From owner-freebsd-security@FreeBSD.ORG Mon Apr 5 01:26:15 2004
From: Andrew Riabtsev <resident@b-o.ru>
To: Adrian Penisoara
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Date: Mon, 5 Apr 2004 12:28:26 +0400
Subject: Re: Q: Controlling access at the Ethernet level
Message-ID: <1912849257.20040405122826@b-o.ru>
In-Reply-To: <0A87E4EB-8665-11D8-9004-000A95776E22@freebsd.ady.ro>

Hi Adrian,

Sunday, April 4, 2004, 10:22:33 PM, you wrote:

AP> We have thought about using static MAC entries per port on managed
AP> switches installed at the client endpoints, but that would require an
AP> overwhelming budget. We are also thinking about L2TP and PPPoE, but I
AP> am uncertain about compatibility.

AP> What would you recommend? Are there any other elegant solutions?

A VPN (pptp) solution works just fine, with both poptop and mpd on the server side and any Windows box on the client side, even Win'95 with the patch from microsoft.com.
There could be a problem with Mac OS: I didn't find a pptp client for it, but there should be one, I think. FreeBSD and Linux also have pptp clients. And lastly, you can use cheap hardware pptp clients in situations like the Mac OS one, for example the Allied Telesyn AR-221E.

--
Andrew
mailto:resident@b-o.ru

From owner-freebsd-security@FreeBSD.ORG Mon Apr 5 03:10:05 2004
From: Adrian Penisoara <ady@freebsd.ady.ro>
To: freebsd-security@freebsd.org
Date: Mon, 5 Apr 2004 13:09:52 +0300
Subject: Q: Controlling access at the Ethernet level
Message-Id: <611C2010-86E9-11D8-A962-000A95776E22@freebsd.ady.ro>

Hi,

I am searching for a solution that will enable me to control the access of clients to an Ethernet network that spans about an entire quarter; most of the connected stations are running MS Windows.

We are facing service theft through impersonation, either solely of the IP or of both the IP and the Ethernet MAC address.
Securing IP access was solved using a static ARP scheme (we used "staticarp" for the internal gateway interface and tied to it a fixed list of IP/MAC tuples), but some of the clients learnt how to change both the IP and the MAC.

We have thought about using static MAC entries per port on managed switches installed at the client endpoints, but that would require an overwhelming budget. We are also thinking about L2TP and PPPoE, but I am uncertain about compatibility.

What would you recommend? Are there any other elegant solutions?

I also heard about 802.1x technology, and it seems to be an interesting and professional alternative; I just don't know how well it is supported on the server side, namely FreeBSD.

Thank you.

--
Ady (@freebsd.ady.ro)

From owner-freebsd-security@FreeBSD.ORG Mon Apr 5 06:54:24 2004
From: Frankye - ML <listsucker@ipv5.net>
To: freebsd-security@freebsd.org
Date: Mon, 5 Apr 2004 15:48:17 +0200
Subject: Re: Q: Controlling access at the Ethernet level
Message-Id: <20040405154817.3e37904a@godzilla>
In-Reply-To: <1912849257.20040405122826@b-o.ru>

On Mon, 5 Apr 2004 12:28:26 +0400 Andrew Riabtsev wrote:

| VPN (pptp) solution work just fine both poptop and mpd on server side
| and with any win box on client side, even win'95 with patch from
| microsoft.com. There is could be problem with MAC OS - i didn't find
| pptp-client for it but it should be, i think. Also FreeBSD and Linux
| has pptp-clients. And the last, you can use cheap hardware
| pptp-clients in situations like with MAC OS for example Allied Telesyn
| AR-221E.

FWIW, MacOSX includes a pptp client in the base system; I don't know how good it is, however. For MacOS classic (i.e. <=9) there _was_ a (commercial) pptp client called "tunnel builder", but the producer seems to no longer exist and/or no longer support the thing. I've found a website which still offers it at http://www.macadsl.com/logiciels/?cat=client%20de%20connexion but it's priced at USD 99 (!).

Hope that helps
Frankye

From owner-freebsd-security@FreeBSD.ORG Mon Apr 5 09:08:57 2004
From: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To: Adrian Penisoara
Cc: freebsd-isp@freebsd.org
Date: Mon, 5 Apr 2004 18:08:49 +0200
Subject: RE: Controlling access at the Ethernet level

> What would you recommend? Are there any other elegant solutions?

How about using 802.1Q VLANs and dedicating a VLAN to each port? If there are more than 4000 users, then add more gateways.

Just be sure to go for switches that allow you to deny incoming already-tagged packets on the user side, as some switches pass already-tagged packets.

For a wireless environment I would suggest PPPoE and VLANs (separating them).

> I also heard about 802.1x technology and seems to be an
> interesting and professional alternative; I just don't know
> how well supported is on the server side, namely FreeBSD.

802.1x is fairly new and not very well supported yet; expect bugs.
_// Sten Daniel Sørsdal

From owner-freebsd-security@FreeBSD.ORG Mon Apr 5 09:14:55 2004
From: Richy Kim <rkim@sandvine.com>
To: freebsd-security@freebsd.org
Date: Mon, 5 Apr 2004 12:14:41 -0400
Subject: RE: Q: Controlling access at the Ethernet level

The builtin pptp client in Mac OS X does the job. However, if you want to conveniently set up different routes (to separate corporate and personal internet traffic), the DigiTunnel PPTP VPN client for Mac OS X has an easy-to-configure alternate routing options tab.

www.gracion.com/vpn/

-r.

-----Original Message-----
From: Frankye - ML [mailto:listsucker@ipv5.net]
Sent: Monday, April 05, 2004 9:48 AM
To: freebsd-security@freebsd.org
Subject: Re: Q: Controlling access at the Ethernet level

On Mon, 5 Apr 2004 12:28:26 +0400 Andrew Riabtsev wrote:

| VPN (pptp) solution work just fine both poptop and mpd on server side
| and with any win box on client side, even win'95 with patch from
| microsoft.com. There is could be problem with MAC OS - i didn't find
| pptp-client for it but it should be, i think. Also FreeBSD and Linux
| has pptp-clients.
| And the last, you can use cheap hardware
| pptp-clients in situations like with MAC OS for example Allied Telesyn
| AR-221E.

FWIW, MacOSX includes a pptp client in the base system; I don't know how good it is, however. For MacOS classic (i.e. <=9) there _was_ a (commercial) pptp client called "tunnel builder", but the producer seems to no longer exist and/or no longer support the thing. I've found a website which still offers it at http://www.macadsl.com/logiciels/?cat=client%20de%20connexion but it's priced at USD 99 (!).

Hope that helps
Frankye

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Mon Apr 5 12:18:16 2004
From: Clifton Royston <cliftonr@lava.net>
To: freebsd-security@freebsd.org
Cc: Adrian Penisoara
Date: Mon, 5 Apr 2004 09:18:16 -1000
Subject: Re: Q: Controlling access at the Ethernet level
Message-ID: <20040405191815.GB17961@lava.net>
In-Reply-To: <20040405190109.A9FB416A4D0@hub.freebsd.org>

> Message: 4
> Date: Mon, 5 Apr 2004 18:08:49 +0200
> From: Sten Daniel Sørsdal
> Subject: RE: Controlling access at the Ethernet level
> To: "Adrian Penisoara"
> Cc: freebsd-isp@freebsd.org
>
> > What would you recommand ? Are there any other elegant solutions ?
>
> How about using 802.1Q vlan's and dedicate a vlan to each port.
> If more than 4000 users then add more gateways.
>
> Just be sure to go for switches that allow you to deny incoming
> already tagged packets on the user side as some switches passes
> already tagged packets.

While this sounds theoretically like a good solution, in my experience many midrange switches (e.g. the HP Procurve 25xx and 40xx series) do not handle large numbers of VLANs well; they seem to consume RAM and CPU roughly proportional to the number of active VLANs, and past some threshold you see packet loss. As one of the constraints mentioned was "can't pay to add managed switches", I would be cautious about this solution unless you *know* that all the switches handle large numbers of VLANs well, or you'll be trying to troubleshoot a network with unexplained and intermittent packet loss.

Just a warning from experience, FWIW.

-- Clifton

--
Clifton Royston -- cliftonr@tikitechnologies.com
Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed? Did you ever walk with ten cats on your head?
Did you ever milk this kind of cow? Well we can do it. We know how.
If you never did, you should. These things are fun, and fun is good.
-- Dr. Seuss

From owner-freebsd-security@FreeBSD.ORG Mon Apr 5 02:59:49 2004
From: Dan Ros <dan.ros@nildram.net>
To: 'Adrian Penisoara', freebsd-security@freebsd.org
Cc: freebsd-isp@freebsd.org
Date: Mon, 5 Apr 2004 10:59:40 +0100
Subject: RE: Controlling access at the Ethernet level
X-Mailman-Approved-At: Tue, 06 Apr 2004 04:26:39 -0700

> -----Original Message-----
> From: Adrian Penisoara [mailto:ady@freebsd.ady.ro]
> Sent: 04 April 2004 19:23
> To: freebsd-security@freebsd.org
> Cc: freebsd-isp@freebsd.org
> Subject: Q: Controlling access at the Ethernet level
>
> We are facing service theft through impersonation, either solely IP
> or both IP and Ethernet MAC address. Securing IP access was solved
> using a static ARP scheme (we used "staticarp" for the internal gateway
> interface and tied to it a fixed list of IP/MAC tuples), but some of
> the clients learnt how to change both the IP and the MAC.
...
This sounds like a university residential halls network, am I right?

For what it's worth, the university I attend has tried both DHCP by MAC address, static ARP and so on. Eventually now they have given up, and the cost of the network connection is simply included in the rent for the room. That way they do not have to worry about unauthorised access.

From owner-freebsd-security@FreeBSD.ORG Tue Apr 6 06:33:03 2004
From: Christopher Rued <c.rued@xsb.com>
To: Dan Ros
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, Adrian Penisoara
Date: Tue, 06 Apr 2004 09:31:52 -0400
Subject: Re: Controlling access at the Ethernet level
Message-ID: <4072B148.20303@xsb.com>

Dan Ros wrote:
>> -----Original Message-----
>> From: Adrian Penisoara [mailto:ady@freebsd.ady.ro]
>>
>> We are facing service theft through impersonation, either solely IP
>> or both IP and Ethernet MAC address.
>> Securing IP access was solved
>> using a static ARP scheme (we used "staticarp" for the internal gateway
>> interface and tied to it a fixed list of IP/MAC tuples), but some of
>> the clients learnt how to change both the IP and the MAC.
> ...
>
> This sounds like a university residential halls network, am I right?
>
> For what it's worth, the university I attend has tried both DHCP by mac
> address, static arp and so on. Eventually now they have given up and the
> cost of the network connection is simply included in the rent for the room.
> That way they do not have to worry about unauthorised access.

I just had a simple thought: can you just physically unplug the network cable for the particular room from your router? You can't steal service without link. Not as nice as a programmatic solution, but probably as effective; I guess you'd just have to make sure each cable is labeled.

Of course, this wouldn't prevent people from giving access to the friends next door if they have their own router. And, I suppose, if someone *really* wanted to steal internet access, they could open the wall and access the incoming cable to the room next door, and install a router secretly.
--Chris

From owner-freebsd-security@FreeBSD.ORG Tue Apr 6 06:59:56 2004
From: Hernan Nuñez <hnunez@vianetworks.com.ar>
Date: Tue, 6 Apr 2004 10:09:44 -0300
Organization: Vianetworks Argentina
Subject: Re: Controlling access at the Ethernet level
Message-ID: <01b501c41bd8$71df1df0$330c3dc8@ms.vianetworks.net.ar>
In-Reply-To: <0A87E4EB-8665-11D8-9004-000A95776E22@freebsd.ady.ro>

Adrian,

    ipfw2 enables you to control access from ether_demux() and ether_output_frame() [ipfw(8)]. Some ipfw2 options are dst-mac src-mac mac-type.

Regards,
Hernan

----- Original Message -----
From: "Adrian Penisoara" <ady@freebsd.ady.ro>
To: <freebsd-security@freebsd.org>
Cc: <freebsd-isp@freebsd.org>
Sent: Sunday, April 04, 2004 3:22 PM
Subject: Q: Controlling access at the Ethernet level

> Hi,
>
>     I am searching for a solution that will enable me to control the
> access of clients to a Ethernet network that spans over about an entire
> quorter; most of the connected stations are running MS Windows.
>
>     We are facing service theft through impersonation, either solely IP
> or both IP and Ethernet MAC address. Securing IP access was solved
> using a static ARP scheme (we used "staticarp" for the internal gateway
> interface and tied to it a fixed list of IP/MAC tuples), but some of
> the clients learnt how to change both the IP and the MAC.
> ...
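Hernan's suggestion, worked through as an added example (not code from the list or from ipfw itself): the gateway already holds a fixed list of IP/MAC tuples for staticarp, and the same table can be turned into ipfw2 rules that are evaluated on inbound Ethernet frames in ether_demux(), using the `MAC`, `mac-type` and `layer2` options from ipfw(8). The interface name `fxp0`, the rule numbers and the sample table are constructed for the demo; the generated rule syntax is the ipfw2 syntax of the FreeBSD 5.x era as I understand it, so check it against your own ipfw(8) before loading it.

```python
"""Generate an ipfw2 layer-2 ruleset that pins each client IP to its MAC.

Added example, not from the list post.  Each inbound IP frame on the
client-facing interface must carry the source MAC registered for its
source IP; ARP is allowed only from registered MACs; everything else on
that interface is dropped.  Rule syntax per ipfw(8) (ipfw2, FreeBSD 5.x
era) - verify on your system.  Interface, rule numbers and the sample
table below are constructed for the demo.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
ETHERTYPE_IP = "0x0800"   # numeric Ethertypes avoid name-table differences
ETHERTYPE_ARP = "0x0806"

# constructed sample table: "ip  mac" per registered station
SAMPLE_TABLE = """\
# ip          mac
10.0.5.11  00:0c:29:aa:bb:01
10.0.5.12  00:0C:29:AA:BB:02   # case is normalised
"""


def parse_table(text):
    """Parse 'ip mac' lines (blank lines and '#' comments ignored) into a
    list of (ip, mac) tuples, rejecting malformed or duplicate entries."""
    entries, seen_ip, seen_mac = [], set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'ip mac', got {raw!r}")
        ip, mac = parts[0], parts[1].lower()
        ipaddress.IPv4Address(ip)  # raises ValueError on a bad address
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC {parts[1]!r}")
        if ip in seen_ip or mac in seen_mac:
            raise ValueError(f"line {lineno}: duplicate IP or MAC")
        seen_ip.add(ip)
        seen_mac.add(mac)
        entries.append((ip, mac))
    return entries


def build_ruleset(entries, iface, base=1000, step=10):
    """Return the shell commands that install the ruleset, in order."""
    # Without this sysctl, Ethernet frames are never handed to ipfw and
    # 'layer2' rules are never evaluated.
    cmds = ["sysctl net.link.ether.ipfw=1"]
    for i, (ip, mac) in enumerate(entries):
        n = base + step * i
        # IP frames: the source IP must arrive from its registered MAC
        # ('MAC dst src' - any destination, this source).
        cmds.append(
            f"ipfw add {n} allow ip from {ip} to any MAC any {mac} "
            f"mac-type {ETHERTYPE_IP} in via {iface} layer2")
        # ARP from the registered MAC so the client can resolve the gateway
        # (the gateway itself runs staticarp and ignores learned replies).
        cmds.append(
            f"ipfw add {n + 1} allow ip from any to any MAC any {mac} "
            f"mac-type {ETHERTYPE_ARP} in via {iface} layer2")
    # Any other frame arriving on the client-facing interface is dropped.
    cmds.append(f"ipfw add {base + step * len(entries)} deny ip from any to any "
                f"in via {iface} layer2")
    return cmds


if __name__ == "__main__":
    for cmd in build_ruleset(parse_table(SAMPLE_TABLE), "fxp0"):
        print(cmd)
```

Two caveats a practitioner would want: the `layer2` rules only decide whether the frame enters the IP stack, so the normal IP-layer ruleset still runs afterwards; and, as the thread itself notes, a station that clones both the IP and the MAC of a registered neighbour is indistinguishable to this filter, so it raises the bar rather than closing the hole.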
From owner-freebsd-security@FreeBSD.ORG Tue Apr 6 10:04:57 2004
From: Spades <spades@galaxynet.org>
To: freebsd-questions@freebsd.org
Cc: freebsd-security@freebsd.org
Date: Wed, 7 Apr 2004 01:01:53 +0800
Subject: SYN attacks
Message-ID: <000d01c41bf8$dd24eac0$fa10fea9@bryanuptrvb0jc>

Heya,

FREEBSD 4.9-STABLE

Is there any way to block SYN attacks and prevent them from bringing down my server?

It's been attacking for some time.
From owner-freebsd-security@FreeBSD.ORG Tue Apr 6 17:57:48 2004
From: Mark Picone <wts666@iprimus.com.au>
To: freebsd-security@freebsd.org
Date: Wed, 7 Apr 2004 10:56:33 +1000
Subject: RE: SYN attacks
Message-ID: <402CF87001173F5D@> (added by postmaster@iprimus.com.au)
In-Reply-To: <000d01c41bf8$dd24eac0$fa10fea9@bryanuptrvb0jc>

You could try adding this to /etc/sysctl.conf

sysctl net.inet.tcp.drop_synfin=1

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Spades
Sent: Wednesday, 7 April 2004 3:02 am
To: freebsd-questions@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: SYN attacks

Heya,

FREEBSD 4.9-STABLE

Is there any way to block SYN attacks and prevent them from bringing down my server?

It's been attacking for some time.
From owner-freebsd-security@FreeBSD.ORG Tue Apr 6 18:31:14 2004
From: Mark Picone <wts666@iprimus.com.au>
To: freebsd-security@freebsd.org
Date: Wed, 7 Apr 2004 11:29:51 +1000
Subject: RE: SYN attacks (correction)
Message-ID: <402CF87001176A54@> (added by postmaster@iprimus.com.au)
In-Reply-To: <402CF87001173F5D@> (added by postmaster@iprimus.com.au)

You should add

net.inet.tcp.drop_synfin=1

to /etc/sysctl.conf so it gets piped into sysctl on boot, or just run

sysctl net.inet.tcp.drop_synfin=1

as root.

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Mark Picone
Sent: Wednesday, 7 April 2004 10:57 am
To: freebsd-security@freebsd.org
Subject: RE: SYN attacks

You could try adding this to /etc/sysctl.conf

sysctl net.inet.tcp.drop_synfin=1

From owner-freebsd-security@FreeBSD.ORG Tue Apr 6 19:09:35 2004
From: David <ph1@cogeco.ca>
To: freebsd-security@freebsd.org
Date: Tue, 06 Apr 2004 22:12:34 -0400
Subject: Re: SYN attacks (correction)
Message-ID: <40736392.8060708@cogeco.ca>
In-Reply-To: <402CF87001176A54@> (added by postmaster@iprimus.com.au)

Mark Picone wrote:
> you should add
> net.inet.tcp.drop_synfin=1 to /etc/sysctl.conf so it gets piped into sysctl
> on boot
> or just run sysctl net.inet.tcp.drop_synfin=1 as root

It is unlikely the attacks will have both the SYN and FIN flags set. Perhaps verify that net.inet.tcp.syncookies is set to 1, and use ipfw+dummynet to rate-limit incoming SYN packets.
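David's two suggestions, as an added example that is not code from the thread: a small audit of `sysctl` output for the knobs the replies name (`net.inet.tcp.syncookies`, which is the one that matters against a SYN flood, and `net.inet.tcp.drop_synfin`, which only catches SYN+FIN probes), followed by the ipfw+dummynet commands that push inbound connection attempts through a bandwidth-limited pipe. The sysctl names are real FreeBSD ones, including `net.inet.ip.fw.one_pass`, which decides whether a packet leaving a pipe is re-injected into the ruleset; the interface `fxp0`, the bandwidth figure and the sample sysctl output are constructed for the demo, so verify the `ipfw pipe` syntax against your ipfw(8).

```python
"""Audit SYN-flood sysctl knobs and emit ipfw+dummynet SYN rate limiting.

Added example, not from the list posts.  Sysctl names are FreeBSD's own;
interface, bandwidth and the sample output below are constructed.
"""
import re

# knob -> value a host under SYN flood should have
EXPECTED = {
    # kernel keeps no state for half-open connections, so the backlog
    # cannot be exhausted - this is the control that matters
    "net.inet.tcp.syncookies": "1",
    # drops SYN+FIN probes; cheap, but a plain SYN flood never sets FIN
    "net.inet.tcp.drop_synfin": "1",
}

# accepts both 'name: value' (sysctl output) and 'name=value' (sysctl.conf)
SYSCTL_LINE = re.compile(r"^\s*([\w.]+)\s*[:=]\s*(\S+)")

# constructed sample of `sysctl -a` output on an unhardened host
SAMPLE_SYSCTL_OUTPUT = """\
net.inet.tcp.syncookies: 0
net.inet.tcp.drop_synfin: 0
net.inet.ip.fw.one_pass: 1
"""


def parse_sysctl(output):
    """Map each recognised line of sysctl output to its value string."""
    values = {}
    for line in output.splitlines():
        m = SYSCTL_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def audit(output):
    """Return {knob: (current_or_None, expected)} for every knob that is
    missing or not at its expected value; an empty dict means all good."""
    values = parse_sysctl(output)
    return {k: (values.get(k), v) for k, v in EXPECTED.items()
            if values.get(k) != v}


def sysctl_conf_lines(findings):
    """Lines to append to /etc/sysctl.conf so the fix survives a reboot."""
    return [f"{k}={exp}" for k, (_, exp) in sorted(findings.items())]


def syn_ratelimit_rules(iface, kbit_per_s=64, rule=900, pipe=1):
    """ipfw commands that squeeze inbound connection attempts through a
    dummynet pipe.  'setup' matches TCP segments with SYN set and ACK clear,
    i.e. exactly the packets a SYN flood consists of; 'me' is any local
    address.  With net.inet.ip.fw.one_pass=1 (the default) a packet is
    accepted as it leaves the pipe, so later rules never see these SYNs."""
    return [
        f"ipfw pipe {pipe} config bw {kbit_per_s}Kbit/s queue 20",
        f"ipfw add {rule} pipe {pipe} tcp from any to me setup in via {iface}",
    ]


if __name__ == "__main__":
    findings = audit(SAMPLE_SYSCTL_OUTPUT)
    for knob, (cur, exp) in findings.items():
        print(f"{knob}: is {cur}, want {exp}")
    print("\n".join(sysctl_conf_lines(findings)))
    print("\n".join(syn_ratelimit_rules("fxp0")))
```

The pipe does not distinguish attack SYNs from legitimate ones; it caps the rate at which any of them reach the stack, which keeps the box reachable during a flood at the cost of slower connection setup for everyone. Syncookies are what let the server survive the half-open backlog itself.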
From owner-freebsd-security@FreeBSD.ORG Tue Apr 6 22:18:03 2004
From: Ralf Spenneberg
To: security@freebsd.org, security@netbsd.org, security@apple.com
Date: 07 Apr 2004 07:15:03 +0200
Message-Id: <1081314902.1942.11.camel@kermit>
Subject: Possible security hole in racoon verified on FreeBSD using racoon-20030711
Hi,

while testing racoon on Linux (based on the ported ipsec-tools) the following issue appeared:

Racoon did not verify the RSA Signatures during Phase 1 in either main or aggressive mode. Authentication was possible using a correct certificate and a wrong private key.

I have verified the below problem using racoon-20030711 on FreeBSD 4.9. I will test it using the SNAP Kit but suspect it to be vulnerable, too. Probably other implementations like racoon and MacOSX are vulnerable, too.

On Linux the issue was resolved with the attached patch. Could you look into this? I would like to publish a Bugtraq report after the weekend, provided that you have confirmed that either your racoon is not vulnerable or you have patches available.
Regards,

Ralf

-- 
Ralf Spenneberg
UNIX/Linux Trainer and Consultant, RHCE, RHCX
Waldring 34
48565 Steinfurt
Germany
Phone: +49(0)2552 638 755
Fax: +49(0)2552 638 757
Mobile: +49(0)177 567 27 40

Markt+Technik book: Intrusion Detection für Linux Server
Addison-Wesley book: VPN mit Linux
IPsec-Howto: http://www.ipsec-howto.org
IPsec/PPTP Kernels for Red Hat Linux: http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror: http://honeynet.spenneberg.org
Snort Mirror: http://snort.spenneberg.org

From owner-freebsd-security@FreeBSD.ORG Wed Apr 7 03:14:19 2004
Message-ID: <4073D380.9020607@sitetronics.com>
Date: Wed, 07 Apr 2004 12:10:08 +0200
From: "Devon H. O'Dell"
To: Ralf Spenneberg
Cc: security@netbsd.org, security@apple.com, security@freebsd.org
In-Reply-To: <1081314902.1942.11.camel@kermit>
Subject: Re: Possible security hole in racoon verified on FreeBSD using racoon-20030711

Ralf Spenneberg wrote:
[snip]
> On Linux the issue was resolved with the attached patch.

Hey Ralf,

The patch didn't make it to our (FreeBSD) list; I suspect the others have not received the patch as well. Additionally, this (security@freebsd.org) is a public mailing list, so you just disclosed the problem ;)

Kind regards,

Devon H. O'Dell
From owner-freebsd-security@FreeBSD.ORG Wed Apr 7 03:35:47 2004
From: Michael Nottebrock
To: freebsd-security@freebsd.org
Cc: Ralf Spenneberg, security@netbsd.org, security@apple.com
Date: Wed, 7 Apr 2004 12:34:55 +0200
In-Reply-To: <4073D380.9020607@sitetronics.com>
Message-Id: <200404071234.59149.michaelnottebrock@gmx.net>
Subject: Re: Possible security hole in racoon verified on FreeBSD using racoon-20030711
On Wednesday 07 April 2004 12:10, Devon H. O'Dell wrote:
> Ralf Spenneberg wrote:
> [snip]
>
> > On Linux the issue was resolved with the attached patch.
>
> Hey Ralf,
>
> The patch didn't make it to our (FreeBSD) list; I suspect the others
> have not received the patch as well.

The FreeBSD.org lists discard most attachments - make sure attached patches are marked as text/plain (rather than text/x-patch or text/x-diff for example).

-- 
   ,_,   | Michael Nottebrock               | lofi@freebsd.org
 (/^ ^\) | FreeBSD - The Power to Serve     | http://www.freebsd.org
   \u/   | K Desktop Environment on FreeBSD | http://freebsd.kde.org

From owner-freebsd-security@FreeBSD.ORG Wed Apr 7 04:16:58 2004
Message-ID: <4073DD1D.6050708@sitetronics.com>
Date: Wed, 07 Apr 2004 12:51:09 +0200
From: "Devon H. O'Dell"
To: Michael Nottebrock
Cc: freebsd-security@freebsd.org, Ralf Spenneberg, security@netbsd.org, security@apple.com
In-Reply-To: <200404071234.59149.michaelnottebrock@gmx.net>
Subject: Re: Possible security hole in racoon verified on FreeBSD using racoon-20030711

Michael Nottebrock wrote:
> On Wednesday 07 April 2004 12:10, Devon H. O'Dell wrote:
>> Ralf Spenneberg wrote:
>> [snip]
>>
>>> On Linux the issue was resolved with the attached patch.
>>
>> Hey Ralf,
>>
>> The patch didn't make it to our (FreeBSD) list; I suspect the others
>> have not received the patch as well.
>
> The FreeBSD.org lists discard most attachments - make sure attached patches
> are marked as text/plain (rather than text/x-patch or text/x-diff for
> example).

Fixes appear to have been applied in the KAME repo and in our ports. Thanks for the heads up, Ralf.

--Devon
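What Ralf's report and the KAME fix Devon mentions come down to is one decision in the responder: the signature in the peer's SIG payload must open, under the public key in the certificate the peer presented, to the Phase 1 hash, and that comparison must be what decides authentication. The added example below (constructed for this thread, not racoon's code; textbook RSA with no padding, toy 512-bit keys, and phase1_hash standing in for HASH_I) puts a check that ignores the result next to one that uses it, and shows why a correct certificate with the wrong private key passes the first and fails the second.

```python
import hashlib
import random

# Constructed illustration of the racoon Phase 1 flaw, not racoon's code.
# Textbook RSA over a SHA-1 digest (no padding) keeps the focus on the one
# thing the advisory is about: whether the verifier's result is used at all.


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test with witnesses drawn from rng."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits=512, seed=0):
    """Deterministic toy RSA key pair ((n, e), (n, d)). 512 bits is far too
    small for real use; it is chosen only to keep the demonstration fast."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def phase1_hash(payload):
    """Stand-in for HASH_I / HASH_R, which in IKE binds the nonces, SA proposal
    and identities; here simply SHA-1 of a constructed byte string."""
    return hashlib.sha1(payload).digest()


def rsa_sign(private_key, digest):
    """Textbook RSA signature of the digest (no padding, illustration only)."""
    n, d = private_key
    return pow(int.from_bytes(digest, "big"), d, n)


def authenticate_peer_broken(cert, digest, signature):
    """Models the class of flaw in the report: the signature is processed with
    the certificate's public key, but the outcome never decides the result."""
    n, e = cert["pubkey"]
    pow(signature, e, n)  # computed and thrown away
    return True           # any certificate plus any private key authenticates


def authenticate_peer_fixed(cert, digest, signature):
    """Hardened check: the signature must open, under the public key carried in
    the certificate the peer presented, to exactly the Phase 1 hash."""
    n, e = cert["pubkey"]
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == int.from_bytes(digest, "big")


if __name__ == "__main__":
    pub, priv = generate_keypair(seed=1)
    _, wrong_priv = generate_keypair(seed=2)   # a key unrelated to the certificate
    cert = {"subject": "CN=vpn-peer", "pubkey": pub}
    digest = phase1_hash(b"constructed SA proposal | nonces | identities")
    for label, key in (("matching key", priv), ("wrong key", wrong_priv)):
        sig = rsa_sign(key, digest)
        print(label, "-> broken:", authenticate_peer_broken(cert, digest, sig),
              "fixed:", authenticate_peer_fixed(cert, digest, sig))
```

Certificate chain validation is a separate step that both checks assume has already passed; the flaw here is orthogonal to it.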
From owner-freebsd-security@FreeBSD.ORG Wed Apr 7 06:10:58 2004
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Date: Wed, 7 Apr 2004 08:09:31 -0500
Message-ID: <20040407130931.GA62723@madman.celabo.org>
Subject: Note to Racoon users (IKE/ISAKMP daemon)

As was accidentally posted here earlier by Ralf :-), you should be aware of this issue:

http://vuxml.freebsd.org/d8769838-8814-11d8-90d1-0020ed76ef5a.html

racoon fails to verify signature during Phase 1

Affected packages
  racoon < 20040407b

Details
  VuXML ID   d8769838-8814-11d8-90d1-0020ed76ef5a
  Discovery  2004-04-05
  Entry      2004-04-07

Ralf Spenneberg discovered a serious flaw in racoon. When using Phase 1 main or aggressive mode, racoon does not verify the client's RSA signature.
Any installations using X.509 authentication are strongly urged to upgrade. Installations using pre-shared keys are believed to be unaffected.

References
  CVE   CAN-2004-0155
  URL   http://www.kame.net/dev/cvsweb2.cgi/kame/kame/kame/racoon/crypto_openssl.c?rev=1.84&content-type=text/x-cvsweb-markup

-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Wed Apr 7 08:43:34 2004
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Date: Wed, 7 Apr 2004 10:42:20 -0500
Message-ID: <20040407154220.GA5651@madman.celabo.org>
Subject: Changing `security@freebsd.org' alias

Hello Folks,

The official email address for this list is `freebsd-security@freebsd.org'.
Due to convention, there is an email alias for this list: security@freebsd.org, just as there is for hackers@ & freebsd-hackers@, arch@ & freebsd-arch@, and so on.

The security@freebsd.org alias has been the source of occasional problems. Several times in the past, postings have been made to that address under the assumption that the address was directed to security response personnel, and not a public mailing list.

Of course, this was a reasonable assumption. Practically every vendor in the universe uses security@ for that purpose, largely because RFC 2142 strongly recommends it for that purpose. And sometimes one just makes a typo. It has not been too uncommon for people to forget the `-officer' part of `security-officer@freebsd.org'. (Yours truly has been guilty of this.)

Mistaken early disclosure of a vulnerability can have consequences from the merely embarrassing to catastrophic. Therefore, I am proposing that `security@freebsd.org' be re-routed to the Security Officer.

I imagine this will have some significant impact: there must be many references to security@freebsd.org as a public list out there. So, I thought I'd air the issue here before sending any request to postmaster@.
Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Wed Apr 7 09:13:09 2004
From: Matthew George
To: "Jacques A. Vidrine"
Cc: freebsd-security@freebsd.org
Date: Wed, 7 Apr 2004 12:12:20 -0400 (EDT)
In-Reply-To: <20040407154220.GA5651@madman.celabo.org>
Message-ID: <20040407120854.A55775@localhost>
Subject: Re: Changing `security@freebsd.org' alias

On Wed, 7 Apr 2004, Jacques A. Vidrine wrote:

> Mistaken early disclosure of a vulnerability can have consequences
> from the merely embarrassing to catastrophic. Therefore, I am
> proposing that `security@freebsd.org' be re-routed to the Security
> Officer.

Perhaps re-routing to security-team@ would be better?

Just out of curiosity, how large is that group? Are there any security response guidelines (etc.) that have been published?
-- 
Matthew George
SecureWorks Technical Operations

From owner-freebsd-security@FreeBSD.ORG Wed Apr 7 09:27:23 2004
From: Peter Pentchev
To: "Jacques A. Vidrine"
Cc: freebsd-security@FreeBSD.org
Date: Wed, 7 Apr 2004 19:26:28 +0300
Message-ID: <20040407162628.GA942@straylight.m.ringlet.net>
In-Reply-To: <20040407154220.GA5651@madman.celabo.org>
Subject: Re: Changing `security@freebsd.org' alias

On Wed, Apr 07, 2004 at 10:42:20AM -0500, Jacques A. Vidrine wrote:
> Hello Folks,
>
> The official email address for this list is
> `freebsd-security@freebsd.org'.
> Due to convention, there is an email
> alias for this list: security@freebsd.org, just as there is for
> hackers@ & freebsd-hackers@, arch@ & freebsd-arch@, and so on.
[snip]
> Mistaken early disclosure of a vulnerability can have consequences
> from the merely embarrassing to catastrophic. Therefore, I am
> proposing that `security@freebsd.org' be re-routed to the Security
> Officer.

And before you get a flood of nay-sayers, here's a "Go for it!" from at least one semi-lurker :)

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.

From owner-freebsd-security@FreeBSD.ORG Wed Apr 7 14:58:41 2004
Message-ID: <40747968.2030902@daleco.biz>
Date: Wed, 07 Apr 2004 16:58:00 -0500
From: "Kevin D. Kinsey, DaleCo, S.P."
To: Peter Pentchev
Cc: "Jacques A. Vidrine", freebsd-security@freebsd.org
In-Reply-To: <20040407162628.GA942@straylight.m.ringlet.net>
Subject: Re: Changing `security@freebsd.org' alias

Peter Pentchev wrote:
> On Wed, Apr 07, 2004 at 10:42:20AM -0500, Jacques A. Vidrine wrote:
>> Hello Folks,
>>
>> The official email address for this list is
>> `freebsd-security@freebsd.org'. Due to convention, there is an email
>> alias for this list: security@freebsd.org, just as there is for
>> hackers@ & freebsd-hackers@, arch@ & freebsd-arch@, and so on.
> [snip]
>> Mistaken early disclosure of a vulnerability can have consequences
>> from the merely embarrassing to catastrophic. Therefore, I am
>> proposing that `security@freebsd.org' be re-routed to the Security
>> Officer.
>
> And before you get a flood of nay-sayers, here's a "Go for it!" from at
> least one semi-lurker :)
>
> G'luck,
> Peter

Not a nay-sayer, but probably worse, here.

Build a better bikeshed: how difficult would it be to add an autoresponder that says something like:

"Thanks for your email to the security team. We will act upon your information ASAP.

In case you were attempting to contact the security <> mailing list at freebsd.org, please resend your mail to: ..."

??
Don't know that it's a need; thought it might save security-officer@ the trouble of either returning those mails manually or else Fw:'ing them to the real list ....

It may not matter; this list is certainly much quieter than it used to be (with the possible exception of this post ;-) and therefore that may happen very little. A visual diff of the most recently posted items to freebsd-security shows little use, but the point is rather obvious....

Kevin Kinsey

From owner-freebsd-security@FreeBSD.ORG Wed Apr 7 15:09:43 2004
From: Brooks Davis
To: "Kevin D. Kinsey, DaleCo, S.P."
Cc: "Jacques A. Vidrine"
Date: Wed, 7 Apr 2004 15:08:41 -0700
Message-ID: <20040407220841.GF20636@Odin.AC.HMC.Edu>
In-Reply-To: <40747968.2030902@daleco.biz>
Cc: freebsd-security@freebsd.org
Subject: Re: Changing `security@freebsd.org' alias

On Wed, Apr 07, 2004 at 04:58:00PM -0500, Kevin D. Kinsey, DaleCo, S.P. wrote:
> Not a nay-sayer, but probably worse, here.
>
> Build a better bikeshed: how difficult would it be
> to add an autoresponder that says something like:
>
> "Thanks for your email to the security team.
> We will act upon your information ASAP.
>
> In case you were attempting to contact the
> security <> mailing list at
> freebsd.org, please resend your mail to: ..."

On today's Internet with mass-mailing e-mail worms everywhere, autoresponders on well-known addresses should be avoided at all cost.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security@FreeBSD.ORG Wed Apr 7 17:38:11 2004
From: Avleen Vig
To: "Jacques A. Vidrine", freebsd-security@FreeBSD.org
Date: Wed, 7 Apr 2004 17:38:09 -0700
Message-ID: <20040408003809.GA593@silverwraith.com>
In-Reply-To: <20040407154220.GA5651@madman.celabo.org>
Subject: Re: Changing `security@freebsd.org' alias

On Wed, Apr 07, 2004 at 10:42:20AM -0500, Jacques A. Vidrine wrote:
> Mistaken early disclosure of a vulnerability can have consequences
> from the merely embarrassing to catastrophic. Therefore, I am
> proposing that `security@freebsd.org' be re-routed to the Security
> Officer.
A serious problem, with a good solution. A "yes" vote from me!

-- 
Avleen Vig
Systems Administrator
Personal: www.silverwraith.com
EFnet: irc.mindspring.com (Earthlink user access only)

From owner-freebsd-security@FreeBSD.ORG Wed Apr 7 17:53:17 2004
From: "Kevin D. Kinsey, DaleCo, S.P."
To: Brooks Davis
Cc: freebsd-security@freebsd.org
Date: Wed, 07 Apr 2004 19:53:14 -0500
Message-ID: <4074A27A.3020207@daleco.biz>
In-Reply-To: <20040407220841.GF20636@Odin.AC.HMC.Edu>
Subject: Re: Changing `security@freebsd.org' alias

Brooks Davis wrote:
> On Wed, Apr 07, 2004 at 04:58:00PM -0500, Kevin D. Kinsey, DaleCo, S.P. wrote:
>> Not a nay-sayer, but probably worse, here.
>>
>> Build a better bikeshed: how difficult would it be
>> to add an autoresponder that says something like:
>
> On today's Internet with mass-mailing e-mail worms everywhere,
> autoresponders on well-known addresses should be avoided at all cost.
>
> -- Brooks

Hmm, yah; I can see a problem there...

KDK

From owner-freebsd-security@FreeBSD.ORG Wed Apr 7 10:28:33 2004
From: David
To: freebsd-security@FreeBSD.org
Date: Wed, 7 Apr 2004 10:27:40 -0700 (PDT)
In-Reply-To: <20040407162628.GA942@straylight.m.ringlet.net>
Message-ID: <20040407102646.V788@bitch.inducedreality.net>
Subject: Re: Changing `security@freebsd.org' alias

On Wed, 7 Apr 2004, Peter Pentchev wrote:

> On Wed, Apr 07, 2004 at 10:42:20AM -0500, Jacques A. Vidrine wrote:
> > Hello Folks,
> >
> > The official email address for this list is
> > `freebsd-security@freebsd.org'.
> > Due to convention, there is an email
> > alias for this list: security@freebsd.org, just as there is for
> > hackers@ & freebsd-hackers@, arch@ & freebsd-arch@, and so on.
> [snip]
> > Mistaken early disclosure of a vulnerability can have consequences
> > from the merely embarrassing to catastrophic. Therefore, I am
> > proposing that `security@freebsd.org' be re-routed to the Security
> > Officer.
>
> And before you get a flood of nay-sayers, here's a "Go for it!" from at
> least one semi-lurker :)
>
> G'luck,
> Peter

I agree. Yeah, there may be a transition time, but in the long run I think it will be better overall.

David

From owner-freebsd-security@FreeBSD.ORG Wed Apr 7 16:14:07 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6C50D16A4CE for ; Wed, 7 Apr 2004 16:14:07 -0700 (PDT) Received: from farside.isc.org (farside.isc.org [204.152.187.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F98843D5E for ; Wed, 7 Apr 2004 16:14:07 -0700 (PDT) (envelope-from Mark_Andrews@isc.org) Received: from drugs.dv.isc.org (localhost [IPv6:::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by farside.isc.org (Postfix) with ESMTP id 024ECA82B for ; Wed, 7 Apr 2004 23:13:04 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.12.10/8.12.10) with ESMTP id i37LePqW097611 for ; Thu, 8 Apr 2004 07:40:25 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200404072140.i37LePqW097611@drugs.dv.isc.org> To: freebsd-security@FreeBSD.org From: Mark Andrews Mail-Followup-To: "Jacques A. Vidrine" , freebsd-security@FreeBSD.org In-reply-to: Your message of "Wed, 07 Apr 2004 19:26:28 +0300."
<20040407162628.GA942@straylight.m.ringlet.net> Date: Thu, 08 Apr 2004 07:40:25 +1000 Sender: Mark_Andrews@isc.org X-Mailman-Approved-At: Thu, 08 Apr 2004 02:22:08 -0700 Subject: Re: Changing `security@freebsd.org' alias X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Apr 2004 23:14:07 -0000

> On Wed, Apr 07, 2004 at 10:42:20AM -0500, Jacques A. Vidrine wrote:
> > Hello Folks,
> >
> > The official email address for this list is
> > `freebsd-security@freebsd.org'. Due to convention, there is an email
> > alias for this list: security@freebsd.org, just as there is for
> > hackers@ & freebsd-hackers@, arch@ & freebsd-arch@, and so on.
> [snip]
> > Mistaken early disclosure of a vulnerability can have consequences
> > from the merely embarrassing to catastrophic. Therefore, I am
> > proposing that `security@freebsd.org' be re-routed to the Security
> > Officer.
>
> And before you get a flood of nay-sayers, here's a "Go for it!" from at
> least one semi-lurker :)

Seconded.

> G'luck,
> Peter
>
> --
> Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
> PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
> Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
> Nostalgia ain't what it used to be.
> > --k+w/mQv8wyuph6w0
> Content-Type: application/pgp-signature
> Content-Disposition: inline
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (FreeBSD)
>
> iD8DBQFAdCu07Ri2jRYZRVMRAqAqAJ0XtkIcwCHCf3l6aahZXAaZJyqqgwCgo30F
> NcgpgJDXcmDmCYqTml6tvDc=
> =UT4V
> -----END PGP SIGNATURE-----
>
> --k+w/mQv8wyuph6w0--

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 06:58:22 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3481016A4D5 for ; Thu, 8 Apr 2004 06:58:22 -0700 (PDT) Received: from bewilderbeast.blackhelicopters.org (bewilderbeast.blackhelicopters.org [198.22.63.43]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9FACC43D4C for ; Thu, 8 Apr 2004 06:58:21 -0700 (PDT) (envelope-from mwlucas@bewilderbeast.blackhelicopters.org) Received: from bewilderbeast.blackhelicopters.org (smmsp@localhost [127.0.0.1])i38DwJJc082904 for ; Thu, 8 Apr 2004 09:58:21 -0400 (EDT) (envelope-from mwlucas@bewilderbeast.blackhelicopters.org) Received: (from mwlucas@localhost)i38BsEvb081891 for security@freebsd.org; Thu, 8 Apr 2004 07:54:14 -0400 (EDT) (envelope-from mwlucas) Date: Thu, 8 Apr 2004 07:54:14 -0400 From: "Michael W. Lucas" To: security@freebsd.org Message-ID: <20040408115414.GA81875@bewilderbeast.blackhelicopters.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.1i X-Spam-Score: (0) X-Scanned-By: MIMEDefang 2.39 Subject: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2004 13:58:22 -0000

Hi,

I'm pondering building my own SSL accelerator out of a multi-CPU FreeBSD system and a crypto accelerator.

What's the recommended hardware crypto accelerator card these days?

Thanks,
==ml

--
Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
Today's chance of throwing it all away to start a goat farm: 49.1%
http://www.BlackHelicopters.org/~mwlucas/

From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 07:14:38 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7D65516A4CE for ; Thu, 8 Apr 2004 07:14:38 -0700 (PDT) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8F51B43D49 for ; Thu, 8 Apr 2004 07:14:35 -0700 (PDT) (envelope-from phk@phk.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.12.11/8.12.11) with ESMTP id i38EER1H026107; Thu, 8 Apr 2004 16:14:27 +0200 (CEST) (envelope-from phk@phk.freebsd.dk) To: "Michael W. Lucas" From: "Poul-Henning Kamp" In-Reply-To: Your message of "Thu, 08 Apr 2004 07:54:14 EDT."
<20040408115414.GA81875@bewilderbeast.blackhelicopters.org> Date: Thu, 08 Apr 2004 16:14:27 +0200 Message-ID: <26106.1081433667@critter.freebsd.dk> cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2004 14:14:38 -0000

In message <20040408115414.GA81875@bewilderbeast.blackhelicopters.org>, "Michael W. Lucas" writes:
>
>Hi,
>
>I'm pondering building my own SSL accelerator out of a multi-CPU
>FreeBSD system and a crypto accelerator.
>
>What's the recommended hardware crypto accelerator card these
>days?

Look at VPN14x1 from www.soekris.com, it's darn cheap too.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 07:25:08 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED7BE16A4CE for ; Thu, 8 Apr 2004 07:25:08 -0700 (PDT) Received: from smtp3.sentex.ca (smtp3.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9018C43D60 for ; Thu, 8 Apr 2004 07:25:08 -0700 (PDT) (envelope-from mike@sentex.net) Received: from avscan2.sentex.ca (avscan2.sentex.ca [199.212.134.19]) by smtp3.sentex.ca (8.12.11/8.12.10) with ESMTP id i38EP5CO066442; Thu, 8 Apr 2004 10:25:05 -0400 (EDT) (envelope-from mike@sentex.net) Received: from localhost (localhost [127.0.0.1]) by avscan2.sentex.ca (Postfix) with ESMTP id 3FE5959CA7; Thu, 8 Apr 2004 10:25:07 -0400 (EDT) Received: from avscan2.sentex.ca ([127.0.0.1]) by localhost (avscan2.sentex.ca [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 42417-11; Thu, 8 Apr 2004 10:25:07 -0400 (EDT) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by avscan2.sentex.ca (Postfix) with ESMTP id 10CE259CA6; Thu, 8 Apr 2004 10:25:07 -0400 (EDT) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.11/8.12.11) with ESMTP id i38EP581094243; Thu, 8 Apr 2004 10:25:05 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.0.3.0.0.20040408102521.0948ea58@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.3.0 Date: Thu, 08 Apr 2004 10:25:59 -0400 To: "Poul-Henning Kamp" , "Michael W. Lucas" From: Mike Tancsa In-Reply-To: <26106.1081433667@critter.freebsd.dk> References: <26106.1081433667@critter.freebsd.dk> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by amavisd-new X-Virus-Scanned: by amavisd-new at (avscan2) sentex.ca cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2004 14:25:09 -0000

At 10:14 AM 08/04/2004, Poul-Henning Kamp wrote:
>Look at VPN14x1 from www.soekris.com, it's darn cheap too.

The driver is broken in both RELENG_4 and CURRENT however.

---Mike

From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 07:28:40 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DC67816A4CE for ; Thu, 8 Apr 2004 07:28:40 -0700 (PDT) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4BB2143D2D for ; Thu, 8 Apr 2004 07:28:40 -0700 (PDT) (envelope-from phk@phk.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.12.11/8.12.11) with ESMTP id i38ESbAZ026216; Thu, 8 Apr 2004 16:28:37 +0200 (CEST) (envelope-from phk@phk.freebsd.dk) To: Mike Tancsa From: "Poul-Henning Kamp" In-Reply-To: Your message of "Thu, 08 Apr 2004 10:25:59 EDT."
<6.0.3.0.0.20040408102521.0948ea58@209.112.4.2> Date: Thu, 08 Apr 2004 16:28:37 +0200 Message-ID: <26215.1081434517@critter.freebsd.dk> cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2004 14:28:41 -0000

In message <6.0.3.0.0.20040408102521.0948ea58@209.112.4.2>, Mike Tancsa writes:
>At 10:14 AM 08/04/2004, Poul-Henning Kamp wrote:
>
>>Look at VPN14x1 from www.soekris.com, it's darn cheap too.
>
>The driver is broken in both RELENG_4 and CURRENT however.

It is not clear to me exactly what is broken. I have seen problems reported but as far as I know they were all IPSEC related, and I have not seen a trace of trouble in my use with GBDE.

I'm not saying that the driver is _not_ broken, but it is certainly not known to me to be broken for the use Michael asked about.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 07:41:41 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D962D16A4CE for ; Thu, 8 Apr 2004 07:41:41 -0700 (PDT) Received: from cray.e-card.bg (mjak.e-card.bg [212.91.167.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3940043D2D for ; Thu, 8 Apr 2004 07:41:40 -0700 (PDT) (envelope-from altares@cray.e-card.bg) Received: from cray.e-card.bg (localhost [127.0.0.1]) by cray.e-card.bg (8.12.9/8.12.9) with ESMTP id i38Efc5k015426; Thu, 8 Apr 2004 17:41:38 +0300 (EEST) (envelope-from altares@cray.e-card.bg) Received: (from altares@localhost) by cray.e-card.bg (8.12.9/8.12.9/Submit) id i38EfZx9015425; Thu, 8 Apr 2004 17:41:35 +0300 (EEST) Date: Thu, 8 Apr 2004 17:41:35 +0300 From: Rumen Telbizov To: "Michael W. Lucas" Message-ID: <20040408144135.GQ293@e-card.bg> References: <20040408115414.GA81875@bewilderbeast.blackhelicopters.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040408115414.GA81875@bewilderbeast.blackhelicopters.org> User-Agent: Mutt/1.4.2.1i cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2004 14:41:42 -0000

I would recommend you to take a look at www.rainbow.com and www.nchipher.com

The hardware seems nice, but I am not sure about the driver support in FreeBSD. I spoke with rainbow (about cryptoswift) a month ago. Initially they told me there are drivers ... then they changed their minds ... and told me that FreeBSD is unsupported. I didn't clear the issue anyway.

I'll be glad to hear any successful installations of cryptocards in FreeBSD.
Rumen Telbizov

On Thu, Apr 08, 2004 at 07:54:14AM -0400, Michael W. Lucas wrote:
>
> Hi,
>
> I'm pondering building my own SSL accelerator out of a multi-CPU
> FreeBSD system and a crypto accelerator.
>
> What's the recommended hardware crypto accelerator card these
> days?
>
> Thanks,
>
> ==ml
>
> --
> Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
>
> Today's chance of throwing it all away to start a goat farm: 49.1%
> http://www.BlackHelicopters.org/~mwlucas/
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 07:42:59 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CA6EF16A4CE for ; Thu, 8 Apr 2004 07:42:59 -0700 (PDT) Received: from smtp3.sentex.ca (smtp3.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4C0BF43D31 for ; Thu, 8 Apr 2004 07:42:59 -0700 (PDT) (envelope-from mike@sentex.net) Received: from avscan1.sentex.ca (avscan1.sentex.ca [199.212.134.11]) by smtp3.sentex.ca (8.12.11/8.12.10) with ESMTP id i38Eguan071765; Thu, 8 Apr 2004 10:42:56 -0400 (EDT) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by avscan1.sentex.ca (8.12.10/8.12.10) with ESMTP id i38Egv3x019642; Thu, 8 Apr 2004 10:42:57 -0400 (EDT) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.11/8.12.11) with ESMTP id i38EguX8094314; Thu, 8 Apr 2004 10:42:56 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.0.3.0.0.20040408103201.0949ba98@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.3.0 Date: Thu, 08 Apr 2004 10:43:39 -0400 To: "Poul-Henning Kamp" From: Mike Tancsa In-Reply-To: <26215.1081434517@critter.freebsd.dk> References: <26215.1081434517@critter.freebsd.dk> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by amavisd-new cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2004 14:42:59 -0000

At 10:28 AM 08/04/2004, Poul-Henning Kamp wrote:
>It is not clear to me exactly what is broken. I have seen problems
>reported but as far as I know they were all IPSEC related, and I
>have not seen a trace of trouble in my use with GBDE.
>I'm not saying that the driver is _not_ broken, but it is certainly
>not known to me to be broken for the use Michael asked about.

Actually, I have found it to wedge when using it in conjunction with openssl. Here again are the steps to reproduce the bug. The same can be done in OpenBSD BTW. I tried it with 3 different 1401 cards.

* Login with a non-accelerated ssh session (e.g. blowfish as the cipher)

* Make a file called big.
  dd if=/dev/urandom of=big bs=1024k count=768

* In another session, login using 3des (i.e. one that will get offloaded to the Hifn card)

* In the blowfish session, start an encryption process, pipe it through ssh to dump to another machine, e.g.
  /usr/bin/openssl enc -des3 -in big -k passphrase | ssh -c 3des mdtancsa@192.168.43.26 "cat - > /home/mdtancsa/targetfile.enc"

  At random periods, the process will get "stuck"

* In the 3des session, just hit the enter key. The ssl | ssh commands will become "unstuck." Basically, you just need to do something else that touches the crypto card. e.g. If you are on the console,
  head /dev/urandom | openssl 3des -out /dev/null -k pass
  will do the trick.
When I had the releng5/CURRENT box up it would hang the same way as RELENG4

releng5-test# ps -p 647 -auxjwwww
USER     PID %CPU %MEM  VSZ  RSS TT STAT STARTED    TIME COMMAND          PPID PGID JOBC
mdtancsa 647  0.0  0.4 2668 2008 p1 I+   2:27PM  0:05.17 /usr/bin/openssl  635  647    2
releng5-test#
releng5-test# ps -p 648 -auwwww
USER     PID %CPU %MEM  VSZ  RSS TT STAT STARTED    TIME COMMAND
mdtancsa 648  0.0  0.5 3328 2756 p1 D+   2:27PM  0:12.03 ssh -c 3des mdtancsa@192.168.43.26 cat - > /home/mdtancsa/targetfile.enc
releng5-test#

  PID USERNAME PRI NICE  SIZE   RES STATE    TIME   WCPU    CPU COMMAND
  648 mdtancsa   8    0 3328K 2756K crydev   0:12  0.00%  0.00% ssh
  647 mdtancsa  -8    0 2668K 2008K pipdwt   0:05  0.00%  0.00% openssl

From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 07:43:23 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E557916A4CE for ; Thu, 8 Apr 2004 07:43:23 -0700 (PDT) Received: from bewilderbeast.blackhelicopters.org (bewilderbeast.blackhelicopters.org [198.22.63.43]) by mx1.FreeBSD.org (Postfix) with ESMTP id 98DC343D2D for ; Thu, 8 Apr 2004 07:43:23 -0700 (PDT) (envelope-from mwlucas@bewilderbeast.blackhelicopters.org) Received: from bewilderbeast.blackhelicopters.org (mwlucas@localhost [127.0.0.1])i38EhMJQ083492; Thu, 8 Apr 2004 10:43:22 -0400 (EDT) (envelope-from mwlucas@bewilderbeast.blackhelicopters.org) Received: (from mwlucas@localhost)i38EhM9e083491; Thu, 8 Apr 2004 10:43:22 -0400 (EDT) (envelope-from mwlucas) Date: Thu, 8 Apr 2004 10:43:22 -0400 From: "Michael W. Lucas" To: Poul-Henning Kamp Message-ID: <20040408144322.GA83448@bewilderbeast.blackhelicopters.org> References: <6.0.3.0.0.20040408102521.0948ea58@209.112.4.2> <26215.1081434517@critter.freebsd.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <26215.1081434517@critter.freebsd.dk> User-Agent: Mutt/1.4.1i X-Spam-Score: (0) X-Scanned-By: MIMEDefang 2.39 cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2004 14:43:24 -0000

On Thu, Apr 08, 2004 at 04:28:37PM +0200, Poul-Henning Kamp wrote:
>
>>Look at VPN14x1 from www.soekris.com, it's darn cheap too.

Thanks, phk!

For $79, it's cheap enough that I could put a whole stack of them in a machine. Can FreeBSD take advantage of multiple cards like that?

(Yes, that's a serious concern; I'm looking at 15,000 simultaneous users on a SSL Web site, and would prefer to avoid spending the big bucks on a so-called "hardware SSL accelerator.")

==ml

--
Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
Today's chance of throwing it all away to start a goat farm: 49.1%
http://www.BlackHelicopters.org/~mwlucas/

From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 08:15:15 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F343816A4CE for ; Thu, 8 Apr 2004 08:15:14 -0700 (PDT) Received: from snootles.jimz.net (snootles.jimz.net [69.55.224.55]) by mx1.FreeBSD.org (Postfix) with SMTP id A239643D1F for ; Thu, 8 Apr 2004 08:15:14 -0700 (PDT) (envelope-from jim@jimz.net) Received: (qmail 48971 invoked from network); 8 Apr 2004 15:15:01 -0000 Received: from unknown (HELO ?141.211.183.93?)
(jamesez@141.211.183.93) by snootles.jimz.net with (RC4-SHA encrypted) SMTP; 8 Apr 2004 15:15:01 -0000 Mime-Version: 1.0 (Apple Message framework v613) In-Reply-To: <20040408144135.GQ293@e-card.bg> References: <20040408115414.GA81875@bewilderbeast.blackhelicopters.org> <20040408144135.GQ293@e-card.bg> Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <8114E86C-896F-11D8-B637-000A95DA58FE@jimz.net> Content-Transfer-Encoding: 7bit From: Jim Zajkowski Date: Thu, 8 Apr 2004 11:15:00 -0400 To: security@freebsd.org X-Mailer: Apple Mail (2.613) X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on snootles.jimz.net X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=ham version=2.61 Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2004 15:15:15 -0000

On Apr 8, 2004, at 10:41 AM, Rumen Telbizov wrote:
> I spoke with rainbow (about cryptoswift)
> a month ago. Initially they told
> me there are drivers ... then they
> changed their minds ... and told
> me that FreeBSD is unsupported.
> I didn't clear the issue anyway.

I had the worst ever tech phone conversation with Rainbow support about the CSwift and FreeBSD. The box says FreeBSD, the manual says FreeBSD, the website said FreeBSD. The call went similar to this:

Me: I need to get the FreeBSD drivers for this card, please send them to me.
Them: We don't support FreeBSD anymore. I have old drivers.
Me: I don't care that you don't "support" it, I need the drivers you have.
Them: They're not supported.
Me: I got that. Send them to me anyway, I'll try and make it work.
Them: Well the drivers aren't supported.
Me: Look, the box, documentation, and website all say you have or had some support for this.
Them: Where in the manual does it say that? I bet you can't find it.
Me: (shouting) Page 11-153 (whatever it was, I don't have the manual anymore) says this card is supported under FreeBSD, AIX, [etc]
Them: The drivers aren't supported.
Me: I UNDERSTAND THAT, SEND THEM TO ME ANYWAY.
Them: I'm letting you know they're not supported.

In the end the drivers didn't work and I didn't have enough time to play around, so I unfortunately installed Dead Rat. If I were to do it over again, I'd buy the nCipher.

--Jim

--
Jim Zajkowski          OpenPGP 0x21135C3  http://www.jimz.net/pgp.asc
System Administrator   8A9E 1DDF 944D 83C3 AEAB 8F74 8697 A823 2113 5C53
UM Life Sciences Institute

From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 08:18:38 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E14EF16A4CE for ; Thu, 8 Apr 2004 08:18:38 -0700 (PDT) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 18BBC43D45 for ; Thu, 8 Apr 2004 08:18:38 -0700 (PDT) (envelope-from phk@phk.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.12.11/8.12.11) with ESMTP id i38FIXTD026487; Thu, 8 Apr 2004 17:18:33 +0200 (CEST) (envelope-from phk@phk.freebsd.dk) To: "Michael W. Lucas" From: "Poul-Henning Kamp" In-Reply-To: Your message of "Thu, 08 Apr 2004 10:43:22 EDT."
<20040408144322.GA83448@bewilderbeast.blackhelicopters.org> Date: Thu, 08 Apr 2004 17:18:33 +0200 Message-ID: <26486.1081437513@critter.freebsd.dk> cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2004 15:18:39 -0000

In message <20040408144322.GA83448@bewilderbeast.blackhelicopters.org>, "Michael W. Lucas" writes:
>On Thu, Apr 08, 2004 at 04:28:37PM +0200, Poul-Henning Kamp wrote:
>>
>>>Look at VPN14x1 from www.soekris.com, it's darn cheap too.
>
>Thanks, phk!
>
>For $79, it's cheap enough that I could put a whole stack of them in a
>machine. Can FreeBSD take advantage of multiple cards like that?

I think so, but I am not sure the code currently does load-sharing or just "try to find a card which can do this job" sharing. Maybe sam@ would know, you should probably ask him.

>(Yes, that's a serious concern; I'm looking at 15,000 simultaneous
>users on a SSL Web site, and would prefer to avoid spending the big
>bucks on a so-called "hardware SSL accelerator.")

Whee :-)

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 08:26:15 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F9D216A4CE for ; Thu, 8 Apr 2004 08:26:15 -0700 (PDT) Received: from smtp3.sentex.ca (smtp3.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1C94F43D55 for ; Thu, 8 Apr 2004 08:26:15 -0700 (PDT) (envelope-from mike@sentex.net) Received: from avscan2.sentex.ca (avscan2.sentex.ca [199.212.134.19]) by smtp3.sentex.ca (8.12.11/8.12.10) with ESMTP id i38FQ706086067; Thu, 8 Apr 2004 11:26:07 -0400 (EDT) (envelope-from mike@sentex.net) Received: from localhost (localhost [127.0.0.1]) by avscan2.sentex.ca (Postfix) with ESMTP id C3DDC59C96; Thu, 8 Apr 2004 11:26:09 -0400 (EDT) Received: from avscan2.sentex.ca ([127.0.0.1]) by localhost (avscan2.sentex.ca [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 54324-13; Thu, 8 Apr 2004 11:26:09 -0400 (EDT) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by avscan2.sentex.ca (Postfix) with ESMTP id AB2AA59C95; Thu, 8 Apr 2004 11:26:09 -0400 (EDT) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.11/8.12.11) with ESMTP id i38FQ8OI094573; Thu, 8 Apr 2004 11:26:08 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.0.3.0.0.20040408112048.07218a00@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.3.0 Date: Thu, 08 Apr 2004 11:26:38 -0400 To: "Poul-Henning Kamp" , "Michael W. Lucas" From: Mike Tancsa In-Reply-To: <26486.1081437513@critter.freebsd.dk> References: <26486.1081437513@critter.freebsd.dk> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by amavisd-new X-Virus-Scanned: by amavisd-new at (avscan2) sentex.ca cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2004 15:26:15 -0000

At 11:18 AM 08/04/2004, Poul-Henning Kamp wrote:
>In message <20040408144322.GA83448@bewilderbeast.blackhelicopters.org>,
>"Michael W. Lucas" writes:
> >(Yes, that's a serious concern; I'm looking at 15,000 simultaneous
> >users on a SSL Web site, and would prefer to avoid spending the big
> >bucks on a so-called "hardware SSL accelerator.")
>
>Whee :-)

Although the chip does asymmetric transformations, the driver does not. Check the man page:

The hifn driver registers itself to accelerate DES, Triple-DES, AES (7955 and 7956 only), ARC4, MD5, MD5-HMAC, SHA1, and SHA1-HMAC operations for

And even then, openssl is not necessarily tied to the card's functions. For sure des and aes do work, but in my limited tests against a server with apache-ssl installed, it doesn't seem to make use of the card.

Looking at a box with a crypto card installed,

% hifnstats
input 351328 bytes 4760 packets
output 351328 bytes 4760 packets
invalid 0 nomem 0 abort 0 noirq 0 unaligned 0 totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0
...

I then connect via https to that machine

% !hi
input 351328 bytes 4760 packets
output 351328 bytes 4760 packets
invalid 0 nomem 0 abort 0 noirq 0 unaligned 0 totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0

So it appears out of the box it doesn't make use of the card's capabilities.
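Two checks that follow from Mike's two messages (the wedge, where a process sits in state `crydev`, and the `hifnstats` counters that did not move across an https connection), written up here as an added shell example that is not part of the thread. The `hifnstats` snapshots and the `ps` listing are constructed in the format shown above; `user@host`, the PIDs and the "after" counter values are placeholders. On a real box you would capture the two snapshots with `hifnstats` around the workload and the process table with `ps -axo pid,stat,wchan,command`.

```shell
#!/bin/sh
# Added example, not from the thread.
#  1. Did a workload actually reach the card?  Diff the "packets" counter that
#     hifnstats(8) prints before and after the workload, as Mike did by hand.
#     No change means the crypto stayed in software (what he saw for https).
#  2. Is anything wedged on the card?  Flag processes in uninterruptible sleep
#     (STAT starting with "D") whose wait channel is "crydev", the state the
#     top(1) output above shows for the stuck ssh.
# Every sample below is constructed text in the format shown in the thread.

# Constructed hifnstats snapshot taken before the workload.
HIFN_BEFORE='input 351328 bytes 4760 packets
output 351328 bytes 4760 packets
invalid 0 nomem 0 abort 0 noirq 0 unaligned 0 totbatch 0 maxbatch 0'

# Identical counters afterwards: the card saw nothing.
HIFN_AFTER_IDLE="$HIFN_BEFORE"

# Counters advanced (constructed values): the workload was offloaded.
HIFN_AFTER_USED='input 1399904 bytes 18904 packets
output 1399904 bytes 18904 packets
invalid 0 nomem 0 abort 0 noirq 0 unaligned 0 totbatch 0 maxbatch 0'

# Constructed `ps -axo pid,stat,wchan,command` output; PID 648 is stuck in crydev,
# PID 647 is merely waiting on the pipe, PID 712 is an unrelated sshd.
PS_SAMPLE='  PID STAT WCHAN  COMMAND
  647 I+   pipdwt /usr/bin/openssl enc -des3 -in big -k passphrase
  648 D+   crydev ssh -c 3des user@host cat - > targetfile.enc
  712 S    select sshd: user@ttyp1'

# hifn_packets SNAPSHOT input|output -> packet counter for that direction.
# The counter is the 4th field of the "input ... packets" line.
hifn_packets() {
    printf '%s\n' "$1" | awk -v dir="$2" '$1 == dir { print $4; exit }'
}

# hifn_delta BEFORE AFTER -> input packets the card handled between snapshots.
hifn_delta() {
    before=$(hifn_packets "$1" input)
    after=$(hifn_packets "$2" input)
    echo $((after - before))
}

# card_used BEFORE AFTER -> exit 0 if the card processed anything, 1 if not.
card_used() {
    [ "$(hifn_delta "$1" "$2")" -gt 0 ]
}

# stuck_in_crydev PS_OUTPUT -> PIDs in uninterruptible sleep on the crypto device.
stuck_in_crydev() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 ~ /^D/ && $3 == "crydev" { print $1 }'
}

# Stand-alone report over the constructed samples.
if card_used "$HIFN_BEFORE" "$HIFN_AFTER_IDLE"; then
    echo "accelerator used: $(hifn_delta "$HIFN_BEFORE" "$HIFN_AFTER_IDLE") packets"
else
    echo "accelerator idle: the workload stayed in software"
fi
for pid in $(stuck_in_crydev "$PS_SAMPLE"); do
    echo "pid $pid is wedged on crydev"
done
```

The packet delta is the useful signal here: a TLS handshake that is really offloaded moves the counters even for a single connection, so a zero delta after an https request is a reliable "not offloaded" verdict, independent of what the application claims. The `crydev` check is the monitoring side of the wedge Mike describes; a process that stays in `D` state on `crydev` for more than a few seconds is exactly the symptom, and a cron job running it can page you before users notice.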
---Mike

From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 10:57:30 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A60A216A4CE for ; Thu, 8 Apr 2004 10:57:30 -0700 (PDT) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.44]) by mx1.FreeBSD.org (Postfix) with ESMTP id 94BA343D3F for ; Thu, 8 Apr 2004 10:57:30 -0700 (PDT) (envelope-from cswiger@mac.com) Received: from mac.com (smtpin01-en2 [10.13.10.146]) by smtpout.mac.com (8.12.6/MantshX 2.0) with ESMTP id i38HvU7j018101 for ; Thu, 8 Apr 2004 10:57:30 -0700 (PDT) Received: from [10.1.1.193] (nfw2.codefab.com [199.103.21.225] (may be forged)) (authenticated bits=0) by mac.com (Xserve/smtpin01/MantshX 3.0) with ESMTP id i38HvTZ2016638 for ; Thu, 8 Apr 2004 10:57:29 -0700 (PDT) Mime-Version: 1.0 (Apple Message framework v613) In-Reply-To: <6.0.3.0.0.20040408112048.07218a00@209.112.4.2> References: <26486.1081437513@critter.freebsd.dk> <6.0.3.0.0.20040408112048.07218a00@209.112.4.2> Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com> Content-Transfer-Encoding: 7bit From: Charles Swiger Date: Thu, 8 Apr 2004 13:57:23 -0400 X-Mailer: Apple Mail (2.613) cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2004 17:57:30 -0000

On Apr 8, 2004, at 11:26 AM, Mike Tancsa wrote:
> The hifn driver registers itself to accelerate DES, Triple-DES, AES
> (7955 and 7956 only), ARC4, MD5, MD5-HMAC, SHA1, and SHA1-HMAC
> operations for
>
> And even then, openssl is not necessarily tied to the card's
> functions.
> For sure des and aes do work, but in my limited tests
> against a server with apache-ssl installed, it doesn't seem to make use
> of the card.

I can second/confirm Mike's observations here. I've got a pair of HI/FN 7951 cards which get used by SSH if I select 3DES, but there is no sign that Apache attempts to use it for either the public-key RSA/DSA crypto during HTTPS session startup, nor later for the symmetric crypto.

--
-Chuck

From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 11:58:33 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7B99716A4CF for ; Thu, 8 Apr 2004 11:58:33 -0700 (PDT) Received: from seven.Alameda.net (seven.alameda.net [64.81.53.71]) by mx1.FreeBSD.org (Postfix) with ESMTP id 53A7343D49 for ; Thu, 8 Apr 2004 11:58:33 -0700 (PDT) (envelope-from ulf@Alameda.net) Received: by seven.Alameda.net (Postfix, from userid 1000) id 23B023A201; Thu, 8 Apr 2004 11:58:33 -0700 (PDT) Date: Thu, 8 Apr 2004 11:58:33 -0700 From: Ulf Zimmermann To: "Michael W. Lucas" Message-ID: <20040408185832.GS89845@seven.alameda.net> References: <6.0.3.0.0.20040408102521.0948ea58@209.112.4.2> <26215.1081434517@critter.freebsd.dk> <20040408144322.GA83448@bewilderbeast.blackhelicopters.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040408144322.GA83448@bewilderbeast.blackhelicopters.org> User-Agent: Mutt/1.4.1i Organization: Alameda Networks, Inc.
X-Operating-System: FreeBSD 4.8-RELEASE-p5 cc: Poul-Henning Kamp cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: ulf@Alameda.net List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2004 18:58:33 -0000 On Thu, Apr 08, 2004 at 10:43:22AM -0400, Michael W. Lucas wrote: > On Thu, Apr 08, 2004 at 04:28:37PM +0200, Poul-Henning Kamp wrote: > > >>Look at VPN14x1 from www.soekris.com, it's darn cheap too. > > Thanks, phk! > > For $79, it's cheap enough that I could put a whole stack of them in a > machine. Can FreeBSD take advantage of multiple cards like that? > > (Yes, that's a serious concern; I'm looking at 15,000 simultaneous > users on a SSL Web site, and would prefer to avoid spending the big > bucks on a so-called "hardware SSL accelerator.") > > ==ml > > -- > Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org > A cheap solution would also be to buy used Alteon iSD-100, they go for like $100-300 on ebay. Each can handle 7,000 connections and you can put together a cluster of 32 of them. I personal do like them although they are based on LinSux. Haven't tried to get FreeBSD on them (its an industrial cpu board with a 64MB compact flash). -- Regards, Ulf. 
--------------------------------------------------------------------- Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204 You can find my resume at: http://seven.Alameda.net/~ulf/resume.html From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 17:23:28 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E4B6B16A4CE for ; Thu, 8 Apr 2004 17:23:27 -0700 (PDT) Received: from hotmail.com (bay15-f49.bay15.hotmail.com [65.54.185.49]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD9AB43D5A for ; Thu, 8 Apr 2004 17:23:27 -0700 (PDT) (envelope-from slimmybaddog@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 8 Apr 2004 17:23:27 -0700 Received: from 213.5.19.78 by by15fd.bay15.hotmail.msn.com with HTTP; Fri, 09 Apr 2004 00:23:27 GMT X-Originating-IP: [213.5.19.78] X-Originating-Email: [slimmybaddog@hotmail.com] X-Sender: slimmybaddog@hotmail.com From: "slimmy baddog" To: freebsd-security@freebsd.org Date: Fri, 09 Apr 2004 00:23:27 +0000 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 09 Apr 2004 00:23:27.0762 (UTC) FILETIME=[E0EEAF20:01C41DC8] Subject: RE: SYN attacks X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Apr 2004 00:23:28 -0000 I am afraid that if you cut off all SYN packets from ports like 80 that Apache uses you might have problems ... Better write a line on your firewall so that you set up a limit per hour on the SYN packets a host can transmit ...
Regards >From: "Spades" >Reply-To: Spades >To: >CC: freebsd-security@freebsd.org >Subject: SYN attacks >Date: Wed, 7 Apr 2004 01:01:53 +0800 >MIME-Version: 1.0 >Received: from mx2.freebsd.org ([216.136.204.119]) by mc3-f13.hotmail.com >with Microsoft SMTPSVC(5.0.2195.6824); Tue, 6 Apr 2004 10:09:14 -0700 >Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18])by >mx2.freebsd.org (Postfix) with ESMTPid 8699156FD3; Tue, 6 Apr 2004 >10:05:26 -0700 (PDT)(envelope-from owner-freebsd-security@freebsd.org) >Received: from hub.freebsd.org (localhost [127.0.0.1])by hub.freebsd.org >(Postfix) with ESMTPid CDC6D16A51E; Tue, 6 Apr 2004 10:05:12 -0700 (PDT) >Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])by >hub.freebsd.org (Postfix) with ESMTPid 4C60D16A4CE; Tue, 6 Apr 2004 >10:04:57 -0700 (PDT) >Received: from smtp29.singnet.com.sg (smtp29.singnet.com.sg >[165.21.101.249])by mx1.FreeBSD.org (Postfix) with ESMTPid 2C45F43D53; Tue, > 6 Apr 2004 10:04:56 -0700 (PDT)(envelope-from spades@galaxynet.org) >Received: from bryanuptrvb0jc >(bb-203-125-35-50.singnet.com.sg[203.125.35.50])i36H1sjC016214; Wed, 7 Apr >2004 01:01:55 +0800 >X-Message-Info: JGTYoYF78jGSc2zcGoa7pUWP13FUwyhK >Delivered-To: freebsd-security@freebsd.org >Message-ID: <000d01c41bf8$dd24eac0$fa10fea9@bryanuptrvb0jc> >References:<6.1.0.5.2.20040406112456.00ab6ab8@localhost><49707.192.168.0.105.1081269392.squirrel@webmail.thilelli.net><200404061152.08455.algould@datawok.com> >X-MSMail-Priority: Normal >X-Mailer: Microsoft Outlook Express 6.00.2800.1158 >X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 >X-BeenThere: freebsd-security@freebsd.org >X-Mailman-Version: 2.1.1 >Precedence: list >List-Id: Security issues [members-only >posting] >List-Unsubscribe: >, >List-Archive: >List-Post: >List-Help: >List-Subscribe: >, >Errors-To: owner-freebsd-security@freebsd.org >Return-Path: owner-freebsd-security@freebsd.org >X-OriginalArrivalTime: 06 Apr 2004 17:09:17.0007 (UTC) 
>FILETIME=[E4A56DF0:01C41BF9] > >Heya, > >FREEBSD 4.9-STABLE > >Is there any way to block SYN attacks and prevent them from bringing down >my server? > >It's been attacking for some time. >_______________________________________________ >freebsd-security@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 21:41:34 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E92CD16A4CE for ; Thu, 8 Apr 2004 21:41:34 -0700 (PDT) Received: from phobos.osem.com (phobos.osem.com [66.92.67.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9E6A343D1D for ; Thu, 8 Apr 2004 21:41:34 -0700 (PDT) (envelope-from andy@lewman.com) Received: by phobos.osem.com (Postfix, from userid 1001) id 1EF4F29D; Fri, 9 Apr 2004 00:41:34 -0400 (EDT) Date: Fri, 9 Apr 2004 00:41:34 -0400 From: andy@lewman.com To: security@freebsd.org Message-ID: <20040409044134.GA40379@phobos.osem.com> References: <26486.1081437513@critter.freebsd.dk> <6.0.3.0.0.20040408112048.07218a00@209.112.4.2> <3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com> User-Agent: Mutt/1.4.2.1i X-phase_of_moon: The Moon is Waning Gibbous (82% of Full) Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Apr 2004 04:41:35 -0000
In my completely unscientific tests just now before heading off to bed, The 4.9 kernel without hifn in it, apache-ssl is clearly using main cpu under artificial heavy load. Put back in hifn, same test, cpu is hovering at 90% idle, and apache-ssl is cranking away. This is with the Soekris 14xx card, reported as: hifn0: Hifn 7955, rev 0, 32KB dram, 64 sessions I know the 7955 is the latest chipset and supports more than the older 7951 cards. : : I can second/confirm Mike's observations here. : : I've got a pair of HI/FN 7951 cards which gets used by SSH if I select : 3DES, but there is no sign that Apache attempts to use it for either : the public-key RSA/DSA crypto during HTTPS session startup, nor later : for the symmetric crypto. : : -- : -Chuck : : _______________________________________________ -- Andrew From owner-freebsd-security@FreeBSD.ORG Fri Apr 9 02:06:30 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E92E916A4CE for ; Fri, 9 Apr 2004 02:06:30 -0700 (PDT) Received: from cray.e-card.bg (mjak.e-card.bg [212.91.167.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id A271843D31 for ; Fri, 9 Apr 2004 02:06:29 -0700 (PDT) (envelope-from altares@cray.e-card.bg) Received: from cray.e-card.bg (localhost [127.0.0.1]) by cray.e-card.bg (8.12.9/8.12.9) with ESMTP id i399775k031491; Fri, 9 Apr 2004 12:07:07 +0300 (EEST) (envelope-from altares@cray.e-card.bg) Received: (from altares@localhost) by cray.e-card.bg (8.12.9/8.12.9/Submit) id i39975C2031490; Fri, 9 Apr 2004 12:07:05 +0300 (EEST) Date: Fri, 9 Apr 2004 12:07:05 +0300 From: Rumen Telbizov To: Charles Swiger Message-ID: <20040409090705.GS293@e-card.bg> References: <26486.1081437513@critter.freebsd.dk> <6.0.3.0.0.20040408112048.07218a00@209.112.4.2> <3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: 
<3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com> User-Agent: Mutt/1.4.2.1i cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Apr 2004 09:06:31 -0000 Hi > I can second/confirm Mike's observations here. > > I've got a pair of HI/FN 7951 cards which gets used by SSH if I select > 3DES, but there is no sign that Apache attempts to use it for either > the public-key RSA/DSA crypto during HTTPS session startup, nor later > for the symmetric crypto. Excuse my ignorance but I think it would be appropriate to clarify the architecture of using crypto cards with openssl. Sorry if this has been discussed. I assume the following:
1. We have an ssl library - openssl.
2. We have crypto card(s) installed.
3. We have applications using openssl functions, say mod_ssl, ssh.
If the crypto card is supported, then openssl should be able to use its registered functions - say 3DES. If both ssh and mod_ssl use the same library - openssl - and its functions (3DES), how come that one application benefits from the hardware acceleration and the other one does not?! If there are other details that I'm missing in this picture I'll be glad to know them.
Thank you Rumen Telbizov From owner-freebsd-security@FreeBSD.ORG Fri Apr 9 02:36:30 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4274116A4CE for ; Fri, 9 Apr 2004 02:36:30 -0700 (PDT) Received: from smtp.netli.com (ip2-pal-focal.netli.com [66.243.52.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id CE27343D48 for ; Fri, 9 Apr 2004 02:36:29 -0700 (PDT) (envelope-from vlm@netli.com) Received: (qmail 24051 invoked by uid 84); 9 Apr 2004 09:36:30 -0000 Received: from vlm@netli.com by l3-1 with qmail-scanner-0.96 (uvscan: v4.1.40/v4121. . Clean. Processed in 0.183761 secs); 09 Apr 2004 09:36:30 -0000 Received: from unknown (HELO netli.com) (172.17.1.12) by mx01-pal-lan.netli.lan with SMTP; 9 Apr 2004 09:36:29 -0000 Message-ID: <40766EE2.9040708@netli.com> Date: Fri, 09 Apr 2004 02:37:38 -0700 From: Lev Walkin Organization: Netli, Inc. User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040307 X-Accept-Language: ru, en-us, en MIME-Version: 1.0 To: Rumen Telbizov References: <26486.1081437513@critter.freebsd.dk> <6.0.3.0.0.20040408112048.07218a00@209.112.4.2> <3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com> <20040409090705.GS293@e-card.bg> In-Reply-To: <20040409090705.GS293@e-card.bg> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Apr 2004 09:36:30 -0000 Rumen Telbizov wrote: > Hi > > >>I can second/confirm Mike's observations here. 
>> >>I've got a pair of HI/FN 7951 cards which gets used by SSH if I select >>3DES, but there is no sign that Apache attempts to use it for either >>the public-key RSA/DSA crypto during HTTPS session startup, nor later >>for the symmetric crypto. > > > > Excuse my ignorance but I think it would be appropriate > to clearify the architecture of using cryptocards with > openssl. > Sorry if this has been discussed. > > I assume the following: > 1. We have an ssl library - openssl. > 2. We have a crypto card(s) installed. > 3. We have applications using > openssl functions say mod_ssl, ssh. > > If the crypto card is supported, then > openssl should be able to use its registered > functions - say 3DES. A small correction here: the main thing to accelerate in SSL is usually not a symmetric cipher (3DES, AES, etc), but an asymmetric one (i.e., RSA), where the typical application wastes most of the CPU time. > If both ssh and mod_ssl use the same > library - openssl - and its functions (3DES), > how come that one application benefits > from the hardware acceleration and > the other one does not?! In order to take advantage of the underlying hardware, openssl either uses its own code for dealing with the hardware, or contains a wrapper which in turn employs the vendor-provided library installed on that host (typically, a shared library which will be attached by openssl during its initialization/setting up sequence). However, as 1) the host machine may have several hardware accelerators, and/or 2) it is not generally known whether the requesting application really WANTS to accelerate things, openssl needs to be explicitly initialized by the application to take advantage of additional hardware. Typically, it may be done by either specifying the type of hardware at that application's configuration level, or an application itself may contain some defaults or a "use first available crypto card" call to openssl.
IT DEPENDS FROM APPLICATION TO APPLICATION, so the fact that every application on your host uses openssl does not automatically mean that they'll use the accelerators. It may well be so that one application uses one crypto card, and another one uses a completely separate one, all being on a single machine. Further reading: man engine # This is an openssl hardware abstraction, mostly by Geoff Thorpe > If there are other details that I'm missing > in this picture I'll be glad to know them. > > Thank you > > Rumen Telbizov > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- Lev Walkin vlm@netli.com From owner-freebsd-security@FreeBSD.ORG Fri Apr 9 03:10:46 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D2A2D16A4CE for ; Fri, 9 Apr 2004 03:10:46 -0700 (PDT) Received: from cray.e-card.bg (mjak.e-card.bg [212.91.167.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id DD79743D41 for ; Fri, 9 Apr 2004 03:10:45 -0700 (PDT) (envelope-from altares@cray.e-card.bg) Received: from cray.e-card.bg (localhost [127.0.0.1]) by cray.e-card.bg (8.12.9/8.12.9) with ESMTP id i39ABO5k032389; Fri, 9 Apr 2004 13:11:24 +0300 (EEST) (envelope-from altares@cray.e-card.bg) Received: (from altares@localhost) by cray.e-card.bg (8.12.9/8.12.9/Submit) id i39ABLE4032388; Fri, 9 Apr 2004 13:11:21 +0300 (EEST) Date: Fri, 9 Apr 2004 13:11:21 +0300 From: Rumen Telbizov To: Lev Walkin Message-ID: <20040409101121.GT293@e-card.bg> References: <26486.1081437513@critter.freebsd.dk> <6.0.3.0.0.20040408112048.07218a00@209.112.4.2> <3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com> <20040409090705.GS293@e-card.bg> <40766EE2.9040708@netli.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline In-Reply-To: <40766EE2.9040708@netli.com> User-Agent: Mutt/1.4.2.1i cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Apr 2004 10:10:47 -0000 First of all, thank you for your reply! > >If the crypto card is supported, then > >openssl should be able to use its registered > >functions - say 3DES. > > A small correction here: the main thing to accelerate in SSL is usually not > a symmetric cipher (3DES, AES, etc), but an asymmetric one (i.e., RSA), > where the typical application waste most of the CPU time. Absolutely !!! > >If both ssh and mod_ssl use the same > >library - openssl - and its functions (3DES), > >how come that one application benefits > >from the hardware acceleration and > >the other one does not?! > > In order to take advantage of the underlying hardware, openssl > either uses their own code for dealing with hardware, or contains > a wrapper which in turn employs the vendor-provided library installed > on that host (typically, a shared library which will be attached by openssl > during its initialization/setting up sequence). > > However, as > 1) the host machine may have several hardware accelerators, and/or > 2) it is not generally known whether requesting application really > WANTS to accelerate things, > the openssl needs to be explicitly initialized by the application to > take advantage of additional hardware. Typically, it may done by either > specifying the type of hardware at that application's configuration level, > or an application itself may contain some defaults or "use first available > crypto card" call to openssl. 
IT DEPENDS FROM APPLICATION TO APPLICATION, > so the fact that every application on your host use openssl does not > automatically mean that they'll use the accelerators. It well may be so that > one application uses one crypto card, and another one uses a completely > separate one, all being on a single machine. Thanks. I didn't know that. So it seems that mod_ssl does NOT tell openssl to try to use ANY of the crypto cards, right? What could possibly be the reason that one application would not want to use the hardware acceleration!? To leave resources for others? I couldn't find any options for mod_ssl to enable usage of crypto cards anyway. > > Further reading: > > man engine # This is an openssl hardware abstraction, mostly by Geoff Thorpe Thanks Rumen Telbizov From owner-freebsd-security@FreeBSD.ORG Fri Apr 9 03:24:30 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6507016A4CE for ; Fri, 9 Apr 2004 03:24:30 -0700 (PDT) Received: from smtp.netli.com (ip2-pal-focal.netli.com [66.243.52.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1819143D6A for ; Fri, 9 Apr 2004 03:24:30 -0700 (PDT) (envelope-from vlm@netli.com) Received: (qmail 26767 invoked by uid 84); 9 Apr 2004 10:24:30 -0000 Received: from vlm@netli.com by l3-1 with qmail-scanner-0.96 (uvscan: v4.1.40/v4121. . Clean. Processed in 0.181891 secs); 09 Apr 2004 10:24:30 -0000 Received: from unknown (HELO netli.com) (172.17.1.12) by mx01-pal-lan.netli.lan with SMTP; 9 Apr 2004 10:24:30 -0000 Message-ID: <40767A22.7020900@netli.com> Date: Fri, 09 Apr 2004 03:25:38 -0700 From: Lev Walkin Organization: Netli, Inc.
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040307 X-Accept-Language: ru, en-us, en MIME-Version: 1.0 To: Rumen Telbizov References: <26486.1081437513@critter.freebsd.dk> <6.0.3.0.0.20040408112048.07218a00@209.112.4.2> <3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com> <20040409090705.GS293@e-card.bg> <40766EE2.9040708@netli.com> <20040409101121.GT293@e-card.bg> In-Reply-To: <20040409101121.GT293@e-card.bg> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Apr 2004 10:24:30 -0000 Rumen Telbizov wrote: > >>>If both ssh and mod_ssl use the same >>>library - openssl - and its functions (3DES), >>>how come that one application benefits >> >>>from the hardware acceleration and >> >>>the other one does not?! >> >>In order to take advantage of the underlying hardware, openssl >>either uses their own code for dealing with hardware, or contains >>a wrapper which in turn employs the vendor-provided library installed >>on that host (typically, a shared library which will be attached by openssl >>during its initialization/setting up sequence). >> >>However, as >> 1) the host machine may have several hardware accelerators, and/or >> 2) it is not generally known whether requesting application really >> WANTS to accelerate things, >>the openssl needs to be explicitly initialized by the application to >>take advantage of additional hardware. Typically, it may done by either >>specifying the type of hardware at that application's configuration level, >>or an application itself may contain some defaults or "use first available >>crypto card" call to openssl. 
IT DEPENDS FROM APPLICATION TO APPLICATION, >>so the fact that every application on your host use openssl does not >>automatically mean that they'll use the accelerators. It well may be so that >>one application uses one crypto card, and another one uses a completely >>separate one, all being on a single machine. > > > Thanks. I didn't know that. > So it seems that mod_ssl does NOT tell the openssl to try to > use ANY of the crypto cards right? What possible may be > the reason that one application would not want to use > the hardware acceleration!? To leave resourses for other? > > I couldn't find any options for mod_ssl to enable > usage of crypto cards anyway. Option names are: for www/apache13-ssl port: SSLEngineID for www/apache13-modssl: SSLCryptoDevice By the way, Google is very helpful in finding the SSLEngineID. It shows over four documents in return %-) >>Further reading: >> >>man engine # This is an openssl hardware abstraction, mostly by Geoff Thorpe > > Thanks > > Rumen Telbizov -- Lev Walkin vlm@netli.com From owner-freebsd-security@FreeBSD.ORG Fri Apr 9 09:29:45 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 77F7216A4CE for ; Fri, 9 Apr 2004 09:29:45 -0700 (PDT) Received: from orhi.sarenet.es (orhi.sarenet.es [192.148.167.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0323443D31 for ; Fri, 9 Apr 2004 09:29:45 -0700 (PDT) (envelope-from borjamar@sarenet.es) Received: from [127.0.0.1] (matahari.sarenet.es [192.148.167.18]) by orhi.sarenet.es (Postfix) with ESMTP id 993DF7A49DD for ; Fri, 9 Apr 2004 18:29:41 +0200 (MEST) Mime-Version: 1.0 (Apple Message framework v613) In-Reply-To: <611C2010-86E9-11D8-A962-000A95776E22@freebsd.ady.ro> References: <611C2010-86E9-11D8-A962-000A95776E22@freebsd.ady.ro> Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <241D3934-8A43-11D8-863D-000393C94468@sarenet.es> 
Content-Transfer-Encoding: 7bit From: Borja Marcos Date: Fri, 9 Apr 2004 18:29:58 +0200 To: freebsd-security@freebsd.org X-Mailer: Apple Mail (2.613) Subject: Re: Q: Controlling access at the Ethernet level X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Apr 2004 16:29:45 -0000 > We have thought about using static MAC entries per port on managed > switches installed at the client endpoints, but that would require a > overwhelming budget. We are also thinking about L2TP and PPPoE, but I > am uncertain about compatibility. > > What would you recommand ? Are there any other elegant solutions ? > > I also heard about 802.1x technology and seems to be an interesting > and professional alternative; I just don't know how well supported is > on the server side, namely FreeBSD. 802.1x needs switch support. A switch supporting 802.1x will probably support MAC address filtering at the port level. The same can be said about using VLANs; you would need a switch with multi-VLAN port support, something quite variable between manufacturers. Anyway, stackable switches in the $600 - $1000 price range would do it. Look at Cisco Catalyst or HP ProCurve. (Look at the low end of both, not the high-end models) Borja. 
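Picking up the crypto accelerator thread from above: Lev's point is that an OpenSSL engine is only used when the application asks for it (SSLCryptoDevice for apache13-modssl, SSLEngineID for apache13-ssl), and Mike's and Chuck's observations show that the card being present and used by ssh says nothing about what Apache's RSA handshakes are doing. The script below is an added example for checking that, not something posted in this thread. It assumes an `openssl` binary built with engine support and the FreeBSD cryptodev engine (engine id "cryptodev", which drives hifn(4) and friends through /dev/crypto); both are assumptions, as is the `openssl speed` output layout it parses. The idea is to compare the RSA sign/s figure from `openssl speed` with and without `-engine`: `openssl engine -t cryptodev` only proves the engine loads, while a sign rate that does not move proves the work is still in software.

```sh
#!/bin/sh
# Added example (not from the thread): is OpenSSL's RSA work actually going
# through a crypto engine? Compare `openssl speed` with and without -engine.
# Assumptions: an openssl with engine support, engine id "cryptodev" (FreeBSD's
# /dev/crypto front end), and the `openssl speed rsa` output layout below.
# Note that the ENGINE API is deprecated in OpenSSL 3.x, where -engine may be absent.

# Extract the "sign/s" column for one key size from `openssl speed rsa` output.
# Constructed sample of the 1.x layout (3.x adds encrypt/decrypt columns; the
# header is used to find the right column in either case):
#                   sign    verify    sign/s verify/s
# rsa 1024 bits 0.000072s 0.000004s  13906.4 232883.4
parse_rsa_signs_per_sec() {
    # $1 = key size in bits, e.g. 1024; prints "0" if no matching line was seen
    awk -v bits="$1" '
        $1 == "sign" { for (i = 1; i <= NF; i++) if ($i == "sign/s") col = i + 3 }
        $1 == "rsa" && $2 == bits && $3 == "bits" && col { print $col; found = 1 }
        END { if (!found) print "0" }'
}

# Run openssl speed for rsa<bits>, optionally through an engine, and print sign/s.
rsa_signs_per_sec() {
    # $1 = bits, $2 = engine id, or empty for the software implementation
    if [ -n "$2" ]; then
        openssl speed -engine "$2" "rsa$1" 2>/dev/null
    else
        openssl speed "rsa$1" 2>/dev/null
    fi | parse_rsa_signs_per_sec "$1"
}

# Classify the two measurements: prints "engine", "software" or "unknown".
# Anything within 10% is treated as the same code path; a real offload (or a
# slow card on a fast CPU) moves the number far more than that.
classify_rsa_path() {
    # $1 = software sign/s, $2 = engine sign/s
    awk -v sw="$1" -v hw="$2" 'BEGIN {
        if (sw <= 0 || hw <= 0) { print "unknown"; exit }
        d = hw - sw; if (d < 0) d = -d
        if (d / sw > 0.10) print "engine"; else print "software"
    }'
}

# Put it together: verify the engine loads, then measure both paths.
check_engine_rsa() {
    # $1 = engine id (default cryptodev), $2 = key size (default 1024)
    engine="${1:-cryptodev}"; bits="${2:-1024}"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    openssl engine -t "$engine" >/dev/null 2>&1 || { echo "engine $engine not available" >&2; return 1; }
    sw=$(rsa_signs_per_sec "$bits" "")
    hw=$(rsa_signs_per_sec "$bits" "$engine")
    echo "rsa$bits sign/s: software=$sw $engine=$hw -> $(classify_rsa_path "$sw" "$hw")"
}

# Usage: check_engine_rsa cryptodev 1024
```

Run `check_engine_rsa cryptodev 1024` on the web server itself. If the two numbers match, the engine is loaded but idle for RSA, which is the symptom described in the thread; then look at the application's engine directive (SSLCryptoDevice or SSLEngineID, set to the same engine id) rather than at the kernel driver. `openssl engine -c cryptodev` lists which algorithms the engine registers, which is the other thing to compare against what the application actually uses.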
From owner-freebsd-security@FreeBSD.ORG Sat Apr 10 05:11:25 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F2AEF16A4CE for ; Sat, 10 Apr 2004 05:11:24 -0700 (PDT) Received: from wildwind.hq.panda.bg (wildwind.hq.panda.bg [217.75.134.65]) by mx1.FreeBSD.org (Postfix) with SMTP id D829643D39 for ; Sat, 10 Apr 2004 05:11:23 -0700 (PDT) (envelope-from mailinglists@hq.panda.bg) Received: (qmail 42100 invoked by uid 89); 10 Apr 2004 12:11:23 -0000 Received: from unknown (HELO NIK) (192.168.5.100) by wildwind.hq.panda.bg with SMTP; 10 Apr 2004 12:11:21 -0000 Date: Sat, 10 Apr 2004 15:12:33 +0300 From: Nikolay Petrov Organization: Office 1 Superstore - Bulgaria X-Priority: 3 (Normal) Message-ID: <1185611253.20040410151233@hq.panda.bg> To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned-wildwind: by Nik's Monitoring Daemon (parser4: AMaViS perl-11j - 23 Feb 2004 11:22:15 EET) X-Virus-Scanner-Info-wildwind: Scan Engine v4.1.60, DAT files v4350 created Apr 08 2004 Subject: IPSec debug X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Nikolay Petrov List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 10 Apr 2004 12:11:25 -0000 Hi, I have a FreeBSD box with a network interface having the IP address y.y.y.y. On the same box I configured the following IPsec policies to process traffic from a hardware IPsec-enabled device.
spdadd 0.0.0.0/0 x.x.x.x/24 any -P out ipsec esp/tunnel/y.y.y.y-z.z.z.z/require;
spdadd x.x.x.x/24 0.0.0.0/0 any -P in ipsec esp/tunnel/z.z.z.z-y.y.y.y/require;
Is it possible to see decrypted incoming packets, and outgoing packets before they are encrypted? -- Best regards, Nikolay mailinglists@hq.panda.bg From owner-freebsd-security@FreeBSD.ORG Sat Apr 10 05:32:55 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 08E1216A4CE for ; Sat, 10 Apr 2004 05:32:55 -0700 (PDT) Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7A00F43D31 for ; Sat, 10 Apr 2004 05:32:54 -0700 (PDT) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from transport.cksoft.de (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id 8D4321FF931; Sat, 10 Apr 2004 14:32:52 +0200 (CEST) Received: by transport.cksoft.de (Postfix, from userid 66) id 8BC311FF91D; Sat, 10 Apr 2004 14:32:50 +0200 (CEST) Received: by mail.int.zabbadoz.net (Postfix, from userid 1060) id 70D8C154DB; Sat, 10 Apr 2004 12:32:36 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.int.zabbadoz.net (Postfix) with ESMTP id 665EA154DA; Sat, 10 Apr 2004 12:32:36 +0000 (UTC) Date: Sat, 10 Apr 2004 12:32:36 +0000 (UTC) From: "Bjoern A.
Zeeb" X-X-Sender: bz@e0-0.zab2.int.zabbadoz.net To: Nikolay Petrov In-Reply-To: <1185611253.20040410151233@hq.panda.bg> Message-ID: References: <1185611253.20040410151233@hq.panda.bg> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS cksoft-s20020300-20031204bz on transport.cksoft.de cc: freebsd-security@freebsd.org Subject: Re: IPSec debug X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 10 Apr 2004 12:32:55 -0000 On Sat, 10 Apr 2004, Nikolay Petrov wrote: Hi, > I have FreeBSD box with network interface having y.y.y.y ip address. > On same box i configure next ipsec ploicys to process trafic from > hardware ipsec enabled device. > > spdadd 0.0.0.0/0 x.x.x.x/24 any -P out ipsec esp/tunnel/y.y.y.y-z.z.z.z/require; > spdadd x.x.x.x/24 0.0.0.0/0 any -P in ipsec esp/tunnel/z.z.z.z-y.y.y.y/require; > > Is it possible to see decrypted incoming packets, and outgoing packets > before are they encrypted IMHO no. I think OpenBSD has if_enc(4) for this. -- Bjoern A. 
Zeeb bzeeb at Zabbadoz dot NeT 56 69 73 69 74 http://www.zabbadoz.net/ From owner-freebsd-security@FreeBSD.ORG Sat Apr 10 06:18:59 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2AFCC16A4CF for ; Sat, 10 Apr 2004 06:18:59 -0700 (PDT) Received: from wildwind.hq.panda.bg (wildwind.hq.panda.bg [217.75.134.65]) by mx1.FreeBSD.org (Postfix) with SMTP id 0E92E43D3F for ; Sat, 10 Apr 2004 06:18:58 -0700 (PDT) (envelope-from mailinglists@hq.panda.bg) Received: (qmail 43563 invoked by uid 89); 10 Apr 2004 13:18:55 -0000 Received: from unknown (HELO NIK) (192.168.5.100) by wildwind.hq.panda.bg with SMTP; 10 Apr 2004 13:18:53 -0000 Date: Sat, 10 Apr 2004 16:20:06 +0300 From: Nikolay Petrov Organization: Office 1 Superstore - Bulgaria X-Priority: 3 (Normal) Message-ID: <16305093.20040410162006@hq.panda.bg> To: "Bjoern A. Zeeb" In-Reply-To: References: <1185611253.20040410151233@hq.panda.bg> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned-wildwind: by Nik's Monitoring Daemon (parser4: AMaViS perl-11j - 23 Feb 2004 11:22:15 EET) X-Virus-Scanner-Info-wildwind: Scan Engine v4.1.60, DAT files v4350 created Apr 08 2004 cc: freebsd-security@freebsd.org Subject: Re[2]: IPSec debug X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Nikolay Petrov List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 10 Apr 2004 13:18:59 -0000 Hello Bjoern, Saturday, April 10, 2004, 3:32:36 PM, you wrote: BAZ> On Sat, 10 Apr 2004, Nikolay Petrov wrote: BAZ> Hi, >> I have FreeBSD box with network interface having y.y.y.y ip address. >> On same box i configure next ipsec ploicys to process trafic from >> hardware ipsec enabled device. 
>> >> spdadd 0.0.0.0/0 x.x.x.x/24 any -P out ipsec >> esp/tunnel/y.y.y.y-z.z.z.z/require; >> spdadd x.x.x.x/24 0.0.0.0/0 any -P in ipsec >> esp/tunnel/z.z.z.z-y.y.y.y/require; >> >> Is it possible to see decrypted incoming packets, and outgoing packets >> before are they encrypted BAZ> IMHO no. I think OpenBSD has if_enc(4) for this. Does this have some relation to the KAME project, because the enc(4) interface is only available in OpenBSD? NetBSD also has the same limitation. -- Best regards, Nikolay mailinglists@hq.panda.bg From owner-freebsd-security@FreeBSD.ORG Sat Apr 10 20:40:35 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5611916A4CE for ; Sat, 10 Apr 2004 20:40:35 -0700 (PDT) Received: from main.gmane.org (main.gmane.org [80.91.224.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id B712B43D48 for ; Sat, 10 Apr 2004 20:40:34 -0700 (PDT) (envelope-from freebsd-security@m.gmane.org) Received: from root by main.gmane.org with local (Exim 3.35 #1 (Debian)) id 1BCVph-0006ub-00 for ; Sun, 11 Apr 2004 05:40:33 +0200 Received: from rivendell.silverdream.org ([62.3.223.135]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sun, 11 Apr 2004 05:40:33 +0200 Received: from jamie+gmane by rivendell.silverdream.org with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sun, 11 Apr 2004 05:40:33 +0200 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-security@freebsd.org From: "Jamie L. Penman-Smithson" Date: Sat, 10 Apr 2004 03:27:59 +0100 Organization: Silverdream I.S.
Lines: 27 Message-ID: References: <20040407154220.GA5651@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Complaints-To: usenet@sea.gmane.org X-Gmane-NNTP-Posting-Host: rivendell.silverdream.org User-Agent: Pan/0.14.2.91 (As She Crawled Across the Table (Debian GNU/Linux)) Sender: news Subject: Re: Changing `security@freebsd.org' alias X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: jamie+gmane@silverdream.org List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Apr 2004 03:40:35 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 07 Apr 2004 10:42:20 -0500, Jacques A. Vidrine scribbled down: > Mistaken early disclosure of a vulnerability can have consequences > from the merely embarrasing to catastrophic. Therefore, I am > proposing that `security@freebsd.org' be re-routed to the Security > Officer. [...] I wholeheartedly agree! Go for it! :) -- -jamie | spamtrap: spam@silverdream.org w: http://www.silverdream.org | p: sms@silverdream.org pgp key @ http://silverdream.org/~jps/pub.key 02:30:01 up 5 days, 3:34, 11 users, load average: 0.03, 0.13, 0.16 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAd1ugx2omo/Dc/KgRAskwAKCh2DAhPT2f9qwKa7Dinm3UCQUC6gCfYPpx j0akV22BkvYbD6fjY8hxNs4= =aNu3 -----END PGP SIGNATURE-----