I've tried to use IPsec under WinXP in conjunction with FreeSWAN on Linux over
a wireless connection to step around the problems with WEP encryption. After
a small amount of traffic in poor signal conditions, the wireless connection
drops a few packets and the IPsec connection goes dead, requiring a reboot of
the Windows machine.
My initial investigations suggest that Windows XP has a 'window size' of 1 on
the sequence numbers in the IPsec header, i.e. a single dropped packet can
kill the connection! Can anyone confirm this and/or provide any workarounds?
It seems it would be trivial to DoS a Windows IPsec client if you can just
interrupt the network for a few seconds.
On Tue, 20 Apr 2004 05:34 pm, first last wrote:
> Hello everyone,
>
> I have been using IPSec for a while now. I am a fan of it, BUT there's one
> weakness that I'd like to see if there's a way around.
>
> Basically it comes down to source port scanning. Now the thing is, if you have
> a rule that allows traffic to go FROM you:any TO the internet:80, all someone
> has to do is scan from port 80 on their PC. Poof, allowed traffic. So I
> tried to set up more rules, i.e. FROM internet:21,53,80 TO me:21,53,80 and
> block this, hoping that since there's a 2nd, more specific rule it will block
> all connections from any:80 TO me:80, since this traffic should never be
> happening anyway... but nope, doesn't work...
>
> So my question for you is: how can I do a work-around? Is there a registry
> setting I can fix? Set priorities for applying IPSec rules? Anything at all?
>
> The only thing that I can think would work is to make tens of
> thousands of allow rules like ...
>
> FROM any:1200 TO me:80 allow
> FROM any:1201 TO me:80 allow
> FROM any:1202 TO me:80 allow and on and on. I'd have to write a script to
> write a script to make the rules (unless I made 1 script w/ tens of
> thousands of MANUALLY written rules, and that's not gonna happen...)
>
> In case I wasn't too clear, I want to prevent source port scanning from
> revealing everything running on that box, blocking things like
>
> FROM any:80 TO me:80 block
> FROM any:80 TO me:135 block
> FROM any:80 TO me:445 block etc. etc.
>
> Any ideas?
>
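The reply above talks about a sequence-number 'window size' on the IPsec connection. What follows is an added illustration of the general ESP/AH anti-replay sliding window (the scheme in RFC 4303, Appendix A), not code from Windows XP, FreeSWAN or the original poster, and it makes no claim about what window size Windows XP actually uses. Running it with a window of 1 and with the common default of 64 shows what the window does: a packet that arrives out of order behind a newer one is rejected when it falls outside the window, while a packet that is simply lost only moves the window forward.

```python
"""Sliding-window anti-replay check for ESP/AH sequence numbers.

Added illustration in the style of RFC 4303 Appendix A; not the
implementation of any particular IPsec stack. The window of `size`
sequence numbers ends at the highest number accepted so far ("top");
a bitmap records which numbers inside the window have been seen.
"""


class AntiReplayWindow:
    def __init__(self, size=64):
        if size < 1:
            raise ValueError("window size must be >= 1")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        """Return True and record `seq` if it is acceptable, else False."""
        if seq == 0:
            return False    # sequence number 0 is never valid (RFC 4303)
        mask = (1 << self.size) - 1
        if seq > self.top:
            # Newer than anything seen: slide the window up. A gap (lost
            # packets) just shifts zeros in; nothing is rejected.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False    # older than the window: too late, reject
        if self.bitmap & (1 << diff):
            return False    # already seen inside the window: replay
        self.bitmap |= 1 << diff
        return True


def run_sequence(seqs, size):
    """Feed a list of arriving sequence numbers through a fresh window and
    return the accept/reject decision for each."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival orders: a loss (4 never arrives), a reorder
    # (3 arrives after 4) and a replay (2 arrives twice).
    print("loss,   window 1 :", run_sequence([1, 2, 3, 5, 6], 1))
    print("reorder, window 1 :", run_sequence([1, 2, 4, 3], 1))
    print("reorder, window 64:", run_sequence([1, 2, 4, 3], 64))
    print("replay,  window 64:", run_sequence([1, 2, 3, 2], 64))
```

With a window of 1 the reordered packet 3 is rejected because it sits behind the newer packet 4; the lost packet 4 in the first run causes no rejection at all, and the replayed packet 2 in the last run is caught by the bitmap regardless of window size.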
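The quoted post describes a source port scan slipping through a filter that allows "FROM me:any TO internet:80". The added example below is not the Windows IPsec policy engine and not the poster's rules; it models a filter rule of that shape as a mirrored, stateless 5-tuple match (the outbound rule implies the reverse direction inbound), which is enough to show why a probe sent from source port 80 to any port on the host matches, and how a connection-tracking check that only admits replies to sessions the host itself opened closes the hole. Addresses and the packet flow are constructed for the example.

```python
"""Source-port scanning against a mirrored stateless filter rule.

Added illustration; the 'mirrored stateless 5-tuple match' here is a
model of the rule shape in the quoted post, not any vendor's engine.
"""

from dataclasses import dataclass

ME = "192.0.2.10"   # constructed address of the protected host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a TCP segment that opens a connection


def mirrored_rule(src, sport, dst, dport):
    """A mirrored allow rule yields both directions; None means 'any'."""
    return [(src, sport, dst, dport), (dst, dport, src, sport)]


# "FROM me:any TO internet:80 allow", mirrored.
RULES = mirrored_rule(ME, None, None, 80)


def _match(rule, p):
    fields = (p.src, p.sport, p.dst, p.dport)
    return all(r is None or r == v for r, v in zip(rule, fields))


def stateless_allow(p):
    """Stateless filter: any packet matching either direction passes."""
    return any(_match(r, p) for r in RULES)


class StatefulFilter:
    """Same rule, but inbound packets must be replies to a session the
    protected host opened itself."""

    def __init__(self):
        self.sessions = set()

    def allow(self, p):
        if p.src == ME and p.syn and stateless_allow(p):
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        if p.dst == ME:
            return (p.dst, p.dport, p.src, p.sport) in self.sessions
        return False


def demo():
    """Run a constructed packet flow through both filters and return
    (stateless, stateful) decisions for each packet."""
    web, attacker = "198.51.100.5", "203.0.113.7"
    flow = [
        Packet(ME, 1234, web, 80, syn=True),        # host opens a web connection
        Packet(web, 80, ME, 1234),                  # legitimate reply
        Packet(attacker, 80, ME, 135, syn=True),    # probe with source port forced to 80
        Packet(attacker, 1025, ME, 135, syn=True),  # same probe, ordinary source port
    ]
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in flow]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third packet is the scan the post describes: with the stateless mirror it is indistinguishable from a web server's reply and reaches port 135, which is what a scanner does when told to use a fixed source port (nmap's `-g 80` / `--source-port 80`); the stateful check rejects it because no session to 203.0.113.7:80 was ever opened from the host.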