FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
Dmitry Pryanishnikov
dmitry at atlantis.dp.ua
Thu Mar 23 09:03:34 UTC 2006
Hello!
On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:
> II. Problem Description
>
> IPsec provides an anti-replay service which when enabled prevents an attacker
> from successfully executing a replay attack. This is done through the
> verification of sequence numbers. A programming error in the fast_ipsec(4)
> implementation results in the sequence number associated with a Security
> Association not being updated, allowing packets to unconditionally pass
> sequence number verification checks.
>
> III. Impact
>
> An attacker able to to intercept IPSec packets can replay them. If higher
> level protocols which do not provide any protection against packet replays
> (e.g., UDP) are used, this may have a variety of effects.
As far as I understood, only systems which use "options FAST_IPSEC" are
affected by this issue. Is it true? If so, wouldn't be wise to stress this
fact in the advisory?
Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry at atlantis.dp.ua
nic-hdl: LYNX-RIPE
More information about the freebsd-security
mailing list