Login or Register to Ask a Question and Join Our Community


Security Advisories (RSS)

S-170: KAME Project IPv6 IPComp Vulnerability

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Special Forums Cybersecurity Security Advisories (RSS) S-170: KAME Project IPv6 IPComp Vulnerability
# 1  
Old 02-11-2008
S-170: KAME Project IPv6 IPComp Vulnerability
The KAME project's IPv6 implementation does not properly process IPv6 packets that contain the IPComp header. The risk is LOW. If exploited, this vulnerability may allow an attacker to cause a vulnerable system to crash.


More...
Login or Register to Ask a Question

Previous Thread | Next Thread

5 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Assigning ipv6 to bonding interface - getting old as well as changed ipv6 in ifconfig output

Hi, I have created a bonding bond1 interface with 6 Eth , mode=4. Recently i have changed my old ipv6 to new one and tried to restart as well as reload network service. Post which i can see old as well as changed ipv6 in ifconfig command output. Below are few files and command output for your... (1 Reply)
Discussion started by: omkar.jadhav
1 Replies

2. AIX

creo 44p-170 trendsetter aix 4.3.3.0

Hello Gentlemen, I have a 44p-170 CREO computer that conects to Trendsetter 800 quamtum ans one printer console, I have Problem with cable connections, someone knows how to interconnect whith them, thanks. Please understand that, to ensure a common convening platform, is English only. I have... (0 Replies)
Discussion started by: allanlikan
0 Replies

3. AIX

IBM 44p-170 boot problems

I am trying to install AIX 4.3 on a 44P-170 and am having problems. I have the 44P connected to a laptop through the serial port and am trying to boot from the IBM AIX 4.3 CD and I can only get as far as the SMS (I believe) screen. The current Processor Firmware is sh040616 and the system... (3 Replies)
Discussion started by: SeanU
3 Replies

4. UNIX for Dummies Questions & Answers

IBM 44p-170 boot problems

Post moved to more adequate group: AIX https://www.unix.com/aix/84704-ibm-44p-170-boot-problems.html (2 Replies)
Discussion started by: vbe
2 Replies

5. AIX

connecting to service processor on 44P 170

I dont have an ascii terminal to hook upto this thing, trying to use my laptop but it doesnt seem to want to communicate, is there a special cable i should be using for this? (1 Reply)
Discussion started by: BG_JrAdmin
1 Replies
Login or Register to Ask a Question

LEARN ABOUT NETBSD

kame_ipsec

KAME_IPSEC(4)						   BSD Kernel Interfaces Manual 					     KAME_IPSEC(4)

NAME

     ipsec -- IP security protocol

SYNOPSIS

     #include <sys/types.h>
     #include <netinet/in.h>
     #include <netinet6/ipsec.h>

     options KAME_IPSEC
     options IPSEC_ESP
     options IPSEC_NAT_T
     options IPSEC_DEBUG

DESCRIPTION

     ipsec is the first implemtation of IPSEC in NetBSD.  It is being replaced by fast_ipsec(4).

     The following kernel options are available:

     options IPSEC
     Includes support for the IPsec protocol.  IPSEC will enable secret key management part, policy management part, AH and IPComp.  Kernel binary
     will not be subject to export control in most of countries, even if compiled with IPSEC.  For example, it should be okay to export it from
     the United States of America.  INET6 and IPSEC are orthogonal so you can get IPv4-only kernel with IPsec support, IPv4/v6 dual support kernel
     without IPsec, and so forth.  This option requires INET at this moment, but it should not.

     options IPSEC_DEBUG
     Enables debugging code in IPsec stack.  This option assumes IPSEC.

     options IPSEC_ESP
     Includes support for IPsec ESP protocol.  IPSEC_ESP will enable source code that is subject to export control in some countries (including
     the United States), and compiled kernel binary will be subject to certain restriction.  This option assumes IPSEC.

     options IPSEC_NAT_T
     Includes support for IPsec Network Address Translator Traversal (NAT-T), as described in RFCs 3947 and 3948.  This feature might be patent-
     encumbered in some countries.  This option assumes IPSEC and IPSEC_ESP.

SEE ALSO

     ioctl(2), socket(2), ipsec_set_policy(3), fast_ipsec(4), icmp6(4), intro(4), ip6(4), ipsec(4), racoon(8), setkey(8), sysctl(8)

STANDARDS

     Daniel L. McDonald, Craig Metz, and Bao G. Phan, PF_KEY Key Management API, Version 2, RFC, 2367.

HISTORY

     The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack.

BUGS

     The IPsec support is subject to change as the IPsec protocols develop.

     There is no single standard for policy engine API, so the policy engine API described herein is just for KAME implementation.

     AH and tunnel mode encapsulation may not work as you might expect.  If you configure inbound ``require'' policy against AH tunnel or any
     IPsec encapsulating policy with AH (like ``esp/tunnel/A-B/use ah/transport/A-B/require''), tunneled packets will be rejected.  This is
     because we enforce policy check on inner packet on reception, and AH authenticates encapsulating (outer) packet, not the encapsulated (inner)
     packet (so for the receiving kernel there's no sign of authenticity).  The issue will be solved when we revamp our policy engine to keep all
     the packet decapsulation history.

     Under certain condition, truncated result may be raised from the kernel against SADB_DUMP and SADB_SPDDUMP operation on PF_KEY socket.  This
     occurs if there are too many database entries in the kernel and socket buffer for the PF_KEY socket is insufficient.  If you manipulate many
     IPsec key/policy database entries, increase the size of socket buffer or use sysctl(8) interface.

BSD
								 January 16, 2012							       BSD