| field | value | date |
|---|---|---|
| author | pjd <pjd@FreeBSD.org> | 2006-04-09 19:11:45 +0000 |
| committer | pjd <pjd@FreeBSD.org> | 2006-04-09 19:11:45 +0000 |
| commit | 0501edbc66645c32bd26858286dc77bbda7e3720 (patch) | |
| tree | 77a503b7833e317fcc529ff99d821491c8d3ddfc /sys/netipsec/ipsec.c | |
| parent | b9b788a5760c97968cafc3828641761cfe07fae2 (diff) | |
Introduce two new sysctls:
net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with
the same sequence number. This allows verifying whether the other side
has proper replay attack detection.
net.inet.ipsec.test_integrity - When set to 1, IPsec will send packets with
a corrupted HMAC. This allows verifying whether the other side properly
detects modified packets.
I used the first one to discover that we don't have proper replay attack
detection in ESP (in fast_ipsec(4)).
Diffstat (limited to 'sys/netipsec/ipsec.c')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | sys/netipsec/ipsec.c | 15 |

1 files changed, 15 insertions, 0 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index 4038c00..76bd99e 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -148,6 +148,21 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO, ipsecstats, CTLFLAG_RD, &newipsecstat, newipsecstat, ""); +/* + * When set to 1, IPsec will send packets with the same sequence number. + * This allows to verify if the other side has proper replay attacks detection. + */ +int ipsec_replay = 0; +SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, &ipsec_replay, 0, + "Emulate replay attack"); +/* + * When set 1, IPsec will send packets with corrupted HMAC. + * This allows to verify if the other side properly detects modified packets. + */ +int ipsec_integrity = 0; +SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW, + &ipsec_integrity, 0, "Emulate man-in-the-middle attack"); + #ifdef INET6 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; int ip6_esp_net_deflev = IPSEC_LEVEL_USE; |
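Review bot: both knobs are registered CTLFLAG_RW with no build-time guard, so every kernel built from this file exposes a runtime switch that makes the IPsec sender emit duplicate sequence numbers or corrupted HMACs; consider wrapping the two definitions (`int ipsec_replay = 0;` and `int ipsec_integrity = 0;`) together with their SYSCTL_INT registrations in a debugging-only `#ifdef`, or at least marking them as test-only in the description strings, so a production host cannot have its own SA traffic silently degraded by a flipped sysctl. Note also that this hunk only declares the globals and the sysctl nodes; nothing in ipsec.c reads ipsec_replay or ipsec_integrity, so the send-path code that consumes them sits in files outside this diff (which is limited to sys/netipsec/ipsec.c) and needs its own review. Minor: the second comment says "When set 1" where the first says "When set to 1", the description "Emulate man-in-the-middle attack" is broader than what the comment describes (a corrupted HMAC), and the two SYSCTL_INT calls are wrapped differently; aligning them keeps the block consistent.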