25th Sep 2000 [SBWID-96]
COMMAND
	    IPSEC
SYSTEMS AFFECTED
	    OpenBSD IPSEC
PROBLEM
	    Matthew Franz found the following.  The protocol scanning option
	    (-sO) in 2.54 Beta releases of nmap results in a remote denial of
	    service against OpenBSD 2.7's IPSEC implementation due to its
	    inability to handle tiny AH/ESP packets.
	    Nmap protocol scans repeatedly cycle through IP protocol numbers,
	    attempting to elicit ICMP Protocol Unreachable messages in order
	    to discover which IP protocols (ICMP, TCP, UDP, GRE, AH, ESP,
	    etc.) are active on the target device.
	    The empty AH/ESP packets send OpenBSD 2.7 into debug mode with the
	    following results (more or less):
	
	        panic: m_copydata: null mbuf
	        Stopped at _Debugger+0x4:   leave
	         _panic(....
	         _m_copydata(...
	         _ipsec_common_input(...
	         _esp4_input(....
	         _ipv4_input(....
	         _ipintr(...
	        Bad frame pointer: 0xe3b55e98
	
	    OpenBSD 2.7  was the  only *NIX  IPSEC implementation  found to be
	    susceptible to this type  of scan. Matthew tested  Linux FreeS/WAN
	    himself, and KAME developers reported that FreeBSD (and he assumes
	    NetBSD)  was   *not*  vulnerable.    AIX  and   Solaris  8   IPSEC
	    implementations were not tested.
SOLUTION
	    This  vulnerability  was  reported  to  OpenBSD  developers  on 17
	    September and an advisory  (and patch) was released  the following
	    day.  See
	
	        ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/024_ipsec.patch
	
	    for details.
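
	    The length validation that tiny AH/ESP packets call for, as an
	    added example (not code from this advisory or from the OpenBSD
	    patch): a user-space C classifier that flags IPv4 packets whose
	    AH or ESP payload is shorter than the fixed header.  Function
	    names, verdict values and the sample packet are constructed for
	    illustration; the minimum sizes assumed are the 8-byte ESP header
	    (SPI plus sequence number) and the 12-byte fixed part of AH.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_ESP   50  /* IANA IP protocol numbers */
#define PROTO_AH    51
#define ESP_MIN_HDR 8   /* SPI + sequence number (RFC 2406) */
#define AH_MIN_HDR  12  /* fixed AH fields before the ICV (RFC 2402) */

enum verdict { PKT_OK, PKT_NOT_IPSEC, PKT_BAD_IP, PKT_FRAGMENT, PKT_TINY_IPSEC };

/* Decide whether a raw IPv4 packet carries enough AH/ESP payload for the
 * fixed header that input processing will read. */
enum verdict check_ipsec_len(const uint8_t *pkt, size_t caplen)
{
    if (pkt == NULL || caplen < 20 || (pkt[0] >> 4) != 4)
        return PKT_BAD_IP;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;        /* header length in bytes */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];   /* IP total length */
    if (ihl < 20 || total < ihl || total > caplen)
        return PKT_BAD_IP;
    if (pkt[9] != PROTO_ESP && pkt[9] != PROTO_AH)
        return PKT_NOT_IPSEC;
    /* Non-first fragments do not start with the AH/ESP header. */
    if (((((unsigned)pkt[6] & 0x1f) << 8) | pkt[7]) != 0)
        return PKT_FRAGMENT;
    size_t need = (pkt[9] == PROTO_ESP) ? ESP_MIN_HDR : AH_MIN_HDR;
    return (total - ihl < need) ? PKT_TINY_IPSEC : PKT_OK;
}

/* Constructed sample input: a 20-byte IPv4 header plus zeroed payload. */
size_t make_sample(uint8_t *buf, uint8_t proto, size_t payload_len)
{
    size_t total = 20 + payload_len;
    memset(buf, 0, total);
    buf[0] = 0x45;                    /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;
    buf[9] = proto;
    return total;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = make_sample(buf, PROTO_ESP, 0);   /* header-only ESP packet */
    printf("empty ESP verdict: %d\n", check_ipsec_len(buf, n));
    return 0;
}
```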
	
