Pantek Library

Re: linux-ipsec: Notes from _trying_ to install & configure Linux FreeS/WAN...

From: Henry Spencer <henry(at)spsystems.net>
Date: Fri Nov 27 1998 - 13:12:54 EST


> > > There is usually a route that will route for a particular address...

I'm not clear on what sequence of events you are suggesting here; please elaborate. Do note that particularly security-conscious sites may *not* want to establish a route that goes direct to a hardware interface, not even momentarily as part of setup, in case cleartext packets escape that way before the IPSEC machinery is set up. (The issue is the production environment, not one-time test arrangements which will not be entrusted with sensitive data.)

> > Sure, *sometimes* there will be an existing route which can be copied.

Hmm, you mean have a magic value for the nexthop parameters which means "take from existing route"? Might be feasible... although it may be awkward figuring out just which route is the relevant one.

> > If you invoke ping with "-p feedfacedeadbeef", then it's pretty easy to
> > tell at a glance whether a hex dump is cleartext or not...
>
> ...this only tests ICMP packets, and takes up much more vertical space.

True. On the other hand, it has the huge advantage of being doable with an off-the-shelf tcpdump.

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
Received on Fri Nov 27 13:46:50 1998
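The `ping -p feedfacedeadbeef` check mentioned in the message above, as an added example that is not part of the original post: a shell function that reads `tcpdump -x` text, rejoins each packet's hex rows, and flags any packet in which the fill pattern is still visible. The sample dump is constructed (addresses, SPI, timestamps and checksums are made up) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag packets in `tcpdump -x` output that still carry the
# ping fill pattern in the clear. Function names are hypothetical.
PATTERN=feedfacedeadbeef   # the value passed to ping -p

# classify_dump: reads `tcpdump -x` text on stdin, prints one verdict per packet.
classify_dump() {
    awk -v pat="$PATTERN" '
        function emit() {
            if (hdr != "") {
                verdict = (index(hex, pat) > 0) ? "CLEARTEXT" : "no-pattern"
                print verdict ": " hdr
            }
            hex = ""
        }
        /^[ \t]*$/ { next }
        /^[ \t]+0x[0-9a-fA-F]+:/ {
            # Hex row: skip the offset column and join the 4-digit groups, so a
            # pattern split across groups or rows is still found.
            for (i = 2; i <= NF && i <= 9; i++) hex = hex tolower($i)
            next
        }
        { emit(); hdr = $0 }   # any other line starts a new packet
        END { emit() }
    '
}

# Constructed sample: one cleartext ICMP echo and one ESP packet.
sample_dump() {
cat <<'EOF'
13:12:54.000001 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 1, seq 1, length 64
    0x0000:  4500 0054 1234 4000 4001 0000 0a00 0001
    0x0010:  0a00 0002 0800 0000 0001 0001 365e f1d6
    0x0020:  0000 0000 feed face dead beef feed face
    0x0030:  dead beef feed face dead beef feed face
    0x0040:  dead beef feed face dead beef feed face
    0x0050:  dead beef
13:12:55.000001 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x00000100,seq=0x1), length 32
    0x0000:  4500 0034 1235 4000 4032 0000 0a00 0001
    0x0010:  0a00 0002 0000 0100 0000 0001 9c3a 71e4
    0x0020:  5b0f d2a8 17c6 e93d 408b f512 6ea7 03dc
    0x0030:  b94e 2a60
EOF
}

sample_dump | classify_dump
```

A `no-pattern` verdict only means the ping fill bytes are not visible in that packet; the function expects `-x` output without the ASCII column that `-X` adds.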

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:08 EDT

