Date: Thu, 23 Mar 2006 12:28:44 +0100
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
Cc: FreeBSD-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
Message-ID: <20060323112844.GA18526@garage.freebsd.pl>
In-Reply-To: <20060323110015.R99976@atlantis.atlantis.dp.ua>
References: <200603221611.k2MGBNaj010025@freefall.freebsd.org> <20060323110015.R99976@atlantis.atlantis.dp.ua>

On Thu, Mar 23, 2006 at 11:03:10AM +0200, Dmitry Pryanishnikov wrote:
+>
+> Hello!
+>
+> On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:
+> >II. Problem Description
+> >
+> >IPsec provides an anti-replay service which when enabled prevents an attacker
+> >from successfully executing a replay attack. This is done through the
+> >verification of sequence numbers. A programming error in the fast_ipsec(4)
+> >implementation results in the sequence number associated with a Security
+> >Association not being updated, allowing packets to unconditionally pass
+> >sequence number verification checks.
+> >
+> >III. Impact
+> >
+> >An attacker able to intercept IPSec packets can replay them. If higher
+> >level protocols which do not provide any protection against packet replays
+> >(e.g., UDP) are used, this may have a variety of effects.
+>
+> As far as I understood, only systems which use "options FAST_IPSEC" are
+> affected by this issue. Is it true? If so, wouldn't it be wise to stress this
+> fact in the advisory?

Yes, only FAST_IPSEC and only ESP (AH is ok).

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
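
The advisory quoted in the message above describes anti-replay as sequence number verification that only works if the number kept for the Security Association is updated. The sketch below is an added example, not FreeBSD's fast_ipsec(4) code and not part of the original message: a 64-packet sliding window in the style of RFC 4303, with a hypothetical `do_update` switch showing that a receiver which checks but never records accepts every replay. All names (`replay_state`, `replay_check`, `replay_update`, `accepted`) and the sample sequence are constructed; sequence number wraparound is not handled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WINDOW 64u                  /* window width in packets (assumed) */

struct replay_state {               /* hypothetical per-SA receive state */
    uint32_t last;                  /* highest sequence number recorded */
    uint64_t bitmap;                /* bit i set => (last - i) already seen */
};

/* Verification: true if seq is unseen and not older than the window. */
static bool replay_check(const struct replay_state *rs, uint32_t seq)
{
    if (seq == 0) return false;             /* ESP numbering starts at 1 */
    if (seq > rs->last) return true;        /* ahead of the window */
    uint32_t diff = rs->last - seq;
    if (diff >= WINDOW) return false;       /* too old to track */
    return !(rs->bitmap & (1ULL << diff));  /* reject duplicates */
}

/* Update: record seq; call only after replay_check() and the ICV passed. */
static void replay_update(struct replay_state *rs, uint32_t seq)
{
    if (seq > rs->last) {
        uint32_t shift = seq - rs->last;
        rs->bitmap = (shift >= WINDOW) ? 0 : rs->bitmap << shift;
        rs->bitmap |= 1ULL;                 /* bit 0 is the new 'last' */
        rs->last = seq;
    } else {
        rs->bitmap |= 1ULL << (rs->last - seq);
    }
}

/* Deliver seqs[] in order and count accepted packets.
 * do_update=false models a receiver that never records what it saw. */
static int accepted(const uint32_t *seqs, int n, bool do_update)
{
    struct replay_state rs = {0, 0};
    int ok = 0;
    for (int i = 0; i < n; i++) {
        if (!replay_check(&rs, seqs[i])) continue;
        ok++;
        if (do_update) replay_update(&rs, seqs[i]);
    }
    return ok;
}

int main(void) {
    const uint32_t s[] = {1, 2, 3, 2, 3, 1, 4};  /* constructed: 3 replays */
    printf("%d %d\n", accepted(s, 7, true), accepted(s, 7, false)); return 0; }
```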