 From:  "William Fulton" <wfulton at thirdhatch dot com>
 To:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Vulnerabilities in IPSEC using ESP
 Date:  Wed, 18 May 2005 18:38:24 -0700

Thank you so much for looking into this for us!  I appreciate all of the
help this list has been and continues to be.

Thanks again,


> -----Original Message-----
> From: Chris Buechler [mailto:cbuechler at gmail dot com]
> Sent: Tuesday, May 17, 2005 11:13 PM
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Vulnerabilities in IPSEC using ESP
> On 5/13/05, William Fulton <wfulton at thirdhatch dot com> wrote:
> > Folks,
> >
> > I would recommend this as a good read.  Can anyone tell me if
> > is vulnerable to this problem using aggressive mode?
> >
> > http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en
> >
> From what I've looked at (and I've dug and dug), it doesn't appear
> m0n0wall is affected because it doesn't allow you to set up the types
> of connections that are vulnerable.  Manuel agrees, but neither of us
> has really found anything completely conclusive.
> Part of an email from Manuel to me explains it very well:
> --
> ESP is only affected when used without integrity
> protection, i.e. without a hash algorithm. m0n0wall doesn't even
> allow that configuration (you need to select at least one encryption
> and one hash algorithm), even though it's possible to use setkey to
> define an SA with encryption only and no hashing (I've never heard of
> anyone doing that though). So I wouldn't judge the severity of that
> issue to be that high, since anybody who's in their right state of
> mind wouldn't use ESP with encryption only (I think that like
> m0n0wall, most commercial products won't even let you do it).
> AH alone doesn't seem to be affected; the way I interpret it is that
> the advisory merely says that using AH in transport mode tunneled
> inside ESP won't make the problem go away, but that's another very
> exotic configuration that m0n0wall doesn't even support.
> --
> If anybody finds anything to suggest differently, please let Manuel
> and/or me know.
> -Chris
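Manuel's point above is that the advisory only bites when ESP is used with encryption and no hash algorithm, a combination m0n0wall's GUI refuses but that setkey will happily install. The following audit script is an added example, not code from the thread or from m0n0wall: it parses a constructed setkey(8) SAD configuration (placeholder keys, made-up addresses) and reports any ESP SA that has an `-E` encryption algorithm but no `-A` authentication algorithm, which is the configuration the advisory covers.

```python
# Constructed sample of a setkey(8) SAD configuration, not from the thread;
# keys are placeholders, not real key material.
SAMPLE_SETKEY_CONF = """
# tunnel A: ESP with encryption and a hash algorithm (m0n0wall's minimum)
add 10.0.0.1 10.0.0.2 esp 0x1001 -m tunnel
    -E aes-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1 0x000102030405060708090a0b0c0d0e0f10111213 ;

# tunnel B: ESP with encryption only, the configuration the advisory covers
add 10.0.0.2 10.0.0.1 esp 0x1002 -m tunnel
    -E 3des-cbc 0x000102030405060708090a0b0c0d0e0f1011121314151617 ;

# AH-only SA: integrity without confidentiality, not flagged by this check
add 10.0.0.1 10.0.0.3 ah 0x2001 -m transport
    -A hmac-md5 0x000102030405060708090a0b0c0d0e0f ;
"""

def parse_setkey_adds(conf):
    """Yield one dict per 'add' statement: src, dst, proto, spi, ealgo, aalgo."""
    # Strip '#' comments line by line, then split into ';'-terminated statements.
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    for stmt in text.split(";"):
        tokens = stmt.split()
        if len(tokens) < 5 or tokens[0] != "add":
            continue
        sa = {"src": tokens[1], "dst": tokens[2], "proto": tokens[3].lower(),
              "spi": tokens[4], "ealgo": None, "aalgo": None}
        for i, tok in enumerate(tokens):
            if tok == "-E" and i + 1 < len(tokens):
                sa["ealgo"] = tokens[i + 1]      # encryption algorithm
            elif tok == "-A" and i + 1 < len(tokens):
                sa["aalgo"] = tokens[i + 1]      # authentication (hash) algorithm
        yield sa

def esp_without_integrity(conf):
    """Return the ESP SAs whose packets are encrypted but not authenticated."""
    return [sa for sa in parse_setkey_adds(conf)
            if sa["proto"] == "esp" and sa["ealgo"] and not sa["aalgo"]]

if __name__ == "__main__":
    for sa in esp_without_integrity(SAMPLE_SETKEY_CONF):
        print(f"ESP SA spi={sa['spi']} {sa['src']}->{sa['dst']} "
              f"uses {sa['ealgo']} with no hash algorithm")
```

Run against a real `setkey -f` input file, it reports only the second tunnel; the remediation is to add an `-A` algorithm (or, in m0n0wall, simply to keep using the GUI, which requires one).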