Date: Thu, 23 Mar 2006 12:28:44 +0100
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
Cc: FreeBSD-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
Message-ID: <20060323112844.GA18526@garage.freebsd.pl>
In-Reply-To: <20060323110015.R99976@atlantis.atlantis.dp.ua>
References: <200603221611.k2MGBNaj010025@freefall.freebsd.org> <20060323110015.R99976@atlantis.atlantis.dp.ua>
On Thu, Mar 23, 2006 at 11:03:10AM +0200, Dmitry Pryanishnikov wrote:
>
> Hello!
>
> On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:
> >II. Problem Description
> >
> >IPsec provides an anti-replay service which when enabled prevents an attacker
> >from successfully executing a replay attack. This is done through the
> >verification of sequence numbers. A programming error in the fast_ipsec(4)
> >implementation results in the sequence number associated with a Security
> >Association not being updated, allowing packets to unconditionally pass
> >sequence number verification checks.
> >
> >III. Impact
> >
> >An attacker able to intercept IPSec packets can replay them. If higher
> >level protocols which do not provide any protection against packet replays
> >(e.g., UDP) are used, this may have a variety of effects.
>
> As far as I understood, only systems which use "options FAST_IPSEC" are
> affected by this issue. Is it true? If so, wouldn't it be wise to stress this
> fact in the advisory?

Yes, only FAST_IPSEC and only ESP (AH is ok).

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
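The anti-replay check the quoted advisory describes, as an added example that is not part of this thread and not the FreeBSD kernel's own code: a constructed C model of an ESP sliding replay window, showing why a receive path that verifies the sequence number but never records it lets a captured packet pass verification every time it is replayed. All names and the sample sequence numbers are assumptions made for the example.

```c
/* Constructed model of an ESP anti-replay sliding window (not the FreeBSD
 * kernel's own code): a 64-bit bitmap below the highest accepted seq. */
#include <stdint.h>
#include <stdbool.h>
struct replay_state {
    uint32_t last;    /* highest sequence number accepted so far */
    uint64_t bitmap;  /* bit i set: seq (last - i) already received */
};
/* Verification only: true if seq may be accepted. Never touches the state. */
static bool replay_check(const struct replay_state *rs, uint32_t seq)
{
    if (seq == 0) return false;              /* ESP never uses seq 0 */
    if (seq > rs->last) return true;         /* newer than anything seen */
    uint32_t diff = rs->last - seq;
    if (diff >= 64) return false;            /* too old, outside window */
    return !(rs->bitmap & ((uint64_t)1 << diff)); /* set bit = replay */
}

/* Record seq as received, sliding the window forward if needed. */
static void replay_update(struct replay_state *rs, uint32_t seq)
{
    if (seq > rs->last) {
        uint32_t shift = seq - rs->last;
        rs->bitmap = (shift >= 64) ? 0 : rs->bitmap << shift;
        rs->last = seq;
    }
    rs->bitmap |= (uint64_t)1 << (rs->last - seq);
}
/* Inbound ESP processing. The advisory's bug is the missing update: with
 * update_after_check false the seq is verified but never recorded. */
static bool esp_receive(struct replay_state *rs, uint32_t seq, bool update_after_check)
{
    if (!replay_check(rs, seq)) return false;
    if (update_after_check) replay_update(rs, seq);
    return true;
}

/* Feed a constructed inbound sequence and return how many packets are
 * accepted: 5 and 3 are replayed once each, the final 5 is behind the window. */
static int count_accepted(bool update_after_check)
{
    static const uint32_t seqs[] = { 5, 5, 3, 3, 100, 5 };
    struct replay_state rs = { 0, 0 };
    int accepted = 0;
    for (int i = 0; i < 6; i++)
        accepted += esp_receive(&rs, seqs[i], update_after_check);
    return accepted;   /* 3 with the update applied, 6 without it */
}
```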
