From owner-freebsd-security@FreeBSD.ORG Mon Apr 26 01:28:43 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DFE2F16A4CE for ; Mon, 26 Apr 2004 01:28:43 -0700 (PDT)
Received: from ux1.ibb.net (ux1.ibb.net [64.215.98.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0840A43D53 for ; Mon, 26 Apr 2004 01:28:43 -0700 (PDT) (envelope-from mipam@ibb.net)
Received: from localhost (mipam@localhost) by ux1.ibb.net (8.9.3/8.9.3/UX1TT) with ESMTP id JAA13143; Mon, 26 Apr 2004 09:18:05 +0200
X-Authentication-Warning: ux1.ibb.net: mipam owned process doing -bs
Date: Mon, 26 Apr 2004 09:18:05 +0200 (MET DST)
From: Mipam
To: Peter Pentchev
In-Reply-To: <20040423144422.GD961@straylight.m.ringlet.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: use keep state(strict) to mitigate tcp issues?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 26 Apr 2004 08:28:44 -0000

On Fri, 23 Apr 2004, Peter Pentchev wrote:

> On Fri, Apr 23, 2004 at 03:17:32PM +0200, Mipam wrote:
> > Hi,
> >
> > When deploying a BSD with IPF at the network perimeter
> > and using rules like these:
> >
> > pass in .. proto tcp ... keep state(strict)
> >
> > it's possible to refuse tcp packets which arrive out of order.
> > This would increase the difficulty of doing blind reset attacks and blind
> > data injection attacks, because then you'd have to "guess" the exact expected
> > number. Checkpoint has a similar feature (is that right?)
> > which is described here as the answer to the mentioned attacks:
> >
> > http://www.checkpoint.com/techsupport/alerts/tcp_dos.html
> >
> > Although this is nice, there is also the risk of breaking
> > connections, because it's not unlikely that packets arrive out of order.
> > At least, that's what I think; any thoughts on this?
>
> IMHO, in the world of multihomed ISPs, BGP and multipath routing, no,
> it is definitely *not* unlikely that packets should arrive out of order.

I have no statistics and didn't check it out more closely, but in practice,
let's say just daily life, in how many connections would packets be
arriving out of order?

Of course, if strict is being used and out-of-order packets are denied,
TCP on the other side would resend all the packets within the window size
(or any packets or packet stream for which no ack has been received), but
if they arrive out of order again, or at least one of them does, no
progress has been made.

Don't take me wrong here, I think keep state(strict) is a cool feature,
but I just wonder in how many cases in busy networks it would cause a
certain amount of traffic loss (even though TCP should be able to remedy
this and send the same packets several times, it has no control over the
fast changing paths to its destination), and how large would that certain
amount be? Maybe I'm a little bit too paranoid in thinking too many
connections are dealing with out-of-order arriving packets?

Bye,

Mipam.
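As an added illustration (not code from the thread and not IPFilter's own code), the following Python models the trade-off Mipam raises: a strict per-flow check that only accepts the exact next sequence number, next to a windowed check, both run over one constructed trace containing a reordered segment, its retransmission, and an RST whose sequence number is merely somewhere inside the window. The tracker, the window size and the segment trace are assumptions made for this example.

```python
"""Strict vs. windowed TCP sequence checks in a stateful packet filter.

Added example, not IPFilter code and not from the mailing-list thread.
Two policies are compared on the same constructed segment trace:

  strict   - a segment is accepted only if it carries exactly the sequence
             number the tracker expects next (Mipam's "exact expected number");
  windowed - a segment is accepted if it lies within one window of the
             highest byte seen so far (a simplified permissive check).

32-bit sequence wraparound is ignored for clarity.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Segment:
    seq: int              # sequence number carried in the TCP header
    length: int           # payload bytes (0 for a bare RST)
    rst: bool = False


@dataclass
class Tracker:
    """Per-flow state for one direction, as a stateful firewall keeps it."""
    expected: int                     # next in-order sequence number
    window: int = 8192                # receiver's advertised window (assumed)
    max_end: int = field(init=False)  # highest seq+len accepted so far

    def __post_init__(self) -> None:
        self.max_end = self.expected

    def check(self, seg: Segment, strict: bool) -> str:
        """Classify one segment as 'accept', 'drop' or 'reset'."""
        end = seg.seq + seg.length
        if strict:
            ok = seg.seq == self.expected
        else:
            # permissive: anything within one window of the highest byte seen
            ok = (end >= self.max_end - self.window
                  and seg.seq <= self.max_end + self.window)
        if not ok:
            return "drop"
        if seg.rst:
            return "reset"
        if seg.seq == self.expected:      # in-order data advances the pointer
            self.expected = end
        self.max_end = max(self.max_end, end)
        return "accept"


def trace(strict: bool) -> List[str]:
    """Run the constructed trace below through one policy.

    The sender emits A, B, C in order; multipath routing delivers C before B.
    Once the gap is noticed the sender retransmits C. Finally an RST arrives
    whose sequence number is inside the window but is not the exact next
    value, which is the blind-reset case the thread is about.
    """
    tracker = Tracker(expected=1000)
    segments = [
        Segment(1000, 100),            # A, in order
        Segment(1200, 100),            # C, arrived early
        Segment(1100, 100),            # B, the segment C overtook
        Segment(1200, 100),            # C again (retransmission)
        Segment(1250, 0, rst=True),    # RST: in window, not the exact next seq
    ]
    return [tracker.check(s, strict) for s in segments]


if __name__ == "__main__":
    # strict drops the reordered segment (progress waits for a retransmit)
    # but also drops the in-window RST; windowed does the opposite on both.
    print("strict  :", trace(True))
    print("windowed:", trace(False))
```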
From owner-freebsd-security@FreeBSD.ORG Mon Apr 26 02:13:46 2004
Date: Mon, 26 Apr 2004 19:13:32 +1000
From: Peter Jeremy
To: Mipam
cc: freebsd-security@freebsd.org
Subject: Re: use keep state(strict) to mitigate tcp issues?
Message-ID: <20040426091332.GA97422@server.vk2pj.dyndns.org>
References: <20040423144422.GD961@straylight.m.ringlet.net>

On Mon, Apr 26, 2004 at 09:18:05AM +0200, Mipam wrote:
> I have no statistics and didn't check it out more closely, but in practice,
> let's say just daily life, in how many connections would packets be
> arriving out of order?

My ISP speed-limits my connection if I exceed my monthly data volume.
I'm not sure how they do the speed limiting but it seems to fairly
consistently result in the last data packet arriving after the FIN packet.
I don't have statistics for when my connection is running normally.

Peter

From owner-freebsd-security@FreeBSD.ORG Fri Apr 23 16:20:00 2004
Date: Fri, 23 Apr 2004 16:19:36 -0700
From: jayanth
To: Mike Silbersack
cc: freebsd-security@FreeBSD.org
cc: Don Lewis
cc: avalon@caligula.anu.edu.au
cc: jayanth@yahoo-inc.com
cc: kernel@yahoo-inc.com
Subject: Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)
Message-ID: <20040423231936.GC21555@yahoo-inc.com>
References: <200404231041.i3NAfR7E051507@gw.catspoiler.org> <20040423182801.G5436@odysseus.silby.com>
In-Reply-To: <20040423182801.G5436@odysseus.silby.com>
X-Mailman-Approved-At: Mon, 26 Apr 2004 02:54:05 -0700

Mike Silbersack (silby@silby.com) wrote:
>
> On Fri, 23 Apr 2004, Don Lewis wrote:
>
> > > What type of packet was causing
> > > the Alteons to emit the RST? SYN, FIN,
> > > normal data?
> > >
> > > Also, has Alteon fixed the problem or do their load balancers still
> > > exhibit the behavior?
> >
> > The link I posted showed it was a FIN, and after the RST was sent (and
> > ignored by the FreeBSD stack because of the strict sequence number
> > check), the Alteon (or whatever it was) did not respond to the
> > retransmissions of the FIN packet.
> >
> > Maybe we can get by with the strict check by default and add a sysctl to
> > revert to the permissive check.
>
> I think Darren's suggestion would be a reasonable compromise; use the
> strict check in the ESTABLISHED state, and the permissive check otherwise.
> Established connections are what would be attacked, so we need the
> security there, but the closing states are where oddities seem to pop up,
> so we can use the permissive check there.
>
> If this is acceptable, I'd like to get it committed this weekend so that
> we can still get it into 4.10.
>

Sure, that sounds reasonable. The sysctl should be good for Yahoo.

thanks,
jayanth

From owner-freebsd-security@FreeBSD.ORG Tue Apr 27 11:44:26 2004
Date: Tue, 27 Apr 2004 11:44:22 -0700
From: "Crist J. Clark"
To: Greg Troxel
cc: freebsd-security@FreeBSD.org
cc: Dan Langille
Subject: Re: IPsec - got ESP going, but not AH
Message-ID: <20040427184422.GA88369@blossom.cjclark.org>
References: <40885ECF.22456.1C68F42E@localhost>
X-URL: http://people.freebsd.org/~cjc/
Reply-To: "Crist J. Clark"

On Fri, Apr 23, 2004 at 08:02:15AM -0400, Greg Troxel wrote:
> While this should probably work, it's more straightforward to use ESP
> with integrity protection. That is, use a -A hmac-sha1 argument also
> to ESP. (hmac-md5 is probably still fine, but sha1 goes better
> strength-wise with rijndael-cbc.)
>
> I believe that in tunnel mode AH and ESP integrity are essentially
> identical - but read RFC2401 and rfc2401bis (i-d from ipsec wg) if you
> really want to understand.

Not true. ESP integrity does not cover the IP header, only the ESP
payload. Look at the diagrams in section 3.1 of RFC2406.

> In transport mode, AH protects parts of
> the original (and only) IP header.

Not true. AH protects the entire datagram, including payload. Again hop
down to section 3.1 of RFC2402 for that RFC-ASCII art we all love so
much.
As for the original problem, I've seen AH problems before. Follow the
"Single IP host and IPsec tunnel mode experience" thread from -hackers
from last year about this time.
--
Crist J. Clark                     |     cjclark@alum.mit.edu     |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Tue Apr 27 18:13:36 2004
Date: Tue, 27 Apr 2004 21:13:31 -0400
From: "Dan Langille"
To: freebsd-security@FreeBSD.org
Subject: IPsec works, but racoon/IKE does not
Message-ID: <408ECCFB.2846.3587C13A@localhost>

I have no idea whatsoever as to why racoon/IKE does not work here.
I've tried various how-to documents but found nothing that works for
me.

Gateway (10.0.0.1) running 4.9-stable.
Laptop (10.0.0.10) running 5.2.1-release.
Both running racoon-20040408a

On the gateway (10.0.0.1):

# cat /etc/ipsec.conf
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.10/require;

On the laptop (10.0.0.10):

add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.10/require;

With this setup, IPsec works just fine between the two boxes.

If I comment out the two "add" lines in each /etc/ipsec.conf, keep the
"spdadd" lines, and do this on both machines:

setkey -F
setkey -FP
setkey -f /etc/ipsec.conf
/usr/local/sbin/racoon -F -v

I see this on the gateway. Does this mean anything to anyone? Thanks.

Foreground mode.
2004-04-27 20:52:14: INFO: main.c:172:main(): @(#)package version freebsd-20040408a
2004-04-27 20:52:14: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
2004-04-27 20:52:14: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c-p1 30 Sep 2003 (http://www.openssl.org/)
2004-04-27 20:52:14: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
2004-04-27 20:52:14: DEBUG: pfkey.c:2379:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2004-04-27 20:52:14: INFO: isakmp.c:1368:isakmp_open(): 10.0.0.1[500] used as isakmp port (fd=5)
2004-04-27 20:52:14: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2004-04-27 20:52:14: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2004-04-27 20:52:14: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff958: 0.0.0.0/0[0] 10.0.0.0/24[0] proto=any dir=out
2004-04-27 20:52:14: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a1c08: 10.0.0.0/24[0] 0.0.0.0/0[0] proto=any dir=in
2004-04-27 20:52:18: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:52:18: DEBUG: pfkey.c:1620:pk_recvacquire(): suitable outbound SP found: 0.0.0.0/0[0] 10.0.0.0/24[0] proto=any dir=out.
2004-04-27 20:52:18: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff944: 10.0.0.0/24[0] 0.0.0.0/0[0] proto=any dir=in
2004-04-27 20:52:18: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a1c08: 10.0.0.0/24[0] 0.0.0.0/0[0] proto=any dir=in
2004-04-27 20:52:18: DEBUG: pfkey.c:1636:pk_recvacquire(): suitable inbound SP found: 10.0.0.0/24[0] 0.0.0.0/0[0] proto=any dir=in.
2004-04-27 20:52:18: DEBUG: pfkey.c:1675:pk_recvacquire(): new acquire 0.0.0.0/0[0] 10.0.0.0/24[0] proto=any dir=out
2004-04-27 20:52:18: DEBUG: sainfo.c:112:getsainfo(): anonymous sainfo selected.
2004-04-27 20:52:18: DEBUG: proposal.c:828:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2004-04-27 20:52:18: DEBUG: proposal.c:862:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-sha)
2004-04-27 20:52:18: DEBUG: proposal.c:862:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-md5)
2004-04-27 20:52:18: DEBUG: proposal.c:862:printsatrns(): (trns_id=BLOWFISH encklen=448 authtype=hmac-sha)
2004-04-27 20:52:18: DEBUG: proposal.c:862:printsatrns(): (trns_id=BLOWFISH encklen=448 authtype=hmac-md5)
2004-04-27 20:52:18: DEBUG: proposal.c:862:printsatrns(): (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
2004-04-27 20:52:18: DEBUG: proposal.c:862:printsatrns(): (trns_id=RIJNDAEL encklen=128 authtype=hmac-md5)
2004-04-27 20:52:18: DEBUG: remoteconf.c:129:getrmconf(): anonymous configuration selected for 10.0.0.10.
2004-04-27 20:52:18: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 10.0.0.10 queued due to no phase1 found.
2004-04-27 20:52:18: DEBUG: isakmp.c:803:isakmp_ph1begin_i(): ===
2004-04-27 20:52:18: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.10[500]
2004-04-27 20:52:18: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
2004-04-27 20:52:18: DEBUG: isakmp.c:2006:isakmp_newcookie(): new cookie: 055c6e2d1a6f5cf0
2004-04-27 20:52:18: DEBUG: ipsec_doi.c:3238:ipsecdoi_setid1(): use ID type of IPv4_address
2004-04-27 20:52:19: DEBUG: oakley.c:300:oakley_dh_generate(): compute DH's private.
2004-04-27 20:52:19: DEBUG: plog.c:193:plogdump():
6e308efc dd12bb8c 43b3870d 470f6826 b75dcfed 51e9a827 7bfc9fb6 104e5038
ad255135 511f1047 029ebff4 059f5a66 3950f8df 1cf256d9 cae1b8a3 b72834de
8e0e440e aa85a078 70a283ba ea50c4c4 91004723 05892a7a 39694b9f 289e24e9
8931c02e 42830d85 91393b1d e67c6654 6a07a1ea 14929170 5c670bdd 3314cfea
2004-04-27 20:52:19: DEBUG: oakley.c:302:oakley_dh_generate(): compute DH's public.
2004-04-27 20:52:19: DEBUG: plog.c:193:plogdump():
740d9432 471292e7 904d632f 29a2f3a5 aebdac90 1890488c ed630ccc a630afea
2c12c7c7 5f33aee7 8cab687d e03c0f84 28267175 3674acaf 3105339b 0796e4df
737fcac3 1e3cbdf7 34d1fe6d 0d65c16c 7f0125e6 7a71e10d 55473f4f 6ec53f95
b4d786bd a6656857 a377e251 bedcea49 05cd8477 ff460c16 fbfcd342 aea5ac79
2004-04-27 20:52:19: DEBUG: isakmp_agg.c:161:agg_i1send(): authmethod is pre-shared key
2004-04-27 20:52:19: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 52, next type 1
2004-04-27 20:52:19: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 128, next type 4
2004-04-27 20:52:19: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 16, next type 10
2004-04-27 20:52:19: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 8, next type 5
2004-04-27 20:52:19: DEBUG: isakmp.c:2295:isakmp_printpacket(): begin.
52:19.544602 10.0.0.1:500 -> 10.0.0.10:500: isakmp 1.0 msgid 00000000 cookie 055c6e2d1a6f5cf0->0000000000000000: phase 1 I agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration len=4 value=00015180)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024)))) (ke: key len=128) (nonce: n len=16) (id: idtype=IPv4 protoid=udp port=500 len=4 10.0.0.1)
2004-04-27 20:52:19: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.0.0.1[500]
2004-04-27 20:52:19: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.0.0.1[500]
2004-04-27 20:52:19: DEBUG: sockmisc.c:425:sendfromto(): send packet to 10.0.0.10[500]
2004-04-27 20:52:19: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 248 bytes message will be sent to 10.0.0.10[500]
2004-04-27 20:52:19: DEBUG: plog.c:193:plogdump():
055c6e2d 1a6f5cf0 00000000 00000000 01100400 00000000 000000f8 04000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010005 80030001 80020002 80040002 0a000084 740d9432 471292e7
904d632f 29a2f3a5 aebdac90 1890488c ed630ccc a630afea 2c12c7c7 5f33aee7
8cab687d e03c0f84 28267175 3674acaf 3105339b 0796e4df 737fcac3 1e3cbdf7
34d1fe6d 0d65c16c 7f0125e6 7a71e10d 55473f4f 6ec53f95 b4d786bd a6656857
a377e251 bedcea49 05cd8477 ff460c16 fbfcd342 aea5ac79 05000014 bf9a051a
8cbfbef6 30991dd7 190ff373 0000000c 011101f4 0a000001
2004-04-27 20:52:19: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 055c6e2d1a6f5cf0:0000000000000000
2004-04-27 20:52:29: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:52:29: DEBUG: pfkey.c:1604:pk_recvacquire(): ignore the acquire because ph2 found
2004-04-27 20:52:37: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:52:37: DEBUG: pfkey.c:1604:pk_recvacquire(): ignore the acquire because ph2 found
2004-04-27 20:52:40: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:52:40: DEBUG: pfkey.c:1604:pk_recvacquire(): ignore the acquire because ph2 found
2004-04-27 20:52:40: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.0.0.1[500]
2004-04-27 20:52:40: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.0.0.1[500]
2004-04-27 20:52:40: DEBUG: sockmisc.c:425:sendfromto(): send packet to 10.0.0.10[500]
2004-04-27 20:52:40: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 248 bytes message will be sent to 10.0.0.10[500]
2004-04-27 20:52:43: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 055c6e2d1a6f5cf0:0000000000000000
2004-04-27 20:52:50: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:52:50: DEBUG: pfkey.c:1604:pk_recvacquire(): ignore the acquire because ph2 found
2004-04-27 20:52:53: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.10->10.0.0.1
2004-04-27 20:52:53: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
2004-04-27 20:53:00: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:53:00: DEBUG: pfkey.c:1620:pk_recvacquire(): suitable outbound SP found: 0.0.0.0/0[0] 10.0.0.0/24[0] proto=any dir=out.
2004-04-27 20:53:00: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff944: 10.0.0.0/24[0] 0.0.0.0/0[0] proto=any dir=in
2004-04-27 20:53:00: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a1c08: 10.0.0.0/24[0] 0.0.0.0/0[0] proto=any dir=in
2004-04-27 20:53:00: DEBUG: pfkey.c:1636:pk_recvacquire(): suitable inbound SP found: 10.0.0.0/24[0] 0.0.0.0/0[0] proto=any dir=in.
2004-04-27 20:53:00: DEBUG: pfkey.c:1675:pk_recvacquire(): new acquire 0.0.0.0/0[0] 10.0.0.0/24[0] proto=any dir=out
2004-04-27 20:53:00: DEBUG: sainfo.c:112:getsainfo(): anonymous sainfo selected.
2004-04-27 20:53:00: DEBUG: proposal.c:828:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2004-04-27 20:53:00: DEBUG: proposal.c:862:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-sha)
2004-04-27 20:53:00: DEBUG: proposal.c:862:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-md5)
2004-04-27 20:53:00: DEBUG: proposal.c:862:printsatrns(): (trns_id=BLOWFISH encklen=448 authtype=hmac-sha)
2004-04-27 20:53:00: DEBUG: proposal.c:862:printsatrns(): (trns_id=BLOWFISH encklen=448 authtype=hmac-md5)
2004-04-27 20:53:06: DEBUG: proposal.c:862:printsatrns(): (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
2004-04-27 20:53:06: DEBUG: proposal.c:862:printsatrns(): (trns_id=RIJNDAEL encklen=128 authtype=hmac-md5)
2004-04-27 20:53:06: DEBUG: remoteconf.c:129:getrmconf(): anonymous configuration selected for 10.0.0.10.
2004-04-27 20:53:06: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2004-04-27 20:53:06: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.0.0.1[500]
2004-04-27 20:53:06: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.0.0.1[500]
2004-04-27 20:53:06: DEBUG: sockmisc.c:425:sendfromto(): send packet to 10.0.0.10[500]
2004-04-27 20:53:06: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 248 bytes message will be sent to 10.0.0.10[500]
2004-04-27 20:53:06: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 055c6e2d1a6f5cf0:0000000000000000
2004-04-27 20:53:06: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:53:06: DEBUG: pfkey.c:1604:pk_recvacquire(): ignore the acquire because ph2 found
2004-04-27 20:53:13: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:53:13: DEBUG: pfkey.c:1604:pk_recvacquire(): ignore the acquire because ph2 found
2004-04-27 20:53:24: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:53:24: DEBUG: pfkey.c:1604:pk_recvacquire(): ignore the acquire because ph2 found
2004-04-27 20:53:26: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.0.0.1[500]
2004-04-27 20:53:26: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.0.0.1[500]
2004-04-27 20:53:26: DEBUG: sockmisc.c:425:sendfromto(): send packet to 10.0.0.10[500]
2004-04-27 20:53:26: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 248 bytes message will be sent to 10.0.0.10[500]
2004-04-27 20:53:26: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 055c6e2d1a6f5cf0:0000000000000000
2004-04-27 20:53:34: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:53:34: DEBUG: pfkey.c:1604:pk_recvacquire(): ignore the acquire because ph2 found
2004-04-27 20:53:37: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.10->10.0.0.1
2004-04-27 20:53:37: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
2004-04-27 20:53:45: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:53:45: DEBUG: pfkey.c:1620:pk_recvacquire(): suitable outbound SP found: 0.0.0.0/0[0] 10.0.0.0/24[0] proto=any dir=out.
2004-04-27 20:53:45: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff944: 10.0.0.0/24[0] 0.0.0.0/0[0] proto=any dir=in
2004-04-27 20:53:45: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a1c08: 10.0.0.0/24[0] 0.0.0.0/0[0] proto=any dir=in
2004-04-27 20:53:45: DEBUG: pfkey.c:1636:pk_recvacquire(): suitable inbound SP found: 10.0.0.0/24[0] 0.0.0.0/0[0] proto=any dir=in.
2004-04-27 20:53:45: DEBUG: pfkey.c:1675:pk_recvacquire(): new acquire 0.0.0.0/0[0] 10.0.0.0/24[0] proto=any dir=out
2004-04-27 20:53:45: DEBUG: sainfo.c:112:getsainfo(): anonymous sainfo selected.
2004-04-27 20:53:45: DEBUG: proposal.c:828:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2004-04-27 20:53:45: DEBUG: proposal.c:862:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-sha)
2004-04-27 20:53:45: DEBUG: proposal.c:862:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-md5)
2004-04-27 20:53:45: DEBUG: proposal.c:862:printsatrns(): (trns_id=BLOWFISH encklen=448 authtype=hmac-sha)
2004-04-27 20:53:45: DEBUG: proposal.c:862:printsatrns(): (trns_id=BLOWFISH encklen=448 authtype=hmac-md5)
2004-04-27 20:53:45: DEBUG: proposal.c:862:printsatrns(): (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
2004-04-27 20:53:45: DEBUG: proposal.c:862:printsatrns(): (trns_id=RIJNDAEL encklen=128 authtype=hmac-md5)
2004-04-27 20:53:45: DEBUG: remoteconf.c:129:getrmconf(): anonymous configuration selected for 10.0.0.10.
2004-04-27 20:53:45: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2004-04-27 20:53:46: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:53:46: DEBUG: pfkey.c:1604:pk_recvacquire(): ignore the acquire because ph2 found
2004-04-27 20:53:46: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.0.0.1[500]
2004-04-27 20:53:46: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.0.0.1[500]
2004-04-27 20:53:46: DEBUG: sockmisc.c:425:sendfromto(): send packet to 10.0.0.10[500]
2004-04-27 20:53:46: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 248 bytes message will be sent to 10.0.0.10[500]
2004-04-27 20:53:46: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 055c6e2d1a6f5cf0:0000000000000000
2004-04-27 20:53:57: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:53:57: DEBUG: pfkey.c:1604:pk_recvacquire(): ignore the acquire because ph2 found
2004-04-27 20:54:06: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.0.0.1[500]
2004-04-27 20:54:06: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.0.0.1[500]
2004-04-27 20:54:06: DEBUG: sockmisc.c:425:sendfromto(): send packet to 10.0.0.10[500]
2004-04-27 20:54:06: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 248 bytes message will be sent to 10.0.0.10[500]
2004-04-27 20:54:06: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 055c6e2d1a6f5cf0:0000000000000000
2004-04-27 20:54:07: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2004-04-27 20:54:07: DEBUG: pfkey.c:1604:pk_recvacquire(): ignore the acquire because ph2 found
^C2004-04-27 20:54:10: INFO: session.c:299:check_sigreq(): caught signal 2
2004-04-27 20:54:10: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey FLUSH message
2004-04-27 20:54:10: DEBUG: schedule.c:210:sched_scrub_param(): an undead schedule has been deleted.
2004-04-27 20:54:11: DEBUG: pfkey.c:333:pfkey_dump_sadb(): call pfkey_send_dump
2004-04-27 20:54:11: DEBUG: schedule.c:210:sched_scrub_param(): an undead schedule has been deleted.
2004-04-27 20:54:11: INFO: session.c:180:close_session(): racoon shutdown

--
Dan Langille : http://www.langille.org/
BSDCan - http://www.bsdcan.org/

From owner-freebsd-security@FreeBSD.ORG Tue Apr 27 22:00:11 2004
Date: Wed, 28 Apr 2004 04:56:11 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Dan Langille
cc: freebsd-security@FreeBSD.org
In-Reply-To: <408ECCFB.2846.3587C13A@localhost>
Subject: Re: IPsec works, but racoon/IKE does not

On Tue, 27 Apr 2004, Dan Langille wrote:

> I have no idea whatsoever as to why racoon/IKE does not work here.
> I've tried various how-to documents but found nothing that works for
> me.
>
> Gateway (10.0.0.1) running 4.9-stable.
> Laptop (10.0.0.10) running 5.2.1-release.
...
> I see this on the gateway. Does this mean anything to anyone?
> Thanks.

Not read the log, but this is most likely the problem described in this
thread (along with solutions):

http://lists.freebsd.org/pipermail/freebsd-net/2004-March/003514.html

--
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
56 69 73 69 74                          http://www.zabbadoz.net/

From owner-freebsd-security@FreeBSD.ORG Wed Apr 28 07:24:26 2004
Date: Wed, 28 Apr 2004 10:24:25 -0400
From: "Dan Langille"
To: "Bjoern A. Zeeb"
cc: freebsd-security@FreeBSD.org
Message-ID: <408F8659.26009.385BE5A8@localhost>
References: <408ECCFB.2846.3587C13A@localhost>
Subject: Re: IPsec works, but racoon/IKE does not

On 28 Apr 2004 at 4:56, Bjoern A. Zeeb wrote:

> On Tue, 27 Apr 2004, Dan Langille wrote:
>
> > I have no idea whatsoever as to why racoon/IKE does not work here.
> > I've tried various how-to documents but found nothing that works for
> > me.
> >
> > Gateway (10.0.0.1) running 4.9-stable.
> > Laptop (10.0.0.10) running 5.2.1-release.
> ...
> > I see this on the gateway. Does this mean anything to anyone?
> > Thanks.
>
> Not read the log, but this is most likely the problem described in this
> thread (along with solutions):
>
> http://lists.freebsd.org/pipermail/freebsd-net/2004-March/003514.html

Thank you! That was it. IKE just worked after these mods to my kernel:

remove:
  options         IPSEC
  options         IPSEC_ESP
  options         IPSEC_DEBUG
  options         INET6

add:
  options         FAST_IPSEC
  device          crypto

man fast_ipsec told me that there is no support for IPv6, which eventually
led me to remove INET6 when the kernel would not compile.
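The racoon dump Dan posted earlier in this thread can be read by machine rather than by eye. The following is an added example written for this archive, not code from the thread or from racoon: a small parser for the ISAKMP header and generic payload chain of RFC 2408, fed the 248 bytes from the plogdump() line (re-typed here as constructed input). The diagnose() wording is this editor's reading of the fields, not anything racoon prints.

```python
import struct
from ipaddress import IPv4Address

# The 248-byte phase 1 packet racoon dumped in the log above (plogdump line),
# re-typed here as constructed input so the example runs offline.
RACOON_PH1_HEX = """
055c6e2d 1a6f5cf0 00000000 00000000 01100400 00000000 000000f8 04000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010005 80030001 80020002 80040002 0a000084 740d9432 471292e7
904d632f 29a2f3a5 aebdac90 1890488c ed630ccc a630afea 2c12c7c7 5f33aee7
8cab687d e03c0f84 28267175 3674acaf 3105339b 0796e4df 737fcac3 1e3cbdf7
34d1fe6d 0d65c16c 7f0125e6 7a71e10d 55473f4f 6ec53f95 b4d786bd a6656857
a377e251 bedcea49 05cd8477 ff460c16 fbfcd342 aea5ac79 05000014 bf9a051a
8cbfbef6 30991dd7 190ff373 0000000c 011101f4 0a000001
"""

EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}


def parse_isakmp(data: bytes) -> dict:
    """Parse the 28-byte ISAKMP header (RFC 2408 s3.1) and walk the generic
    payload chain (s3.2). Raises ValueError on a truncated or inconsistent packet."""
    if len(data) < 28:
        raise ValueError("packet shorter than the ISAKMP header")
    icookie, rcookie, np, ver, exch, flags, msgid, length = \
        struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"header says {length} bytes, got {len(data)}")
    pkt = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
           "version": f"{ver >> 4}.{ver & 0xF}",
           "exchange_type": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
           "flags": flags, "message_id": msgid, "length": length, "payloads": []}
    off = 28
    while np != 0:
        if off + 4 > len(data):
            raise ValueError(f"payload chain runs past end of packet at {off}")
        nxt, _reserved, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = data[off + 4:off + plen]
        entry = {"type": PAYLOAD_TYPES.get(np, f"unknown({np})"), "len": plen}
        if np == 5 and len(body) >= 8:
            # IPsec DOI identification payload (RFC 2407 s4.6.2): type, protocol, port, data
            id_type, proto, port = struct.unpack("!BBH", body[:4])
            entry["id"] = {"type": id_type, "protocol": proto, "port": port,
                           "data": str(IPv4Address(body[4:8])) if id_type == 1 else body[4:].hex()}
        pkt["payloads"].append(entry)
        off, np = off + plen, nxt
    return pkt


def diagnose(pkt: dict) -> str:
    """What the log is telling you: a first message that never got a reply."""
    if pkt["responder_cookie"] == "00" * 8 and pkt["message_id"] == 0:
        return (f"{pkt['exchange_type']} mode message 1, responder cookie still zero: "
                "the peer never answered, so check the peer's IKE/IPsec setup and any "
                "filter in front of UDP/500 before touching this side's proposal")
    return "exchange is past message 1; the peer is answering"


if __name__ == "__main__":
    pkt = parse_isakmp(bytes.fromhex(RACOON_PH1_HEX))
    print(pkt["exchange_type"], "->", [p["type"] for p in pkt["payloads"]])
    print(diagnose(pkt))
```

Run against the dump it reports an Aggressive mode message with SA, KE, NONCE and ID payloads, an ID of 10.0.0.1 UDP/500, and a zero responder cookie, which matches the "resend phase1 packet 055c6e2d1a6f5cf0:0000000000000000" lines: the gateway kept retransmitting because the laptop side never replied.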

From owner-freebsd-security@FreeBSD.ORG Wed Apr 28 09:31:17 2004
Date: Wed, 28 Apr 2004 12:31:15 -0400
From: Greg Troxel
To: "Crist J. Clark"
cc: freebsd-security@FreeBSD.org
cc: Dan Langille
In-Reply-To: Message from "Crist J. Clark" <20040427184422.GA88369@blossom.cjclark.org>
Message-Id: <20040428163115.6F0611F69@fnord.ir.bbn.com>
Subject: Re: IPsec - got ESP going, but not AH

> Date: Tue, 27 Apr 2004 11:44:22 -0700
> From: "Crist J. Clark"
> To: Greg Troxel
> Cc: Dan Langille , freebsd-security@FreeBSD.org
> Subject: Re: IPsec - got ESP going, but not AH
> Message-ID: <20040427184422.GA88369@blossom.cjclark.org>
>
> On Fri, Apr 23, 2004 at 08:02:15AM -0400, Greg Troxel wrote:
> > While this should probably work, it's more straightforward to use ESP
> > with integrity protection. That is, use a -A hmac-sha1 argument also
> > to ESP. (hmac-md5 is probably still fine, but sha1 goes better
> > strength-wise with rijndael-cbc.)
> >
> > I believe that in tunnel mode AH and ESP integrity are essentially
> > identical - but read RFC2401 and rfc2401bis (i-d from ipsec wg) if you
> > really want to understand.
>
> Not true. ESP integrity does not cover the IP header, only the ESP
> payload. Look at the diagrams in section 3.1 of RFC2406.

I was a bit off here. AH in tunnel mode does authenticate the outer IP
header. But since this header is removed at tunnel egress, and presumably
checked against the SPD or SAD entry, an ICV over the outer header fields
has little additional value once one checks an ICV over the packet and
determines that the packet came from the other SA endpoint.

Whether and how carefully KAME-derived implementations check tunnel headers
against SPD/SAD is another story - I have not investigated this.

> > In transport mode, AH protects parts of
> > the original (and only) IP header.
>
> Not true. AH protects the entire datagram, including payload. Again
> hop down to section 3.1 of RFC2402 for that RFC-ASCII art we all love
> so much.

Sorry - I was being too terse. I meant that it protects part of the IP
header in addition to the payload (which is also protected by ESP).

Really the point I was trying to make (and did so badly) was that for many
uses, ESP with integrity is perfectly adequate and is simpler than AH and
ESP together.
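The exchange above turns on which bytes each ICV covers. As an added illustration (example code written for this archive, not from any poster or from KAME), here is a constructed transport-mode packet with HMAC-SHA-1-96 ICVs computed the way RFC 2402 (AH: IP header with mutable fields zeroed, AH header, payload) and RFC 2406 (ESP: SPI, sequence number, payload and trailer only) lay them out; the key, addresses and payload are made up, and encryption is left out because only ICV coverage is at issue. It goes one step beyond the thread by also checking the case both protect, a tampered payload.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed key for this example only; a real SA gets its key from IKE (racoon).
KEY = b"constructed-demo-key-0123456789abcdef"
AH_MUTABLE_OFFSETS = (1, 6, 7, 8, 10, 11)  # TOS, flags/frag offset, TTL, header checksum


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64, total_len: int = 64) -> bytes:
    """20-byte IPv4 header, no options. Checksum left 0 (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-1-96 (RFC 2404): HMAC-SHA1 truncated to the leftmost 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ah_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """AH transport mode (RFC 2402 s3.3.3.1): ICV over the IP header with mutable
    fields zeroed, the AH header with its ICV field zeroed, and the upper-layer data."""
    hdr = bytearray(ip_hdr)
    for off in AH_MUTABLE_OFFSETS:
        hdr[off] = 0
    # next header (6 = TCP, constructed), payload len (24-byte AH -> 4), reserved, SPI, seq, ICV=0
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, spi, seq) + b"\x00" * 12
    return hmac_sha1_96(key, bytes(hdr) + ah_hdr + payload)


def esp_icv(key: bytes, spi: int, seq: int, encrypted_payload_and_trailer: bytes) -> bytes:
    """ESP with integrity (RFC 2406 s3.3.3): ICV over SPI, sequence number, and the
    (encrypted) payload plus trailer. The IP header is not covered at all."""
    return hmac_sha1_96(key, struct.pack("!II", spi, seq) + encrypted_payload_and_trailer)


def coverage_report() -> dict:
    """Which in-flight modifications does each ICV detect?
    True means the receiver's recomputed ICV still matches (modification NOT detected)."""
    src, dst, spi, seq = "10.0.0.10", "10.0.0.1", 0x1000, 1
    payload = b"constructed upper-layer data (would be ciphertext for ESP)"
    ip = ipv4_header(src, dst, proto=51)          # 51 = AH
    ah = ah_icv(KEY, ip, spi, seq, payload)
    esp = esp_icv(KEY, spi, seq, payload)

    cases = {
        # TTL decrements at every hop: both protocols must tolerate this.
        "ttl_decrement": (ipv4_header(src, dst, 51, ttl=63), payload),
        # Source address rewritten in transit (NAT box, or a forged header).
        "src_ip_rewrite": (ipv4_header("192.0.2.99", dst, 51), payload),
        # A byte of the protected data flipped.
        "payload_tamper": (ip, payload[:5] + b"X" + payload[6:]),
    }
    report = {}
    for name, (ip2, pl2) in cases.items():
        report[name] = {
            "ah_still_verifies": hmac.compare_digest(ah_icv(KEY, ip2, spi, seq, pl2), ah),
            "esp_still_verifies": hmac.compare_digest(esp_icv(KEY, spi, seq, pl2), esp),
        }
    return report


if __name__ == "__main__":
    for case, res in coverage_report().items():
        print(f"{case:15s} AH still verifies: {res['ah_still_verifies']}  "
              f"ESP still verifies: {res['esp_still_verifies']}")
```

The source-address case is the one Crist is pointing at: only the AH ICV changes when the IP header is rewritten, while both ICVs catch a change to the payload and neither is upset by the TTL decrement.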
From owner-freebsd-security@FreeBSD.ORG Thu Apr 29 09:07:14 2004
Date: Thu, 29 Apr 2004 10:03:58 -0600
From: Nick Golder
To: freebsd-security@freebsd.org
Message-ID: <20040429160357.GA6623@gremlin.timing.com>
Subject: Sendmail issues; possible exploit?

On a 4.8-RELEASE-p17 machine running Sendmail 8.12.8p2 we are seeing the
following errors in /var/log/{messages,maillog}:

sm-mta[50018]: i3TDTBcR050018: SYSERR(root): out of memory: Cannot allocate memory

I will include more info as we can gather it.

---
Nick Golder

From owner-freebsd-security@FreeBSD.ORG Thu Apr 29 10:46:28 2004
Date: Thu, 29 Apr 2004 13:46:20 -0400
From: Charles Swiger
To: Nick Golder
cc: freebsd-security@freebsd.org
In-Reply-To: <20040429160357.GA6623@gremlin.timing.com>
Message-Id: <1F9AF010-9A05-11D8-BC40-003065ABFD92@mac.com>
Subject: Re: Sendmail issues; possible exploit?

On Apr 29, 2004, at 12:03 PM, Nick Golder wrote:

> On a 4.8-RELEASE-p17 machine running Sendmail 8.12.8p2 we are seeing
> the following errors in /var/log/{messages,maillog}:
> sm-mta[50018]: i3TDTBcR050018: SYSERR(root): out of memory: Cannot
> allocate memory

The error message suggests that you're running out of swap space. Do you
have excessive numbers of sendmail processes running, perhaps due to
someone mail-bombing your server?

There have been security holes fixed in sendmail since 8.12.8, and 8.12.11
is the most current version. Some of the fixes have been backported to
FreeBSD 4.8 (that's what the p2 means), but I'm not sure whether your
version is completely up-to-date.

--
-Chuck

From owner-freebsd-security@FreeBSD.ORG Thu Apr 29 14:56:43 2004
Date: Thu, 29 Apr 2004 15:56:26 -0600
From: Nick Golder
To: Alex V Eustrop
cc: freebsd-security@freebsd.org
Message-ID: <20040429215626.GA7078@gremlin.timing.com>
References: <20040429160357.GA6623@gremlin.timing.com> <200404291857.i3TIvaap004216@azest.net.mave.ru>
In-Reply-To: <200404291857.i3TIvaap004216@azest.net.mave.ru>
Subject: Re: Sendmail issues; possible exploit?

On 2004-04-29 22:57 +0400, Alex V Eustrop wrote:
> Are you using clamav-milter? There was such trouble with clamav-milter
> from clamav-devel before Apr 2004 on FreeBSD 4.9 (sendmail 8.12.9p2).
> I had that problem with 1.5 minutes or more while transferring a single
> message to sendmail with clamav-milter. Sendmail has no trouble without
> clamav-milter or with another one (for example, the spamass-milter-0.2.0_1 port).
> Clamav was fixed for that bug, but the real problem could be (or not be)
> inside sendmail.
>
> P.S. I am not sure that my message will be posted to freebsd-security@,
> but you can forward it to the upcoming discussion if it's interesting.

It did end up being clamd/clamav-milter. The symptoms began when clamd
exited with a signal 6. Thanks for the suggestions.

-Nick

From owner-freebsd-security@FreeBSD.ORG Sat May 1 05:54:09 2004
Date: Sat, 1 May 2004 08:54:09 -0400
From: andy@lewman.com
To: freebsd-security@freebsd.org
Message-ID: <20040501125409.GA65876@phobos.osem.com>
Subject: chkrootkit and 4.10-prerelease issues?

Has anyone else seen chkrootkit (version 0.43) on 4.10-prerelease or later
report chfn, chsh, and date as infected?

I built world yesterday, and my nightly chkrootkit reports this on run.
I've replaced the binaries with their 4.9 equivalents, and things don't
report as infected. I upgrade the 4.9 machine to 4.10, and chkrootkit
reports them as infected again.

Is this similar to the 5.x issues with chkrootkit?

--
Andrew

From owner-freebsd-security@FreeBSD.ORG Sat May 1 09:36:57 2004
Date: Sun, 2 May 2004 02:35:44 +1000
From: "Mark Picone"
Message-ID: <408C4956002AA4DC@> (added by postmaster@iprimus.com.au)
In-Reply-To: <20040501125409.GA65876@phobos.osem.com>
Subject: RE: chkrootkit and 4.10-prerelease issues?

Probably because chkrootkit doesn't know you built world and is still
checking whether chfn & chsh are infected against 4.9 MD5 sums. I would
suggest reading the manual and seeing how to fix this, or just reinstall it.

- Mark

-----Original Message-----
From: owner-freebsd-security@freebsd.org
[mailto:owner-freebsd-security@freebsd.org] On Behalf Of andy@lewman.com
Sent: Saturday, 1 May 2004 10:54 pm
To: freebsd-security@freebsd.org
Subject: chkrootkit and 4.10-prerelease issues?

Has anyone else seen chkrootkit (version 0.43) on 4.10-prerelease or later
report chfn, chsh, and date as infected?

I built world yesterday, and my nightly chkrootkit reports this on run.
I've replaced the binaries with their 4.9 equivalents, and things don't
report as infected. I upgrade the 4.9 machine to 4.10, and chkrootkit
reports them as infected again.

Is this similar to the 5.x issues with chkrootkit?
--
Andrew

From owner-freebsd-security@FreeBSD.ORG Sat May 1 17:11:23 2004
Date: Sat, 1 May 2004 20:11:18 -0400
From: andy@lewman.com
To: freebsd-security@freebsd.org
Message-ID: <20040502001118.GA15191@phobos.osem.com>
References: <20040501125409.GA65876@phobos.osem.com> <408C4956002AA4DC@>
In-Reply-To: <408C4956002AA4DC@>
Subject: Re: chkrootkit and 4.10-prerelease issues?

Update: I've received a number of replies stating others have the same
problem. I've also received a number of replies basically telling me
"reinstall noob". Obviously, I've reinstalled the port. A fresh 4.10-PR as
cvsup'd "FreeBSD 4.10-PRERELEASE #0: Sat May 1 09:32:14 EDT 2004" has the
same problem. Unless the cvs source is trojaned, I'm leaving this as a
false positive; just like 5.x shows.

-Andrew

On Sun, May 02, 2004 at 02:35:44AM +1000, wts666@iprimus.com.au wrote 1.3K bytes in 35 lines about:
: Probably because chkrootkit doesn't know you built world and is still checking
: whether chfn & chsh are infected against 4.9 MD5 sums, I would suggest
: reading the manual and seeing how to fix this or just reinstall it.
:
: - Mark

--
| Andrew          | e-mail          | web            | gpg/pgp keyid |
|                 | andy@lewman.com | www.lewman.com | AC671F9B      |
"There is no reason for any individual to have a computer in their home."
    -- Ken Olsen, President of DEC, World Future Society Convention, 1977

From owner-freebsd-security@FreeBSD.ORG Sat May 1 22:39:10 2004
Date: Sun, 2 May 2004 07:37:53 +0200
From: Zoran Kolic
To: freebsd-security@freebsd.org
Message-ID: <20040502053753.GA624@kolic.net>
In-Reply-To: <20040501190057.E062D16A4DA@hub.freebsd.org>
Subject: Re: chkrootkit and 4.10-prerelease issues?

> Has anyone else seen chkrootkit (version 0.43) on 4.10-prerelease or
> later report chfn, chsh, and date as infected?
> Is this similar to the 5.x issues with chkrootkit?

Almost always. Mostly "date", but sometimes "ps", "ls"... The first time I
was scared to death. Nice little app with its own secret life.

ZK