Re: Anyone using IPcomp and/or PPP-deflate?
On Fri, Apr 1, 2011 at 11:01 AM, Matthew Dempsky matt...@dempsky.org wrote: For the time being, I'd suggest anyone concerned ensure ipcomp processing is disabled; i.e., make sure sysctl net.inet.ipcomp.enable is set to 0. (And like I said, it's disabled by default.) If there are any IPComp users out there, markus@ has just committed the following diff to prevent IPComp-induced workq loops: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ipsec_input.c.diff? r1=1.101;r2=1.102;f=h I also suggest that if you're configuring IPComp on a host with IP forwarding enabled (on any platform, not just OpenBSD), that you should only use IPComp in conjunction with IPsec (i.e., ESP or AH). Otherwise there's a risk of routing loops.
Re: Anyone using IPcomp and/or PPP-deflate?
On Thu, Mar 31, 2011 at 05:42:21PM -0700, Matthew Dempsky wrote: Does anyone use IPcomp and/or PPP-deflate? Would anyone be sad to see these go? They seem pretty busted right now (e.g., no userspace support for enabling IPcomp, and sys/net/zlib.c is broken on 64-bit arches), and there's some doubt as to whether they're even worth the effort to fix. I'm not sure if you were aware of http://seclists.org/fulldisclosure/2011/Apr/0? In any case, it might be worth looking into. (A casual reading suggests that OpenBSD may use lots of memory to handle compressed-in-compressed packets.) Joachim -- PotD: www/p5-HTML-Template-JIT - just-in-time compiler for HTML::Template http://www.joachimschipper.nl/
Re: Anyone using IPcomp and/or PPP-deflate?
On 2011-04-01, Joachim Schipper joac...@joachimschipper.nl wrote: On Thu, Mar 31, 2011 at 05:42:21PM -0700, Matthew Dempsky wrote: Does anyone use IPcomp and/or PPP-deflate? Would anyone be sad to see these go? They seem pretty busted right now (e.g., no userspace support for enabling IPcomp, and sys/net/zlib.c is broken on 64-bit arches), and there's some doubt as to whether they're even worth the effort to fix. I'm not sure if you were aware of http://seclists.org/fulldisclosure/2011/Apr/0? Seeing as Matthew is specifically thanked in Tavis' advisory, I think that is a fairly safe bet (-:
Re: Anyone using IPcomp and/or PPP-deflate?
On Fri, Apr 1, 2011 at 4:16 AM, Joachim Schipper joac...@joachimschipper.nl wrote: I'm not sure if you were aware of http://seclists.org/fulldisclosure/2011/Apr/0? In any case, it might be worth looking into. Yeah. There are multiple reasons why we're not particularly at risk: 1. We disable IPComp processing by default. 2. Even if IPComp processing is enabled, you need to have an IPComp Association setup in the kernel. 3. We don't have userspace tool support for setting up IPCAs. 4. Our kernel zlib code is broken on 64-bit architectures. Also, the vulnerability is 'just' a DOS, not a potential remote root exploit like on NetBSD/OS X. For the time being, I'd suggest anyone concerned ensure ipcomp processing is disabled; i.e., make sure sysctl net.inet.ipcomp.enable is set to 0. (And like I said, it's disabled by default.)
Re: Anyone using IPcomp and/or PPP-deflate?
On 2011-04-01, Matthew Dempsky matt...@dempsky.org wrote: Does anyone use IPcomp and/or PPP-deflate? Would anyone be sad to see these go? you can be more specific here actually - kernel ppp(4) deflate; userland ppp(8) is a separate implementation. They seem pretty busted right now (e.g., no userspace support for enabling IPcomp, and sys/net/zlib.c is broken on 64-bit arches), and there's some doubt as to whether they're even worth the effort to fix. the only zlib in sys/ that I use is the one for booting compressed kernels.
Anyone using IPcomp and/or PPP-deflate?
Does anyone use IPcomp and/or PPP-deflate? Would anyone be sad to see these go? They seem pretty busted right now (e.g., no userspace support for enabling IPcomp, and sys/net/zlib.c is broken on 64-bit arches), and there's some doubt as to whether they're even worth the effort to fix.