FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec

Dmitry Pryanishnikov dmitry at atlantis.dp.ua
Thu Mar 23 09:03:34 UTC 2006


Hello!

On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:
> II.  Problem Description
>
> IPsec provides an anti-replay service which when enabled prevents an attacker
> from successfully executing a replay attack.  This is done through the
> verification of sequence numbers.  A programming error in the fast_ipsec(4)
> implementation results in the sequence number associated with a Security
> Association not being updated, allowing packets to unconditionally pass
> sequence number verification checks.
>
> III. Impact
>
> An attacker able to to intercept IPSec packets can replay them.  If higher
> level protocols which do not provide any protection against packet replays
> (e.g., UDP) are used, this may have a variety of effects.

  As far as I understood, only systems which use "options FAST_IPSEC" are 
affected by this issue. Is it true? If so, wouldn't be wise to stress this
fact in the advisory?


Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail:  dmitry at atlantis.dp.ua
nic-hdl: LYNX-RIPE


More information about the freebsd-security mailing list