[Openswan dev] Error building klips-ipv6 (missing include?)

Harald Jenny harald at a-little-linux-box.at
Mon Oct 11 15:38:46 EDT 2010


On Mon, Oct 11, 2010 at 12:32:41PM -0400, Paul Wouters wrote:
> On Mon, 11 Oct 2010, Harald Jenny wrote:
> 
> >>[ip route commands] before pluto starts listening on the IPv6 address.
> >
> >Maybe this is related to:
> >
> >http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573955
> >
> >Did already discuss this problem with Paul...
> 
> If that is the cause, "ipsec whack --listen" should fix that without
> setting any routes.

Hmmm, let's better call it a workaround.

> 
> I have been working a bit on the listen code, and I was considering an
> option to just listen to ANY. I am not sure what the history was of not
> listening on all IP's whenever they become available to the system.

From a security point of view I think listening only on dedicated interfaces
is not a bad option...

> 
> Perhaps Hugh or Hugh can shed some light on that?
> 
> I also thought there was some kind of notification system in the kernel
> where an application can be told when an interface or ip address is
> added/removed from the kernel. (I don't mean messagebus, though that's
> another candidate)

As far as I know strongswan already has such a functionality, how about peeking
at their code?

> 
> The easiest would be to just listen on ANY.

Well but in the case of security software easy != best.

> 
> Paul

Harald

