Subject: bin/37469: Racoon fails to check lifebyte value in "exact" proposal check mode
To: None <email@example.com, firstname.lastname@example.org>
From: Wolfgang Stukenbrock <Wolfgang.Stukenbrock@nagler-company.com>
Date: 12/03/2007 11:45:01
>Synopsis: Racoon fails to check lifebyte value in "exact" proposal check mode
>Arrival-Date: Mon Dec 03 11:45:01 +0000 2007
>Originator: W. Stukenbrock
>Release: NetBSD 3.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD e010 3.1 NetBSD 3.1 (NSW-svc-ISDN) #0: Mon Nov 26 16:39:15 CET 2007 wgstuken@e010:/usr/src/sys/arch/i386/compile/NSW-svc-ISDN i386
>Description:
There is no way to specify lifebyte information anymore in the current racoon implementation.
But in exact proposal check mode, lifebyte information is checked against the value supplied by the client.
This will lead to a message like "2007-12-03 10:33:11: ERROR: lifebyte mismatched: my:2147483647 peer:0" during
phase 2 setup.
Remark: no lifebyte setup is included in the racoon.conf file. The value 2147483647 is 0x7fffffff.
This forces every peer setup to specify a value of 2147483647 for lifebyte information, which is not what was
intended by the protocol.
This makes exact proposal check mode senseless, less secure or unusable.
Remark: specifying a specific value for lifebyte (and lifetime) can be used as an additional security check for the
client that connects to a VPN server from random IP addresses.
This makes a lot of sense for Windows clients from unknown IP addresses, because Windows does not support
Hybrid-Auth mode. (Either a global password/key is needed for Windows, or a dynamically generated temporary preshared password
must be used for Windows clients. The last (best) choice needs additional support programs on client and server, like the one
I'm currently writing to solve this security issue for our company.)
I've checked the racoon sources in netbsd-4. There is the same problem.
>How-To-Repeat:
Set up a configuration with exact proposal checking and let a client (e.g. Windows 2000 or Windows XP) connect to the system.
>Fix:
The possibility to specify lifebyte information should be re-enabled. Setting a default value of 0x7fffffff makes sense
if nothing is specified.
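As an added illustration (neither racoon's code nor the reporter's), a small C model of the phase 2 proposal_check modes showing why an unconfigurable local lifebyte of 0x7fffffff makes exact mode reject a peer that sends none. The mode names are those of racoon.conf; the comparison rules are simplified for this example, and the peer values are constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Model of racoon's proposal_check modes (names from racoon.conf);
 * the rules below are a simplification written for this example. */
enum check_mode { CHECK_OBEY, CHECK_STRICT, CHECK_CLAIM, CHECK_EXACT };

/* Implicit local lifebyte when racoon.conf sets none, as the
 * report's "my:2147483647" log line shows. */
#define LIFEBYTE_UNSPECIFIED 0x7fffffffUL

struct sa_life {
    uint32_t lifetime; /* seconds */
    uint32_t lifebyte; /* kilobytes; 0 = peer proposed none */
};

/* Compare one limit under the given mode: 1 = acceptable, 0 = mismatch. */
static int check_limit(enum check_mode mode, uint32_t mine, uint32_t peer)
{
    switch (mode) {
    case CHECK_OBEY:   return 1;            /* take whatever the peer offers */
    case CHECK_STRICT: return peer <= mine; /* peer may only be shorter */
    case CHECK_CLAIM:  return 1;            /* accept, then claim own value */
    case CHECK_EXACT:  return peer == mine; /* both limits must match */
    }
    return 0;
}

/* Returns 1 if lifetime and lifebyte both pass, 0 on the first mismatch. */
int check_proposal(enum check_mode mode, struct sa_life mine, struct sa_life peer)
{
    if (!check_limit(mode, mine.lifetime, peer.lifetime)) {
        fprintf(stderr, "ERROR: lifetime mismatched: my:%" PRIu32 " peer:%" PRIu32 "\n",
                mine.lifetime, peer.lifetime);
        return 0;
    }
    if (!check_limit(mode, mine.lifebyte, peer.lifebyte)) {
        fprintf(stderr, "ERROR: lifebyte mismatched: my:%" PRIu32 " peer:%" PRIu32 "\n",
                mine.lifebyte, peer.lifebyte);
        return 0;
    }
    return 1;
}

/* The reported case (constructed values): the server has no lifebyte
 * setting, the client proposes none, exact mode rejects the proposal. */
int reported_case(void)
{
    struct sa_life mine = { 3600, LIFEBYTE_UNSPECIFIED };
    struct sa_life peer = { 3600, 0 };
    return check_proposal(CHECK_EXACT, mine, peer);
}

/* Same exchange once the administrator can configure the local lifebyte. */
int configured_case(uint32_t configured_lifebyte)
{
    struct sa_life mine = { 3600, configured_lifebyte };
    struct sa_life peer = { 3600, 0 };
    return check_proposal(CHECK_EXACT, mine, peer);
}
```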