Re: Has PSI been assigned network 1?
there are about a dozen ISP's extensively using ascend's which have this hole. our original RFP to them dealt with this issue but they did not execute they keep trying to fix this, but so far no go we have tried to keep this quiet so that microsoft/uunet/psinet/etc..... don't get extensively hacked we have had two occurences of this so far in one year that I know of though there are probably more marty
PSI allows people to negotiate PPP addresses, and then propagates everything everywhere w/o even token filtering. I.e. any idiot can subscribe to PSI service and kill the Internet.
--vadim
Date: Sun, 16 Apr 95 21:02:04 MET DST
From: Peter Lothberg <roll@Stupi.SE> To: schoff@psi.com, nanog@merit.edu, postel@isi.edu Subject: Has PSI been assigned network 1?
Or why are they announcing it to the rest of the Internet through their box at MAE-East???
bash$ whois 1.0.0.0 No match for "1.0.0.0".
The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information.
traceroute 1.1.1.1 traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 40 byte packets 1 sl-dialup-2.sprintlink.net (192.157.36.128) 252 ms 245 ms 223 ms 2 192.157.36.1 (192.157.36.1) 251 ms 250 ms 251 ms 3 sl-dc-1- S3-T1.sprintlink.net (144.228.0.225) 252 ms 262 ms 253 ms 4 icm-dc-1-F0/0.icp.net (144.228.20.101) 275 ms 269 ms 252 ms 5 psi-mae-east-1.psi.net (192.41.177.235) 268 ms 254 ms 241 ms 6 washington2.dc.isdn.psi.net (38.146.99.110) 261 ms 271 ms 262 ms 7 1.1.1.1 (1.1.1.1) 457 ms 1284 ms 543 ms
bash$ traceroute 1.1.1.2 traceroute to 1.1.1.2 (1.1.1.2), 30 hops max, 40 byte packets 1 sl-dialup-2.sprintlink.net (192.157.36.128) 253 ms 253 ms 246 ms 2 192.157.36.1 (192.157.36.1) 246 ms 243 ms 228 ms 3 sl-dc-1- S3-T1.sprintlink.net (144.228.0.225) 249 ms 447 ms 313 ms 4 icm-dc-1-F0/0.icp.net (144.228.20.101) 274 ms 251 ms 278 ms 5 psi-mae-east-1.psi.net (192.41.177.235) 265 ms 257 ms 266 ms 6 core.net228.psi.net (38.1.2.7) 286 ms 278 ms 276 ms 7 core.net99.psi.net (38.1.2.10) 338 ms 370 ms 279 ms 8 core.net228.psi.net (38.1.2.7) 306 ms 326 ms 290 ms 9 core.net99.psi.net (38.1.2.10) 335 ms 308 ms 325 ms 10 core.net228.psi.net (38.1.2.7) 372 ms 353 ms 341 ms 11 core.net99.psi.net (38.1.2.10) 376 ms 385 ms 377 ms 12 core.net228.psi.net (38.1.2.7) 438 ms 375 ms 365 ms 13 core.net99.psi.net (38.1.2.10) 384 ms 441 ms 371 ms 14 core.net228.psi.net (38.1.2.7) 394 ms 426 ms 474 ms 15 core.net99.psi.net (38.1.2.10) 427 ms 540 ms 565 ms 16 core.net228.psi.net (38.1.2.7) 521 ms 500 ms 489 ms 17 core.net99.psi.net (38.1.2.10) 530 ms 483 ms 527 ms 18 core.net228.psi.net (38.1.2.7) 567 ms 493 ms 561 ms 19 core.net99.psi.net (38.1.2.10) 779 ms 462 ms 670 ms 20 core.net228.psi.net (38.1.2.7) 531 ms 620 ms 613 ms 21 core.net99.psi.net (38.1.2.10) 562 ms 728 ms 598 ms 22 core.net228.psi.net (38.1.2.7) 812 ms 566 ms 835 ms 23 core.net99.psi.net (38.1.2.10) 661 ms 678 ms 574 ms 24 core.net228.psi.net (38.1.2.7) 647 ms 820 ms 666 ms 25 core.net99.psi.net (38.1.2.10) 649 ms 625 ms 628 ms 26 core.net228.psi.net (38.1.2.7) 900 ms 634 ms 733 ms 27 core.net99.psi.net (38.1.2.10) 648 ms 659 ms 656 ms 28 core.net228.psi.net (38.1.2.7) 776 ms 979 ms 834 ms 29 core.net99.psi.net (38.1.2.10) 715 ms 689 ms 734 ms 30 core.net228.psi.net (38.1.2.7) 782 ms 785 ms 677 ms
---Peter
Marty, and others: Yes, the Ascend's are fundenmentally broken, BUT and this is a big one, there are work arounds for the problems with Ascend's broken routing protocols, i.e. don't use them, or filter them. This is easy enough to do. The problem is more general than Ascend however. There are MANY boxes out there (terminal servers) who's PPP is broken in this way. Telebit Netblazers and Livingston Portmasters included. It's kind of sad, really, when a small company like mine, can make this work and the "world's largest ISP" can't fix the problem. It is good to point out that other large ISPs have this same problem.
there are about a dozen ISP's extensively using ascend's which have this hole.
our original RFP to them dealt with this issue
but they did not execute
they keep trying to fix this, but so far no go
we have tried to keep this quiet so that
microsoft/uunet/psinet/etc.....
don't get extensively hacked
we have had two occurences of this so far in one year that I know of though there are probably more
marty
PSI allows people to negotiate PPP addresses, and then propagates everything everywhere w/o even token filtering. I.e. any idiot can subscribe to PSI service and kill the Internet.
--vadim
Date: Sun, 16 Apr 95 21:02:04 MET DST
From: Peter Lothberg <roll@Stupi.SE> To: schoff@psi.com, nanog@merit.edu, postel@isi.edu Subject: Has PSI been assigned network 1?
Or why are they announcing it to the rest of the Internet through their box at MAE-East???
bash$ whois 1.0.0.0 No match for "1.0.0.0".
The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information.
traceroute 1.1.1.1 traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 40 byte packets 1 sl-dialup-2.sprintlink.net (192.157.36.128) 252 ms 245 ms 223 ms 2 192.157.36.1 (192.157.36.1) 251 ms 250 ms 251 ms 3 sl-dc-1- S3-T1.sprintlink.net (144.228.0.225) 252 ms 262 ms 253 ms 4 icm-dc-1-F0/0.icp.net (144.228.20.101) 275 ms 269 ms 252 ms 5 psi-mae-east-1.psi.net (192.41.177.235) 268 ms 254 ms 241 ms 6 washington2.dc.isdn.psi.net (38.146.99.110) 261 ms 271 ms 262 ms 7 1.1.1.1 (1.1.1.1) 457 ms 1284 ms 543 ms
bash$ traceroute 1.1.1.2 traceroute to 1.1.1.2 (1.1.1.2), 30 hops max, 40 byte packets 1 sl-dialup-2.sprintlink.net (192.157.36.128) 253 ms 253 ms 246 ms 2 192.157.36.1 (192.157.36.1) 246 ms 243 ms 228 ms 3 sl-dc-1- S3-T1.sprintlink.net (144.228.0.225) 249 ms 447 ms 313 ms 4 icm-dc-1-F0/0.icp.net (144.228.20.101) 274 ms 251 ms 278 ms 5 psi-mae-east-1.psi.net (192.41.177.235) 265 ms 257 ms 266 ms 6 core.net228.psi.net (38.1.2.7) 286 ms 278 ms 276 ms 7 core.net99.psi.net (38.1.2.10) 338 ms 370 ms 279 ms 8 core.net228.psi.net (38.1.2.7) 306 ms 326 ms 290 ms 9 core.net99.psi.net (38.1.2.10) 335 ms 308 ms 325 ms 10 core.net228.psi.net (38.1.2.7) 372 ms 353 ms 341 ms 11 core.net99.psi.net (38.1.2.10) 376 ms 385 ms 377 ms 12 core.net228.psi.net (38.1.2.7) 438 ms 375 ms 365 ms 13 core.net99.psi.net (38.1.2.10) 384 ms 441 ms 371 ms 14 core.net228.psi.net (38.1.2.7) 394 ms 426 ms 474 ms 15 core.net99.psi.net (38.1.2.10) 427 ms 540 ms 565 ms 16 core.net228.psi.net (38.1.2.7) 521 ms 500 ms 489 ms 17 core.net99.psi.net (38.1.2.10) 530 ms 483 ms 527 ms 18 core.net228.psi.net (38.1.2.7) 567 ms 493 ms 561 ms 19 core.net99.psi.net (38.1.2.10) 779 ms 462 ms 670 ms 20 core.net228.psi.net (38.1.2.7) 531 ms 620 ms 613 ms 21 core.net99.psi.net (38.1.2.10) 562 ms 728 ms 598 ms 22 core.net228.psi.net (38.1.2.7) 812 ms 566 ms 835 ms 23 core.net99.psi.net (38.1.2.10) 661 ms 678 ms 574 ms 24 core.net228.psi.net (38.1.2.7) 647 ms 820 ms 666 ms 25 core.net99.psi.net (38.1.2.10) 649 ms 625 ms 628 ms 26 core.net228.psi.net (38.1.2.7) 900 ms 634 ms 733 ms 27 core.net99.psi.net (38.1.2.10) 648 ms 659 ms 656 ms 28 core.net228.psi.net (38.1.2.7) 776 ms 979 ms 834 ms 29 core.net99.psi.net (38.1.2.10) 715 ms 689 ms 734 ms 30 core.net228.psi.net (38.1.2.7) 782 ms 785 ms 677 ms
---Peter
-- ---------------------------------------------------------------------------- | Jeremy Porter (512)-339-6094 Freeside Communications, Inc. info@fc.net | | jerry@fc.net (512)-339-4466 (data) P.O. Box 530264 Austin, TX 78753 | ----------------------------------------------------------------------------
Pretty bad, we a single DOS machine can hose Internet routing tables all across the globe. ------------------------------------------ snmpwalk 1.1.1.1 public Name: system.sysDescr.0 OCTET STRING- (ascii): 80486 DOS 6.20.Windows 3.10 Enhanced Mode.NetMan age SNMP 4.256 Name: system.sysObjectID.0 OBJECT IDENTIFIER: .iso.org.dod.internet.private.enterprises.233 Name: system.sysUpTime.0 Timeticks: (610689) 1:41:46 Name: system.4.0 Variable has bad type Name: system.5.0 Variable has bad type Name: system.6.0 Variable has bad type Name: system.7.0 Variable has bad type Name: interfaces.ifNumber.0 INTEGER: 1 Name: interfaces.ifTable.ifEntry.ifIndex.1 INTEGER: 1 Name: interfaces.ifTable.ifEntry.ifDescr.1 OCTET STRING- (ascii): InterRamp-PPP -- ---------------------------------------------------------------------------- | Jeremy Porter (512)-339-6094 Freeside Communications, Inc. info@fc.net | | jerry@fc.net (512)-339-4466 (data) P.O. Box 530264 Austin, TX 78753 | ----------------------------------------------------------------------------
In message <199504172244.RAA29471@freeside.fc.net>, Jeremy Porter writes:
Pretty bad, we a single DOS machine can hose Internet routing tables all across the globe.
------------------------------------------ snmpwalk 1.1.1.1 public
Name: system.sysDescr.0 OCTET STRING- (ascii): 80486 DOS 6.20.Windows 3.10 Enhanced Mode.NetManage SNMP 4.256 Name: system.sysObjectID.0 OBJECT IDENTIFIER: .iso.org.dod.internet.private.enterprises.233
.... Didn't hose our routing. We consider this a matter of routing hygene. If your going to do full routing you've got to be protected or be very sure about who you are peering with. :-) Fortunately this doesn't have any operational impact. There have been incidents in the past where major legitimate destinations were accidentally announced by small sites hosing a good portion of the global Internet for hours at a time. Particularly memorable was a 3 continent routing loop involving a bogus route to 140.222 that took nearly half a day for some providers to fix and affected most traffic from some of the providers affected. These get noticed. Again- A goal of the PRS WG is to make it possible to quite painlessly isolate such problems, at least localizing the problem. Another goals in to make it easier to determine when aggregation (or proxy aggregation) can be preformed without detrimental effects on routing. Based on some earlier mail, this might have some immediate application as well. Curtis
In message <199504172244.RAA29471@freeside.fc.net>, Jeremy Porter writes:
Pretty bad, we a single DOS machine can hose Internet routing tables all across the globe. ... Name: system.sysDescr.0 OCTET STRING- (ascii): 80486 DOS 6.20.Windows 3.10 Enhanced Mode.NetManage SNMP 4.256
Didn't hose our routing. We consider this a matter of routing hygene. If your going to do full routing you've got to be protected or be very sure about who you are peering with. :-)
Well, if you are peering with PSI, or anyone else that trusts the Ascend's RIP packets, then you are trusting any end user that calls up their terminal server. Someone pointed out to me in private email that at least Telebit has addressed the problem of PPP negotiated IPs. I would think that, just because someone has invested in bad hardware doesn't excuse the rest of the net from suffering as a result. It wouldn't take much effort to select a major DNS machine say, ns.psi.net or mabye a root name server, or better yet a router at MAE-East, to seriously hose large sections of the net.
Fortunately this doesn't have any operational impact. There have been incidents in the past where major legitimate destinations were accidentally announced by small sites hosing a good portion of the global Internet for hours at a time. Particularly memorable was a 3 continent routing loop involving a bogus route to 140.222 that took nearly half a day for some providers to fix and affected most traffic from some of the providers affected. These get noticed.
Again- A goal of the PRS WG is to make it possible to quite painlessly isolate such problems, at least localizing the problem. Another goals in to make it easier to determine when aggregation (or proxy aggregation) can be preformed without detrimental effects on routing. Based on some earlier mail, this might have some immediate application as well.
Curtis
Is there more info on the PRS WG's efforts available somewhere? A more difficult problem is where a small site is being incorrectly announced, and this can be a major security issue. If someone were to exploit this problem, they could signficantly impact the whole net. And with source routing they could theortically re-route specific IP data streams, without completely interrupting service. This could have a much large impact than even packet sniffers have had in the past. These problems with regards to route filtering at source and destination become even more critical as more people realize the true nature of these problems there will come along some people that will exploit these holes. -- ---------------------------------------------------------------------------- | Jeremy Porter (512)-339-6094 Freeside Communications, Inc. info@fc.net | | jerry@fc.net (512)-339-4466 (data) P.O. Box 530264 Austin, TX 78753 | ----------------------------------------------------------------------------
Ascend assures me that the IP address negotiation can be turned off in atleast their 4.4 software release and that this feature has been available for some time. --pushpendra Pushpendra Mohta pushp@cerf.net +1 619 455 3908 Director, CERFnet http://www.cerf.net +1 800 876 2373
Ascend assures me that the IP address negotiation can be turned off in atleast their 4.4 software release and that this feature has been available for some time.
Well, if it is, it isn't documented anywhere I can find. Then again that's about par for Ascend's documentation. Also note, there are important functional differences between "4.4" on the different models of Ascend boxes, i.e. p50, p400, and Max. -- ---------------------------------------------------------------------------- | Jeremy Porter (512)-339-6094 Freeside Communications, Inc. info@fc.net | | jerry@fc.net (512)-339-4466 (data) P.O. Box 530264 Austin, TX 78753 | ----------------------------------------------------------------------------
In message <199504181640.LAA16368@freeside.fc.net>, Jeremy Porter writes:
In message <199504172244.RAA29471@freeside.fc.net>, Jeremy Porter writes:
Pretty bad, we a single DOS machine can hose Internet routing tables all across the globe. ... Name: system.sysDescr.0 OCTET STRING- (ascii): 80486 DOS 6.20.Windows 3.10 Enhanced Mode.NetMa
nage SNMP 4.256
Didn't hose our routing. We consider this a matter of routing hygene. If your going to do full routing you've got to be protected or be very sure about who you are peering with. :-)
Well, if you are peering with PSI, or anyone else that trusts the Ascend's RIP packets, then you are trusting any end user that calls up their terminal server.
We don't trust our peers. We only accept routes which they are registered as providing transit for in the PRDB. When the RADB is in use, unless PSI has a route object for 1.0.0.0/8 in the RADB, we still won't trust them when they try to pass us 1/8.
Is there more info on the PRS WG's efforts available somewhere?
The BOF was held at Danvers. The mailing list is prs@isi.edu, requests to prs-request@isi.edu. In a nutshell, it is an attempt to bring RIPE-181 and related documents into the IETF process and make some extensions to the policy description capabilities to accommodate some current needs. Also take a look at http://www.ripe.net and http://www.ra.net/rrinfo.html.
A more difficult problem is where a small site is being incorrectly announced, and this can be a major security issue. If someone were to exploit this problem, they could signficantly impact the whole net. And with source routing they could theortically re-route specific IP data streams, without completely interrupting service.
Hey... no kidding. :-) You may not be the first to have noticed this. We do not accept arbitrary routes from our direct customers and don't accept arbirary routes from our peers.
This could have a much large impact than even packet sniffers have had in the past.
Good thing we use kerberos.
These problems with regards to route filtering at source and destination become even more critical as more people realize the true nature of these problems there will come along some people that will exploit these holes.
Just preferring routes from on place over another doesn't help since a more specific route always overrides a less specific. Curtis
In message <95Apr18.192150edt.52848-2@ghost.uunet.ca>, elliot@ghost.uunet.ca wr ites:
The BOF was held at Danvers. The mailing list is prs@isi.edu, requests to prs-request@isi.edu.
This should be rps@isi.edu, and rps-request@isi.edu.
elliot
Yes. Sorry. Curtis
On Tue, 18 Apr 1995, Curtis Villamizar wrote:
Is there more info on the PRS WG's efforts available somewhere?
The BOF was held at Danvers. The mailing list is prs@isi.edu, requests to prs-request@isi.edu. In a nutshell, it is an attempt to bring RIPE-181 and related documents into the IETF process and make
actually, i believe the name of the WG (to be?) is RPS instead of PRS for Routing Policy System. :) hence, you need to send list requests to rps-request@isi.edu dsc
participants (6)
-
Curtis Villamizar -
David Comay -
elliot@ghost.uunet.ca -
Jeremy Porter -
Martin L. Schoffstall -
Pushpendra Mohta