Hello!
On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:
> II. Problem Description
>
> IPsec provides an anti-replay service which, when enabled, prevents an attacker from successfully executing a replay attack. This is done through the verification of sequence numbers. A programming error in the fast_ipsec(4) implementation results in the sequence number associated with a Security Association not being updated, allowing packets to unconditionally pass sequence number verification checks.
>
> III. Impact
>
> An attacker able to intercept IPsec packets can replay them. If higher level protocols which do not provide any protection against packet replays (e.g., UDP) are used, this may have a variety of effects.
As far as I understood, only systems which use "options FAST_IPSEC" are affected by this issue. Is it true? If so, wouldn't it be wise to stress this fact in the advisory?

Sincerely,
Dmitry

--
Atlantis ISP, System Administrator
e-mail: [EMAIL PROTECTED]
nic-hdl: LYNX-RIPE
