IPSEC with MAC/MLS support crack



Hi, when I use FreeBSD-6.0 Release (also FreeBSD-5.4), I found that
IPSEC can't coexist with MAC.

When IPSEC is set up and we connect to the TCP server with IPSEC
and MAC support, the server inevitably crashes, because the m_pkthdr
of some mbuf is mangled for unknown reasons.

Following is my kernel configuration:
options MAC
options MAC_DEBUG
options UFS_EXTATTR
options UFS_EXTATTR_AUTOSTART
options MAC_MLS
# uncomment to put sebsd to kernel, but better to
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG


Following is the kernel dump backtrace:
#0 0xc0668f0b in kdb_enter (msg=0x12 <Address 0x12 out of bounds>) at cpufunc.h:60
#1 0xc06509ab in panic (fmt=0xc08e6470 "mac_mls_dominate_element: b->mme_type invalid") at ../../../kern/kern_shutdown.c:545
#2 0xc07be3da in mac_mls_dominate_element (a=0xc14dfebc, b=0xc1b5eee4) at ../../../security/mac_mls/mac_mls.c:216
#3 0xc07be4e2 in mac_mls_effective_in_range (effective=0xc1b5eee0, range=0xc14dfe70) at ../../../security/mac_mls/mac_mls.c:266
#4 0xc07bf8de in mac_mls_check_ifnet_transmit (ifnet=0xc1646400, ifnetlabel=0x12, m=0xc16e5600, mbuflabel=0x12) at ../../../security/mac_mls/mac_mls.c:1564
#5 0xc07b49fb in mac_check_ifnet_transmit (ifnet=0xc1646400, mbuf=0xc16e5600) at ../../../security/mac/mac_net.c:409
#6 0xc06bfb46 in ether_output (ifp=0xc1646400, m=0xc16e5600, dst=0xc1a16330, rt0=0xc1816840) at ../../../net/if_ethersubr.c:161
#7 0xc06f3662 in ip_output (m=0xc16e5600, opt=0xc16e56ec, ro=0xc1a1632c, flags=0, imo=0x0, inp=0xc186d654) at ../../../netinet/ip_output.c:778
#8 0xc06fca6a in tcp_output (tp=0xc186fac8) at ../../../netinet/tcp_output.c:1080
#9 0xc0704bbc in tcp_disconnect (tp=0xc186fac8) at ../../../netinet/tcp_usrreq.c:1253
#10 0xc07034c0 in tcp_usr_disconnect (so=0x12) at ../../../netinet/tcp_usrreq.c:443
#11 0xc0689822 in sodisconnect (so=0x0) at ../../../kern/uipc_socket.c:576
#12 0xc0689490 in soclose (so=0xc19ec164) at ../../../kern/uipc_socket.c:457
#13 0xc0678d17 in soo_close (fp=0xc1736c60, td=0xc1730c00) at ../../../kern/sys_socket.c:317
#14 0xc062e818 in fdrop_locked (fp=0xc1736c60, td=0xc1730c00) at file.h:289
#15 0xc062e769 in fdrop (fp=0xc1736c60, td=0xc1730c00) at ../../../kern/kern_descrip.c:2112
#16 0xc062cd97 in closef (fp=0xc1736c60, td=0xc1730c00) at ../../../kern/kern_descrip.c:1932
#17 0xc062a175 in close (td=0xc1730c00, uap=0x12) at ../../../kern/kern_descrip.c:1008
#18 0xc086576f in syscall (frame=

The failing point is not always the same, and my system is:
FreeBSD zzy.ios 6.0-RELEASE FreeBSD 6.0-RELEASE #13: Fri Mar 17 17:11:04 UTC 2006 root@xxxxxxx:/root/Earth/earth/sys/i386/compile/earth i386


Thanks very much


_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"


