From owner-freebsd-security@FreeBSD.ORG Fri Apr 1 15:14:51 2011
Date: Fri, 1 Apr 2011 15:14:47 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: freebsd-security@freebsd.org
Subject: on "BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload"

Hi,

as some IPSec users might be worried about the "BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload" from http://seclists.org/fulldisclosure/2011/Apr/0 , here's some braindump:

To be affected it's believed that you need to

1) manually compile in IPSEC (not done in GENERIC or the release),
2) have an entry for ipcomp in your security associations. You may also want to check what you negotiate with trusted peers if you use IKE.
3) an attacker needs to know the endpoint addresses (and the CID) to send you a nastygram.
4) if you require an outer ESP between peers, it's a matter of how much you trust your peer.

FreeBSD will not panic; you may however be able to "store" packets in the network stack for IPv4 and see the netstat -s -p ipcomp "packets in" counter go up quickly. IPv6 has a net.inet6.ip6.hdrnestlimit of 15 by default and will throw away the packet after that many iterations.
A mitigation change for the directly recursive case was just committed to HEAD:
http://svn.freebsd.org/viewvc/base?view=revision&revision=220247

Similar patches for other branches (untested) are available:

HEAD and STABLE/8 (include the V_irtualization):
http://people.freebsd.org/~bz/20110401-02-ipcomp-head-8.diff

STABLE/7:
http://people.freebsd.org/~bz/20110401-03-ipcomp-7.diff

STABLE/6 (KAME + FAST, where the FAST is the same as STABLE/7):
http://people.freebsd.org/~bz/20110401-01-ipcomp-6.x.diff

More details may follow.

/bz

--
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
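An added example, not part of the mail or of FreeBSD's own tooling: a small sh script that turns the checks above (ipcomp SAs present, the hdrnestlimit sysctl, and a fast-rising "packets in" counter) into something an admin can run. It assumes `netstat -s -p ipcomp` prints the counter as a line of the form `<N> packets in`, that `setkey -D` lists IPComp SAs with the word "ipcomp", and it uses constructed sample snapshots for the offline demo.

```shell
#!/bin/sh
# Added example (not from the mail or FreeBSD): rate-check the IPComp
# "packets in" counter and report the IPv6 header nesting limit.
# Assumption: netstat -s -p ipcomp emits a "<N> packets in" line.

# Extract the "packets in" counter from netstat -s -p ipcomp output on stdin.
# Prints 0 if no such line is present.
ipcomp_packets_in() {
    awk '/ packets? in$/ { n = $1 } END { print n + 0 }'
}

# Difference between two readings; a reset or wrap yields 0 rather than a negative.
counter_delta() {
    if [ "$2" -ge "$1" ]; then echo $(( $2 - $1 )); else echo 0; fi
}

# Classify a delta observed over an interval: args delta seconds threshold_per_sec.
# Prints "suspicious" when the per-second rate meets the threshold, else "normal".
classify_rate() {
    if [ $(( $1 / $2 )) -ge "$3" ]; then echo suspicious; else echo normal; fi
}

# Constructed sample snapshots, 5 seconds apart (not real netstat output).
SNAP1='ipcomp:
	3 packets in
	7 packets out'
SNAP2='ipcomp:
	5003 packets in
	7 packets out'

# Offline demo over the constructed snapshots: 5000 packets in 5 s at threshold 100/s.
demo() {
    a=$(printf '%s\n' "$SNAP1" | ipcomp_packets_in)
    b=$(printf '%s\n' "$SNAP2" | ipcomp_packets_in)
    classify_rate "$(counter_delta "$a" "$b")" 5 100
}

# Live check on a FreeBSD host with IPSEC compiled in: run with --live.
if [ "${1:-}" = --live ]; then
    echo "ipcomp SAs configured: $(setkey -D | grep -ci ipcomp)"
    echo "net.inet6.ip6.hdrnestlimit: $(sysctl -n net.inet6.ip6.hdrnestlimit)"
    a=$(netstat -s -p ipcomp | ipcomp_packets_in)
    sleep 5
    b=$(netstat -s -p ipcomp | ipcomp_packets_in)
    echo "ipcomp packets in over 5s: $(counter_delta "$a" "$b") ($(classify_rate "$(counter_delta "$a" "$b")" 5 100))"
fi
```

Without `--live` the script only runs the offline demo functions, so it can be sourced and tested on any POSIX sh.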