Subject: Re: Take #3 - final proposed patch for ipsec/bpf/ipfilter integration
To: Curt Sampson <cjs@cynic.net>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 05/15/2003 16:50:57
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Curt" == Curt Sampson <cjs@cynic.net> writes:
Curt> On Wed, 14 May 2003, YAMAMOTO Takashi wrote:
>> tcpdump can decode ESP by itself and I think it should if needed.
Curt> Using tcpdump's -E option is, in the large majority of cases,
Curt> impractical. First, it can take only ASCII keys, restricting you to
No, fixed. 0x for hex.
The one in HEAD of tcpdump.org also takes /file/name for a list of SAs.
Curt> using a small portion of the keyspace. Second, if you're using IKE it
Curt> can be difficult or impossible to find out the key currently in
Curt> use.
Yes, a problem. And a feature.
Curt> Also, using tcpdump before ipsec processing doesn't help if you
Curt> want to see if the kernel is correctly decrypting the packets.
Yes, this is why we need to have tcpdump after IPsec.
Curt> Note, for example, that tcpdump is hardly the only program that uses
Curt> BPF. What if I want to do a netflow analysis? Or use ntop?
There is another program that has a problem: dhclient.
If you encrypted your link (see www.wavesec.org), dhclient can't see the
replies to the lease renewal, because they are encrypted.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBPsPq1IqHRg3pndX9AQFBiwP/Tb6NFyOqYzoWO0SlmZIZ8cmHWzI385JZ
jzoSGTWZ8Scjhl7xZAFjgV3UbELGUAPq0mEWFdh4EUwGtd3UWON5CeU0NWlgPpJC
xPgLNFKZIwlNE1DGrYAZAOAHyv/KLgsbBkg6duP94c4aLAxsLk3lRT6nvMfaaWuw
jbgG67LpL+I=
=QbnW
-----END PGP SIGNATURE-----
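The point of the thread, that a BPF consumer (tcpdump, ntop, dhclient) tapping the interface before IPsec processing sees only the ESP envelope, while the same consumer tapping after decryption sees the inner datagram, can be shown with a small parser. The following is an added illustration, not code from the thread or from NetBSD; both packets are constructed samples, and the ESP "ciphertext" is a placeholder byte string rather than real encryption.

```python
"""Constructed illustration: what a BPF tap can see on an IPsec-protected
link before ESP processing (outer IP + ESP header, opaque body) versus
after it (the decrypted inner IP/UDP datagram, e.g. a DHCP reply)."""
import struct

ESP = 50
UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum left at zero (constructed sample)."""
    total_len = 20 + payload_len
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes(src), bytes(dst))


def build_inner_dhcp_reply():
    """Plaintext a tap *after* IPsec decryption would see: UDP 67 -> 68,
    the kind of lease-renewal reply dhclient listens for (constructed)."""
    udp_payload = b"DHCPACK (constructed placeholder)"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(udp_payload), 0) + udp_payload
    return ipv4_header((10, 0, 0, 1), (10, 0, 0, 2), UDP, len(udp)) + udp


def build_outer_esp(spi=0x1000, seq=7):
    """Wire image a tap *before* IPsec sees: outer IP + ESP (SPI, sequence)
    followed by opaque bytes. The body is a placeholder, not real ESP output."""
    opaque_body = b"\xaa" * 48
    esp = struct.pack("!II", spi, seq) + opaque_body
    return ipv4_header((192, 0, 2, 1), (192, 0, 2, 2), ESP, len(esp)) + esp


def parse_packet(pkt):
    """Return the fields a BPF filter could match on for this packet.
    For ESP only the outer addresses, SPI and sequence number are visible;
    for UDP the ports are visible, which is what dhclient needs."""
    fields = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    proto = fields[6]
    view = {
        "src": ".".join(str(b) for b in fields[8]),
        "dst": ".".join(str(b) for b in fields[9]),
        "proto": proto,
    }
    body = pkt[ihl:]
    if proto == ESP:
        spi, seq = struct.unpack("!II", body[:8])
        view.update(spi=spi, seq=seq, opaque_len=len(body) - 8)
    elif proto == UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        view["ports"] = (sport, dport)
    return view


if __name__ == "__main__":
    print("before IPsec:", parse_packet(build_outer_esp()))
    print("after IPsec: ", parse_packet(build_inner_dhcp_reply()))
```

Running it shows the pre-IPsec view carrying only SPI, sequence number and an opaque body length, so a filter such as `udp port 68` has nothing to match until the packet has been through ESP processing; that is the gap the thread's post-IPsec tap is meant to close.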