From: Archie Cobbs <archie@whistle.com>
To: bertke@bellsouth.net (Bert Kellerman)
Cc: security@FreeBSD.ORG
Subject: Re: GRE/IP 47/PPTP
Date: Sun, 24 Oct 1999 20:38:47 -0700 (PDT)
Message-Id: <199910250338.UAA32711@bubba.whistle.com>
In-Reply-To: <38114983.15EEE676@bellsouth.net> from Bert Kellerman at "Oct 23, 1999 05:37:08 am"

Bert Kellerman writes:
> > True in general.. however, if all you're using GRE for is PPTP, then
> > you can multiplex on the call identifier in the PPTP/GRE header.
> >
> > -Archie
> >
>
> Are you referring to the optional 32 bit key field in the GRE
> header? Won't the packet on the way back in have a different key
> field, as this is used for authenticating the sender, and change?
> The natd implementation would then need a way to calculate the
> expected return key field to differentiate between connections.
> However, since there is a 32 bit sequence number in the GRE header
> like TCP, I wonder if it would be possible for the router to recreate
> the internal sequence numbers and assign each internal client a
> limited pool out of the 32 bit outside sequence block. Could this
> be possible? I mean how many times has a single TCP session used
> all 4 million sequence numbers? RFC 1701 states that this sequence
> number field is also optional so this might not work for all vendors.

No, read the PPTP RFC and look for the call ID.
PPTP has its own custom version of the GRE header.

  http://www.es.net/pub/rfcs/rfc2637.txt

You spoof the Call ID just like normal natd spoofs TCP/UDP port
numbers. You would also have to swizzle the data inside the control
stream, to spoof the Call ID there as well.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com
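As an added illustration of the Call ID translation Archie describes (this is not code from the thread or from natd), the following Python models it: parse the RFC 2637 enhanced GRE header, allocate one external Call ID per inside (host, Call ID) pair, and rewrite that ID both in inbound GRE packets and in the Outgoing-Call-Request / Outgoing-Call-Reply control messages. Field offsets follow RFC 2637; the `PptpNat` class, its table layout and the sample packets in the test are assumptions made here.

```python
import struct

GRE_PROTO_PPTP = 0x880B      # RFC 2637 4.1: Protocol Type of the enhanced GRE header
PPTP_MAGIC = 0x1A2B3C4D      # RFC 2637 2: magic cookie in every control message
OUT_CALL_REQ, OUT_CALL_REPLY = 7, 8

def parse_pptp_gre(pkt):
    """Split an RFC 2637 enhanced GRE header into its fields."""
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    # K must be set and the version must be 1; C is 0, so there is no GRE checksum to fix
    if proto != GRE_PROTO_PPTP or not (flags & 0x2000) or (flags & 7) != 1:
        raise ValueError("not a PPTP enhanced GRE header")
    off, seq, ack = 8, None, None
    if flags & 0x1000:                        # S bit: sequence number present
        seq = struct.unpack("!I", pkt[off:off + 4])[0]; off += 4
    if flags & 0x0080:                        # A bit: acknowledgment number present
        ack = struct.unpack("!I", pkt[off:off + 4])[0]; off += 4
    return {"call_id": call_id, "payload_len": payload_len,
            "seq": seq, "ack": ack, "hdr_len": off}

class PptpNat:
    """Hypothetical natd-style Call ID table for one external address."""
    def __init__(self):
        self.out, self.inb, self.next_id = {}, {}, 1

    def control_outbound(self, host, msg):
        """Rewrite the Call ID (offset 12) of an Outgoing-Call-Request leaving the LAN."""
        magic, ctype = struct.unpack("!IH", msg[4:10])
        if magic != PPTP_MAGIC or ctype != OUT_CALL_REQ:
            return msg                        # other control messages pass through
        key = (host, struct.unpack("!H", msg[12:14])[0])
        if key not in self.out:               # unique across all inside hosts
            self.out[key] = self.next_id; self.inb[self.next_id] = key; self.next_id += 1
        return msg[:12] + struct.pack("!H", self.out[key]) + msg[14:]

    def control_inbound(self, msg):
        """Undo the rewrite in the Peer's Call ID (offset 14) of an Outgoing-Call-Reply."""
        magic, ctype = struct.unpack("!IH", msg[4:10])
        if magic != PPTP_MAGIC or ctype != OUT_CALL_REPLY:
            return None, msg
        host, inside_id = self.inb[struct.unpack("!H", msg[14:16])[0]]
        return host, msg[:14] + struct.pack("!H", inside_id) + msg[16:]

    def gre_inbound(self, pkt):
        """Return (inside host, packet) with the external Call ID mapped back."""
        host, inside_id = self.inb[parse_pptp_gre(pkt)["call_id"]]
        return host, pkt[:6] + struct.pack("!H", inside_id) + pkt[8:]
```

The GRE header carries no checksum (C bit clear), so the data packet rewrite touches only the two Call ID bytes; the control stream runs over TCP, where the checksum must be recomputed, as natd already does for port rewrites.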