Bug 8284

Summary: IPsec anti-replay window management flaw
Product: Networking
Reporter: Didier Schrapf (didier.schrapf)
Component: IPV4
Assignee: Stephen Hemminger (stephen)
Status: REJECTED WILL_NOT_FIX
Severity: normal
Priority: P2
Hardware: i386
OS: Linux
Kernel Version: 2.6.20.4
Subsystem:
Regression: ---
Bisected commit-id:
Attachments: Validate replay window <= 32

Description Didier Schrapf 2007-03-30 01:06:13 UTC
The IPsec ESP/AH anti-replay window size is configurable, 64 being the value 
recommended by RFC 2406.
Linux kernels use a 32 bit bitmap to check whether a sequence number has 
already been received.

When a packet is received, if its seq is lower than the greatest received seq,
and if the difference is greater than 32, the check doesn't work.
This constitutes a security flaw.

The faulty code is in net/xfrm/xfrm-state.c, functions xfrm_replay_check() and 
xfrm_replay_advance().
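To make the failure mode concrete, here is an added example (written for this page, not the kernel's xfrm code) of the RFC 2401 Appendix C sliding-window check that the report refers to. The struct and function names are this example's own. The bitmap width is carried as a field so that the configuration step can refuse a window the bitmap cannot represent, which is exactly the mismatch described above (a 64-packet window over a 32-bit bitmap); with a 64-bit bitmap the same code tracks the full RFC-recommended window, and the constructed traffic shows a replay 40 packets behind the window edge being caught while a genuinely late packet 55 behind is still accepted once.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical anti-replay state following the RFC 2401 Appendix C
 * sliding window.  Field names are this example's own, not the kernel's
 * struct xfrm_replay_state. */
struct replay_state {
    uint32_t seq;          /* highest sequence number accepted so far */
    uint64_t bitmap;       /* bit d set => (seq - d) has been received */
    unsigned window;       /* configured window size in packets */
    unsigned bitmap_bits;  /* bits of the bitmap actually available */
};

#define MAX_BITMAP_BITS 64u

/* Configure the window.  Returns false when the window is larger than the
 * bitmap can represent: the consistency check the bug's attachment adds,
 * here for whichever bitmap width the state carries. */
static bool replay_init(struct replay_state *st, unsigned window, unsigned bitmap_bits)
{
    if (window == 0 || bitmap_bits == 0 || bitmap_bits > MAX_BITMAP_BITS)
        return false;
    if (window > bitmap_bits)
        return false;              /* e.g. window 64 with a 32-bit bitmap */
    st->seq = 0;
    st->bitmap = 0;
    st->window = window;
    st->bitmap_bits = bitmap_bits;
    return true;
}

/* 0 = fresh packet, -1 = replayed, too old, or invalid.  No state change. */
static int replay_check(const struct replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return -1;                 /* ESP/AH counters start at 1 */
    if (seq > st->seq)
        return 0;                  /* ahead of the window: new */
    uint32_t diff = st->seq - seq;
    if (diff >= st->window)
        return -1;                 /* fell off the left edge of the window */
    if (st->bitmap & ((uint64_t)1 << diff))
        return -1;                 /* already received */
    return 0;
}

/* Record an accepted sequence number (call only after replay_check passed). */
static void replay_advance(struct replay_state *st, uint32_t seq)
{
    if (seq > st->seq) {
        uint32_t diff = seq - st->seq;
        /* slide the window right; a jump wider than the bitmap clears it */
        st->bitmap = diff < st->bitmap_bits ? (st->bitmap << diff) | 1 : 1;
        st->seq = seq;
    } else {
        st->bitmap |= (uint64_t)1 << (st->seq - seq);  /* diff < window <= bits */
    }
}

/* Check-then-record, as a receiver would after authenticating each packet. */
static int replay_receive(struct replay_state *st, uint32_t seq)
{
    int rc = replay_check(st, seq);
    if (rc == 0)
        replay_advance(st, seq);
    return rc;
}

/* Constructed traffic: seq 1..100 in order except 45 (lost or delayed).
 * Returns true when every verdict is the expected one for window 64. */
static bool demo_window64(void)
{
    struct replay_state st;
    if (!replay_init(&st, 64, 64))
        return false;
    for (uint32_t s = 1; s <= 100; s++)
        if (s != 45 && replay_receive(&st, s) != 0)
            return false;
    bool ok = true;
    ok &= replay_receive(&st, 60) == -1;   /* 40 behind: replay, caught by bit 40 */
    ok &= replay_receive(&st, 45) == 0;    /* 55 behind: late but never seen */
    ok &= replay_receive(&st, 45) == -1;   /* now a replay */
    ok &= replay_receive(&st, 30) == -1;   /* 70 behind: outside the window */
    ok &= replay_receive(&st, 101) == 0;   /* advances the window */
    return ok;
}

int main(void)
{
    struct replay_state st;
    printf("window 64 on 32-bit bitmap accepted: %s\n",
           replay_init(&st, 64, 32) ? "yes" : "no");
    printf("window 64 on 64-bit bitmap behaves: %s\n",
           demo_window64() ? "yes" : "no");
    return 0;
}
```

The point of the `window > bitmap_bits` refusal is that a bit test at an offset the bitmap does not have is not a check at all, so the state must never be configured into that situation; widening the bitmap, as the report asks for, is what lets the full 64-packet window be represented.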
Comment 1 Anonymous Emailer 2007-03-30 01:14:52 UTC
Reply-To: akpm@linux-foundation.org

On Fri, 30 Mar 2007 01:06:17 -0700 bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=8284
> 
>            Summary: IPsec anti-replay window management flaw
>     Kernel Version: 2.6.20.4
>             Status: NEW
>           Severity: normal
>              Owner: shemminger@osdl.org
>          Submitter: didier.schrapf@alcatelaleniaspace.com
> 
> 
> The IPsec ESP/AH anti-replay window size is configurable, 64 being the value 
> recommended by RFC 2406.
> Linux kernels use a 32 bit bitmap to check whether a sequence number has 
> already been received.
> 
> When a packet is received, if its seq is lower than the greatest received seq,
> and if the difference is greater than 32, the check doesn't work.
> This constitutes a security flaw.
> 
> The faulty code is in net/xfrm/xfrm-state.c, functions xfrm_replay_check() and 
> xfrm_replay_advance().

Comment 2 Stephen Hemminger 2007-04-03 15:36:26 UTC
Created attachment 11038
Validate replay window <= 32

We need to check that the replay_window value is not bigger than the
bitmap size.
Comment 3 Stephen Hemminger 2007-04-10 10:08:56 UTC
Fixed in 2.6.21-rc6
Comment 4 Didier Schrapf 2007-04-20 05:18:08 UTC
The proposed patch, which consists of limiting the replay window size to 32, 
is not acceptable: RFC 2406 recommends a value of 64, and this value is used 
by many applications.
The bitmap management must be modified in order to cope with values up to 64 
at least (and preferably 128).
Comment 5 Stephen Hemminger 2007-04-25 10:15:22 UTC
Unfortunately, Linux made a mistake in implementing this and the interface
is restricted to 32 bits.  See include/linux/xfrm.h: struct xfrm_replay_state,
the bitmap field was chosen as 32 bits. This is then used in the replay
netlink message to the application.

For binary compatibility, this has to remain the same.