Subject: kern/30821: IPsec-AH is always calculated using the same key in AES-XCBC-MAC
To: None <firstname.lastname@example.org, email@example.com,>
From: None <firstname.lastname@example.org>
Date: 07/24/2005 07:07:00
>Synopsis: IPsec-AH is always calculated using the same key in AES-XCBC-MAC
>Arrival-Date: Sun Jul 24 07:07:00 +0000 2005
>Originator: SUZUKI, Shinsuike
KAME SNAP-users Mailing List
(9149, 9150 and 9153 are the corresponding thread)
AES-XCBC-MAC (an IPsec-AH algorithm) is always calculated using the same key, not the key given from userland applications.
A FreeBSD machine can communicate with any FreeBSD machine using
IPsec-AH with AES-XCBC-MAC, even when it does not have the right key of the target machine.
Since sys/netinet6/ah_aesxcbcmac.c first appeared two years ago.
Establish a IPsec-SA by setkey or IKE daemon,
with AES-XCBC-MAC as an AH algorithm and
a different pre-shared key at each host.
IPsec-SA must not be established in theory, but
actually it's established.
Don't use AES-XCBC-MAC as an IPsec-AH algorithm.
(as far as I know, only FreeBSD, NetBSD and USAGI(Linux) supports it. So it's not a bad workaround)
Available at the following URL: