[security-discuss] Re: Re: Re: IPsec, NAT and IPF

2007-05-02 Thread Dan McDonald
On Wed, May 02, 2007 at 03:26:36PM -0700, UNIX admin wrote:
> > From a practical perspective, the rule syntax is
> > very subtle.
> > encr_algs aes encr_auth_algs sha1
> > will use ESP with AES encryption and SHA1
> > authentication.
> >
> > encr_algs aes auth_algs sha1
> > uses ESP with AES en

[security-discuss] Enhanced SMF Profiles design, second version

2007-05-02 Thread David Bustos
[ blind carbon-copied to security-discuss, nwam-discuss, and sparks-discuss ] The second draft of the Enhanced SMF Profiles design is now available at http://opensolaris.org/os/project/smf-profiles/Design , along with a PDF at http://opensolaris.org/os/project/smf-profiles/Design/design.pdf . Th

[security-discuss] Re: Re: Re: IPsec, NAT and IPF

2007-05-02 Thread UNIX admin
> From a practical perspective, the rule syntax is
> very subtle.
> encr_algs aes encr_auth_algs sha1
> will use ESP with AES encryption and SHA1
> authentication.
>
> encr_algs aes auth_algs sha1
> uses ESP with AES encryption, AH with SHA1
> authentication, incompatible
> with NAT.
>
> It's

[security-discuss] Re: Re: Re: IPsec, NAT and IPF

2007-05-02 Thread UNIX admin
> > OK, how can I check whether I'm using ESP with
> > auth?
>
> If you're already protecting traffic with ESP, utter
> (with privilege):
>
> ipseckey dump esp | egrep "AKY:|Authentication"

This returns no output.

> If you see output, then you're using ESP
> authentication.

Oops. I guess I
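Added example, not code from this thread or from Solaris: a small sh helper that covers both the rule-syntax distinction Dan McDonald describes earlier (encr_auth_algs versus auth_algs) and the ipseckey check quoted above. The rule strings and the ipseckey dump text are constructed for illustration; a real `ipseckey dump esp` listing will differ in detail, so the only thing relied on from the thread is the egrep pattern "AKY:|Authentication".

```shell
#!/bin/sh
# Added example, not code from the thread or from Solaris. The rule strings
# and the ipseckey dump text below are constructed for illustration.

# rule_mode RULE
#   Prints how an ipsecinit.conf-style rule protects traffic:
#     esp-auth     encr_auth_algs present: ESP authenticates its own payload
#                  (no AH header, so it survives NAT)
#     esp+ah       auth_algs present: ESP for encryption plus a separate AH
#                  header (AH covers the IP header, so NAT breaks it)
#     esp-auth+ah  both keywords present
#     esp-only     neither keyword: encryption with no integrity check
rule_mode() {
  rule=$1
  esp_auth=no
  ah=no
  case "$rule" in
    *encr_auth_algs*) esp_auth=yes ;;
  esac
  # Drop every encr_auth_algs token first; otherwise the substring test
  # for the bare auth_algs keyword would also fire on encr_auth_algs.
  stripped=$(printf '%s\n' "$rule" | sed 's/encr_auth_algs//g')
  case "$stripped" in
    *auth_algs*) ah=yes ;;
  esac
  case "$esp_auth$ah" in
    yesno)  echo esp-auth ;;
    noyes)  echo esp+ah ;;
    yesyes) echo esp-auth+ah ;;
    *)      echo esp-only ;;
  esac
}

# esp_has_auth DUMP_TEXT
#   Returns 0 when captured `ipseckey dump esp` text shows an authentication
#   key or algorithm on an ESP SA: the same test as
#   `ipseckey dump esp | egrep "AKY:|Authentication"` from the thread.
esp_has_auth() {
  printf '%s\n' "$1" | grep -E -q 'AKY:|Authentication'
}

# Constructed sample: an ESP SA set up from a rule carrying encr_auth_algs.
SAMPLE_DUMP_AUTH='SA: SADB_ASSOC spi=0x1a2b3c4d, replay=64, state=MATURE
SA: Authentication algorithm = HMAC-SHA-1
SA: Encryption algorithm = AES-CBC
AKY: Authentication key.
EKY: Encryption key.'

# Constructed sample: an ESP SA with encryption only (the "no output" case).
SAMPLE_DUMP_NOAUTH='SA: SADB_ASSOC spi=0x5e6f7081, replay=64, state=MATURE
SA: Encryption algorithm = AES-CBC
EKY: Encryption key.'

# Walk the two rules from the thread plus the two edge cases.
for r in 'encr_algs aes encr_auth_algs sha1' \
         'encr_algs aes auth_algs sha1' \
         'encr_algs aes encr_auth_algs sha1 auth_algs sha1' \
         'encr_algs aes'; do
  printf '%-50s -> %s\n' "$r" "$(rule_mode "$r")"
done

if esp_has_auth "$SAMPLE_DUMP_AUTH"; then
  echo 'sample 1: ESP authentication in use'
fi
if ! esp_has_auth "$SAMPLE_DUMP_NOAUTH"; then
  echo 'sample 2: no ESP authentication (egrep would print nothing)'
fi
```

On a live system the second function would be fed `ipseckey dump esp` output run with privilege; empty egrep output, as in the reply above, means the ESP SAs carry no authentication and the rule should be changed to use encr_auth_algs rather than auth_algs if NAT is in the path.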

[security-discuss] Re: Re: IPsec, NAT and IPF

2007-05-02 Thread Paul Wernau
Dan McDonald wrote:
> On Wed, May 02, 2007 at 01:00:30AM -0700, UNIX admin wrote:
>>> ESP has the capability for using authentication on
>>> its encapsulated payload.
>>> It makes AH *mostly* redundant. You should specify
>>> *either* ESP
>>> authentication or AH.
>> OK, how can I check whether

[security-discuss] Re: Re: IPsec, NAT and IPF

2007-05-02 Thread Dan McDonald
On Wed, May 02, 2007 at 01:00:30AM -0700, UNIX admin wrote:
> > ESP has the capability for using authentication on
> > its encapsulated payload.
> > It makes AH *mostly* redundant. You should specify
> > *either* ESP
> > authentication or AH.
>
> OK, how can I check whether I'm using ESP with aut

[security-discuss] Re: Re: IPsec, NAT and IPF

2007-05-02 Thread UNIX admin
> ESP has the capability for using authentication on
> its encapsulated payload.
> It makes AH *mostly* redundant. You should specify
> *either* ESP
> authentication or AH.

OK, how can I check whether I'm using ESP with auth?

> You're correct. And these theoretical attacks are
> becoming practi