From owner-freebsd-security Sat Jul 7 12:13:43 2001
Date: Sat, 7 Jul 2001 12:13:34 -0700
From: "Jon O ."
To: Michael Nottebrock
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPSEC & TCP sequence number generation
Message-ID: <20010707121334.A85498@networkcommand.com>
Reply-To: "jono@networkcommand.com"
References: <1199.994531932@www25.gmx.net>
In-Reply-To: <1199.994531932@www25.gmx.net>; from MichaelNottebrock@gmx.net on Sat, Jul 07, 2001 at 08:52:12PM +0200
User-Agent: Mutt/1.2i

This is very interesting, but let's make sure the test environment is not
providing this type of result.

I tested this with:

nmap -sT -O -v -v

Can you provide the full nmap args you are using?

The machine I nmap'ed has IPSEC turned on and running. It gave me all 9's.

Now, I'm thinking lots of these home DSL/Cable modem gateways use pathetic
tcp sequence algorithms. Could it be the nmap you used got data from this
device instead of your FreeBSD box? Are you using an Alcatel DSL modem or
something similar that runs in *Bridge* mode?

Thanks,
Jon

On 07-Jul-2001, Michael Nottebrock wrote:
> I recently recompiled my FreeBSD 4.3-STABLE kernel with
>
> options IPSEC
> options IPSEC_ESP
> options IPSEC_DEBUG
>
> in order to experiment with an IPSEC-VPN.
>
> When I scanned myself from a few remote machines today, I noticed that
> nmap -O reports a tcp sequence prediction class "trivial time dependency",
> difficulty=0 (trivial joke), before enabling IPSEC it used to be all 9's.
> Has anyone else experienced this? Have I overlooked something or is this
> normal behaviour?
>
> Greetings,
>
> Michael Nottebrock
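To make concrete what the "Class=trivial time dependency Difficulty=0 (trivial joke)" versus "all 9's" verdicts in this thread measure, here is an added example (not code from this thread, from FreeBSD or from nmap) that rates ISN predictability from a handful of sampled initial sequence numbers, along the lines of nmap's check: it looks at how far consecutive ISNs are apart on the 32-bit ring and how evenly spaced they are. The class rules, the cut-offs (2^28 for "truly random", a spread below 75 for "time dependency", the difficulty wording) and all sample ISNs are this example's own assumptions and constructed data. It also illustrates Jon's caveat: the script only describes whatever answered the SYNs, so if a bridging gateway replied instead of the FreeBSD host, the verdict is about the gateway; sample the host from inside the LAN as well before drawing conclusions about the kernel.

```python
"""Rate the predictability of a host's TCP initial sequence numbers (ISNs)
from a few samples, in the spirit of the "TCP Sequence Prediction" line that
nmap -O prints.  Rules and thresholds below are this example's own
simplifications (assumptions), not nmap's actual code."""
import statistics

MOD = 1 << 32                 # ISNs are 32-bit and wrap around
MAX_DIFFICULTY = 9_999_999    # the "all 9's" nmap prints for a random generator


def circular_distance(a, b):
    """Shortest distance between two ISNs on the 32-bit ring."""
    fwd = (b - a) % MOD
    return min(fwd, MOD - fwd)


def isn_distances(isns):
    """Distances between consecutive samples."""
    return [circular_distance(a, b) for a, b in zip(isns, isns[1:])]


def classify_isn_sequence(isns):
    """Return (class_name, difficulty) for ISNs sampled from one host at
    roughly one connection per second, the rate nmap's probes go out at."""
    if len(isns) < 4:
        raise ValueError("need at least 4 ISN samples")
    dists = isn_distances(isns)
    if all(d == 0 for d in dists):
        return "constant", 0
    if all(d == 64000 for d in dists):          # classic Windows 9x behaviour
        return "64K rule", 0
    mean = statistics.fmean(dists)
    stdev = statistics.pstdev(dists)
    # Assumption: jumps averaging more than 2^28 on the ring mean the
    # generator is not a counter; one sampled ISN says nothing about the next.
    if mean > MOD // 16:
        return "truly random", MAX_DIFFICULTY
    # A clock-driven counter advances by nearly the same amount per second;
    # the small spread is only sampling jitter, so the next ISN is guessable.
    if stdev < 75:
        return "trivial time dependency", int(stdev)
    return "random positive increments", min(int(stdev), MAX_DIFFICULTY)


def difficulty_label(difficulty):
    """Wording approximating nmap's; the cut-offs are assumed, not nmap's."""
    for limit, label in ((10, "Trivial joke"), (80, "Easy"), (3000, "Medium"),
                         (5000, "Formidable"), (100000, "Worthy challenge")):
        if difficulty < limit:
            return label
    return "Good luck!"


def report(isns):
    """One nmap-style summary line for a list of ISN samples."""
    cls, diff = classify_isn_sequence(isns)
    return (f"TCP Sequence Prediction: Class={cls} "
            f"Difficulty={diff} ({difficulty_label(diff)})")


# Constructed samples (not captured from any real host):
# an RFC 793 style 4 us clock (250000/s) sampled once a second with jitter,
CLOCK_ISNS = [10_000, 260_000, 510_003, 759_998, 1_010_001]
# a counter bumped by an unpredictable positive amount per connection,
INCREMENT_ISNS = [100, 10_100, 260_100, 340_100, 740_100, 890_100]
# and a generator whose output looks like independent random 32-bit values.
RANDOM_ISNS = [0x1A2B3C4D, 0xF00DBABE, 0x7E57ABCD,
               0x0BADF00D, 0xC0FFEE00, 0x5EEDBEEF]

if __name__ == "__main__":
    for name, isns in (("clock", CLOCK_ISNS), ("increments", INCREMENT_ISNS),
                       ("random", RANDOM_ISNS)):
        print(f"{name:>10}: {report(isns)}")
```

Run as-is, the clock sample comes out as "trivial time dependency" with a single-digit difficulty (the jittered 250000-per-second steps), the random sample as "truly random" with difficulty 9999999, and the irregular-increment sample in between. Feeding it ISNs gathered by connecting to the host under test (one connection per second, recording each SYN/ACK's sequence number) reproduces the kind of verdict nmap gave in the thread, and doing that from both sides of a home gateway is the quickest way to rule out the bridge-mode confusion Jon suspects.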