http://arstechnica.com/information-technology/2015/05/the-discovery-of-apache-zookeepers-poison-packet/
This article describes a set of four bugs that caused a serious problem for one
open source project:
"RFC 3948 tells the tale. It states that while using IPSec in NAT-T Transport
mode, the client MAY forgo the validation of the TCP/UDP checksum under the
assumption that packet integrity is already protected by ESP. ... The
assumption made by the authors is invalid, as there is clearly ample
opportunity for corruption prior to ESP/IP formation. While checksumming is a
great way to detect in-flight corruption, it can also be used as a tool to
detect corruption during the formation of the packet. It is the latter point
that was overlooked, and this optimization has come to bite us. ... We claim
this is a bug—intentional or not."
Russ
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
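
Added example, not part of the original message or the quoted article: a Python sketch of the failure mode the quote describes, where a segment corrupted before ESP formation passes the ESP integrity check and is only caught if the receiver still validates the transport checksum. The segment layout (2-byte checksum plus payload, no pseudo-header), the HMAC-SHA256 stand-in for the ESP ICV, the key and the payload are all constructed assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"                  # constructed sample key
PAYLOAD = b"constructed application payload"   # constructed sample data

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_segment(payload: bytes) -> bytes:
    """Simplified transport segment: checksum field followed by payload."""
    return struct.pack("!H", internet_checksum(payload)) + payload

def checksum_ok(segment: bytes) -> bool:
    (stored,) = struct.unpack("!H", segment[:2])
    return stored == internet_checksum(segment[2:])

def esp_protect(key: bytes, segment: bytes) -> bytes:
    """Stand-in for ESP integrity only: append a 16-byte truncated HMAC as the ICV."""
    return segment + hmac.new(key, segment, hashlib.sha256).digest()[:16]

def receive(key: bytes, packet: bytes, validate_checksum: bool) -> str:
    """Receiver: always checks the ICV, optionally checks the transport checksum."""
    segment, icv = packet[:-16], packet[-16:]
    expected = hmac.new(key, segment, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        return "dropped: ESP ICV mismatch"
    if validate_checksum and not checksum_ok(segment):
        return "dropped: transport checksum mismatch"
    return "delivered"

def flip_bit(data: bytes, index: int) -> bytes:
    corrupted = bytearray(data)
    corrupted[index] ^= 0x01
    return bytes(corrupted)

def demo() -> dict:
    segment = build_segment(PAYLOAD)
    pre_esp = esp_protect(KEY, flip_bit(segment, 5))    # corrupted before ESP formation
    in_flight = flip_bit(esp_protect(KEY, segment), 5)  # corrupted after ESP formation
    return {
        "pre_esp_checksum_skipped": receive(KEY, pre_esp, validate_checksum=False),
        "pre_esp_checksum_validated": receive(KEY, pre_esp, validate_checksum=True),
        "in_flight_checksum_skipped": receive(KEY, in_flight, validate_checksum=False),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```
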