After a week of chasing a bug that involved a Solaris NFS server and
a Linux NFS client, both running ENskip-0.67 with authentication and
encryption required, I've discovered and fixed a problem with sk_buff
security member values on reassembled datagram fragments.  The server
was sending fragmented UDP datagrams in ENskip's tunneled mode, and
Linux was not preserving the sk_buff security member value of the
ENskip-processed fragments during reassembly.  This caused ENskip to
reject the reassembled datagram because it was not labeled as having
been authenticated and decrypted.

The fix is part of the 2.1.116 kernel distribution.  The *real* fix
will involve a bit more work, because the security member values
associated with the individual fragments should be checked for
consistency before assigning a value to the security member of the
sk_buff corresponding to the reassembled datagram.  I invite the
epsilon worshipers among us to evaluate the feasibility of attacking
a Linux ENskip host, knowing that the security member value of the
first fragment is the only one checked during reassembly.  My gut feel
is that the probability of successfully attacking (DoS attacks included)
such a configuration due to a weakness in ENskip is low, but a more
rigorous discussion might be a useful exercise.

-- 
Bob Tracy               | "Microsoft's biggest and most dangerous
Trident Data Systems    |  contribution to the software industry may
AFIWC/TIPER             |  be the degree to which it has lowered user
[EMAIL PROTECTED]  |  expectations."       - Esther Schindler
                                                  OS/2 Magazine
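As an added illustration (not code from Bob's post or from the kernel), the three reassembly policies the post contrasts, modelled on a constructed stand-in for the sk_buff security member: the original bug (label lost on the reassembled datagram), the 2.1.116 fix (first fragment's label taken as-is), and the "real" fix (all fragments must agree before the reassembled datagram is labelled). The struct, the label values and the fragment layout are assumptions for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical label values standing in for the sk_buff security member:
   SEC_NONE = not protected, SEC_AUTH_ENC = authenticated and decrypted by ENskip. */
enum { SEC_NONE = 0, SEC_AUTH_ENC = 3 };

/* Minimal stand-in for the per-fragment sk_buff fields the check needs. */
struct frag {
    unsigned offset;   /* fragment offset in bytes */
    unsigned len;      /* payload length */
    int security;      /* security member of this fragment's sk_buff */
};

/* Pre-fix behaviour described in the post: the reassembled sk_buff is built
   fresh and never inherits a label, so ENskip rejects every fragmented datagram. */
int reassembled_security_dropped(const struct frag *f, size_t n) {
    (void)f; (void)n;
    return SEC_NONE;
}

/* 2.1.116 behaviour: only the first fragment's label is consulted. */
int reassembled_security_first_only(const struct frag *f, size_t n) {
    return n ? f[0].security : SEC_NONE;
}

/* The stricter rule the post calls for: every fragment must carry the same
   label; any mismatch yields SEC_NONE so the upper layer rejects the datagram
   instead of trusting a label that only part of the payload earned. */
int reassembled_security_consistent(const struct frag *f, size_t n) {
    if (n == 0) return SEC_NONE;
    int label = f[0].security;
    for (size_t i = 1; i < n; i++)
        if (f[i].security != label) return SEC_NONE;
    return label;
}

int main(void) {
    /* Constructed sample: one datagram in three fragments, all ENskip-processed. */
    struct frag good[]  = { {0, 1480, SEC_AUTH_ENC}, {1480, 1480, SEC_AUTH_ENC}, {2960, 200, SEC_AUTH_ENC} };
    /* Constructed sample: same layout, but the middle fragment arrived unlabelled. */
    struct frag mixed[] = { {0, 1480, SEC_AUTH_ENC}, {1480, 1480, SEC_NONE}, {2960, 200, SEC_AUTH_ENC} };
    size_t n = sizeof good / sizeof good[0];
    printf("dropped:    good=%d mixed=%d\n", reassembled_security_dropped(good, n), reassembled_security_dropped(mixed, n));
    printf("first-only: good=%d mixed=%d\n", reassembled_security_first_only(good, n), reassembled_security_first_only(mixed, n));
    printf("consistent: good=%d mixed=%d\n", reassembled_security_consistent(good, n), reassembled_security_consistent(mixed, n));
    return 0;
}
```

Note that "first-only" labels the mixed datagram as authenticated even though one fragment never passed through ENskip; "consistent" is the only policy that both accepts the good datagram and rejects the mixed one.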
