Subject: bin/37469: Racoon fails to check lifebyte value in "exact" proposal check mode
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Wolfgang Stukenbrock <Wolfgang.Stukenbrock@nagler-company.com>
List: netbsd-bugs
Date: 12/03/2007 11:45:01
>Number:         37469
>Category:       bin
>Synopsis:       Racoon fails to check lifebyte value in "exact" proposal check mode
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Dec 03 11:45:01 +0000 2007
>Originator:     W. Stukenbrock
>Release:        NetBSD 3.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD e010 3.1 NetBSD 3.1 (NSW-svc-ISDN) #0: Mon Nov 26 16:39:15 CET 2007 wgstuken@e010:/usr/src/sys/arch/i386/compile/NSW-svc-ISDN i386
Architecture: i386
Machine: i386
>Description:
	There is no way to specify lifebyte information anymore in the current racoon implementation.
	But in exact proposal check mode, lifebyte information is checked against the value supplied by the client.
	This will lead to a message like "2007-12-03 10:33:11: ERROR: lifebyte mismatched: my:2147483647 peer:0" during phase 2 setup.
	Remark: the racoon.conf file includes no lifebyte setup. The value 2147483647 is 0x7fffffff.

	This forces every peer setup to specify a value of 2147483647 for lifebyte information, which is not what was
	intended by the protocol.
	This makes exact proposal check mode senseless, less secure or unusable.

	Remark: specifying a specific value for lifebyte (and lifetime) can be used as an additional security check for the
	client that connects to a VPN server from random IP addresses.
	This makes a lot of sense for Windows clients from unknown IP addresses, because Windows does not support
	Hybrid-Auth mode. (Either a global password/key is needed for Windows or a dynamically generated temporary preshared password
	must be used for Windows clients. The last (best) choice needs additional support programs on client and server, like the one
	I'm currently writing to solve this security issue for our company.)

	I've checked the racoon sources in netbsd-4. There is the same problem.
>How-To-Repeat:
	Set up a configuration with exact proposal checking and let a client (e.g. Windows 2000 or Windows XP) connect to the system.
>Fix:
	The possibility to specify lifebyte information should be re-enabled. Setting a default value of 0x7fffffff makes sense
	if nothing is specified.
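As an added illustration for this report (not code from racoon or from the submitter), the following Python models the four proposal_check levels as documented in racoon.conf(5) for a single lifebyte attribute, and applies them to the values from the quoted log line: the responder's defaulted 0x7fffffff against the peer's 0. It assumes a responder value equal to the peer's is accepted under strict and that the hard-coded default is the 0x7fffffff the report describes.

```python
# Model of racoon's proposal_check levels (racoon.conf(5)) for lifebyte only.
# Illustrative code written for this report; it is not racoon's implementation.

# Assumption from the report: with no lifebyte in racoon.conf, the responder
# compares against 0x7fffffff (2147483647 in the quoted log line).
RESPONDER_DEFAULT_LIFEBYTE = 0x7FFFFFFF

LEVELS = ("obey", "strict", "claim", "exact")


def check_lifebyte(level, mine, peer):
    """Return (accepted, negotiated_value, send_responder_lifetime_notify).

    level: one of LEVELS
    mine:  the responder's configured (or defaulted) lifebyte
    peer:  the lifebyte proposed by the initiator (0 in the quoted log)
    """
    if level == "obey":
        # The responder obeys the initiator unconditionally.
        return True, peer, False
    if level == "strict":
        # Responder longer than (or, assumed here, equal to) the initiator:
        # use the initiator's value; responder shorter: reject.
        if mine >= peer:
            return True, peer, False
        return False, None, False
    if level == "claim":
        if mine >= peer:
            return True, peer, False
        # Responder shorter: keep its own value and tell the initiator
        # via a RESPONDER-LIFETIME notify.
        return True, mine, True
    if level == "exact":
        # Any difference is a rejection; this is the report's failure mode.
        if mine != peer:
            return False, None, False
        return True, mine, False
    raise ValueError(f"unknown proposal_check level: {level}")


def outcome_per_level(mine=RESPONDER_DEFAULT_LIFEBYTE, peer=0):
    """Acceptance per level for the responder/peer pair from the report."""
    return {lvl: check_lifebyte(lvl, mine, peer)[0] for lvl in LEVELS}


if __name__ == "__main__":
    for lvl, ok in outcome_per_level().items():
        print(f"{lvl:6s} -> {'accept' if ok else 'reject'}")
    # With lifebyte configurable again, as the report proposes, an
    # administrator can set the value the clients really send.
    print("exact with configured lifebyte 0:", check_lifebyte("exact", 0, 0))
```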

>Unformatted: