Vulnerability Development mailing list archives

Re: IPSec research potential problem areas.


From: patrick.denton () HANAUER NET (Patrick Denton)
Date: Sat, 25 Mar 2000 14:55:41 -0800


I might be clarifying the obvious here but for those who don't know here
goes:

We've implemented an IPSEC cloud nationwide to five remote sites.  One of the
problems we saw first was packet size issues.  The IPSEC header adds
additional bytes to the original packet, thus making a packet that goes over
the max MTU size.  This caused problems for both NT and Unix flavored
machines VPN wide.  The primary and really only symptom of this was terrible
throughput performance across the board on the VPN side.  For NT boxes we had
to hack registry entries to restrict MTU size down to 1416 and enable
blackhole router detection.  For the Solaris machines we had to ndd -set
/dev/tcp tcp_mss_max 1416 and make appropriate changes in the startup
files.  Also ICMP redirects needed to be allowed through our firewall from
the external VPN routers.  All this because a few lousy bytes get added to
the original packet  =).  Problems ceased once we implemented these changes.

Mike Hudack wrote:

In general, IPSEC seems to be the "be all end all" of encrypted network
traffic.  Unfortunately, there are difficulties.

My company's working on a product which was originally going to use IPSEC
- we ran across several problems, however.

IPSEC, although having been around for a while, seems to be relatively
untested and has several flaws - authentication and handshaking seem to
be the biggest problems we came across, but not the only ones.

In general I feel better recommending other tunneling protocols; we moved
over to a modified SSH implementation.

Good luck,

Mike Hudack
Chief Scientist: Knowledge Propulsion Laboratory
203.838.7129
mhudack () kplab com

On Fri, 24 Mar 2000, Bep Verberk wrote:

I'm trying to locate some research/documents/papers discussing the use
of IPSec to provide enhanced security. Aside from the obvious
performance hit, people seem to be talking like this is the "silver
bullet" for security over IP.

Surely, there must be some inherent flaws ?
What about the need for a trusted key exchange system ? Is that
vulnerable ?

Perhaps a good idea in theory will fall apart due to bad implementations,
riddled with buffer overflow exploits and DOS vulnerabilities ??

Any thoughts, ideas, pointers ?

Cheers.
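
The packet growth Patrick Denton describes at the top of this thread, worked through as an added example that is not part of the original messages: it computes the on-the-wire size of an ESP tunnel-mode packet and the largest inner packet and TCP MSS that still fit a 1500-byte path MTU. Tunnel mode, the transform (3DES-CBC with HMAC-SHA1-96) and all function names are assumptions; the thread does not say which were in use.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EspTransform:
    """Per-packet cost of an ESP transform (assumed values, not from the thread)."""
    block: int  # cipher block size; the payload is padded to a multiple of this
    iv: int     # explicit IV carried in every packet
    icv: int    # truncated integrity check value appended to the packet

# Assumption: 3DES-CBC with HMAC-SHA1-96; the thread names no transform.
TDES_SHA1 = EspTransform(block=8, iv=8, icv=12)

OUTER_IP = 20     # new IPv4 header added in tunnel mode, no options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header, encrypted with the payload

def esp_tunnel_size(inner_len: int, t: EspTransform = TDES_SHA1) -> int:
    """On-the-wire size of an inner IPv4 packet after ESP tunnel-mode encapsulation."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // t.block) * t.block  # round up to the cipher block
    return OUTER_IP + ESP_HDR + t.iv + padded + t.icv

def max_inner_packet(path_mtu: int, t: EspTransform = TDES_SHA1) -> int:
    """Largest inner packet that still fits in path_mtu once encapsulated."""
    room = path_mtu - OUTER_IP - ESP_HDR - t.iv - t.icv
    return (room // t.block) * t.block - ESP_TRAILER

def tcp_mss_for(path_mtu: int, t: EspTransform = TDES_SHA1) -> int:
    """MSS to advertise: inner packet minus 20-byte IPv4 and 20-byte TCP headers."""
    return max_inner_packet(path_mtu, t) - 40

if __name__ == "__main__":
    # 1416 is the MTU value from the thread; the other sizes are constructed.
    for size in (576, 1416, 1446, 1447, 1500):
        wire = esp_tunnel_size(size)
        verdict = "fits" if wire <= 1500 else "needs fragmentation"
        print(f"inner {size:4d} -> wire {wire:4d}  {verdict}")
    print("max inner packet:", max_inner_packet(1500))
    print("TCP MSS:", tcp_mss_for(1500))
```

A full-size 1500-byte inner packet grows past the Ethernet MTU under these assumptions, which is the condition that produces fragmentation or, with DF set and ICMP filtered, silently dropped packets and the poor throughput described above.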

