Vulnerability Development mailing list archives
Re: IPSec research potential problem areas.
From: patrick.denton () HANAUER NET (Patrick Denton)
Date: Sat, 25 Mar 2000 14:55:41 -0800
I might be clarifying the obvious here, but for those who don't know, here goes:

We've implemented an IPSEC cloud nationwide to five remote sites. One of the problems we saw first was packet size issues. The IPSEC header adds additional bytes to the original packet, thus making a packet that goes over the max MTU size. This caused problems for both NT and Unix flavored machines VPN-wide. The primary and really only symptom of this was terrible throughput performance across the board on the VPN side.

For NT boxes we had to hack registry entries to restrict MTU size down to 1416 and enable blackhole router detection. For the Solaris machines we had to ndd -set /dev/tcp tcp_mss_max 1416 and make appropriate changes in the startup files. Also ICMP redirects needed to be allowed through our firewall from the external VPN routers.

All this because a few lousy bytes get added to the original packet =). Problems ceased once we implemented these changes.

Mike Hudack wrote:
In general, IPSEC seems to be the "be all end all" of encrypted network traffic. Unfortunately, there are difficulties. My company's working on a product which was originally going to use IPSEC - we ran across several problems, however. IPSEC, although having been around for a while, seems to be relatively untested and has several flaws - authentication and handshaking seem to be the biggest problem we came across, but not the only ones. In general I feel better recommending other tunneling protocols; we moved over to a modified SSH implementation.

Good luck,

Mike Hudack
Chief Scientist: Knowledge Propulsion Laboratory
203.838.7129
mhudack () kplab com

On Fri, 24 Mar 2000, Bep Verberk wrote:

I'm trying to locate some research/documents/papers discussing the use of IPSec to provide enhanced security. Aside from the obvious performance hit, people seem to be talking like this is the "silver bullet" for security over IP. Surely, there must be some inherent flaws? What about the need for a trusted key exchange system? Is that vulnerable? Perhaps a good idea in theory will fall apart due to bad implementations, riddled with buffer overflow exploits and DOS vulnerabilities?

Any thoughts, ideas, pointers?

Cheers.
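The size arithmetic behind the MTU problem described in this thread, as an added example that is not part of the original posts: it computes ESP tunnel-mode overhead on IPv4 and the largest TCP MSS that still fits a given link MTU. The transforms listed are assumed for illustration; the thread does not say which ones the VPN used.

```python
# Added example: ESP tunnel-mode size arithmetic (IPv4, no UDP encapsulation).
# The transforms below are assumptions; the thread does not name the ones in use.
from dataclasses import dataclass

OUTER_IPV4 = 20      # new outer IPv4 header added by tunnel mode
ESP_HEADER = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_MIN = 2  # pad-length byte + next-header byte
INNER_IP_TCP = 40    # inner IPv4 (20) + TCP (20) headers, no options


@dataclass(frozen=True)
class EspTransform:
    name: str
    iv_len: int   # explicit IV carried in every packet
    block: int    # cipher block size; the encrypted part is padded to a multiple
    icv_len: int  # truncated integrity check value, 0 when ESP auth is off


TDES_SHA1 = EspTransform("3DES-CBC + HMAC-SHA1-96", 8, 8, 12)
TDES_NOAUTH = EspTransform("3DES-CBC, no ESP auth", 8, 8, 0)
AES_SHA1 = EspTransform("AES-CBC + HMAC-SHA1-96", 16, 16, 12)


def esp_packet_size(inner_len: int, t: EspTransform) -> int:
    """Wire size of one ESP tunnel-mode packet carrying inner_len bytes."""
    align = max(t.block, 4)  # ESP needs at least 4-byte alignment
    # Inner packet plus trailer, rounded up to the alignment boundary.
    encrypted = -(-(inner_len + ESP_TRAILER_MIN) // align) * align
    return OUTER_IPV4 + ESP_HEADER + t.iv_len + encrypted + t.icv_len


def max_tcp_mss(link_mtu: int, t: EspTransform) -> int:
    """Largest TCP MSS whose ESP-wrapped packet still fits in link_mtu."""
    align = max(t.block, 4)
    room = link_mtu - OUTER_IPV4 - ESP_HEADER - t.iv_len - t.icv_len
    inner = (room // align) * align - ESP_TRAILER_MIN
    return inner - INNER_IP_TCP


if __name__ == "__main__":
    for t in (TDES_SHA1, TDES_NOAUTH, AES_SHA1):
        print(f"{t.name}: a 1500-byte packet becomes "
              f"{esp_packet_size(1500, t)} bytes; "
              f"max MSS on a 1500-byte link is {max_tcp_mss(1500, t)}")
```

A clamp value has to be rechecked whenever the transform changes, because the IV, padding and ICV sizes all move the limit.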