[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Dropping stealthing from opsec; Anyone for a little I>R<TF wo rk ?

To: "'James Carlson'" <james.d.carlson@sun.com>, gmj@pobox.com, ericb@digitaljunkyard.net
Subject: RE: Dropping stealthing from opsec; Anyone for a little I>R<TF wo rk ?
From: "Smith, Donald" <Donald.Smith@qwest.com>
Date: Fri, 1 Aug 2003 07:38:19 -0600
Cc: opsec@ops.ietf.org

Donald.Smith@qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
(coffee != sleep) & (!coffee == sleep)

> -----Original Message-----
> From: James Carlson [mailto:james.d.carlson@sun.com]
> Sent: Friday, August 01, 2003 6:37 AM
> To: gmj@pobox.com; ericb@digitaljunkyard.net
> Cc: opsec@ops.ietf.org
> Subject: RE: Dropping stealthing from opsec; Anyone for a 
> little I>R<TF
> wo rk ?
> 
> 
> George Jones writes:
> > On Thu, 31 Jul 2003, James Carlson wrote:
> > > [1] It's not just to hide the IP addresses, is it?  That'd just be
> > >     security-by-obscurity.  I don't think that treating 
> IP addresses
> > >     as secrets is a viable plan.

Not secret, NOT routable. You would not be able to route packets from
outside (edge/border)
to the core as a customer or peer.


> > 
> > No.  The point is to explore ways of making it impossible for anyone
> > beyond the edge of a network to address packets to any of the
> > interfaces of the core routers and have them successfully routed
> > there.  If you can't get packets there you can't attempt a DoS, you
> > can't attempt management functions, etc.
> 
> I must be missing something essential here.  How do packets coming
> *out* of the core have anything to do with attackers getting packets
> *in* to the core?  Why would we care at all about packets coming *out*
> of the core?

As many of us have seen the cores make great reflectors if you can get them
to send packets
to a spoofed address. (TTL timeouts, spoofed bgp or other service requests)

> 
> Moreover, if you can't get packets into the core, then it seems fair
> to say that the core doesn't actually do much, since its primary
> purpose would otherwise have been to forward the packets that do go
> into the core.  If nothing can get there, then utilization is likely
> to be pretty low indeed.
> 

The core would continue to forward packets. This addresses the fact that
customers
do not (except PERHAPS in troubleshooting) need to know what path the
packets they are sending took.


> ericb@digitaljunkyard.net writes:
> > jc> I'm not sure I understand the point of this[1], but 
> please do consider
> > jc> the effect of such a plan on path MTU discovery.  The 
> ICMP messages
> > jc> from within the core do need to make it out to the 
> sender in _some_
> > jc> form.
> > 
> > Path MTU Discovery should not really be needed on modern Internet
> > backbones.  Every path I've taken in recent times has made it across
> > the backbone without chunking down from the Ethernet max.  
> If there's
> > a bottleneck, it's outside the core.
> 
> Yeah, I'd like to think so, too, but there are at least three
> considerations here:
> 
> 	1.  Accidents happen.  Path MTU Discovery helps prevent abject
>             failure in the event of misconfiguration.  If we break it,
>             then we're saying that things _always_ must be configured
>             properly, and, based on history, that seems like an
>             untenable plan.
> 
> 	2.  Some RFCs require the use of Path MTU Discovery.  You're
>             going to have to ... um ... "harmonize" with those v6
>             standards.

This stealthing requirement will require rfc violations. That is a given.
(ignoring ttl timeouts, no reply to icmp echo requests, no resets on closed
ports ... )

> 
> 	3.  Packets leaving the core have nothing whatsoever to do
>             with whether the core can be attacked.  Attacks are based
>             on packets coming in.  ICMP errors leaving the core don't
>             carry attacks back into the core.  (Unless, of course,
>             we're assuming that the source IP addresses are "secrets,"
>             and then we're back to security-by-obscurity.)

If you can cause a core router to respond to stimulation as noted above they
make good reflectors.


> > jc> [1] It's not just to hide the IP addresses, is it?  
> That'd just be
> > jc>    security-by-obscurity.  I don't think that treating 
> IP addresses
> > jc>    as secrets is a viable plan.
> > 
> > Think of the phone network.  When's the last time a kid successfully
> > whistled 2600?  You don't see red boxes around anymore.  Do you have
> > ANY idea what the path of the last long distance call you made was?
> 
> That's a completely different story, and you're not addressing that at
> all.  2600 + KP + ... + ST hasn't worked in a long time (in the US at
> least) because the architecture of the system was changed -- the
> interswitch trunks used to signal calls using in-band tones (called
> "AC" or "SF" signaling).  It doesn't work *now* because they
> completely removed the signaling from the in-band path.  It's now done
> via what's called "common channel signaling," which means that the
> signaling for multiple voice channels travels via a common (and
> separate) channel.  In many cases, that common channel is even via a
> physically separate set of wires.
> 
> What this all means is that the Internet is still in the SF era
> architecturally.  What I think you're proposing is to place 2600 Hz
> notch filters at the entry and exit of the network.  This is not at
> all the same thing as what the modern telephone system does to solve
> the problem.  If you want to move the signaling out of band, then
> you'll have to move it out of band -- separate circuits.  (And as a
> router-head, I'd really object to that.)
> 
> And, for what it's worth, a notch filter on the *output* of the
> network does no good.  You need one on the *input* in order to protect
> the network.
> 
> > The Internet (in a very tall Ivory Tower sort of way) should be the
> > same.  You should buy service, and inject packets into the cloud.
> > They should come out near your destination.  And you should neither
> > know nor care what path your packets took.
> 
> Except, of course, when it doesn't work.  At a minimum, I need to know
> which pinhead I should be yelling at.  In practice, though, I need to
> know quite a bit more, since many problems that occur are quite a bit
> more subtle, and obscuring the network just gives the tech at the
> other end one more reason to say "well, it works for me."
> 
> > You don't know the MAC address of a switch in the middle of Google's
> > datacenter, and you don't care.
> 
> Correct, but not really relevant.
> 
> I don't care about the IP addresses of the routers in the middle,
> *except* as stable identifiers that I can report to someone who can
> fix the problem.
> 
> If you want to scrazzle the IP addresses at the border, I suppose
> that's fine.  I don't think it fixes any problem at all, though.
> 
> >  Heck, you can't even find out what it
> > is without either breaking one of their boxes or abusing 
> protocols in
> > interesting ways.  Similarly, you don't know the path that 
> your packet
> > took, how their HSRP is working today, or what STP has pruned this
> > time.
> 
> Ah!  But that's not true.  I do know something about the path my
> packets take today, and the information it reveals is very important.
> Is my packet bouncing back and forth between internal routers?  If so,
> then there's a forwarding loop.  Is the path it's taking wildly
> unstable?  If so, then there's some sort of internal routing protocol
> failure.  Is it getting ditched at the boundary between the three or
> four ASes that my packets have to cross?  If so, then it might be BGP
> trouble.  Is it right at the last hop?  Maybe the customer at that far
> end has falling off the net.
> 
> Now, I neither know nor care whether they're using HSRP (I'd certainly
> hope it's not used anywhere near the core, but I guess it's not my
> problem) or STP (how'd that get in there?), but I'd very much prefer
> that my ISP not treat me to the Mushroom Theory.
> 
> Note that this information loss would affect both _users_ and
> _operators_.  The result would be that ISPs would not be able to "see
> into" each others networks for diagnostic purposes.  That'd be bad.
> 
> > So as long as everything works the way that it should 
> (which is a huge
> > caveat), you neither know nor care what IP path your packets take
> > across the core.  It's just a huge black cloud, and you 
> cannot whistle
> > 2600.
> 
> Traceroute != blue box.
> 
> The analogy is false.  If you'd argued to keep IP-based routing
> traffic (OSPF, BGP) from entering the core from the outside, then I'd
> agree.  But ICMP messages leaving the core just not the same thing.
> 
> -- 
> James Carlson, IP Systems Group                
> <james.d.carlson@sun.com>
> Sun Microsystems / 1 Network Drive         71.234W   Vox +1 
> 781 442 2084
> MS UBUR02-212 / Burlington MA 01803-2757   42.497N   Fax +1 
> 781 442 1677
>
Follow-Ups:
- RE: Dropping stealthing from opsec; Anyone for a little I>R<TF wo rk ?
  - From: James Carlson <james.d.carlson@sun.com>
Prev by Date: RE: Dropping stealthing from opsec; Anyone for a little I>R<TF work ?
Next by Date: RE: Dropping stealthing from opsec; Anyone for a little I>R<TF work ?
Previous by thread: Re: Dropping stealthing from opsec; Anyone for a little I>R<TF wo rk ?
Next by thread: RE: Dropping stealthing from opsec; Anyone for a little I>R<TF wo rk ?
Index(es):
- Date
- Thread