If you try
% sudo ip route add 194.100.7.227/32 dev eth0
% sudo arp -i eth0 -s 194.100.7.227 ff:ff:ff:ff:ff:ff
% ping 194.100.7.227
Chances are that you get ping replies (Cisco VXR, Cisco ISR, Juniper SRX,
Juniper M10i, Juniper M7i, Linksys e4200)
But you also might not be getting replies (Catalyst 7600, 3560, EX4200)
RFC[0] says in rather unambiguous way, that this should not be working. I
don't think catalyst/EX guys were lot smarter and honoured the RFC. Rather
I think it's hardware limitation they work like this. At least 7600 (as per
ELAM capture) acts like switch and tries to normally broadcast the frame in
the VLAN, but as it is L3 interface, there is only one port in the VLAN, so
net effect is, frame is dropped.
Now I'm facing loop, which is caused by ill-configured network, by any
networker definition of ill-configured. However, if our router would behave
like RFC says, then the ill-configured network would not cause loops.
This puts me in bit of a pickle, I can't call cisco and juniper and tell
them to fix all their routers and give me fixed release tomorrow, since
this behaviour seems very standard/de-facto behaviour. Customer refuses to
do any of the fixes in the ill-configured network, as problem only started
after swapping catalyst to ISR, so customer understandably does not grasp
the fault is not in our end (it's not, fault is caused by mismatching L2/L3
topologies with directed-broadcast in customer router)
Anyone else ever had problems due to router vendors not implementing
rfc1812 5.3.4?
[0] http://tools.ietf.org/html/rfc1812#section-5.3.4
--
++ytti
> Hi...How do I do it!
> I'm utterly amazed how many people give away free consultant work.
> We need to keep people working... not giving it away.
> Ethics... Security... etc...
> Does the university give away free diploma's? I don't think so.
I don't expect a free diploma, but many universities are offering free
internet videos of various classes.
If you want a sample, here are a few good starting points:
http://ocw.mit.edu/http://oyc.yale.edu/http://webcast.berkeley.edu/
--
These are my opinions, not necessarily my employer's. I hate spam.
Interweb Re-Engineering Task Force J. Oquendo
Request for Comments 4012012 E-Fensive Security Strategies
Category: Informational
Expires: 2020
STEP by STEP Security
Status of this Memo
This Internet-Draft is submitted in full nonconformance with
provisions of BCP 78 and BCP 79. This document may not be modified,
and derivative works of it may not be created, except to publish it
as an RFC and to translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on April 01, 2020.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Oquendo Expires Apr 01, 2020 [Page 1]
Internet-Draft Security Step by STEP RFC 4012012
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Abstract
This framework describes a practical methodology for ensuring
security in otherwise insecure environments. The goal is to provide
a rapid response mechanism to defend against the advanced persistent
threats in the wild.
Table of Contents
1. Introduction..................................................2
2. Conventions used in this document.............................4
3. Threats Explained.............................................4
3.1. Possible Actors..........................................4
4. STEP Explained................................................5
5. STEP in Action................................................6
6. Security Considerations.......................................7
7. IANA Considerations...........................................7
8. Conclusions...................................................8
8.1. Informative References...................................8
9. Acknowledgments...............................................8
Appendix A. Copyright............................................9
1. Introduction
In the network and computing industry, malicious actions,
applications and actors have become more pervasive. Response times
to anomalous events are burdening today's infrastructures and often
strain resources. As networks under attack are often saturated with
malicious traffic and advanced persistent threat actors engage in
downloading terabytes of data, resources to combat these threats
have diminished.
Additionally, the threats are no longer just anonymized actors
engaging in juvenile behavior, there are many instances of State
Actors, disgruntled employees, contractors, third party vendors and
criminal organizations. Each with separate agendas, each
consistently targeting devices on the Internet.
Oquendo Informational [Page 2]
Internet-Draft Security Step by STEP RFC 4012012
The intent behind this document is to define a methodology for rapid
response to these threats. In this document, security will be
achieved using a new methodology and protocol henceforth named
Scissor To Ethernet Protocol (STEP).
Initially designed as a last approach for security, STEP ensures
that no attacker can disaffect any of the Confidentiality,
Integrity, Availability of data as a whole.
Many variables are involved in security, but the STEP methodology
focuses on the following:
o FUD (Fear Uncertainty and Doubt)
o SCAM (Security Compliance and Management)
o APT (Another Possible Threat)
This methodology proposes STEP that SHOULD be performed at the onset
of a cyber attack before more terabytes of data are exfiltrated from
a network.
1. Industry Standard IP connection
+-----------+ +-----------+ +-----------+
| | IP | | INGRESS | |
| Rogue |-------> | Internet | ------> | Target |
| A | | | | B |
| | | | EGRESS | |
+-----------+ +-----------+ <------ +-----------+
Figure 1 Example session between a rogue attacker and target
Figure 1 illustrates the connection via the Internet from a rogue
attacker, towards a target. Irrespective of the attack used, IP
will ALWAYS be used as the attack vector.
Oquendo Informational [Page 3]
Internet-Draft Security Step by STEP RFC 4012012
2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119].
In this document, these words will appear with that interpretation
only when in ALL CAPS. Lower case uses of these words are not to be
interpreted as carrying RFC-2119 significance.
3. Threats Explained
A security threat is a theoretical happening that may not occur but
should be considered as part of a proper security architecture and
design. For example, the threat always exists that your systems
will become the target of a denial of service attack. A threat may
or may not have a method to mitigate the possibility of attack.
Vendors across the security spectrum offer FUD based solutions often
promoting SCAM based systems to mitigate against APT. While some of
the available solutions may minimize the potential for catastrophic
transfers of terabytes of data, these solutions SHOULD NOT be used
as an all-inclusive solution for security. Engineers MUST NOT rely
on FUD, or SCAMs against the APT.
3.1. Possible Actors
Both malicious attacks and unintended (non-malicious) attacks can
occur from anywhere in the world including local attacks inside of
the infrastructure. In the barest threat explanation above, the
threat that someone can commit a typographical error, causing a
disruption in service, is as severe as a Distributed Denial of
Service attack from the public Internet. Actors can never be easily
identified unless one is watching the Academy Awards on television.
Oquendo Informational [Page 4]
Internet-Draft Security Step by STEP RFC 4012012
4. STEP Explained
o S - Scissors
Scissors as defined by wikipedia are" hand-operated cutting
instruments. They consist of a pair of metal blades pivoted so that
the sharpened edges slide against each other when the handles (bows)
opposite to the pivot are closed. Scissors are used for cutting
various thin materials, such as paper, cardboard, metal foil, thin
plastic, cloth, rope, and wire. Scissors can also be used to cut
hair and food. Scissors and shears are functionally equivalent, but
larger implements tend to be called shears. Scissors is a critical
component for STEP security and MUST be readily available 99.99999%
with redundant scissors within arm�..s reach.
| |
X X
/ \ O O
(Opened) (Closed)
o T - To
To: [preposition] (Used for expressing direction or motion or
direction toward something) in the direction of; toward: from north
to south.
o E - Ethernet
Ethernet via Wikiepedia is described as a family of computer
networking technologies for local area networks (LANs) commercially
introduced in 1980. Standardized in IEEE 802.3, Ethernet has
largely replaced competing wired LAN technologies. For clarity in
our protocol, Ethernet is defined as the cabling between a device
and a network component such as a router or a switch.
o P - Protocol
A communications protocol is a system of digital message formats and
rules for exchanging those messages in or between computing systems
and in telecommunications. A protocol may have a formal
description.
Oquendo Informational [Page 5]
Internet-Draft Security Step by STEP RFC 4012012
Protocols may include signaling, authentication and error detection
and correction capabilities.
A protocol definition defines the syntax, semantics, and
synchronization of communication; the specified behavior is
typically independent of how it is to be implemented. A protocol
can therefore be implemented as hardware or software or both.
In STEP, Protocol is a rule an engineer MUST follow in order to
complete STEP. S MUST be in a closed state.
Actor -----> | Target (secured from the threat)
X
O O
(Closed)
5. STEP in Action
The following illustrates a remote APT attack against a webserver
located in the demilitarized zone of an infrastucture. In the
example, an APT attacker is launching a SQLI, XSS and CSRF against a
target over the Internet.
The attacks are common and according to statistics, are the same
attacks used to leverage access against major Fortune 500 companies
in the past decade.
+-------+ +-----+ +-----+ +--------+
| | SQLi | | + + INGRESS | |
| APT | -------> | ISP | ---> + ISP + ------> | Target |
| | XSS/CSRF | A | + B + | www |
| | | | + + | |
+-------+ +-----+ +-----+ +--------+
o Figure 5.1 Attacker launching attacks
+-------+ +-----+ +-----+ +--------+
| | TCP | | + + Reverse | |
| APT | <------ | ISP | <--- + ISP + <------ | Target |
| | | A | + B + Shell | www |
| | | | + + | |
+-------+ +-----+ +-----+ +--------+
o Figure 5.2 Attacker executing a reverse shell
Oquendo Informational [Page 6]
Internet-Draft Security Step by STEP RFC 4012012
In the illustration, an attacker is almost certainly attempting to
obtain a reverse shell. This enables an attacker to access a device
as if one were physically present at the device itself.
Using STEP we can mitigate and deny this attack from various points:
+-------+ +-----+ +-----+ +--------+
| | SQLi | | + + | | |
| APT | -------> | ISP | ---> + ISP + -->| | Target |
| | XSS/CSRF | A | + B + x | www |
| | | | + + o o | |
+-------+ +-----+ +-----+ +--------+
o Figure 5.2 Ingress STEP
+-------+ +-----+ +-----+ +--------+
| | Attack | | | + + | |
| APT | ------> | ISP | ->| + ISP + | Target |
| | | A | x + B + | www |
| | | | o o + + | |
+-------+ +-----+ +-----+ +--------+
o Figure 5.4 Provider based STEP
Both instances of STEP successfully demonstrate the power of the
STEP protocol. In no case, can an attacker successfully launch any
attack against a target as the security posture has now been
hardened.
6. Security Considerations
Cutting any Ethernet cable could potentially lead to shock and
degradation of IP services on your network. Please ensure there are
additional Ethernet cables for redundancy. Otherwise there is
nothing to consider.
7. IANA Considerations
There are no alternative considerations. STEP is the ultimate in
security.
Oquendo Informational [Page 7]
Internet-Draft Security Step by STEP RFC 4012012
8. Conclusions
Step defends against APT while minimizing your exposure to SCAMs and
FUD.
8.1. Informative References
[1] http://www.amazon.com/b?ie=UTF8&node=689392011
[2] http://ha.ckers.org/xss.html
[3] http://en.wikipedia.org/wiki/Advanced_persistent_threat
[4] http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt
9. Acknowledgments
Sofia Vergara
Kenji, Saki and Coco
Oquendo Informational [Page 8]
Internet-Draft Security Step by STEP RFC 4012012
Appendix A. Copyright
Copyright (c) 2012 IETF Trust and the persons identified as authors
of the code. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
o Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
o Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
o Neither the name of Internet Society, IETF or IETF Trust, nor the
names of specific contributors, may be used to endorse or promote
products derived from this software without specific prior
written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
Author's Addresses
Jesus Oquendo
E-Fensive Security Strategies
Oquendo Informational [Page 9]
Shahab,
We did a large scale outdoor rollout for the X-Games (both summer and winter) where we used our outdoor APs to light up the side of Buttermilk mountain in Aspen for the winter X Games as well as the LA Coliseum, Staples Center, Nokia Theater and Part of downtown LA for the summer X Games.
Here is a link to a story we did on this project: Bat Blue Delivers Wifi Services for ESPN X-Games You can see one of our outdoor APs in the background as Avril Levigne hands Shaun White his medal.
We would be happy to work with you on your project if you think we can help.
Best Regards,
Babak
--
Babak Pasdar
President & CEO | Certified Ethical Hacker
Bat Blue Networks
(p) 212.461.3322 x3005 | (f) 212.584.9999 | www.BatBlue.com
Bat Blue: AS 25885 | BGP Policy | Peering Policy
Watch: Cloud Security Video | Cloud Network Video
Read: Official Provider for ESPN X Games
Anyone seen signs of this attack actually occurring ?
http://www.nytimes.com/2012/03/31/technology/with-advance-warning-bracing-f…
<snip>
The message called it Operation Global Blackout, and rallied Anonymous
supporters worldwide to attack the Domain Name System, which converts
human-friendly domain names like google.com into numeric addresses
that are more useful for computers.
It declared when the attack would be carried out: March 31. And it
detailed exactly how: by bombarding the Domain Name System with junk
traffic in an effort to overwhelm it altogether.
<snip>
Regards
Marshall
So I came across this post the other day and wanted to see what folks
think about it.
https://plus.google.com/u/0/109418153881180057361/posts/AvjZbbK6T7X
Here is the relevant portion:
*Got anything more specific than that to go on?*
Actually, yes. Although I still want community feedback on how the idea
can be improved.
Most mesh systems have pretty arbitrary ways of handing out IP
addresses, so I say, put a little logic into 'em, in a consistent way
that works well for routing between networks and across the existing
internet. An IPv6 address is composed of 8 chunks, each of which is 4
hex digits long. The first chunk should be something arbitrary but
unclaimed - anybody know if 00fd is taken? - which is used consistently
to indicate that this is a mesh-global address. The next two chunks are
the longitude and latitude, respectively, in whatever precision a chunk
affords across its respective scope. These first three chunks make up
the network prefix that defines one network as distinct from another.
How much geographical accuracy does this imply? Just enough to indicate
where the "heart" of a network is, or was traditionally. A chunk can
represent any number from 0-65534, because it can represent up to 65535
unique numbers and we start at 0. So, longitude can be expressed as a
number of degrees "moved east" of the prime meridian from 0-360. This
means the difference between each integer in a longitude chunk is
360°/65535, or .005493°. At the equator, where a degree represents the
longest distance, that works out to about .4 miles [1]. For any other
latitude, however, precision is better than that. Latitude, which goes
from -90 to +90, can be represented as a 0-180 number where the equator
is at 90, which works out to .002747° precision.
So, competing networks in the same area can have slightly different
network prefixes, while still each being more or less accurate (because
networks are big and amorphous) while the precision isn't enough to
pinpoint any individual node of the network, which I'd say is a happy
medium. Longitude comes first for easier routing, since inter-network
"send it east or send it west" questions seem more likely to me to come
up for most switches based on the geography of the continents and the
nature of the existing backbone ring of the internet.
The remaining chunks can be chosen according to whatever algorithm the
network administrators feel like. "Idiot devices" that aren't
consciously part of the mesh will generally just put up and shut up with
whatever DHCP gives them anyways, so that's not too concerning. If you
decide to use client MAC address as part of it, that only leaves chunk 4
left to be set, and you can use the first four digits of the md5 hash of
the MAC for that if you need something arbitrary yet deterministic.
Every network can have its gateways to the corporate internet, and be
accessible from the outside through them. That way, you can have
inter-mesh communication over existing internet in a lightweight way:
your packet routes to a gateway in your network, then across the tubes,
through a gateway at the destination network, and to the ultimate
destination. No packet encapsulation, no complex routing bullshit, just
point A to point B.
That's a simplistic overview, of course. It doesn't include shortcuts
like nodes that act as part of multiple, neighboring networks, thus
acting as gateways between the two. It doesn't consider IPv4 requests
and service, which will probably require an AYIYA-based tunnel
negotiation between the client and a gateway. But as a basic pattern, it
provides consistency and efficiency between independent networks, which
as far as I can see, is a vast deal more important than making one mesh
to rule them all.
I'm not sure what to make of it. Seems like someone trying to re
establish classful addressing and not understanding routing, subnets,
managed networks etc.