-----BEGIN PGP SIGNED MESSAGE-----

> To: Richard Guy Briggs 
> Subject: Re: linux-ipsec: OpenBSD enc+auth NOT compliant
> Cc: linux-ipsec@clinet.fi (linux ipsec)
> Date: 03/23/98, 12:09:54
> 
> 
> In message <199803231600.LAA07151@conscoop.ottawa.on.ca>, Richard Guy Briggs writes:
> >
> >After beating my head on OpenBSD, instrumenting klips, grovelling (yet
> >again) through standards, I have come to the conclusion that the OpenBSD
> >implementation of ESP using ENC+AUTH options together is NOT compliant
> >with draft-ietf-ipsec-esp-v2-04.  Section 3.3.2 states that "If
> >authentication is selected, encryption is performed first, before the
> >authentication, ...".  The reasons given are reducing replay DoS attacks
> >and to facilitate parallel processing.  The current OpenBSD implementation
> >is calculating the authorisation data *before* encryption.
> 
> That is simply not true. I suspect you have an old version of OpenBSD ?
> Perhaps 2.1 ? The current revision of sys/netinet/ip_esp_new.c is 1.17

I am fairly certain I have OpenBSD 2.2.  The file is dated Oct 2/97 with
version #1.9!  Are you sure these changes didn't happen *after* 2.2 was
released?  In any case, it certainly *has* been updated since.

> I did an informal interop of 3DES-SHA1 less than two weeks ago with
> Dan McDonald (Sun Microsystems) at NDSS and everything worked just
> fine.

Good, I'll go and get new code.

> >I am still getting mysterious 'device busy' errors with the use of /dev/ipsec
> >which appeared only once we started to delete eroutes and SAs.  Either I
> >introduced a bug or it was already there but didn't manifest itself since
> >we had to reboot the kernel or,  more recently, unload the module to clear
> >these out.
> 
> There are some interesting races in the linux routing code (or were,
> last I looked into that) -- if you check some of JI's old code, you'll
> notice that sometimes he's sleep()'ing for 1 second or something.

I'll check it.

> -Angelos

Thanks!

Slainte Mhath, rgb

- --
Richard Guy Briggs -- PGP key available    Auto-Free Ottawa!
rgb at conscoop dot ottawa dot on dot ca   http://www.flora.org/afo/
http://www.achilles.net/~rgb/              Ottawa-Rideau Bioregion, Canada
Please send all spam to root@127.0.0.1
"We left our footprints in the Earth
And punched a hole right through the sky" -- S.Hogarth/J.Helmer(Marillion)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNRaeMt+sBuIhFagtAQEB2wP+PcGBmU12Ah9mTj2qgRffuJoHolt1Z5td
pfDVLN7svMH5XF7pixL7D/4bFx52jnsIlMCkX8XfjZ8gADxeYtEYsozJ6u84dAI2
ucirZTSPnOA5yoxzuuNv5xFL9jKw2h7LUE+9ZUUWkmR1HuL+d4uDf3Kazr36GPvV
P8Xh/37opZU=
=8Ngd
-----END PGP SIGNATURE-----
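The ordering quoted in the message above from draft-ietf-ipsec-esp-v2-04 section 3.3.2, as an added sketch that is not part of the original message and is not OpenBSD or KLIPS code: the sender encrypts and then authenticates, so the receiver can check the ICV over the ciphertext and drop a tampered packet before spending any decryption work. The cipher is a stand-in keystream rather than 3DES, and the packet layout, key sizes and all names are assumptions.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # truncated HMAC-SHA1 ICV length (assumption for this sketch)

def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode); NOT 3DES, illustration only."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + iv + struct.pack(">I", block // 32)).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

def esp_seal(enc_key, auth_key, spi, seq, iv, payload):
    """Sender: encrypt first, then authenticate header + IV + ciphertext."""
    header = struct.pack(">II", spi, seq)
    body = header + iv + _keystream_xor(enc_key, iv, payload)
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

class Receiver:
    def __init__(self, enc_key, auth_key):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.decrypt_calls = 0  # counts how often the costly step runs

    def esp_open(self, packet: bytes):
        """Receiver: check the ICV over the ciphertext before any decryption."""
        if len(packet) < 8 + 8 + ICV_LEN:
            return None  # too short to hold header, IV and ICV
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None  # forged or corrupted: dropped without decrypting
        self.decrypt_calls += 1
        iv, ciphertext = body[8:16], body[16:]
        return _keystream_xor(self.enc_key, iv, ciphertext)

def demo():
    """Constructed keys and packet: one valid, one with a flipped ciphertext bit."""
    rx = Receiver(b"E" * 24, b"A" * 20)
    good = esp_seal(b"E" * 24, b"A" * 20, 0x1000, 1, b"\x00" * 8, b"hello ipsec")
    tampered = good[:20] + bytes([good[20] ^ 1]) + good[21:]
    return rx.esp_open(good), rx.esp_open(tampered), rx.decrypt_calls
```

With authentication computed before encryption instead, the receiver would have to decrypt every packet, including forged ones, before it could check the ICV.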
