
Re: linux-ipsec: OpenBSD enc+auth NOT compliant

From: Angelos D. Keromytis <angelos(at)dsl.cis.upenn.edu>
Date: Mon Mar 23 1998 - 12:09:55 EST


To: Richard Guy Briggs <rgb@conscoop.ottawa.on.ca>
Subject: Re: linux-ipsec: OpenBSD enc+auth NOT compliant
Cc: linux-ipsec@clinet.fi (linux ipsec)
Date: 03/23/98, 12:09:54

In message <199803231600.LAA07151@conscoop.ottawa.on.ca>, Richard Guy Briggs writes:
>
>After beating my head on OpenBSD, instrumenting klips, grovelling (yet
>again) through standards, I have come to the conclusion that the OpenBSD
>implementation of ESP using ENC+AUTH options together is NOT compliant
>with draft-ietf-ipsec-esp-v2-04. Section 3.3.2 states that "If
>authentication is selected, encryption is performed first, before the
>authentication, ...". The reasons given are reducing replay DoS attacks
>and to facilitate parallel processing. The current OpenBSD implementation
>is calculating the authorisation data *before* encryption.

That is simply not true. I suspect you have an old version of OpenBSD? Perhaps 2.1? The current revision of sys/netinet/ip_esp_new.c is 1.17.

I did an informal interop of 3DES-SHA1 less than two weeks ago with Dan McDonald (Sun Microsystems) at NDSS and everything worked just fine.

>I am still getting mysterious 'device busy' errors with the use of /dev/ipsec
>which appeared only once we started to delete eroutes and SAs. Either I
>introduced a bug or it was already there but didn't manifest itself since
>we had to reboot the kernel or, more recently, unload the module to clear
>these out.

There are some interesting races in the linux routing code (or were, last I looked into that) -- if you check some of JI's old code, you'll notice that sometimes he's sleep()'ing for 1 second or something.

-Angelos

Received on Mon Mar 23 12:23:45 1998
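The ordering the thread argues about, as an added example that is not from the thread or from OpenBSD's ip_esp_new.c: the sender encrypts first and computes the ICV over SPI, sequence number, IV and ciphertext, and the receiver checks the ICV before doing any decryption, which is why a forged or replayed packet is cheap to reject. The keys are constructed placeholders, and the keystream is an HMAC-SHA1 counter-mode stand-in so the block runs with the standard library; it is not 3DES-CBC.

```python
import hashlib
import hmac
import os
import struct

# Constructed placeholder keys, not values from the thread.
ENC_KEY = b"\x11" * 24   # 3DES-sized key; the cipher below is only a stand-in
AUTH_KEY = b"\x22" * 20  # HMAC-SHA1 key
ICV_LEN = 12             # HMAC-SHA1-96: ESP truncates the SHA1 HMAC to 96 bits

def _keystream(key, spi, seq, iv, n):
    """Stand-in for a real block cipher: HMAC-SHA1 in counter mode.
    It is NOT 3DES-CBC; it only keeps the example self-contained."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr) + iv, hashlib.sha1).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def esp_encapsulate(spi, seq, payload, next_header, iv=None):
    """Draft ordering: encrypt first, then authenticate the ciphertext."""
    iv = iv or os.urandom(8)
    pad_len = (-(len(payload) + 2)) % 8            # pad to the 8-byte block size
    padding = bytes(range(1, pad_len + 1))         # ESP default padding 1,2,3,...
    plaintext = payload + padding + bytes([pad_len, next_header])
    ciphertext = _xor(plaintext, _keystream(ENC_KEY, spi, seq, iv, len(plaintext)))
    authenticated = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(AUTH_KEY, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv

def esp_decapsulate(packet):
    """Receiver verifies the ICV before decrypting; a bad ICV is dropped
    without spending any decryption work on it. Returns None on failure."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    iv, ciphertext = body[8:16], body[16:]
    plaintext = _xor(ciphertext, _keystream(ENC_KEY, spi, seq, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return spi, seq, next_header, plaintext[:-(pad_len + 2)]
```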


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:28 EDT

