
IPsec Vulnerabilities and Software Security Prediction - wglb
https://www.altsci.com/ipsec/
======
616c
So I know many people use OpenVPN these days, but does anyone use L2TP/IPSec
or IPSec? I ask because when recently searching this topic, despite the
author mentioning lots of dated materials, most of what I find is archaic.
This post mentions ipsec-tools, but it has been clear that since the IPSec
changes/patches went inline into the kernel for 2.6.x and beyond, these have
slowly become more relevant over time, and that ipsec-tools and/or racoon to
do L2TP and IPSec or pure IPSec is generally outdated and now only really
suited to the BSDs because, as the article mentions, it is more germane to
that architecture.

And the difference between FreeSWAN, LibreSWAN, and StrongSWAN was very
confusing to me until I read this.

[http://serverfault.com/questions/173158/strongswan-vs-openswan/225374#225374](http://serverfault.com/questions/173158/strongswan-vs-openswan/225374#225374)

I mean setting up VPN is no trivial pursuit, but the amount of effort to set
any of these up to use native VPN clients for my mobile (Android devices)
encouraged me to potentially consider StrongSWAN once I really review the
documentation and learn as much as I can.

What are others doing?

Thanks for the cool article either way.

~~~
dhess
I use IPsec in addition to OpenVPN, primarily because that's all iOS used to
support. Since iOS 5 or 6 (I think; maybe even as late as version 7?), Apple
has allowed third-party VPN apps, so with an "official" OpenVPN client now
available in the iOS App Store, it's not as important as it was. However, I've
left it running as a fallback solution to OpenVPN (some hotel firewalls, for
example, permit IPsec but actively block UDP-based OpenVPN).

I use ipsec-tools, as circa 2012 when I was originally setting this up, it was
the only free software IPsec solution I could get to work with iOS clients,
but based on this vulnerability I've now disabled it and will try StrongSWAN
again.

~~~
brunoqc
You can also use OpenVPN on port 443 as a last resort (only as a last resort
since TCP over TCP is a bad idea[1])

1-
[https://news.ycombinator.com/item?id=2409090](https://news.ycombinator.com/item?id=2409090)

~~~
dhess
Yes, I do that as well, but I think that IPsec is a better backup solution.

~~~
616c
In addition, tunneling TCP in TCP to hide OpenVPN behind a HTTP proxy, lest it
look out of place and be easily fingerprinted as OpenVPN on packet analysis is
why I wanted to avoid it this time around.

[https://www.bestvpn.com/blog/5919/how-to-hide-openvpn-traffic-an-introduction/](https://www.bestvpn.com/blog/5919/how-to-hide-openvpn-traffic-an-introduction/)

Plus, since I wanted to better secure my home network AND make it accessible
remotely (in a dorm-like accommodation with enterprise-grade NAT with Cisco
gear), I thought an IPSec tunnel would be optimal as well.

------
bcook
Someone once told me, "you are far too interested in what you have to say". I
think that applies to this write-up.

I mean, it was educational and somewhat entertaining, but the lack of
professionalism bothers even me, and that's saying something... Just stick to
the technical aspects so that people can fix this as quickly as possible.

With all due respect, find a more appropriate soap-box next time. All the
ranting simply caught me off guard in a 0-day announcement.

~~~
Javantea_
Thank you for the comment. I didn't have enough time to finish the paper, so
it is more than a little rough around the edges. I have intentionally reduced
professionalism in this paper to save time and energy so that I can spend it
on more effective pursuits. The reason I tacked on the whole question of "Was
IPsec itself poorly designed?" "Why didn't this get reported in 2013?" "What
should we do about software vulnerability?" was to get interest from people
who generally get nothing from a vulnerability announcement in software they
don't use. Thus, the audience of this paper is very different from the
traditional audience of people who read vulnerability announcements by the
hundreds. Like another user commented, I tried very hard to put the important
stuff first so that people like you could stop reading when they became
disinterested.

You have convinced me to release a version of the report without the soapbox
for people like you: [https://www.altsci.com/ipsec/ipsec-tools-sa.html](https://www.altsci.com/ipsec/ipsec-tools-sa.html)

~~~
bcook
Although my post did have legitimate reasons for criticizing, I really just
meant to poke a little fun at someone who is obviously more dedicated and
passionate than the majority.

I meant no harm. You are most probably accomplishing the types of things in
the security field that I can only dream about. /me stares off into space,
thinking of a day when I might discover a vital 0-day.

Congrats on the discovery!

------
twunde
FYI, this seems to affect some configurations but not all configurations. I
had one member of the NYC BSD group run these against his IPSec configuration
with just errors, but he then set up an IPSec using the OP's configuration and was
able to reproduce the coredumps.

~~~
Javantea_
Thank you very much for testing this exploit. The vulnerability is in gssapi.c
which is only compiled in if HAVE_GSSAPI is defined. This is an optional
configuration parameter, so it sounds like the configuration you tested did
not have GSSAPI/kerberos enabled. That's good news for users who have a
similar setup, it will give them ample time to switch to a different IPsec
implementation.

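One practical follow-up to the point above about gssapi.c only being compiled in when HAVE_GSSAPI is defined: a quick way to see whether an installed racoon binary was built that way is to check whether it links against a GSSAPI library. The script below is an added example, not code from the thread or from the ipsec-tools project. It assumes a GSSAPI-enabled build is dynamically linked against a library whose name contains "gssapi" (such as libgssapi_krb5); the sample ldd output embedded in it is constructed for illustration.

```shell
#!/bin/sh
# Added example: detect whether a racoon binary was built with GSSAPI support
# by inspecting its dynamic link dependencies. Assumption: a GSSAPI build is
# dynamically linked against a library whose name contains "gssapi". A
# statically linked build will not show this and needs another check.

# Returns 0 if ldd-style output on stdin mentions a GSSAPI library, 1 otherwise.
gssapi_in_ldd_output() {
    grep -qi 'libgssapi'
}

# Wrapper: run ldd on a binary path and feed its output to the checker.
# Returns 0 (linked), 1 (not linked) or 2 (path is not an executable).
racoon_has_gssapi() {
    bin="$1"
    [ -x "$bin" ] || { echo "no such executable: $bin" >&2; return 2; }
    ldd "$bin" 2>/dev/null | gssapi_in_ldd_output
}

# Constructed sample output imitating ldd on a GSSAPI-enabled build.
SAMPLE_WITH_GSSAPI='linux-vdso.so.1 (0x00007ffd00000000)
    libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0100000000)'

# Constructed sample output imitating ldd on a build without GSSAPI.
SAMPLE_WITHOUT_GSSAPI='linux-vdso.so.1 (0x00007ffd00000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0100000000)'

# Usage: sh check-racoon-gssapi.sh /usr/sbin/racoon
if [ -n "${1:-}" ]; then
    if racoon_has_gssapi "$1"; then
        echo "$1: GSSAPI library linked; gssapi.c is likely compiled in"
    else
        echo "$1: no GSSAPI library linked"
    fi
fi
```

A missing libgssapi link is a good sign but not proof: a statically linked build or a distribution that patches the build differently would need the package's build options inspected directly.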
------
bredanbrooke
I would recommend IPVanish: with exceptional performance combined with
outstanding online security, IPVanish VPN will keep you from all kinds of
threats present on the internet and it allows internet freedom. With 150+
servers located all over the world as well as securing your data with safe
encryption tunnels along with protocols, IPVanish will keep cyber-goons away and
also protect your privacy. Take a look at this review:
[http://www.bestvpnprovider.com/ipvanish-review/](http://www.bestvpnprovider.com/ipvanish-review/)

------
redwards510
What does GLSA stand for? It's near the bottom where he is listing software
that should be replaced. It sounds like it means "vulnerability".

~~~
Javantea_
Gentoo Linux Security Advisories. See here:
[https://security.gentoo.org/glsa/](https://security.gentoo.org/glsa/)

~~~
redwards510
Is the number of vulnerabilities for a product really a good indicator of its
quality? I seem to remember a year-end report showing Google Chrome as the
browser with the most security bugs found, but some people said that
was because they pay the most in their bug bounty program.

~~~
Javantea_
No, by itself the number of vulnerabilities patched is only useful in telling
us which software has been tested and found to be lacking in the past. Along
with other metrics (severity, static analysis results, code quality,
complexity, reports by an independent auditor, availability of a testing
framework, and competitor quality), this can be used to decide which projects
need to be replaced or improved upon.

The reason that many vulnerabilities have been found in Chrome is because it
is a very large and complex project. The bug bounty only gives people the
necessary additional motivation to work on it during business hours. Other
projects that lack bug bounties have found similar numbers of bugs (Wireshark
and ClamAV to name a few) due to their complexity.

