:
> On 2015-10-20, Reyk Floeter wrote:
> 
> > For historical reasons, isakmpd and iked are compiled static:
> > people used NFS over ipsec.
> >
> > Is anyone still using this?  Is it more than one person?
> >
> > Otherwise I'd suggest to make iked dynamic.
> 
> Already, iked is started after /usr has been mounted, so why the
> static requirement?
> 
> > --- etc/rc  18 Oct 2015 21:33:18 -  1.467
> > +++ etc/rc  20 Oct 2015 18:03:58 -
> > @@ -353,7 +353,7 @@ make_keys
> >  
> >  echo -n 'starting early daemons:'
> >  start_daemon syslogd ldattach pflogd nsd unbound ntpd
> > -start_daemon iscsid isakmpd iked sasyncd ldapd npppd
> > +start_daemon iscsid isakmpd sasyncd ldapd npppd
> >  echo '.'
> 
> Most of these are dynamically linked.
> 
> You can make iked dynamic without moving it in the startup sequence.

In a lot of cases it will need the routing daemons to work anyway, so why
start it so much earlier?



Re: make iked not static

2015-10-20 Thread Stuart Henderson
On 2015/10/20 23:00, Sebastian Benoit wrote:
> Christian Weisgerber (na...@mips.inka.de) on 2015.10.20 20:46:12 +:
> > On 2015-10-20, Reyk Floeter wrote:
> > 
> > > For historical reasons, isakmpd and iked are compiled static:
> > > people used NFS over ipsec.

isakmpd is an odd one. Reading cvs log, it started as a static
binary but used dlopen to load the libs. Anyone know the history
of that?

> > > Is anyone still using this?  Is it more than one person?
> > >
> > > Otherwise I'd suggest to make iked dynamic.
> > 
> > Already, iked is started after /usr has been mounted, so why the
> > static requirement?
> > 
> > > --- etc/rc18 Oct 2015 21:33:18 -  1.467
> > > +++ etc/rc20 Oct 2015 18:03:58 -
> > > @@ -353,7 +353,7 @@ make_keys
> > >  
> > >  echo -n 'starting early daemons:'
> > >  start_daemon syslogd ldattach pflogd nsd unbound ntpd
> > > -start_daemon iscsid isakmpd iked sasyncd ldapd npppd
> > > +start_daemon iscsid isakmpd sasyncd ldapd npppd
> > >  echo '.'
> > 
> > Most of these are dynamically linked.
> > 
> > You can make iked dynamic without moving it in the startup sequence.
> 
> In a lot of cases it will need the routing daemons to work anyway, so why
> start it so much earlier?

But in other cases (yay OSPFv3 - also bgpd with 'ipsec esp ike',
and pfsync setups without dedicated nic, if that still works)
you want IPsec up and running before the routing daemons.