[Openswan dev] Error building klips-ipv6 (missing include?)
Harald Jenny
harald at a-little-linux-box.at
Mon Oct 11 15:38:46 EDT 2010
On Mon, Oct 11, 2010 at 12:32:41PM -0400, Paul Wouters wrote:
> On Mon, 11 Oct 2010, Harald Jenny wrote:
>
> >>[ip route commands] before pluto starts listening on the IPv6 address.
> >
> >Maybe this is related to:
> >
> >http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573955
> >
> >Did already discuss this problem with Paul...
>
> If that is the cause, "ipsec whack --listen" should fix that without
> setting any routes.
Hmmm lets better call it a workaround.
>
> I have been working a bit on the listen code, and I was considering an
> option to just listen to ANY. I am not sure what the history was of not
> listening on all IP's whenever they become available to the system.
>From a security point of view I think listening only on dedicated interfaces
is not a bad option...
>
> Perhaps Hugh or Hugh can sched some light on that?
>
> I also thought there was some kind of notification system in the kernel
> where an application can be told when an interface or ip address is
> added/removed from the kernel. (I don't mean messagebus, though that's
> another candidate)
As far as I know strongswan already has such a functionality, how about peeking
it their code?
>
> The easiest would be to just listen on ANY.
Well but in the case of security software easy != best.
>
> Paul
Harald
More information about the Dev
mailing list