FreeBSD-SA-06:11.ipsec "IPsec replay attack vulnerability"

The FreeBSD Project よりセキュリティ勧告が出ました。私の認識を以下にまとめます。

危険度中

セキュリティ勧告は ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:11.ipsec.asc にあります。
以下は上記のセキュリティ勧告の一部とその翻訳です。ただし品質は保証致しません。

I. 背景 - Background

IPsec is a set of protocols, including ESP (Encapsulating Security Payload) and AH (Authentication Header), that provide security services for IP datagrams. ESP protects IP payloads from wire-tapping by encrypting them using secret key cryptography algorithms. AH guarantees the integrity of IP packets and protects them from intermediate alteration or impersonation by attaching a cryptographic checksum computed using one-way hash functions.
IPsecはESP（Encapsulating Security Payload：暗号ペイロード）とAH（Authentication Header：認証ヘッダー）を含む、IPデータグラムによる安全なサービスを提供するプロトコルです。ESPは共通鍵暗号方式を使用して暗号化する事により盗聴からIPペイロードを保護します。

II. 問題の詳細 - Problem Description

IPsec provides an anti-replay service which when enabled prevents an attacker from successfully executing a replay attack. This is done through the verification of sequence numbers. A programming error in the fast_ipsec(4) implementation results in the sequence number associated with a Security Association not being updated, allowing packets to unconditionally pass sequence number verification checks.

III. 影響範囲 - Impact

An attacker able to to intercept IPSec packets can replay them. If higher level protocols which do not provide any protection against packet replays (e.g., UDP) are used, this may have a variety of effects.

IV. 回避方法 - Workaround

No workaround is available.
回避方法はありません。