From owner-freebsd-security@FreeBSD.ORG Sun Oct 19 14:12:47 2003
From: Adam Nowacki
Date: Sun, 19 Oct 2003 23:12:59 +0200
To: freebsd-security@freebsd.org
Message-ID: <3F92FE5B.5070709@bsk.vectranet.pl>
Subject: jail + devfs + snp problem (FreeBSD 5.1-RELEASE-p10)
List-Id: Security issues [members-only posting]

shell# /sbin/devfs rule -s 2 delset
shell# /sbin/devfs rule -s 2 add hide
shell# /sbin/devfs rule -s 2 add path random unhide
shell# /sbin/devfs rule -s 2 add path urandom unhide
shell# /sbin/devfs rule -s 2 add path zero unhide
shell# /sbin/devfs rule -s 2 add path pty\* unhide
shell# /sbin/devfs rule -s 2 add path pty\* unhide
shell# /sbin/devfs rule -s 2 add path tty\* unhide
shell# /sbin/mount_devfs devfs /storage0/site/dev
shell# /sbin/devfs -m /storage0/site/dev ruleset 2
shell# cd /storage0/site/dev
shell# ls
fd      ptyp6   ptypf   ptypo   ttyld0  ttyp7   ttypg   ttypp   ttyv6   ttyvf
net     ptyp7   ptypg   ptypp   ttyld1  ttyp8   ttyph   ttypq   ttyv7   urandom
null    ptyp8   ptyph   ptypq   ttyp0   ttyp9   ttypi   ttypr   ttyv8   zero
ptyp0   ptyp9   ptypi   ptypr   ttyp1   ttypa   ttypj   ttyv0   ttyv9
ptyp1   ptypa   ptypj   random  ttyp2   ttypb   ttypk   ttyv1   ttyva
ptyp2   ptypb   ptypk   ttyd0   ttyp3   ttypc   ttypl   ttyv2   ttyvb
ptyp3   ptypc   ptypl   ttyd1   ttyp4   ttypd   ttypm   ttyv3   ttyvc
ptyp4   ptypd   ptypm   ttyid0  ttyp5   ttype   ttypn   ttyv4   ttyvd
ptyp5   ptype   ptypn   ttyid1  ttyp6   ttypf   ttypo   ttyv5   ttyve

Everything looks great, but:

shell# w -n
USER   TTY  FROM   LOGIN@  IDLE  WHAT
root   pm   ???    ???     -     w -n
shell# jexec 1 /bin/sh
# cd /dev
# ls -al snp*
ls: snp*: No such file or directory
# watch -W pm
shell# id
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)

And I'm outside !

From owner-freebsd-security@FreeBSD.ORG Mon Oct 20 09:30:34 2003
From: Alhagie Puye
Date: Mon, 20 Oct 2003 09:30:33 -0700 (PDT)
To: freebsd-security@freebsd.org
Message-ID: <20031020163033.9682.qmail@web20509.mail.yahoo.com>
Subject: Equal bandwidth configuration among host with dummynet

Hi all,

First of all, I have spent a lot of time reading up on it.

Anyway, I live in a shared accommodation with 2 roommates and a landlord
and we share a cable internet connection. It is 2Mbit/400Kbit connection.
Sometimes when one of us is downloading a song through Kazaa or a new
Linux or FreeBSD iso, the bandwidth gets hogged and other users can't
get through.

I was trying to configure dummynet using Fair Queues but I seem to be
missing something. I tried to modify some of the examples on Luigi
Rizzo's web site (http://info.iet.unipi.it/~luigi/ip_dummynet/) but it
doesn't seem to be working.

It is a very simple setup.

Private network (192.168.42.0/24)--------> FreeBSD 5.1 firewall doing
NAT (DHCP on external interface)

My configuration file excerpt:

ipfw pipe 1 config bw 400Kbit/s
ipfw pipe 2 config bw 1000Kbit/s
ipfw add queue 1 ip from 192.168.42.0/24 to any via fxp0
ipfw queue 1 config weight 5 pipe 1 mask src-ip 0xffffffff

ipfw add queue 2 ip from any to 192.168.42.0/24 via fxp0
ipfw queue 2 config weight 5 pipe 2 mask dst-ip 0xffffffff

When I do a "ipfw pipe show", the output is:

firewall# ipfw pipe list
00001: 400.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00002:   1.000 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 5 pipe 1   50 sl. 0 queues (64 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
q00002: weight 5 pipe 2   50 sl. 0 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000

The queues are always "0". So, it seems to me like they are not getting
created. What am I missing? I have looked everywhere for answers. Any
help would be greatly appreciated.

Cheers,
Alhagie.
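Back to the jail report that opens this digest (Adam Nowacki's devfs ruleset). The ruleset unhides every `pty*` and `tty*` node in the jail's devfs, so the jail sees the host's terminals; `w` on the host shows root logged in on `ttypm`, and `watch -W pm` from inside the jail then hands jailed root a host root prompt, even though no `snp*` node was listed. The script below is an added example, not code from the post or from FreeBSD: an audit that cross-references the terminal nodes visible in a jail's devfs with the controlling terminals of host processes, and flags wildcard `unhide` rules for terminal or snoop devices. The device list, the `ps` output and the ruleset listing are constructed samples modelled on the report; on a real host feed it the `ls` of the jail's `/dev`, `ps -axo tty,user,command`, and `devfs rule -s N show`.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the FreeBSD tree):
# audit which host terminals a jail can reach through its devfs mount.

# Constructed sample: nodes as `ls` showed them inside the jail's /dev
# (abridged to the ones this audit cares about).
JAIL_DEV_LIST='fd net null ptyp0 ptypm random ttyp0 ttypm ttyv0 urandom zero'

# Constructed sample of host `ps -axo tty,user,command` (hypothetical processes).
HOST_PS='TT   USER  COMMAND
v0   root  /usr/libexec/getty Pc ttyv0
pm   root  -sh
p0   adam  sshd: adam@ttyp0
??   root  /usr/sbin/cron'

# Constructed sample of `devfs rule -s 2 show` for the ruleset in the post.
RULESET='100 hide
200 path random unhide
300 path urandom unhide
400 path zero unhide
500 path pty* unhide
600 path tty* unhide'

# exposed_host_ttys DEVLIST PSOUT: print "ttyNN user" for every host process
# whose controlling terminal exists as /dev/ttyNN inside the jail.  Any such
# terminal can be driven from inside the jail, as the post's `watch -W pm` shows.
exposed_host_ttys() {
    printf '%s\n' "$2" | awk -v devs="$1" '
        BEGIN { n = split(devs, a, " "); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NR > 1 && $1 != "??" && ("tty" $1) in seen { print "tty" $1, $2 }'
}

# risky_unhides RULESET: list rules that unhide terminal or snoop nodes by
# wildcard.  A wildcard unhide gives the jail every host pty, not just its own.
risky_unhides() {
    printf '%s\n' "$1" | grep -E 'path (pty|tty|snp)[^ ]*\* unhide' || true
}

# jail_tty_report DEVLIST PSOUT RULESET: verdict on stdout, exit 1 if anything
# is exposed, so the check can sit in cron or in the jail build script.
jail_tty_report() {
    exposed=$(exposed_host_ttys "$1" "$2")
    risky=$(risky_unhides "$3")
    if [ -z "$exposed" ] && [ -z "$risky" ]; then
        echo "ok: no host terminals visible in jail devfs"
        return 0
    fi
    printf 'EXPOSED host terminals:\n%s\nRISKY rules:\n%s\n' "$exposed" "$risky"
    return 1
}

jail_tty_report "$JAIL_DEV_LIST" "$HOST_PS" "$RULESET" \
    || echo "audit failed: tighten the ruleset before starting the jail"
```

On the sample data the report lists `ttyv0`, `ttypm` and `ttyp0` as reachable and both wildcard rules as risky. The fix the audit points at is to unhide only the jail's own terminals by name (or to let the jail allocate its ptys without exposing the host's), and to keep `snp*` hidden and unclonable from inside.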
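For the dummynet question, as an added example rather than anything posted in the thread: a complete per-host fair-share setup built from the poster's numbers (192.168.42.0/24 behind fxp0, 400 Kbit/s up, 1000 Kbit/s down). It assumes NAT is done by natd through a divert rule, which the post does not say. Three things the posted excerpt leaves out matter here. The `0 queues` in `ipfw pipe show` counts the dynamic per-host queues currently instantiated; they are created by the first matching packet and expire when idle, so the counter stays at 0 on an idle gateway and says nothing about whether the rules match. With `net.inet.ip.fw.one_pass` at its default of 1 a packet that enters a queue is accepted when it leaves dummynet and never reaches a later divert rule, so it is set to 0 here. And the mask has to be applied where the private address is still visible: before NAT on the way out, after NAT on the way in, which is why each queue rule is tied to a direction and ordered against the divert rules. (The excerpt's `0xfffffff` has seven f's; the `pipe show` output confirms eight.)

```shell
#!/bin/sh
# Added example, not from the mailing-list post: per-host fair sharing of an
# asymmetric uplink with dummynet on a NATing FreeBSD gateway.  Numbers are
# the thread's; natd on a divert socket is an assumption about the NAT setup.
LAN=192.168.42.0/24
EXT=fxp0
UP=400Kbit/s
DOWN=1000Kbit/s

# dummynet_rules: print the configuration one command per line, so it can be
# read (or diffed against `ipfw show`) before anything touches the kernel.
# Rule order matters: the upload queue sees the packet before natd rewrites
# the source, the download queue sees it after natd restores the destination,
# and one_pass=0 lets a packet continue through the ruleset after the queue
# action instead of being accepted on the spot.  Rule 140 stands in for the
# gateway's real filtering policy.
dummynet_rules() {
    cat <<EOF
sysctl net.inet.ip.fw.one_pass=0
ipfw pipe 1 config bw $UP
ipfw pipe 2 config bw $DOWN
ipfw queue 1 config weight 5 pipe 1 mask src-ip 0xffffffff
ipfw queue 2 config weight 5 pipe 2 mask dst-ip 0xffffffff
ipfw add 100 queue 1 ip from $LAN to any out via $EXT
ipfw add 110 divert natd ip from any to any out via $EXT
ipfw add 120 divert natd ip from any to any in via $EXT
ipfw add 130 queue 2 ip from any to $LAN in via $EXT
ipfw add 140 allow ip from any to any
EOF
}

# apply_rules: load the configuration on the gateway (run as root).  Flushing
# first keeps a re-run from stacking duplicate rules and pipes.
apply_rules() {
    ipfw -f flush
    ipfw -f pipe flush
    dummynet_rules | sh -e
}

# show_flows: the per-host dynamic queues.  They exist only while a host has
# traffic in flight, so run this during a download; an idle gateway prints
# "0 queues" for every queue, which is what the post saw.
show_flows() {
    ipfw queue show
}

dummynet_rules
```

Run `apply_rules` on the gateway, start a download from one internal host, and `show_flows` should list one dynamic queue per active internal address under `q00001` and `q00002`; equal weights then give each host an equal share of whichever pipe is saturated.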
From owner-freebsd-security@FreeBSD.ORG Mon Oct 20 09:59:18 2003
From: Dan Airinen
Date: Mon, 20 Oct 2003 19:59:08 +0300 (EEST)
To: Alhagie Puye
cc: freebsd-security@freebsd.org
Message-ID: <20031020195618.O32785@daemon.cyberdoom.org>
In-Reply-To: <20031020163033.9682.qmail@web20509.mail.yahoo.com>
Subject: Re: Equal bandwidth configuration among host with dummynet

Hi, a bit off topic here. You might want to try:
freebsd-questions@freebsd.org

But I should suggest that you take a look at the ALTQ project:
http://www.csl.sony.co.jp/~kjc/software.html#ALTQ

On Mon, 20 Oct 2003, Alhagie Puye wrote:

> Hi all,
>
> First of all, I have spent a lot of time reading up on it.
>
> Anyway, I live in a shared accommodation with 2 roommates and a landlord
> and we share a cable internet connection. It is 2Mbit/400Kbit connection.
> Sometimes when one of us is downloading a song through Kazaa or a new
> Linux or FreeBSD iso, the bandwidth gets hogged and other users can't
> get through.
>
> I was trying to configure dummynet using Fair Queues but I seem to be
> missing something. I tried to modify some of the examples on Luigi
> Rizzo's web site (http://info.iet.unipi.it/~luigi/ip_dummynet/) but it
> doesn't seem to be working.
>
> It is a very simple setup.
>
> Private network (192.168.42.0/24)--------> FreeBSD 5.1 firewall doing
> NAT (DHCP on external interface)
>
> My configuration file excerpt:
>
> ipfw pipe 1 config bw 400Kbit/s
> ipfw pipe 2 config bw 1000Kbit/s
> ipfw add queue 1 ip from 192.168.42.0/24 to any via fxp0
> ipfw queue 1 config weight 5 pipe 1 mask src-ip 0xffffffff
>
> ipfw add queue 2 ip from any to 192.168.42.0/24 via fxp0
> ipfw queue 2 config weight 5 pipe 2 mask dst-ip 0xffffffff
>
> When I do a "ipfw pipe show", the output is:
>
> firewall# ipfw pipe list
> 00001: 400.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00002:   1.000 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> q00001: weight 5 pipe 1   50 sl. 0 queues (64 buckets) droptail
>     mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
> q00002: weight 5 pipe 2   50 sl. 0 queues (64 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
>
> The queues are always "0". So, it seems to me like they are not getting
> created. What am I missing? I have looked everywhere for answers. Any
> help would be greatly appreciated.
>
> Cheers,
> Alhagie.

From owner-freebsd-security@FreeBSD.ORG Tue Oct 21 20:27:41 2003
From: Bill Swingle
Date: Tue, 21 Oct 2003 20:27:40 -0700
To: security@freebsd.org
Message-ID: <20031022032740.GA2605@dub.net>
Subject: hardware crypto and SSL?
Is anyone successfully using some sort of hardware crypto solution to
combat the overhead of SSL in http transactions? I'd love to hear
anything good or bad about this.

-Bill

-- 
-=| Bill Swingle -
-=| Every message PGP signed
-=| PGP Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E 6414 5200 1C95 8E09 0223
-=| "Computers are useless. They can only give you answers" Pablo Picasso

From owner-freebsd-security@FreeBSD.ORG Tue Oct 21 20:40:44 2003
From: Mike Tancsa
Date: Tue, 21 Oct 2003 23:44:48 -0400
To: Bill Swingle, security@freebsd.org
Message-Id: <6.0.0.22.0.20031021233604.0807f8a0@209.112.4.2>
In-Reply-To: <20031022032740.GA2605@dub.net>
Subject: Re: hardware crypto and SSL?

Don't know about http ssl, but I am using the cards from Soekris for my
backup server. As long as you use 3des for encryption, it does make a
big difference CPU wise. The next generation cards supposedly have AES
and public key generation, but I don't think the driver will do the
public key stuff. The safe driver says it does, but I don't know where
to get such cards.

---Mike

At 11:27 PM 21/10/2003, Bill Swingle wrote:
>Is anyone successfully using some sort of hardware crypto solution to
>combat the overhead of SSL in http transactions? I'd love to hear
>anything good or bad about this.
>
>-Bill

From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 04:28:47 2003
From: Jim Hatfield
Date: Wed, 22 Oct 2003 12:28:45 +0100
To: freebsd-security@freebsd.org
Organization: Insignia Solutions
Subject: IPSec VPNs: to gif or not to gif

I will shortly be replacing a couple of proprietary VPN boxes
with a FreeBSD solution. Section 10.10 of the Handbook has a
detailed description of how to do this.

However I remember a lot of discussion about a year ago about
whether the gif interface was necessary to set up VPNs like
this or whether it was just a convenience, for "getting the
routing right".
A number of people said that gif was not needed but I've never
found a step-by-step description of how to set up a lan-to-lan
VPN without using it.

Is the Handbook the current received wisdom on how to set this
up, and is the use of the gif interface indeed necessary?

I also remember that the discussions diverted into a problem
with ipfw when gif was *not* used, but I haven't found any
messages to indicate that it was resolved. I recall suggestions
that a new interface esp0 be created so that ipfw could work
correctly on both the inner and outer packets of an ESP tunnel.

Was that issue ever resolved?

jim hatfield

From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 04:59:21 2003
From: Lukas Maly
Date: Wed, 22 Oct 2003 13:59:16 +0200 (CEST)
To: Jim Hatfield
cc: freebsd-security@freebsd.org
Message-ID: <20031022135339.C76516@k2.vol.cz>
Subject: Re: IPSec VPNs: to gif or not to gif

On Wed, 22 Oct 2003, Jim Hatfield wrote:

> I will shortly be replacing a couple of proprietary VPN boxes
> with a FreeBSD solution. Section 10.10 of the Handbook has a
> detailed description of how to do this.
>
> However I remember a lot of discussion about a year ago about
> whether the gif interface was necessary to set up VPNs like
> this or whether it was just a convenience, for "getting the
> routing right". A number of people said that gif was not
> needed but I've never found a step-by-step description of how
> to set up a lan-to-lan VPN without using it.

I use VPN with gif device.

ifconfig gif0 create tunnel AA1.BB1.CC1.DD1 AA2.BB2.CC2.DD2
ifconfig gif0 inet 192.168.0.1 192.168.1.1 netmask 255.255.255.0

Create and set tunnel. Add the policy with setkey ... Start racoon
server on port 500 proto UDP

/usr/local/sbin/racoon -4 -l /var/log/racoon.log

malyl

> Is the Handbook the current received wisdom on how to set this
> up, and is the use of the gif interface indeed necessary?
>
> I also remember that the discussions diverted into a problem
> with ipfw when gif was *not* used, but I haven't found any
> messages to indicate that it was resolved. I recall suggestions
> that a new interface esp0 be created so that ipfw could work
> correctly on both the inner and outer packets of an ESP tunnel.
>
> Was that issue ever resolved?
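Jim asked for a lan-to-lan setup without gif and Lukas showed the gif form, so here is the other form as an added example, not code from the thread or from the Handbook: tunnel-mode SPD entries keyed on the two private networks, with racoon negotiating the SAs over a pre-shared key. Without gif there is no tunnel interface and no route to add; the kernel picks the policy by the inner addresses and wraps matching packets in ESP between the two gateways. The addresses, the key-file path and the 3DES/SHA1 choices are assumptions (3DES matches the hardware discussed elsewhere on this page). The functions only print the two files; `install_vpn` is the step that writes them and is run on the gateway. The ipfw question Jim raises is not answered by this script.

```shell
#!/bin/sh
# Added example, not from the thread or the Handbook: a lan-to-lan IPsec
# tunnel without gif(4).  Tunnel-mode SPD entries keyed on the two private
# networks tell the kernel which packets to wrap in ESP between the gateways;
# racoon negotiates the SAs.  All addresses are placeholders (assumption):
# A is this gateway, B the remote one.
A_PUB=203.0.113.1;   A_LAN=192.168.0.0/24
B_PUB=198.51.100.1;  B_LAN=192.168.1.0/24
PSK_FILE=/usr/local/etc/racoon/psk.txt

# spd_policy: the setkey(8) script.  One policy per direction; "require"
# means matching packets are never sent in the clear: without an SA they
# are held or dropped while racoon negotiates, so a racoon outage fails closed.
spd_policy() {
    cat <<EOF
flush;
spdflush;
spdadd $A_LAN $B_LAN any -P out ipsec esp/tunnel/$A_PUB-$B_PUB/require;
spdadd $B_LAN $A_LAN any -P in ipsec esp/tunnel/$B_PUB-$A_PUB/require;
EOF
}

# racoon_conf: IKE phase 1 (main mode, pre-shared key) for the remote
# gateway and phase 2 parameters for traffic between the two networks.
# 3DES/SHA1 match the era of the thread; use aes if both ends support it.
racoon_conf() {
    cat <<EOF
path pre_shared_key "$PSK_FILE";
remote $B_PUB {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo address $A_LAN any address $B_LAN any {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# psk_line PEER SECRET: one line of psk.txt, "identifier secret".
psk_line() { printf '%s %s\n' "$1" "$2"; }

# install_vpn SECRET: write the files (key file readable by root only), load
# the policy, start racoon.  Run as root on gateway A; gateway B gets the
# same with A and B swapped.
install_vpn() {
    umask 077
    psk_line "$B_PUB" "$1" > "$PSK_FILE"
    spd_policy > /etc/ipsec.conf
    racoon_conf > /usr/local/etc/racoon/racoon.conf
    setkey -f /etc/ipsec.conf
    /usr/local/sbin/racoon -4 -l /var/log/racoon.log
}

spd_policy
```

After `install_vpn` on both gateways, `setkey -D` shows the two ESP SAs once the first packet between the networks has triggered negotiation, and `setkey -DP` shows the two policies with their tunnel endpoints.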
From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 05:24:45 2003
From: E

From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 07:09:19 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E064C16A4B3 for ; Wed, 22 Oct 2003 07:09:19 -0700 (PDT) Received: from magnesium.net (toxic.magnesium.net [207.154.84.15]) by mx1.FreeBSD.org (Postfix) with SMTP id 35D8C43F93 for ; Wed, 22 Oct 2003 07:09:19 -0700 (PDT) (envelope-from unfurl@dub.net) Received: (qmail 61547 invoked by uid 1001); 22 Oct 2003 14:09:19 -0000 Date: 22 Oct 2003 07:09:19 -0700 Date: Wed, 22 Oct 2003 07:09:19 -0700 From: Bill Swingle To: Michael Sierchio Message-ID: <20031022140919.GA61094@dub.net> References: <20031022032740.GA2605@dub.net> <6.0.0.22.0.20031021233604.0807f8a0@209.112.4.2> <3F9676FB.9020107@centtech.com> <3F968E85.1030902@tenebras.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="/04w6evG8XlLl3ft" Content-Disposition: inline In-Reply-To: <3F968E85.1030902@tenebras.com> User-Agent: Mutt/1.4.1i X-Operating-System: FreeBSD toxic.magnesium.net 5.1-RELEASE FreeBSD 5.1-RELEASE cc: security@freebsd.org Subject: Re: hardware crypto and SSL? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 2003 14:09:20 -0000 --/04w6evG8XlLl3ft Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Oct 22, 2003 at 07:04:53AM -0700, Michael Sierchio wrote: > Eric Anderson wrote: >=20 > >The new VIA Eden-N processors have built in high-speed AES encryption=20 >=20 > Forgive me, but that's really not important -- for SSL the bulk > encryption algorithm is usually RC4 (oops, ARCFOUR ;-), which > is efficient in software . 
It's the handshake and public key > operations that really benefit from the use of HW crypto. >=20 > In which case the currently-supported cards (either by the > OpenBSD /dev/crypto scheme ported by Sam Leffler, or those > directly supported in the OpenSSL engine) all work fine. >=20 > IOW the current Soekris boards help quite a bit, and they > also help because they have a HW RBG which actually stirs > the entropy pool for /dev/random -- very helpful for not > running out of random bits on machines that have no > keyboard or mouse. When you say that they help quite a bit, do you mean for http+SSL or some other application? What I'm getting at is this: can anyone actually confirm that using hardware crypto can increase http+SSL speeds? I've yet to find any mention of it on the web. (Basicly the problem I'm trying to solve is for a web-based app that we recently discovered is tons faster without SSL but SSL is a requirement) -Bill --=20 -=3D| Bill Swingle - -=3D| Every message PGP signed -=3D| PGP Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E 6414 5200 1C95 8E09 0223 -=3D| "Computers are useless. 
They can only give you answers" Pablo Picasso= =20 --/04w6evG8XlLl3ft Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/lo+PUgAclY4JAiMRAuv7AJ9Md2NrBzfZalRCyVMSbS/PP2k9GwCfb3+/ wR0Di/vxEC7nvLc8pE6CLIw= =v7dS -----END PGP SIGNATURE----- --/04w6evG8XlLl3ft-- From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 07:12:11 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A4ACC16A4B3 for ; Wed, 22 Oct 2003 07:12:11 -0700 (PDT) Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8063C43F85 for ; Wed, 22 Oct 2003 07:12:10 -0700 (PDT) (envelope-from anderson@centtech.com) Received: from centtech.com (neutrino.centtech.com [204.177.173.28]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id h9MEC96T057039; Wed, 22 Oct 2003 09:12:10 -0500 (CDT) (envelope-from anderson@centtech.com) Message-ID: <3F96902A.8040203@centtech.com> Date: Wed, 22 Oct 2003 09:11:54 -0500 From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Michael Sierchio References: <20031022032740.GA2605@dub.net> <6.0.0.22.0.20031021233604.0807f8a0@209.112.4.2> <3F9676FB.9020107@centtech.com> <3F968E85.1030902@tenebras.com> In-Reply-To: <3F968E85.1030902@tenebras.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: security@freebsd.org Subject: Re: hardware crypto and SSL? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 2003 14:12:11 -0000 Michael Sierchio wrote: > Eric Anderson wrote: > >> The new VIA Eden-N processors have built in high-speed AES encryption > > > Forgive me, but that's really not important -- for SSL the bulk > encryption algorithm is usually RC4 (oops, ARCFOUR ;-), which > is efficient in software . It's the handshake and public key > operations that really benefit from the use of HW crypto. I understand - justing tossing it into the ring.. > In which case the currently-supported cards (either by the > OpenBSD /dev/crypto scheme ported by Sam Leffler, or those > directly supported in the OpenSSL engine) all work fine. > > IOW the current Soekris boards help quite a bit, and they > also help because they have a HW RBG which actually stirs > the entropy pool for /dev/random -- very helpful for not > running out of random bits on machines that have no > keyboard or mouse. FWIW, the Eden processors also have a high-speed, high-quality hardware RNG built into them too (of course). Again, just tossing that in. :) The Soekris boxes are great - I have about 70 of them in use now. Actually, I beleive they were trying to get an Eden processor on one of their upcoming models - but I'm not certain about that. Eric -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology All generalizations are false, including this one. 
------------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 07:19:03 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 05D8616A4DA for ; Wed, 22 Oct 2003 07:19:03 -0700 (PDT) Received: from tenebras.com (dnscache.tenebras.com [66.92.188.165]) by mx1.FreeBSD.org (Postfix) with SMTP id 0181343FCB for ; Wed, 22 Oct 2003 07:19:02 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 69560 invoked from network); 22 Oct 2003 14:19:01 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by laptop.tenebras.com with SMTP; 22 Oct 2003 14:19:01 -0000 Message-ID: <3F9691D5.4080703@tenebras.com> Date: Wed, 22 Oct 2003 07:19:01 -0700 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: security@freebsd.org References: <20031022032740.GA2605@dub.net> <6.0.0.22.0.20031021233604.0807f8a0@209.112.4.2> <3F9676FB.9020107@centtech.com> <3F968E85.1030902@tenebras.com> <20031022140919.GA61094@dub.net> In-Reply-To: <20031022140919.GA61094@dub.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: hardware crypto and SSL? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 2003 14:19:03 -0000 Bill Swingle wrote: > When you say that they help quite a bit, do you mean for http+SSL or > some other application? It depends on the traffic profile -- it significantly reduces the overhead of session establishment, because that's where pubkey calculations occur. 
> What I'm getting at is this: can anyone actually confirm that using > hardware crypto can increase http+SSL speeds? I've yet to find any > mention of it on the web. For a first estimate, look at the claims of the manufacturers ;-) (nCipher, Hifn, etc.) From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 07:20:45 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 42F0E16A4B3 for ; Wed, 22 Oct 2003 07:20:45 -0700 (PDT) Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7CFAA43FDF for ; Wed, 22 Oct 2003 07:20:44 -0700 (PDT) (envelope-from freebsd-security@dfmm.org) Received: (qmail 81437 invoked by uid 1000); 22 Oct 2003 14:20:43 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 22 Oct 2003 14:20:43 -0000 Date: Wed, 22 Oct 2003 07:20:43 -0700 (PDT) From: Jason Stone X-X-Sender: jason@walter To: Bill Swingle In-Reply-To: <20031022140919.GA61094@dub.net> Message-ID: <20031022071611.T8440@walter> References: <20031022032740.GA2605@dub.net> <6.0.0.22.0.20031021233604.0807f8a0@209.112.4.2> <3F9676FB.9020107@centtech.com> <3F968E85.1030902@tenebras.com> <20031022140919.GA61094@dub.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: security@freebsd.org Subject: Re: hardware crypto and SSL? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 2003 14:20:45 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > When you say that they help quite a bit, do you mean for http+SSL or > some other application? > > What I'm getting at is this: can anyone actually confirm that using > hardware crypto can increase http+SSL speeds? I've yet to find any > mention of it on the web. 
So, I haven't run such boards personally, but that is the intention, yeah. I think that the way it works is that the kernel has drivers for the various crypto boards and makes access to those boards available via /dev/crypto or something, and that openssl knows to look for that interface and, if it exists, pass whatever expensive crypto functions it can off to the board. Then any app that uses openssl (eg, apache-mod_ssl) will automatically use and benefit from the crypto hardware. At least, that's the way I think it works under openbsd, and I imagine that that functionality was all imported when the openbsd crypto device stuff was imported. -Jason -------------------------------------------------------------------------- Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant. -- Ashley Montagu -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE/lpI7swXMWWtptckRAuBWAJ4tWIHkFSiP/Mc4w8Fs6QLqo15ZMgCfTfWL LVvlnsetqJLyki1Um3VlNAk= =njpa -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 07:32:32 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 17A6216A4B3 for ; Wed, 22 Oct 2003 07:32:32 -0700 (PDT) Received: from smtp3.sentex.ca (smtp3.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 079B243F3F for ; Wed, 22 Oct 2003 07:32:31 -0700 (PDT) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smtp3.sentex.ca (8.12.9p2/8.12.9) with ESMTP id h9MEWReW052173; Wed, 22 Oct 2003 10:32:27 -0400 (EDT) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.9p2/8.12.9) with ESMTP id h9MEWSYI029281; Wed, 22 Oct 2003 10:32:29 -0400 (EDT) 
(envelope-from mike@sentex.net) Message-Id: <6.0.0.22.0.20031022102925.04d56660@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Wed, 22 Oct 2003 10:35:52 -0400 To: Bill Swingle , security@freebsd.org From: Mike Tancsa In-Reply-To: <6.0.0.22.0.20031021233604.0807f8a0@209.112.4.2> References: <20031022032740.GA2605@dub.net> <6.0.0.22.0.20031021233604.0807f8a0@209.112.4.2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by amavisd-new Subject: Re: hardware crypto and SSL? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 2003 14:32:32 -0000 At 11:44 PM 21/10/2003, Mike Tancsa wrote: >Dont know about http ssl, but I am using the cards from Soekris for my >backup server. As long as you use 3des for encryption, it does make a big >difference CPU wise. The next generation cards supposedly have AES and >public key generation, but I dont think the driver will do the public key >stuff. The safe driver says it does, but I dont know where to get such cards. Sorry, I was misspeaking about the safe driver. At the bottom, the Bugs section says, "Public key support is not implemented." I would say give the Soekris card a try. Its $80 and it will help with the SHA1 and MD5 calcs as well as provide good RNG. It wont help with RSA key generation unfortunately where much of the initial overhead comes from. ---Mike >At 11:27 PM 21/10/2003, Bill Swingle wrote: >>Is anyone successfully using some sort of hardware crypto solution to >>combat the overhead of SSL in http transactions? I'd love to hear >>anything good or bad about this. 
>> >>-Bill >> >>-- >>-=| Bill Swingle - >>-=| Every message PGP signed >>-=| PGP Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E 6414 5200 1C95 8E09 0223 >>-=| "Computers are useless. They can only give you answers" Pablo Picasso >> >> > >_______________________________________________ >freebsd-security@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 09:10:41 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CEE3016A4B3 for ; Wed, 22 Oct 2003 09:10:41 -0700 (PDT) Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id 003C343F3F for ; Wed, 22 Oct 2003 09:10:39 -0700 (PDT) (envelope-from ru@sunbay.com) Received: from whale.sunbay.crimea.ua (ru@localhost [127.0.0.1]) h9MGAZWL043426 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 22 Oct 2003 19:10:36 +0300 (EEST) (envelope-from ru@sunbay.com) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.12.9p2/8.12.9/Submit) id h9MGAYe4043421; Wed, 22 Oct 2003 19:10:34 +0300 (EEST) (envelope-from ru) Date: Wed, 22 Oct 2003 19:10:33 +0300 From: Ruslan Ermilov To: Jim Hatfield Message-ID: <20031022161033.GB41603@sunbay.com> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="MGYHOYXEY6WxJCY8" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.4i cc: freebsd-security@FreeBSD.org Subject: Re: IPSec VPNs: to gif or not to gif X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 2003 16:10:41 -0000 
--MGYHOYXEY6WxJCY8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Oct 22, 2003 at 12:28:45PM +0100, Jim Hatfield wrote:
> I will shortly be replacing a couple of proprietary VPN boxes
> with a FreeBSD solution. Section 10.10 of the Handbook has a
> detailed description of how to do this.
>
> However I remember a lot of discussion about a year ago about
> whether the gif interface was necessary to set up VPNs like
> this or whether it was just a convenience, for "getting the
> routing right". A number of people said that gif was not
> needed but I've never found a step-by-step description of how
> to set up a lan-to-lan VPN without using it.
>
> Is the Handbook the current received wisdom on how to set this
> up, and is the use of the gif interface indeed necessary?
>
> I also remember that the discussions diverted into a problem
> with ipfw when gif was *not* used, but I haven't found any
> messages to indicate that it was resolved. I recall suggestions
> that a new interface esp0 be created so that ipfw could work
> correctly on both the inner and outer packets of an ESP tunnel.
>
> Was that issue ever resolved?
>
The gif(4) is not required for a proper operation of IPsec VPN, but
it could be of some convenience to have it. For example, our VPN is
currently built on IPsec without gif(4) interfaces, and I have to add
ugly "-net 192.168/16" routes through the network interface with the
192.168.x.y primary address on the IPsec gateways which also have
external IP addresses, so that "ping 192.168.z.a" selects the
192.168.x.y source address, and the traffic is wrapped into IPsec.
This works, but creates a lot of unneeded routes (unfilled ARP routes),
and you cannot easily watch the traffic by tcpdump(1) and ipfw(8).

The use of the gif(4) tunnels, and securing only them with IPsec, like
described in the Handbook, should fix all these problems, so I'm
seriously considering adding gif(4) tunnels.

Hope this is helpful.

Cheers,
--
Ruslan Ermilov          Sysadmin and DBA,
ru@sunbay.com           Sunbay Software Ltd,
ru@FreeBSD.org          FreeBSD committer

--MGYHOYXEY6WxJCY8
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/lqv5Ukv4P6juNwoRAnSJAJ4iZ0oMsP6FF31D1TO3yQvqclJC4gCcCI3K
O7GdJ34jvosZH8HOSV+b2Hw=
=01LU
-----END PGP SIGNATURE-----

--MGYHOYXEY6WxJCY8--

From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 09:14:29 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 368C016A4B3 for ; Wed, 22 Oct 2003 09:14:29 -0700 (PDT)
Received: from mail.secureworks.net (mail.secureworks.net [209.101.212.155]) by mx1.FreeBSD.org (Postfix) with SMTP id 234A343FA3 for ; Wed, 22 Oct 2003 09:14:26 -0700 (PDT) (envelope-from mdg@secureworks.net)
Received: (qmail 43250 invoked from network); 22 Oct 2003 16:12:20 -0000
Received: from unknown (HELO HOST-192-168-10-225.internal.secureworks.net) (209.101.212.253) by mail.secureworks.net with SMTP; 22 Oct 2003 16:12:20 -0000
Date: Wed, 22 Oct 2003 12:14:24 -0400 (EDT)
From: Matthew George
X-X-Sender: mdg@localhost
To: Jim Hatfield
In-Reply-To:
Message-ID: <20031022120340.R44441@localhost>
References:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: IPSec VPNs: to gif or not to gif
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 22 Oct 2003 16:14:29 -0000

On Wed, 22 Oct 2003, Jim Hatfield wrote:

> However I remember a lot of discussion about a year ago about
> whether the gif interface was necessary to set up VPNs like
> this or whether it was just a convenience, for "getting the
> routing right". A number of people said that gif was not
> needed but I've never found a step-by-step description of how
> to set up a lan-to-lan VPN without using it.
>
> Is the Handbook the current received wisdom on how to set this
> up, and is the use of the gif interface indeed necessary?

I'm running fine without a gif interface ...

(replaced IP addresses are the public IP's of the machines)

spdadd 192.168.128.0/17[any] 192.168.0.0/17[any] any -P in ipsec esp/tunnel/a.b.c.d-w.x.y.z/require;
spdadd 192.168.0.0/17[any] 192.168.128.0/17[any] any -P out ipsec esp/tunnel/w.x.y.z-a.b.c.d/require;

(vice versa on the other host's setkey config)

... and then just standard remote and sainfo configs in racoon.conf

>
> I also remember that the discussions diverted into a problem
> with ipfw when gif was *not* used, but I haven't found any
> messages to indicate that it was resolved. I recall suggestions
> that a new interface esp0 be created so that ipfw could work
> correctly on both the inner and outer packets of an ESP tunnel.
>
> Was that issue ever resolved?
> > jim hatfield > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > -- Matthew George SecureWorks Technical Operations From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 10:30:59 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 801BF16A4B3; Wed, 22 Oct 2003 10:30:59 -0700 (PDT) Received: from smtp3.sentex.ca (smtp3.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 76EA143FA3; Wed, 22 Oct 2003 10:30:58 -0700 (PDT) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smtp3.sentex.ca (8.12.9p2/8.12.9) with ESMTP id h9MHUpeW015495; Wed, 22 Oct 2003 13:30:51 -0400 (EDT) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.9p2/8.12.9) with ESMTP id h9MHUrYI030066; Wed, 22 Oct 2003 13:30:53 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.0.0.22.0.20031022132622.081f4058@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Wed, 22 Oct 2003 13:34:38 -0400 To: Sam Leffler , Bill Swingle , security@freebsd.org From: Mike Tancsa In-Reply-To: <200310221008.30969.sam@errno.com> References: <20031022032740.GA2605@dub.net> <6.0.0.22.0.20031021233604.0807f8a0@209.112.4.2> <6.0.0.22.0.20031022102925.04d56660@209.112.4.2> <200310221008.30969.sam@errno.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by amavisd-new Subject: Re: hardware crypto and SSL? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 2003 17:30:59 -0000 At 01:08 PM 22/10/2003, Sam Leffler wrote: >The hifn 7955-based cards from Soekris should be available soon. Last I heard from them was some time in November the cards in theory would be available for sale, but that was not a hard date. We have about 60 of his mini PCI based cards and a half dozen of the regular PCI cards deployed and they all work as advertised. >There are still some issues to work out in the driver but between Jason and I >it should be well supported in time. The big win is that it's got AES and PK >support and should be inexpensive. That would be excellent! I am anxious to try this newer card in conjunction with PHK's encrypted file system when 5.2 comes out. Actually, the encrypted GEOM BDE would make use of the crypto card right ? 
---Mike From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 11:33:28 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 077F016A4B3 for ; Wed, 22 Oct 2003 11:33:28 -0700 (PDT) Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id C8A9A43FBD for ; Wed, 22 Oct 2003 11:33:26 -0700 (PDT) (envelope-from mark@grondar.org) Received: from storm.FreeBSD.org.uk (Ugrondar@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.9/8.12.9) with ESMTP id h9MIXPaT044280; Wed, 22 Oct 2003 19:33:25 +0100 (BST) (envelope-from mark@grondar.org) Received: (from Ugrondar@localhost)h9MIXPNm044279; Wed, 22 Oct 2003 19:33:25 +0100 (BST) (envelope-from mark@grondar.org) X-Authentication-Warning: storm.FreeBSD.org.uk: Ugrondar set sender to mark@grondar.org using -f Received: from grondar.org (localhost [127.0.0.1])h9MIXsWl071990; Wed, 22 Oct 2003 19:33:54 +0100 (BST) (envelope-from mark@grondar.org) Message-Id: <200310221833.h9MIXsWl071990@grimreaper.grondar.org> To: Mike Tancsa From: Mark Murray In-Reply-To: Your message of "Wed, 22 Oct 2003 13:34:38 EDT." <6.0.0.22.0.20031022132622.081f4058@209.112.4.2> Date: Wed, 22 Oct 2003 19:33:54 +0100 Sender: mark@grondar.org X-Spam-Status: No, hits=-2.0 required=5.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, REPLY_WITH_QUOTES version=2.55 X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) cc: security@freebsd.org Subject: Re: hardware crypto and SSL? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 2003 18:33:28 -0000 Mike Tancsa writes: > >There are still some issues to work out in the driver but between > >Jason and I it should be well supported in time. The big win is that > >it's got AES and PK support and should be inexpensive. > > That would be excellent! I am anxious to try this newer card > in conjunction with PHK's encrypted file system when 5.2 comes > out. Actually, the encrypted GEOM BDE would make use of the crypto > card right ? Not as kernel crypto is currently deployed, but the right hooks are there, and when the job is finished (I'm working on it in my Copious Free Time), _all_ kernel crypto should get the benefit of any hardware assistance. M -- Mark Murray iumop ap!sdn w,I idlaH From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 13:10:12 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C9AA16A4B3 for ; Wed, 22 Oct 2003 13:10:12 -0700 (PDT) Received: from mail1.zer0.org (klapaucius.zer0.org [204.152.186.45]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5500D43FBF for ; Wed, 22 Oct 2003 13:10:10 -0700 (PDT) (envelope-from gsutter@zer0.org) Received: by mail1.zer0.org (Postfix, from userid 1001) id A0828239A0B; Wed, 22 Oct 2003 13:10:09 -0700 (PDT) Date: Wed, 22 Oct 2003 13:10:09 -0700 From: Gregory Sutter To: Bill Swingle Message-ID: <20031022201009.GC98272@klapaucius.zer0.org> References: <20031022032740.GA2605@dub.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="RIYY1s2vRbPFwWeW" Content-Disposition: inline In-Reply-To: <20031022032740.GA2605@dub.net> Organization: Zer0 X-Purpose: For great justice! 
Mail-Copies-To: poster
X-PGP-Fingerprint: D161 E4EA 4BFA 2427 F3F9 5B1F 2015 31D5 845D FEDD
X-PGP-Key: http://zer0.org/~gsutter/gsutter.pgp
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to .
User-Agent: Mutt/1.5.4i
cc: security@freebsd.org
Subject: Re: hardware crypto and SSL?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 22 Oct 2003 20:10:12 -0000

--RIYY1s2vRbPFwWeW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 2003-10-21 20:27 -0700, Bill Swingle wrote:
> Is anyone successfully using some sort of hardware crypto solution to
> combat the overhead of SSL in http transactions? I'd love to hear
> anything good or bad about this.

Bill,

Alteon and F5, among others, both make SSL acceleration appliances.
I'm sure a device like this would greatly speed the processing of
your HTTPS transactions. Good stuff.

Greg
--
Gregory S. Sutter                      Brutalized, compromised,
mailto:gsutter@zer0.org                corrupted and debased.
http://zer0.org/~gsutter/ --RIYY1s2vRbPFwWeW Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- iD8DBQE/luQhIBUx1YRd/t0RArsiAJ48RscckBVZ8ueVFXOSVqri0YoFpACfdY53 SrNUWW1CVvrZWNLm/yzdWcg= =cMDh -----END PGP SIGNATURE----- --RIYY1s2vRbPFwWeW-- From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 13:30:01 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 68CFD16A4C0 for ; Wed, 22 Oct 2003 13:30:01 -0700 (PDT) Received: from dmz2.unixjunkie.com (adsl-65-70-175-250.dsl.rcsntx.swbell.net [65.70.175.250]) by mx1.FreeBSD.org (Postfix) with ESMTP id E017C43FDF for ; Wed, 22 Oct 2003 13:29:55 -0700 (PDT) (envelope-from strgout@unixjunkie.com) Received: from mail.unixjunkie.com (mail [10.253.254.36]) by dmz2.unixjunkie.com (8.12.8p2/8.12.8) with ESMTP id h9MKrrk7060589 for ; Wed, 22 Oct 2003 15:53:53 -0500 (CDT) (envelope-from strgout@mail.unixjunkie.com) Received: from mail.unixjunkie.com (mail [10.253.254.36]) by mail.unixjunkie.com (8.12.8p2/8.12.8) with ESMTP id h9MKrrlf060586 for ; Wed, 22 Oct 2003 15:53:53 -0500 (CDT) (envelope-from strgout@mail.unixjunkie.com) Received: (from strgout@localhost) by mail.unixjunkie.com (8.12.8p2/8.12.8/Submit) id h9MKrrxn060585 for freebsd-security@freebsd.org; Wed, 22 Oct 2003 15:53:53 -0500 (CDT) (envelope-from strgout) Date: Wed, 22 Oct 2003 15:53:52 -0500 From: John To: freebsd-security@freebsd.org Message-ID: <20031022205352.GA60569@mail.unixjunkie.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i Subject: Re: IPSec VPNs: to gif or not to gif X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 
2003 20:30:01 -0000

On Wed, Oct 22, 2003 at 12:28:45PM +0100, Jim Hatfield wrote:
> I will shortly be replacing a couple of proprietary VPN boxes
> with a FreeBSD solution. Section 10.10 of the Handbook has a
> detailed description of how to do this.
>
> However I remember a lot of discussion about a year ago about
> whether the gif interface was necessary to set up VPNs like
> this or whether it was just a convenience, for "getting the
> routing right". A number of people said that gif was not
> needed but I've never found a step-by-step description of how
> to set up a lan-to-lan VPN without using it.
>
> Is the Handbook the current received wisdom on how to set this
> up, and is the use of the gif interface indeed necessary?
>
> I also remember that the discussions diverted into a problem
> with ipfw when gif was *not* used, but I haven't found any
> messages to indicate that it was resolved. I recall suggestions
> that a new interface esp0 be created so that ipfw could work
> correctly on both the inner and outer packets of an ESP tunnel.
>
> Was that issue ever resolved?
>
> jim hatfield
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

I think one reason someone might want to use gif interfaces is because
transport mode ipsec doesn't require the peer address, if you then do a
gif tunnel over the transport ipsec you have dynamic vpn based on a 509
cert or some crazy jazz like that. I however just do tunnel mode ipsec
with no gif tunnel and packet filter to only allow protocol 50 and udp
500 to/from the remote peer.

If any of the kame folks are watching, thanks for writing racoon!
From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 13:49:35 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1F58316A4B3 for ; Wed, 22 Oct 2003 13:49:35 -0700 (PDT) Received: from out009.verizon.net (out009pub.verizon.net [206.46.170.131]) by mx1.FreeBSD.org (Postfix) with ESMTP id 908B443FA3 for ; Wed, 22 Oct 2003 13:49:33 -0700 (PDT) (envelope-from jmb@bresler.org) Received: from gate.bresler.org ([141.156.213.237]) by out009.verizon.net (InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with ESMTP id <20031022204932.YOYU4096.out009.verizon.net@gate.bresler.org>; Wed, 22 Oct 2003 15:49:32 -0500 Received: from ASSP-nospam (localhost [127.0.0.1]) by gate.bresler.org (Postfix) with ESMTP id 3E84A66C53; Wed, 22 Oct 2003 16:49:02 -0400 (EDT) Received: from 192.168.250.6 ([192.168.250.6] helo=bp6.bresler.org) by ASSP-nospam ; 22 Oct 03 20:49:00 -0000 Received: by bp6.bresler.org (Postfix, from userid 1000) id 7E03680; Wed, 22 Oct 2003 16:49:24 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by bp6.bresler.org (Postfix) with ESMTP id 7408A9903; Wed, 22 Oct 2003 16:49:24 -0400 (EDT) Date: Wed, 22 Oct 2003 16:49:24 -0400 (EDT) From: "Jonathan M. Bresler" To: Mike Tancsa In-Reply-To: <6.0.0.22.0.20031021233604.0807f8a0@209.112.4.2> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Assp-Spam-Prob: 0.00000 X-Authentication-Info: Submitted using SMTP AUTH at out009.verizon.net from [141.156.213.237] at Wed, 22 Oct 2003 15:49:32 -0500 cc: security@freebsd.org Subject: Re: hardware crypto and SSL? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 2003 20:49:35 -0000 Radware makes a box called the CT100 that we are evaluating where I work. The box is supposed to perform precisely this function. Give me a shout if you are interested in hearing more about it. jmb On Tue, 21 Oct 2003, Mike Tancsa wrote: > > Dont know about http ssl, but I am using the cards from Soekris for my > backup server. As long as you use 3des for encryption, it does make a big > difference CPU wise. The next generation cards supposedly have AES and > public key generation, but I dont think the driver will do the public key > stuff. The safe driver says it does, but I dont know where to get such cards. > > ---Mike > > At 11:27 PM 21/10/2003, Bill Swingle wrote: > >Is anyone successfully using some sort of hardware crypto solution to > >combat the overhead of SSL in http transactions? I'd love to hear > >anything good or bad about this. > > > >-Bill > > > >-- > >-=| Bill Swingle - > >-=| Every message PGP signed > >-=| PGP Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E 6414 5200 1C95 8E09 0223 > >-=| "Computers are useless. 
They can only give you answers" Pablo Picasso > > > > > > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 14:08:27 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 28D2E16A4B3 for ; Wed, 22 Oct 2003 14:08:27 -0700 (PDT) Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id F3FB343FCB for ; Wed, 22 Oct 2003 14:08:25 -0700 (PDT) (envelope-from mark@grondar.org) Received: from storm.FreeBSD.org.uk (Ugrondar@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.9/8.12.9) with ESMTP id h9ML8ODA045722; Wed, 22 Oct 2003 22:08:24 +0100 (BST) (envelope-from mark@grondar.org) Received: (from Ugrondar@localhost)h9ML8OBA045721; Wed, 22 Oct 2003 22:08:24 +0100 (BST) (envelope-from mark@grondar.org) X-Authentication-Warning: storm.FreeBSD.org.uk: Ugrondar set sender to mark@grondar.org using -f Received: from grondar.org (localhost [127.0.0.1])h9ML7qWl073385; Wed, 22 Oct 2003 22:07:52 +0100 (BST) (envelope-from mark@grondar.org) Message-Id: <200310222107.h9ML7qWl073385@grimreaper.grondar.org> To: Gregory Sutter From: Mark Murray In-Reply-To: Your message of "Wed, 22 Oct 2003 13:10:09 PDT." <20031022201009.GC98272@klapaucius.zer0.org> Date: Wed, 22 Oct 2003 22:07:52 +0100 Sender: mark@grondar.org X-Spam-Status: No, hits=-2.0 required=5.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, REPLY_WITH_QUOTES version=2.55 X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) cc: security@freebsd.org Subject: Re: hardware crypto and SSL? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 2003 21:08:27 -0000 Gregory Sutter writes: > On 2003-10-21 20:27 -0700, Bill Swingle wrote: > > Is anyone successfully using some sort of hardware crypto solution to > > combat the overhead of SSL in http transactions? I'd love to hear > > anything good or bad about this. > > Alteon and F5, among others, both make SSL acceleration appliances. > I'm sure a device like this would greatly speed the processing of > your HTTPS transactions. Good stuff. You will most likely not notice hardware encryption speedup (much) on a client machine if all you are doing is the usual 'net surfing. Where a hardware crypto unit _really_ shines is in a server, particularly a heavily loaded one, and they are _brilliant_ if they have BIGNUM units to make D-H, RSA, DSA etc faster. If you are a heavy consumer of crypto, and your box is bottlenecked in the CPU, then a hardware crypto unit will be of great use to you. M -- Mark Murray iumop ap!sdn w,I idlaH From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 04:23:10 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BB70616A4B3 for ; Thu, 23 Oct 2003 04:23:10 -0700 (PDT) Received: from host185.dolanmedia.com (host185.dolanmedia.com [209.98.197.185]) by mx1.FreeBSD.org (Postfix) with SMTP id 7C58543FA3 for ; Thu, 23 Oct 2003 04:23:07 -0700 (PDT) (envelope-from greg.panula@lexisnexis.com) Received: (qmail 25877 invoked by uid 0); 23 Oct 2003 11:23:07 -0000 Received: from greg.panula@lexisnexis.com by proxy by uid 82 with qmail-scanner-1.16 ( Clear:. 
Processed in 1.970876 secs); 23 Oct 2003 11:23:07 -0000 X-Qmail-Scanner-Mail-From: greg.panula@lexisnexis.com via proxy X-Qmail-Scanner-Rcpt-To: security@freebsd.org X-Qmail-Scanner: 1.16 (Clear:. Processed in 1.970876 secs) Received: from unknown (HELO mail.dolanmedia.com) (10.1.1.23) by host185.dolanmedia.com with SMTP; 23 Oct 2003 11:23:04 -0000 Received: from lexisnexis.com (10.1.1.135) by mail.dolanmedia.com (Worldmail 1.3.167) for security@freebsd.org; 23 Oct 2003 06:23:04 -0500 Message-ID: <3F97BA17.8050403@lexisnexis.com> Date: Thu, 23 Oct 2003 06:23:03 -0500 From: "G. Panula" User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030918 X-Accept-Language: en-us, en MIME-Version: 1.0 To: security@freebsd.org References: In-Reply-To: X-Enigmail-Version: 0.76.7.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: IPSec VPNs: to gif or not to gif X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Oct 2003 11:23:10 -0000 Jim Hatfield wrote: > I will shortly be replacing a couple of proprietary VPN boxes > with a FreeBSD solution. Section 10.10 of the Handbook has a > detailed description of how to do this. > > However I remember a lot of discussion about a year ago about > whether the gif interface was necessary to set up VPNs like > this or whether it was just a convenience, for "getting the > routing right". A number of people said that gif was not > needed but I've never found a step-by-step description of how > to set up a lan-to-lan VPN without using it. > > Is the Handbook the current received wisdom on how to set this > up, and is the use of the gif interface indeed necessary? Nope, gif interfaces aren't needed. Just use tunnel mode. 
> I also remember that the discussions diverted into a problem
> with ipfw when gif was *not* used, but I haven't found any
> messages to indicate that it was resolved. I recall suggestions
> that a new interface esp0 be created so that ipfw could work
> correctly on both the inner and outer packets of an ESP tunnel.
>
> Was that issue ever resolved?

The issue was put to bed.
Reference:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_input.c?rev=1.214&content-type=text/x-cvsweb-markup
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_input.c?rev=1.130.2.48&content-type=text/x-cvsweb-markup
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=132950+0+/usr/local/www/db/text/2001/freebsd-security/20010325.freebsd-security

Current behavior is: the encrypted packet is handled by ipfw once, then
after decryption it is only handled by ipfw (again) if it passes thru an
interface it didn't arrive on.

Example: ipsec tunnel between two gateways (1.1.1.1 & 2.2.2.2) encrypts
traffic between two lans (3.3.3.0/24 & 4.4.4.0/24). When 3.3.3.3 sends
traffic to 4.4.4.4, 1.1.1.1 and 2.2.2.2 send esp traffic between each
other. Say that traffic arrives on fxp0; the firewall rules that would
handle it would be:

allow esp from 1.1.1.1 to 2.2.2.2 in via fxp0
allow esp from 2.2.2.2 to 1.1.1.1 out via fxp0

Then the packets would be decrypted and passed on to the final
destination, handled by the firewall rules on another nic:

allow tcp from 3.3.3.3 to 4.4.4.4 out via fxp1
allow tcp from 4.4.4.4 to 3.3.3.3 in via fxp1

Filtering between 3.3.3.0/24 and 4.4.4.0/24 is done on the internal
interface (fxp1 in the example). It works unless one wants to do something
with the decrypted packet before it leaves the arriving interface.

Example: ipsec tunnel between firewall (1.1.1.1) and wireless client
(2.2.2.2). The wireless client uses ipsec in tunnel mode to encrypt all
traffic leaving it; the tunnel end-point is the firewall. The firewall
then NATs the client's traffic, allowing it access to the internet.
The rub is the setting up of stateful rules.

# allow ipsec traffic via wireless segment
allow esp from any to any via fxp1
# nat internal traffic before it leaves
divert natd ip from 2.2.2.0/24 to any out via fxp0
# de-nat arriving traffic
divert natd ip from any to 216.136.204.117 in via fxp0
# stateful rules
check-state
# This rule would set up a stateful rule allowing
# the private address to converse with a public address,
# but the current behavior doesn't let the firewall
# see the decrypted traffic on fxp1
allow tcp from 2.2.2.0/24 to any keep-state in via fxp1
# This rule sets up the stateful rule for allowing
# the public nat-to address access
allow tcp from 216.136.204.117 to any keep-state out via fxp0

The behavior with the stateful rules that would allow the above setup to
work properly *if* the decrypted packet were seen by ipfw on the arriving
interface is that the dynamic rules created by keep-state *don't* keep
track of the interface they were created by... they only keep track of
time, source and destination. Since traffic is nat'd before leaving the
public interface (fxp0) and a stateful rule is set up for the public
address, one ends up with deny messages for traffic addressed to the
client arriving on the public interface.

A bad kludge of a work-around is...

allow tcp from any to 2.2.2.2 keep-state in via fxp0

If one uses a gif tunnel between the firewall and wireless and then runs
ipsec thru that, then they can use the IPSEC_FILTERGIF option to have
decrypted packets re-processed.
Hope that helps,
greg

From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 07:29:05 2003
From: Jim Hatfield
To: freebsd-security@freebsd.org
Date: Thu, 23 Oct 2003 15:29:02 +0100
Organization: Insignia Solutions
Subject: Re: IPSec VPNs: to gif or not to gif

On Wed, 22 Oct 2003 13:34:30 +0100, in local.freebsd.security you wrote:

>I use gif interfaces for my VPN's, and it works extremely well. The
>only other solution I think I would even try, is mpd, but that uses a
>much weaker protocol from what I know (PPTP).
>
>It's so easy to use gif, I'm not sure why you wouldn't.
Looking at the Handbook again, I'm even more confused now! I had decided
that the IPSec processing must be using Transport mode, since the
tunnelling was handled by the gif interface. But not so. The diagram right
at the bottom of that section of the Handbook clearly shows that the
original packet is encapsulated twice, once by IPSec Tunnel mode and once
by the gif interface.

To me, this just feels wrong. The packet only needs to be encapsulated
once, so why do it twice? It's an unnecessary use of bandwidth and
processor time.

From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 10:57:31 2003
Date: Thu, 23 Oct 2003 21:00:20 +0300
From: Nikolay Petrov
Organization: Office 1 Superstore - Bulgaria
To: freebsd-security@freebsd.org
Subject: Re: IPSec VPNs: to gif or not to gif

Hello Jim,

Wednesday, October 22, 2003, 2:28:45 PM, you wrote:

JH> I will shortly be replacing a couple of proprietary VPN boxes
JH> with a FreeBSD solution. Section 10.10 of the Handbook has a
JH> detailed description of how to do this.

JH> However I remember a lot of discussion about a year ago about
JH> whether the gif interface was necessary to set up VPNs like
JH> this or whether it was just a convenience, for "getting the
JH> routing right". A number of people said that gif was not
JH> needed but I've never found a step-by-step description of how
JH> to set up a lan-to-lan VPN without using it.

I use the gif interface and tunneling mode, but can't see any advantage
of this, because I cannot see packets that pass through the gif
interface. I tried different configurations of ip addresses on the
interface, but nothing changed. This may be an error in the
configuration, but I see encapsulated packets and packets that pass
through the IPSec tunnel on my network card.

JH> Is the Handbook the current received wisdom on how to set this
JH> up, and is the use of the gif interface indeed necessary?
JH> I also remember that the discussions diverted into a problem
JH> with ipfw when gif was *not* used, but I haven't found any
JH> messages to indicate that it was resolved. I recall suggestions
JH> that a new interface esp0 be created so that ipfw could work
JH> correctly on both the inner and outer packets of an ESP tunnel.

JH> Was that issue ever resolved?

JH> jim hatfield

--
Best regards,
Nikolay                            mailinglists@hq.panda.bg

From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 15:48:46 2003
Date: Thu, 23 Oct 2003 16:41:21 -0600
To: security@freebsd.org
From: Brett Glass
Subject: /var partition overflow (due to spyware?)
  in FreeBSD default install

All:

I'm posting this to FreeBSD-security (rather than FreeBSD-net) because
the problems I'm seeing appear to have been caused by spyware, and
because they constitute a possible avenue for denial of service on
FreeBSD machines with default installs of the operating system.

Several of the FreeBSD machines on our network began to act strangely
during the past week. Some have started to refuse mail; in other cases,
important daemons have died without warning. All of the machines are
running 4.x releases of FreeBSD with all recent patches installed, and
all are running the version of BIND supplied with FreeBSD. The "top"
command, when run on these machines, showed that BIND is consuming very
large amounts of CPU time, but this by itself couldn't explain all of the
symptoms we were seeing.

This afternoon, I examined the machines and discovered the problem: full
/var partitions caused by huge /var/log/messages files.
Inspection of the files reveals hundreds of thousands of messages of the
form:

Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns0.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns1.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns3.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns4.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns6.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns7.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns8.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns10.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)

The references to OpenNIC have caused me to suspect (though I have not
verified it yet) that the problem is due to the New.Net spyware, which
causes Windows machines to query OpenNIC's name servers. From what I've
read so far, it appears that New.Net is "foistware" -- that is, it can be
installed on innocent users' Windows machines without their consent via
holes in Internet Explorer. But if New.Net is not what's responsible,
SOMETHING certainly seems to be generating bogus DNS queries, which in
turn are causing these messages.

FreeBSD currently comes configured, in the default install, to check
/var/messages only once a day, and to rotate the log file if it's above a
certain size. Unfortunately, these messages accumulate so rapidly that
this is not sufficient; the /var partition in the default install can
easily be overflowed long before the log is rotated, causing malfunctions.
I've temporarily changed /etc/crontab so that newsyslog is run every 5
minutes instead of once a day (which may be a good idea to prevent other
denials of service via this sort of overflow as well). But it also makes
sense to patch the system so that it does not fill so many verbose
messages -- and/or to ignore the bogus queries generated by the spyware.
It may also pay to patch BIND to limit the overhead that is incurred when
such queries occur.

Ideas?

--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 17:01:13 2003
Date: Thu, 23 Oct 2003 20:01:07 -0400
To: Brett Glass, security@freebsd.org
From: Garance A Drosihn
Subject: Re: /var partition overflow (due to spyware?)
  in FreeBSD default install

At 4:41 PM -0600 10/23/03, Brett Glass wrote:
>
>FreeBSD currently comes configured, in the default install,
>to check /var/messages only once a day, and to rotate the
>log file if it's above a certain size.

My /etc/newsyslog.conf indicates that /var/log/messages
should be rotated whenever it gets over 100K.

>I've temporarily changed /etc/crontab so that newsyslog is
>run every 5 minutes instead of once a day (which may be a
>good idea to prevent other denials of service via this sort
>of overflow as well).

On both my 4.x and 5.x systems, /etc/crontab will run newsyslog once per
hour. I'm pretty sure that at least some of the code in newsyslog assumes
that the program is run only once per hour. Running it more frequently
than that may cause some problems.

I'm sure that /var can fill up even if /var/log/messages is rotated every
hour, if the error messages are coming in fast enough. But the file
should be getting rotated once per hour in the default install, not once
per day. I do not think that the correct solution is to rotate the files
at an even faster rate.

Just how large is /var on the machine where you're seeing this problem?
--
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 17:41:32 2003
Date: Thu, 23 Oct 2003 18:41:12 -0600
To: Garance A Drosihn, security@freebsd.org
From: Brett Glass
Subject: Re: /var partition overflow (due to spyware?) in FreeBSD default install

At 06:01 PM 10/23/2003, Garance A Drosihn wrote:

>My /etc/newsyslog.conf indicates that /var/log/messages
>should be rotated whenever it gets over 100K.

Absolutely correct. And the default /etc/crontab doesn't run newsyslog
often enough to catch it before it overflows the entire disk -- at least
when there's a storm of these messages.
(By the way, I've received a note via private e-mail suggesting that the
QHosts worm could be the culprit, but it doesn't have these symptoms.)

>I'm sure that /var can fill up even if /var/log/messages is
>rotated every hour, if the error messages are coming in fast
>enough. But the file should be getting rotated once per hour
>in the default install, not once per day.

Actually, you're correct. newsyslog runs once per hour in the default
install. This shows just how fast the messages can accumulate. And when
it DID finally run, it didn't have room to compress the old file, so the
log remained uncompressed and the disk remained full.

>I do not think that the correct solution is to rotate the
>files at an even faster rate.

Running newsyslog doesn't ALWAYS rotate the log. In the case of
/var/messages, it checks to see whether the log needs it.

>Just how large is /var on the
>machine where you're seeing this problem?

On the machine from which I took those messages, it's 256M.

--Brett

From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 19:41:19 2003
Date: Thu, 23 Oct 2003 21:38:11 -0400
To: Brett Glass, security@freebsd.org
From: Garance A Drosihn
Subject: Re: /var partition overflow (due to spyware?) in FreeBSD default install

At 6:41 PM -0600 10/23/03, Brett Glass wrote:
>At 06:01 PM 10/23/2003, Garance A Drosihn wrote:
>
> > I do not think that the correct solution is to rotate
> > the files at an even faster rate.
>
>Running newsyslog doesn't ALWAYS rotate the log

Uh, yeah, I know. I'm the one who has been writing updates to newsyslog
for the past year. I am pretty familiar with it.

What I meant was that in circumstances where "once per hour" is not fast
enough, then I do not believe the right solution is to rotate files every
five minutes. Just MO. The main point of my message was just to say that
you're going to cause other problems by running newsyslog so often, so
you need to come up with some better solution.

> > Just how large is /var on the machine where you're
> > seeing this problem?
>
>On the machine from which I took those messages, it's 256M.

Well, it is certainly a problem if you're getting enough messages to fill
that up that quickly. From the details you gave in your original message,
it *may* be that the thing to do is to change bind so:

sysquery: no addrs found for root NS (ns0.opennic.glue)
sysquery: no addrs found for root NS (ns1.opennic.glue)
sysquery: no addrs found for root NS (ns2.opennic.glue)

is collapsed into:

sysquery: no addrs found for root NS (ns*.opennic.glue)

and then syslogd's standard handling of "multiple lines" would come into
play. Of course, that isn't really a great solution either.
--
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 19:46:48 2003
Date: Thu, 23 Oct 2003 20:46:46 -0600
From: "David G. Andersen"
To: Garance A Drosihn
Cc: security@freebsd.org
Subject: Re: /var partition overflow (due to spyware?) in FreeBSD default install

Garance A Drosihn just mooed:
> newsyslog for the past year. I am pretty familiar with it.
>
> What I meant was that in circumstances where "once per hour"
> is not fast enough, then I do not believe the right solution
> is to rotate files every five minutes. Just MO.

The problem is very obviously an excess of messages from bind. This bug
report should go to the ISC folks. No daemon should be spewing out log
messages at the _incredible_ rate that bind does when it decides it
doesn't like what it's getting in this context. The same bug can be
triggered by using a forwarding nameserver that bind doesn't like.

The immediate question to ask is, "is this fixed in bind9?" If it is,
you're not likely to get an answer other than "please upgrade." ... which
seems like a pretty reasonable thing to do, if that's the case.

Brett, try upgrading to bind9 and see if it still happens. If it does,
then reduce it to the simplest test case you can and report it to the
bind people. If it doesn't, then call yourself happy and let the rest of
us know that it's a good way to avoid the problem.

-Dave

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.

From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 21:18:54 2003
Date: Thu, 23 Oct 2003 22:18:35 -0600
To: "David G. Andersen", Garance A Drosihn
Cc: security@freebsd.org
From: Brett Glass
Subject: Re: /var partition overflow (due to spyware?) in FreeBSD default install

At 08:46 PM 10/23/2003, David G. Andersen wrote:

>the problem is very obviously an excess of messages from bind.
>This bug report should go to the ISC folks.

Indeed. Or perhaps we can integrate a patch into FreeBSD and then forward
it up to ISC.

>No daemon should
>be spewing out log messages at the _incredible_ rate that
>bind does when it decides it doesn't like what it's getting
>in this context. The same bug can be triggered by using a
>forwarding nameserver that bind doesn't like.

Interesting. What does BIND "not like" about certain forwarders?

>The immediate question to ask is, "is this fixed in bind9?"

That's only the immediate question if FreeBSD moves to BIND 9. Otherwise,
the question (at least in this forum) is, how does FreeBSD patch it until
or unless it goes to BIND 9?
--Brett

From owner-freebsd-security@FreeBSD.ORG Fri Oct 24 04:40:15 2003
From: Jim Hatfield
To: freebsd-security@freebsd.org
Date: Fri, 24 Oct 2003 12:40:11 +0100
Organization: Insignia Solutions
Subject: Re: IPSec VPNs: to gif or not to gif

On Thu, 23 Oct 2003 12:23:03 +0100, in local.freebsd.security you wrote:

>The issue was put to bed.
>Reference:
>http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_input.c?rev=1.214&content-type=text/x-cvsweb-markup
>http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_input.c?rev=1.130.2.48&content-type=text/x-cvsweb-markup
>http://docs.freebsd.org/cgi/getmsg.cgi?fetch=132950+0+/usr/local/www/db/text/2001/freebsd-security/20010325.freebsd-security
>
>Current behavior is encrypted packet is handled by ipfw once, then after
>decryption it is only handled by ipfw(again) if it passes thru an
>interface didn't arrive on.

Many thanks, that's very helpful.

Jim

From owner-freebsd-security@FreeBSD.ORG Fri Oct 24 05:45:33 2003
Date: Fri, 24 Oct 2003 07:45:15 -0500
From: Eric Anderson
To: Brett Glass
Cc: security@freebsd.org
Subject: Re: /var partition overflow (due to spyware?)
  in FreeBSD default install

Brett Glass wrote:

>>Just how large is /var on the
>>machine where you're seeing this problem?
>
>On the machine from which I took those messages, it's 256M.

Personally, on all the machines I build, I have the luxury of having
decent sized hard drives in them, and I never have a /var partition that
small. 256M can be swallowed by all sorts of crazy things that spam to
/var/log/messages. I typically make my /var partition at least 1gb, but
never smaller. Making the /var partition larger doesn't *fix* the
problem, but it gives you more time to be aware of a problem and react
to it.

Eric

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
All generalizations are false, including this one.
------------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Fri Oct 24 06:27:39 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B23D016A4B3 for ; Fri, 24 Oct 2003 06:27:39 -0700 (PDT) Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 514B943FBD for ; Fri, 24 Oct 2003 06:27:36 -0700 (PDT) (envelope-from smithi@nimnet.asn.au) Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id XAA16432; Fri, 24 Oct 2003 23:27:07 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Fri, 24 Oct 2003 23:27:07 +1000 (EST) From: Ian Smith To: Brett Glass In-Reply-To: <6.0.0.22.2.20031023221633.03a53358@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: security@freebsd.org Subject: Re: /var partition overflow (due to spyware?) in FreeBSD default install X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Oct 2003 13:27:39 -0000 On Thu, 23 Oct 2003, Brett Glass wrote: > At 08:46 PM 10/23/2003, David G. Andersen wrote: > > >the problem is very obviously an excess of messages from bind. > >This bug report should go to the ISC folks. > > Indeed. Or perhaps we can integrate a patch into FreeBSD and > then forward it up to ISC. Perhaps bind is sending an excess of error messages because there are an excess of errors? Surely it's easier to fix the problem by disabling or disallowing whatever or whoever is hitting bind with invalid requests? 
> >No daemon should > >be spewing out log messages at the _incredible_ rate that > >bind does when it decides it doesn't like what it's getting > >in this context. The same bug can be triggered by using a > >forwarding nameserver that bind doesn't like. > > Interesting. What does BIND "not like" about certain forwarders? Why not just enable debug logging and find the heck out? Still using bind 4 here :) but I'm sure that two, three at most, of # kill -USR1 `cat /var/run/named.pid` (ono) will provide copious blow by blow request/response logging. These get big even faster, but you only need enough for analysis of who or what's generating this unexpected traffic. ipfw deny works a treat. > >The immediate question to ask is, "is this fixed in bind9?" Is it bind that's broken for saying too much, or something actually generating those requests and thus error responses, needing fixing? Cheers, Ian From owner-freebsd-security@FreeBSD.ORG Fri Oct 24 09:02:55 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 301E616A4B3 for ; Fri, 24 Oct 2003 09:02:55 -0700 (PDT) Received: from fep3.cogeco.net (smtp.cogeco.net [216.221.81.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3B30643FD7 for ; Fri, 24 Oct 2003 09:02:54 -0700 (PDT) (envelope-from ph1@cogeco.ca) Received: from cogeco.ca (d141-223-207.home.cgocable.net [24.141.223.207]) by fep3.cogeco.net (Postfix) with ESMTP id 5FCA51C95; Fri, 24 Oct 2003 12:02:53 -0400 (EDT) Message-ID: <3F994D6E.5080409@cogeco.ca> Date: Fri, 24 Oct 2003 12:03:58 -0400 From: David User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20030925 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Brett Glass References: <6.0.0.22.2.20031023162326.04c1e008@localhost> In-Reply-To: <6.0.0.22.2.20031023162326.04c1e008@localhost> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit 
cc: security@freebsd.org Subject: Re: /var partition overflow (due to spyware?) in FreeBSD default install X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Oct 2003 16:02:55 -0000 Brett Glass wrote: [snip] > Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS > (ns11.opennic.glue) > > The references to OpenNIC have caused me to suspect (though I have not > verified it yet) that the problem is due to the New.Net spyware, which Seeing how nobody else has noted it, OpenNIC is *not* New.net [snip]
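As an added example that is not code from anyone in this thread, the following shell helper does the first step Ian recommends: quantify who or what is flooding the log before /var fills. It counts syslog lines per daemon per minute and picks out the single most repeated message; the sample lines are constructed for this example, modelled on the named error Brett quoted, and the hostname and pids are made up.

```shell
#!/bin/sh
# Added example (not from the thread): measure how fast each daemon writes to a
# BSD-format syslog file so a flood like the named one above is noticed early.
# SAMPLE_LOG is constructed for this example; it is not a real captured log.

SAMPLE_LOG='Oct 23 15:59:58 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
Oct 23 16:00:01 victim sshd[812]: Accepted publickey for ops from 10.0.0.5 port 40122 ssh2
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
Oct 23 16:00:08 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
Oct 23 16:00:09 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
Oct 23 16:00:09 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
Oct 23 16:00:10 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
Oct 23 16:00:12 victim sshd[812]: Disconnected from 10.0.0.5 port 40122'

# log_rate_report THRESHOLD  (syslog on stdin)
# Prints "Mon DD HH:MM daemon count" for every daemon that logged more than
# THRESHOLD lines within a single minute. Field 5 is "daemon[pid]:" in BSD syslog.
log_rate_report() {
  awk -v thr="$1" '
    {
      daemon = $5
      sub(/\[[0-9]+\]:?$/, "", daemon)         # strip "[pid]:"
      sub(/:$/, "", daemon)                    # or a bare trailing colon
      minute = $1 " " $2 " " substr($3, 1, 5)  # HH:MM:SS -> HH:MM bucket
      n[minute SUBSEP daemon]++
    }
    END {
      for (k in n) if (n[k] > thr) {
        split(k, p, SUBSEP)
        print p[1], p[2], n[k]
      }
    }' | sort
}

# top_message  (syslog on stdin)
# Collapses timestamp, host and pid so identical messages group together, then
# prints the most repeated one with its count: the line to investigate first.
top_message() {
  sed -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ //; s/\[[0-9]+\]:/:/' \
    | sort | uniq -c | sort -rn | head -n 1 | sed -E 's/^ *//'
}

printf '%s\n' "$SAMPLE_LOG" | log_rate_report 3
printf '%s\n' "$SAMPLE_LOG" | top_message
```

Run against the real file with `log_rate_report 200 < /var/log/messages` and tune the threshold to the host's normal background rate.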