On Thu, Mar 23, 2006 at 11:03:10AM +0200, Dmitry Pryanishnikov wrote:
>
> Hello!
>
> On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:
> >II. Problem Description
> >
> >IPsec provides an anti-replay service which when enabled prevents an attacker
> >from successfully executing a replay attack. This is done through the
> >verification of sequence numbers. A programming error in the fast_ipsec(4)
> >implementation results in the sequence number associated with a Security
> >Association not being updated, allowing packets to unconditionally pass
> >sequence number verification checks.
> >
> >III. Impact
> >
> >An attacker able to intercept IPSec packets can replay them. If higher
> >level protocols which do not provide any protection against packet replays
> >(e.g., UDP) are used, this may have a variety of effects.
>
> As far as I understood, only systems which use "options FAST_IPSEC" are
> affected by this issue. Is it true? If so, wouldn't it be wise to stress this
> fact in the advisory?
Yes, only FAST_IPSEC and only ESP (AH is ok).

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
                                          http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
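The sequence-number check the advisory describes, as an added illustration that is not FreeBSD's fast_ipsec(4) code: a minimal ESP-style sliding replay window where the `update` flag controls whether the SA's window is advanced after a packet is accepted. With `update` false the window is never moved, which is the failure mode in the advisory: every packet, replayed or not, passes the check. The struct, function names, window size and the packet trace are all assumptions made for this example.

```c
/* Added example, not FreeBSD code: minimal anti-replay window for one SA. */
#include <stdint.h>
#include <stdbool.h>

#define REPLAY_WINDOW 64            /* window size in packets (assumed) */

struct sa_replay {
    uint32_t last_seq;              /* highest sequence number accepted so far */
    uint64_t bitmap;                /* bit i set => (last_seq - i) already seen */
};

/* Check a received sequence number against the SA's window. When `update`
 * is true the window is advanced on acceptance; when false it is left
 * untouched, mimicking an implementation that never records what it saw.
 * Returns true if the packet passes the anti-replay check. */
static bool
replay_check(struct sa_replay *sa, uint32_t seq, bool update)
{
    if (seq == 0)
        return false;               /* sequence number 0 is never valid */
    if (seq > sa->last_seq) {
        if (update) {               /* new highest: slide the window forward */
            uint32_t shift = seq - sa->last_seq;
            /* shifting a uint64_t by >= 64 is undefined, so clear instead */
            sa->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (sa->bitmap << shift);
            sa->bitmap |= 1;
            sa->last_seq = seq;
        }
        return true;
    }
    uint32_t diff = sa->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;               /* too old: outside the window */
    if (sa->bitmap & ((uint64_t)1 << diff))
        return false;               /* already seen: this is a replay */
    if (update)
        sa->bitmap |= (uint64_t)1 << diff;
    return true;
}

/* Feed a packet trace to a fresh SA; return how many packets were accepted. */
static int
accepted_count(const uint32_t *seqs, int n, bool update)
{
    struct sa_replay sa = { 0, 0 };
    int accepted = 0;
    for (int i = 0; i < n; i++)
        if (replay_check(&sa, seqs[i], update))
            accepted++;
    return accepted;
}

/* Constructed trace: packets 2, 3 and 1 are delivered a second time. */
static const uint32_t sample_trace[] = { 1, 2, 3, 2, 3, 4, 1 };
```

With the window updated, the three repeated packets are rejected (4 of 7 accepted); with the window frozen, all 7 pass.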
