Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
- From: Dmitry Pryanishnikov <dmitry@xxxxxxxxxxxxxx>
- Date: Thu, 23 Mar 2006 11:03:10 +0200 (EET)
Hello!
On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:
II. Problem Description
IPsec provides an anti-replay service which when enabled prevents an attacker
from successfully executing a replay attack. This is done through the
verification of sequence numbers. A programming error in the fast_ipsec(4)
implementation results in the sequence number associated with a Security
Association not being updated, allowing packets to unconditionally pass
sequence number verification checks.
III. Impact
An attacker able to intercept IPSec packets can replay them. If higher
level protocols which do not provide any protection against packet replays
(e.g., UDP) are used, this may have a variety of effects.
As far as I understood, only systems which use "options FAST_IPSEC" are affected by this issue. Is it true? If so, wouldn't it be wise to stress this
fact in the advisory?
Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry@xxxxxxxxxxxxxx
nic-hdl: LYNX-RIPE
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
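The anti-replay service the quoted advisory describes is the sliding sequence-number window of RFC 2401 Appendix C / RFC 4303 section 3.4.3. The following C block is an added illustration written for this page; it is not FreeBSD's fast_ipsec(4) code and not the fix shipped with the advisory. It implements a 64-packet window with a separate check step and update step, and `run_trace()` feeds one constructed packet trace (sequence numbers and the replays in it are made up here) through a receiver that updates the window after every verified packet and through one that never does, which is the failure mode the advisory text describes: with no update the window stays empty and every packet, replays included, passes the check.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Added illustration, not the fast_ipsec(4) implementation: a 64-bit
 * sliding anti-replay window over the 32-bit ESP/AH sequence number.
 * RFC 4303 requires rekeying before the sequence number wraps, so no
 * wrap handling is attempted here. */
#define REPLAY_WINDOW 64

struct replay_state {
    uint32_t last_seq;   /* highest sequence number accepted so far */
    uint64_t bitmap;     /* bit i set => last_seq - i has been seen */
};

static void replay_init(struct replay_state *st)
{
    st->last_seq = 0;
    st->bitmap = 0;
}

/* Check only: true if seq would be accepted; state is not touched.
 * A receiver that calls only this and never replay_update() is in the
 * situation the advisory describes: once last_seq stays at 0 every
 * packet, including a replay, passes the check. */
static bool replay_check(const struct replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;                       /* seq 0 is never valid */
    if (seq > st->last_seq)
        return true;                        /* new, right of the window */
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;                       /* too old, left of the window */
    return (st->bitmap & ((uint64_t)1 << diff)) == 0;  /* seen => replay */
}

/* Update: slide the window or mark seq as seen. In a real stack this
 * runs only after the packet's integrity check succeeded. */
static void replay_update(struct replay_state *st, uint32_t seq)
{
    if (seq > st->last_seq) {
        uint32_t shift = seq - st->last_seq;
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : st->bitmap << shift;
        st->bitmap |= 1;
        st->last_seq = seq;
    } else {
        st->bitmap |= (uint64_t)1 << (st->last_seq - seq);
    }
}

/* Correct receive path: check, then (after authentication) update. */
static bool replay_accept(struct replay_state *st, uint32_t seq)
{
    if (!replay_check(st, seq))
        return false;
    replay_update(st, seq);
    return true;
}

/* Run a constructed trace (1,2,3, replay of 2, 5, replay of 3, 40,
 * replay of 5) through a receiver that does or does not update its
 * window. Returns the number of packets accepted: 5 when updating
 * (all three replays rejected), 8 when not (everything passes). */
static int run_trace(bool do_update)
{
    static const uint32_t trace[] = {1, 2, 3, 2, 5, 3, 40, 5};
    struct replay_state st;
    int accepted = 0;

    replay_init(&st);
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        if (replay_check(&st, trace[i])) {
            accepted++;
            if (do_update)
                replay_update(&st, trace[i]);
        }
    }
    return accepted;
}
```

The split between `replay_check()` and `replay_update()` mirrors how a receiver must behave: the check runs before the ICV is verified, the update only after, so a forged packet with a high sequence number cannot slide the window. The bug class the advisory describes is the update never happening at all, which the `do_update == false` path of `run_trace()` reproduces.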
- Follow-Ups:
- Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
- From: Pawel Jakub Dawidek
- Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
- From: Colin Percival
- Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec