Bug ( error ) in IP Security Policy , is there a patch /fix for th

Bug ( error ) in IP Security Policy , is there a patch /fix for th Bill Simard 11-10-2008
Posted by Bill Simard on November 10, 2008, 10:29 pm
I am running 2000 Server and in the IP security policy I can add IP ranges to
block,
ex. 77.0.0.0 with a subnet mask of 255.0.0.0 to block the entire
77.0.0.0-77.255.255.255 range, but

When I try to do this for the higher ranges, ex: 193.0.0.0 with a subnet
mask of 255.0.0.0 to block the entire 193.0.0.0-193.255.255.255 range, it
will not work.

It gives me an Invalid Net Mask message and will not let me go any farther.

I tried this on XP and XP has no problems accepting the higher ranges.

I tried exporting the policy from XP to 2000, but it will not work.

You can go from 2000 to XP, but not vice-versa, must be a compatibility thing.

Does anyone know if there is a fix for 2000 that addresses this issue?

Is there a way to submit this to MS as a bug and not a pay for support issue?

Is there a way to manually edit the ipsec policy file ?

I looked at it with a hex editor, but it is encrypted or written in machine
code that I can't make heads or tails of.

Any help would be greatly appreciated.

Thanks

Bill


Posted by kbits.net on November 12, 2008, 8:56 am
It's not a bug it is in the TCP/IP design. The problem is that you are trying
to use a Class A subnet mask with a Class C IP address range. For Class C
address range the default subnet mask is 255.255.255.0. There are only
certain subnet masks you can use. For Class C there are a handful such as
255.255.255.192. There are sites that discuss subnetting and Cisco books on
the subject as well.

Hope this helps

"Bill Simard" wrote:

> I am running 2000 Server and in the IP security policy I can add IP ranges to
> block,
> ex. 77.0.0.0 with a subnet mask of 255.0.0.0 to block the entire
> 77.0.0.0-77.255.255.255 range, but
>
> When I try to do this for the higher ranges, ex: 193.0.0.0 with a subnet
> mask of 255.0.0.0 to block the entire 193.0.0.0-193.255.255.255 range, it
> will not work.
>
> It gives me an Invalid Net Mask message and will not let me go any farther.
>
> I tried this on XP and XP has no problems accepting the higher ranges.
>
> I tried exporting the policy from XP to 2000, but it will not work.
>
> You can go from 2000 to XP, but not vice-versa, must be a compatibility thing.
>
> Does anyone know if there is a fix for 2000 that addresses this issue?
>
> Is there a way to submit this to MS as a bug and not a pay for support issue?
>
> Is there a way to manually edit the ipsec policy file ?
>
> I looked at it with a hex editor, but it is encrypted or written in machine
> code that I can't make heads or tails of.
>
> Any help would be greatly appreciated.
>
> Thanks
>
> Bill
>

Posted by Alun Jones on November 13, 2008, 12:08 pm
> It's not a bug it is in the TCP/IP design. The problem is that you are
> trying
> to use a Class A subnet mask with a Class C IP address range. For Class C
> address range the default subnet mask is 255.255.255.0. There are only
> certain subnet masks you can use. For Class C there are a handful such as
> 255.255.255.192. There are sites that discuss subnetting and Cisco books
> on
> the subject as well.

I have to respectfully disagree with you there - even in the days of Windows
2000, there was CIDR - Classless Inter-Domain Routing - in which the first
octet does NOT specify the subnet mask to be applied.

Even if that were not the case, the filtering range is something akin to a
router range - though it looks like a subnet mask, it is not a local subnet
mask, and therefore should assume that it's possible that the mask implies a
range that extends across more than one subnet.

Having said that, I doubt that you'll get much impetus behind persuading
Microsoft to fix an operating system that is rapidly approaching its
ten-year anniversary. In OS years, that's akin to too old to be worried
about getting a bikini wax to make yourself more attractive to the young
boys. While 2000 may not be quite end-of-life, it is at least winding down,
and you'll find that Microsoft isn't willing to make fixes that aren't
better addressed some other way. Wouldn't it be cheaper to buy a simple
off-the-shelf honest-to-goodness firewall to plug in front of the server?

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(206)428-1991 | Try our NEW client software, WFTPD Explorer.

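The two readings argued over above, as an added example that is not code from any of the posters: a classful check keyed on the first octet, offered here as an assumed model of why Windows 2000 rejects 193.0.0.0 with 255.0.0.0 (not a documented Microsoft rule), beside the CIDR rule that any contiguous mask is valid, plus the address range each filter actually covers.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed inputs taken from the thread: 77.0.0.0/255.0.0.0 (accepted on
# Windows 2000) and 193.0.0.0/255.0.0.0 (rejected with "Invalid Net Mask").

def mask_is_contiguous(mask: str) -> bool:
    """A usable netmask is a run of 1-bits followed only by 0-bits."""
    m = int(ipaddress.IPv4Address(mask))
    host_bits = (~m) & 0xFFFFFFFF          # 2**k - 1 for a contiguous mask
    return host_bits & (host_bits + 1) == 0

def prefix_length(mask: str) -> int:
    return bin(int(ipaddress.IPv4Address(mask))).count("1")

def classful_default_prefix(addr: str) -> Optional[int]:
    """Historic class A/B/C default prefix keyed on the first octet; None for D/E."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    return None

def classful_accepts(addr: str, mask: str) -> bool:
    """Assumed model of the Windows 2000 UI check: the mask may not be
    shorter than the address's classful default (an assumption, not a
    documented rule)."""
    default = classful_default_prefix(addr)
    return (default is not None and mask_is_contiguous(mask)
            and prefix_length(mask) >= default)

def cidr_accepts(addr: str, mask: str) -> bool:
    """CIDR rule: any contiguous mask is valid; the first octet means nothing."""
    return mask_is_contiguous(mask)

def filter_range(addr: str, mask: str) -> Tuple[str, str]:
    """First and last address a filter entry covers (host bits masked off)."""
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    return str(net.network_address), str(net.broadcast_address)

if __name__ == "__main__":
    for a, m in (("77.0.0.0", "255.0.0.0"), ("193.0.0.0", "255.0.0.0")):
        print(a, m, "classful:", classful_accepts(a, m),
              "cidr:", cidr_accepts(a, m), "range:", filter_range(a, m))
```

Under the classful model the second entry fails while the first passes, which matches the behaviour Bill reports; under CIDR both are fine, which is Alun's point.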


Posted by kbits.net on November 14, 2008, 1:20 pm
As I noted in the end of my post go to an expert source. Pick up a Cisco book
and go to the section on subnet masks and address classes. Don't rely too
heavily on we tech forum eggspurts. Many of us have no certs or educ in the
subject we offer expert advice in. Many are thus insecure and slam those who
did educate and certify themselves. In the end the person who requested the
help received none. But at least an ego was fed. And isn't that the purpose
of this place? Feeding egos?

"Alun Jones" wrote:

> > It's not a bug it is in the TCP/IP design. The problem is that you are
> > trying
> > to use a Class A subnet mask with a Class C IP address range. For Class C
> > address range the default subnet mask is 255.255.255.0. There are only
> > certain subnet masks you can use. For Class C there are a handful such as
> > 255.255.255.192. There are sites that discuss subnetting and Cisco books
> > on
> > the subject as well.
>
> I have to respectfully disagree with you there - even in the days of Windows
> 2000, there was CIDR - Classless Inter-Domain Routing - in which the first
> octet does NOT specify the subnet mask to be applied.
>
> Even if that were not the case, the filtering range is something akin to a
> router range - though it looks like a subnet mask, it is not a local subnet
> mask, and therefore should assume that it's possible that the mask implies a
> range that extends across more than one subnet.
>
> Having said that, I doubt that you'll get much impetus behind persuading
> Microsoft to fix an operating system that is rapidly approaching its
> ten-year anniversary. In OS years, that's akin to too old to be worried
> about getting a bikini wax to make yourself more attractive to the young
> boys. While 2000 may not be quite end-of-life, it is at least winding down,
> and you'll find that Microsoft isn't willing to make fixes that aren't
> better addressed some other way. Wouldn't it be cheaper to buy a simple
> off-the-shelf honest-to-goodness firewall to plug in front of the server?
>
> Alun.
> ~~~~
> --
> Texas Imperial Software | Web: http://www.wftpd.com/
> 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
> Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
> Fax/Voice +1(206)428-1991 | Try our NEW client software, WFTPD Explorer.
>
>
>

Posted by FromTheRafters on November 14, 2008, 4:10 pm
> As I noted in the end of my post go to an expert source. Pick up a Cisco
> book
> and go to the section on subnet masks and address classes. Don't rely too
> heavily on we tech forum eggspurts. Many of us have no certs or educ in
> the
> subject we offer expert advice in. Many are thus insecure and slam those
> who
> did educate and certify themselves. In the end the person who requested
> the
> help received none. But at least an ego was fed. And isn't that the
> purpose
> of this place? Feeding egos?

Evidently.
