search for: ipcomp

Hi, as some IPSec users might be worried about the "BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload" from http://seclists.org/fulldisclosure/2011/Apr/0 , here's some braindump: To be affected it's believed that you need to 1) manually compile in IPSEC (not done in GENERIC or the release), 2) have an entry for ipcomp in your secu...

...ot (nearly) identical linux firewalls on both ends of the link. The problem occurs when I enable compression. As soon as I do this, the firewall starts dropping the VPN traffic on the remote end of the link (regardless of which way I send it). I''ve tried adding a firewall rule to accept IPComp protocol traffic, but this has no effect. I''ve checked lsmod and ipcomp,esp,deflate etc are all loaded properly. Strangely, I noticed in the firewall logs that the protocol being dropped off the VPN link is "0" rather than ESP or IPCOMP. "Oct 16 22:21:02 firewall Shorewal...

TITLE: KAME Project "ipcomp6_input()" Denial of Service CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote DESCRIPTION: A vulnerability has been reported in the KAME Project, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error withi...

...WAN optimizations with linux. My network is composed for MPLS network connecting 200 branches against a central site. I use Linux machines to provide security with IPSEC in the branches and in the central site. Now I''m lookup for techniques for optimization the link. My first ideas was use IPCOMP and proxy to cache traffic of HTTP applications. Somebody have any other idea to get better utilization of WAN links with Linux? I had seen commercial appliances that do dictionary compression and other cool things, but I don''t want to use they. regards, diegows -- -----------------...

...y work. It's a completely updated system, Intel i5 with 16 GB of RAM, nothing remarkable. Any ideas? [root at backup2 ~]# tipc-config -netid=1234 -a=1.1.1 -be=eth:eth0 TIPC module not installed [root at backup2 ~]# modprobe -l | grep -i ipc kernel/sound/pci/snd-cmipci.ko kernel/net/ipv4/ipcomp.ko kernel/net/xfrm/xfrm_ipcomp.ko kernel/net/ipv6/ipcomp6.ko [root at backup2 ~]# uname -a Linux backup2.schoolpathways.com 2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 22:00:00 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux [root at backup2 ~]# yum repolist Loaded plugins: fastestmirror Loading mirror...

...SHA1 In this release: 1) Dynamic Ipsec Zones now work. 2) Output Traffic Accounting by user/group is supported (thanks to Tuomas Jormola). 3) The following negative test options are added in /etc/shorewall/ipsec and /etc/shorewall/masq: reqid!=<number> spi!=<number> proto!=esp|ah|ipcomp mode!=tunnel|transport tunnel-src!=<address>[/<mask>] tunnel-dst!=<address>[/<mask>] 4) Source port mapping is now supported in /etc/shorewall/masq. http://shorewall.net/pub/shorewall/2.1/shorewall-2.1.7 ftp://shorewall.net/pub/shorewall/2.1/shorewall-2.1.7 - -Tom - --...

...option struct extensions: libxt_TOS: Add translation to nft Harsha Sharma (6): iptables: Constify option struct Update .gitignore libxt_TOS: add tests for translation infrastructure tests: xlate: print output in same way as nft-test.py extensions: add tests for ipcomp protocol extensions: libxt_hashlimit: Do not print default timeout and burst James Cowgill (1): extensions: libxt_hashlimit: fix 64-bit printf formats Jan Engelhardt (2): libxtables: remove unnecessary nesting from host_to_ip(6)addr libxtables: abolish AI_CANONNAME Juerge...

...>props.mode == XFRM_MODE_TUNNEL) x->props.header_len += sizeof(struct iphdr); + else if (x->props.mode == XFRM_MODE_BEET) + x->props.header_len += IPV4_BEET_PHMAXLEN; if (x->encap) { struct xfrm_encap_tmpl *encap = x->encap; diff -urN a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c --- a/net/ipv4/ipcomp.c 2007-05-25 12:21:11.000000000 +0300 +++ b/net/ipv4/ipcomp.c 2007-05-25 12:21:11.000000000 +0300 @@ -176,7 +176,7 @@ return 0; out_ok: - if (x->props.mode) + if (x->props.mode == XFRM_MODE_TUNNEL) ip_send_check(iph); ret...

Hi! The Netfilter project proudly presents: iptables 1.6.0 This release includes accumulated fixes and enhancements for the following matches: * ah * connlabel * cgroup * devgroup * dst * icmp6 * ipcomp * ipv6header * quota * set * socket * string and targets: * CT * REJECT * SET * SNAT * SNPT,DNPT * SYNPROXY * TEE We also got rid of the very very old MIRROR and SAME targets and the unclean match, that were removed from the kernel tree long time ago. We also got patches to update different aspe...

...86] invalid opcode: 0000 [#1] SMP > [ 5123.816131] Modules linked in: btrfs(OF) raid1 xt_multiport > xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack > iptable_filter ip_tables x_tables iscsi_tcp libiscsi_tcp libiscsi > scsi_transport_iscsi xfrm_user xfrm4_tunnel tunnel4 ipcomp xfrm_ipcomp > esp4 ah4 8021q garp stp llc bonding deflate zlib_deflate ctr > twofish_generic twofish_x86_64_3way twofish_x86_64 twofish_common > camellia_generic camellia_x86_64 serpent_sse2_x86_64 glue_helper lrw > serpent_generic xts gf128mul blowfish_generic blowfish_x86_64 > blow...

...00000 Apr 5 20:00:21 sydlxfw01 kernel: Oops: 0002 [#1] Apr 5 20:00:21 sydlxfw01 kernel: PREEMPT Apr 5 20:00:21 sydlxfw01 kernel: Modules linked in: rtc nvidia tun l2cap bluetooth nfsd exportfs lockd sunrpc ipt_ULOG defl ate twofish serpent aes_i586 blowfish des sha256 sha1 crypto_null xfrm_user ipcomp esp4 ah4 af_key lp autofs4 capability com moncap ip_nat_ftp ip_conntrack_ftp binfmt_misc binfmt_aout raw ppp_deflate zlib_deflate bsd_comp ppp_async crc_ccitt ppp_gen eric slhc eepro100 eth1394 bridge atm cls_fw cls_u32 sch_sfq sch_htb af_packet ip6t_limit ip6t_LOG ip6t_mac ip6t_MARK ip6tab le_mang...

...Sep 2003 (http://www.openssl.org/) 2004-01-13 13:36:39: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for AH 2004-01-13 13:36:39: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for ESP 2004-01-13 13:36:39: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for IPCOMP 2004-01-13 13:36:39: DEBUG: cftoken.l:549:yycf_set_buffer(): reading config file /usr/local/etc/racoon/racoon.conf 2004-01-13 13:36:39: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024) 2004-01-13 13:36:39: DEBUG: pfkey.c:2310:pk_checkalg(): compression algorithm can not be checked...

...| 2 +- net/ipv4/ah4.c | 1 + net/ipv4/esp4.c | 1 + net/ipv4/fib_semantics.c | 1 + net/ipv4/ip_vti.c | 1 + net/ipv4/ipcomp.c | 1 + net/ipv4/netfilter/ipt_REJECT.c | 1 + net/mac80211/cfg.c | 2 ++ net/netfilter/nf_conntrack_proto_dccp.c | 1 + net/netfilter/nf_tables_api.c...

...| 2 +- net/ipv4/ah4.c | 1 + net/ipv4/esp4.c | 1 + net/ipv4/fib_semantics.c | 1 + net/ipv4/ip_vti.c | 1 + net/ipv4/ipcomp.c | 1 + net/ipv4/netfilter/ipt_REJECT.c | 1 + net/mac80211/cfg.c | 2 ++ net/netfilter/nf_conntrack_proto_dccp.c | 1 + net/netfilter/nf_tables_api.c...

...| 2 +- net/ipv4/ah4.c | 1 + net/ipv4/esp4.c | 1 + net/ipv4/fib_semantics.c | 1 + net/ipv4/ip_vti.c | 1 + net/ipv4/ipcomp.c | 1 + net/ipv4/netfilter/ipt_REJECT.c | 1 + net/mac80211/cfg.c | 2 ++ net/netfilter/nf_conntrack_proto_dccp.c | 1 + net/netfilter/nf_tables_api.c...

...istate "IP: tunneling" depends on INET diff -Nru a/net/ipv4/Makefile b/net/ipv4/Makefile --- a/net/ipv4/Makefile Thu May 22 15:41:57 2003 +++ b/net/ipv4/Makefile Thu May 22 15:41:57 2003 @@ -19,7 +19,6 @@ obj-$(CONFIG_INET_AH) += ah.o obj-$(CONFIG_INET_ESP) += esp.o obj-$(CONFIG_INET_IPCOMP) += ipcomp.o -obj-$(CONFIG_IP_PNP) += ipconfig.o obj-$(CONFIG_NETFILTER) += netfilter/ obj-y += xfrm4_policy.o xfrm4_state.o xfrm4_input.o xfrm4_tunnel.o diff -Nru a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c --- a/net/ipv4/ipconfig.c Thu May 22 15:41:57 2003 +++ /dev/null Wed Dec 31 16:00:00 19...