Date: Thu, 23 Mar 2006 11:03:10 +0200 (EET)
From: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To: FreeBSD-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
Message-ID: <20060323110015.R99976@atlantis.atlantis.dp.ua>
In-Reply-To: <200603221611.k2MGBNaj010025@freefall.freebsd.org>
References: <200603221611.k2MGBNaj010025@freefall.freebsd.org>
Hello!

On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:

> II. Problem Description
>
> IPsec provides an anti-replay service which when enabled prevents an attacker
> from successfully executing a replay attack. This is done through the
> verification of sequence numbers. A programming error in the fast_ipsec(4)
> implementation results in the sequence number associated with a Security
> Association not being updated, allowing packets to unconditionally pass
> sequence number verification checks.
>
> III. Impact
>
> An attacker able to intercept IPSec packets can replay them. If higher
> level protocols which do not provide any protection against packet replays
> (e.g., UDP) are used, this may have a variety of effects.

As far as I understood, only systems which use "options FAST_IPSEC" are
affected by this issue. Is it true? If so, wouldn't it be wise to stress
this fact in the advisory?

Sincerely, Dmitry

-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
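The advisory quoted above describes an anti-replay service that works by verifying sequence numbers against per-SA state, and a defect in which that state was never updated. The following C program is an added illustration, not part of this message, the advisory, or the fast_ipsec(4) source: it implements the standard sliding-window anti-replay check (the RFC 4303 Appendix A scheme, 64-bit window), then runs a constructed packet trace through two receive paths. One path checks and then updates the window after each accepted packet; the other, modelled on the failure mode the advisory names, performs the check but skips the update, so the window never moves and every replayed sequence number passes. All names (replay_state, replay_check, replay_update, accept_correct, accept_no_update, run_trace, sample_trace) are hypothetical and chosen for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define REPLAY_WINDOW 64 /* window width in packets; one bit per sequence number */

/* Per-SA anti-replay state (hypothetical structure for this example). */
struct replay_state {
    uint32_t last_seq; /* highest sequence number accepted so far */
    uint64_t bitmap;   /* bit 0 = last_seq, bit k = last_seq - k (1 = already seen) */
};

/* Verification step only: is seq acceptable given the current window?
   Does not modify the state. */
bool replay_check(const struct replay_state *st, uint32_t seq)
{
    if (seq == 0)                      /* ESP sequence numbers start at 1 */
        return false;
    if (seq > st->last_seq)            /* newer than anything seen: accept */
        return true;
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)         /* older than the window: reject */
        return false;
    return !(st->bitmap & ((uint64_t)1 << diff)); /* inside window: reject if seen */
}

/* Update step: advance the window once the packet has been authenticated. */
void replay_update(struct replay_state *st, uint32_t seq)
{
    if (seq > st->last_seq) {
        uint32_t shift = seq - st->last_seq;
        /* shifting a uint64_t by >= 64 is undefined, so clear it explicitly */
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1;               /* mark the new last_seq as seen */
        st->last_seq = seq;
    } else {
        st->bitmap |= (uint64_t)1 << (st->last_seq - seq);
    }
}

/* Correct receive path: check, then record the packet in the window. */
bool accept_correct(struct replay_state *st, uint32_t seq)
{
    if (!replay_check(st, seq))
        return false;
    replay_update(st, seq);
    return true;
}

/* Faulty receive path modelled on the advisory's description: the check
   runs, but the SA's replay state is never updated, so nothing is ever
   remembered and a replayed packet is indistinguishable from a new one. */
bool accept_no_update(struct replay_state *st, uint32_t seq)
{
    return replay_check(st, seq);
}

/* Constructed trace: sequence numbers 2, 3 and 5 are replayed; 70 jumps far
   ahead, after which the stale replay of 5 falls outside the window. */
static const uint32_t sample_trace[] = {1, 2, 3, 2, 5, 4, 3, 70, 5};
static const int sample_trace_len = 9;

/* Feed a trace through a receive path and count the accepted packets. */
int run_trace(bool (*accept)(struct replay_state *, uint32_t),
              const uint32_t *seqs, int n)
{
    struct replay_state st = {0, 0};
    int accepted = 0;
    for (int i = 0; i < n; i++)
        if (accept(&st, seqs[i]))
            accepted++;
    return accepted;
}

int demo_correct(void)   { return run_trace(accept_correct, sample_trace, sample_trace_len); }
int demo_no_update(void) { return run_trace(accept_no_update, sample_trace, sample_trace_len); }

int main(void)
{
    printf("correct path accepted   %d of %d packets\n", demo_correct(), sample_trace_len);
    printf("no-update path accepted %d of %d packets\n", demo_no_update(), sample_trace_len);
    return 0;
}
```

With the correct path, the three replays are rejected and 6 of the 9 packets are accepted; with the update step missing, the window stays empty and all 9 pass, which is the unconditional acceptance the advisory describes. The separation into a check and an update also shows why the update must run only after the packet's integrity check succeeds: otherwise a forged packet with a large sequence number could advance the window and cause legitimate traffic to be discarded.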