Re: why icmp timestamping is enabled by default ?
> On Oct 21, 2013, at 2:57, Henning Brauer wrote:
>
> > * Илья Шипицин [2013-10-11 04:52]:
> >> I was just curious why that timestamping is enabled by default.
> >
> > 'cause there is no reason to disable it.
> >
> > why is tcp enabled by default?

Everyone knows that TCP, like IP, and the Internet is just a passing fad.
Re: why icmp timestamping is enabled by default ?
On Mon, Oct 21, 2013 at 11:57:42AM +0200, Henning Brauer wrote:
> * Илья Шипицин [2013-10-11 04:52]:
> > I was just curious why that timestamping is enabled by default.
>
> 'cause there is no reason to disable it.
>
> why is tcp enabled by default?

Because it is used to download porn and hack into other systems.

-- 
:wq Claudio
Re: why icmp timestamping is enabled by default ?
* Илья Шипицин [2013-10-11 04:52]:
> I was just curious why that timestamping is enabled by default.

'cause there is no reason to disable it.

why is tcp enabled by default?

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: why icmp timestamping is enabled by default ?
> > I am about to switch icmp timestamps off (security people are afraid
> > of that setting)
>
> your "security people" have no clue regarding security.
>
> they probably also block icmp, since it's so dangerous.

icmp is only dangerous if you have ip traffic.

dangerous ip traffic.

indeed, maybe dig to the root of the matter.
Re: why icmp timestamping is enabled by default ?
* Илья Шипицин [2013-10-10 13:31]:
> I am about to switch icmp timestamps off (security people are afraid
> of that setting)

your "security people" have no clue regarding security.

they probably also block icmp, since it's so dangerous.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: why icmp timestamping is enabled by default ?
I apologise that I didn't predict such responses.

I was looking for "real life examples", i.e. "we use icmp timestamps widely, because we use timed" or "a lot of devices like D-Link-NNN use icmp timestamps". I was not looking for theoretical possibilities that icmp timestamping gives. I should mention that of course. Sorry.

2013/10/14 Mihai Popescu :
>> it is famous "your mother is fat" openbsd community style. I was not
>> asking whether it is secret or not. I was curious about common use
>> scenarios, where icmp timestamping is involved.
>
> Hi,
>
> 1. Maybe I'm wrong but I think OpenBSD doesn't have a "community" like
> other praised OSes, so there is no "style".
>
> 2. Looking at your thread it is very hard for me to figure out what
> the hell did you ask.
>
> 3. If you try to impress some developers of OpenBSD, try to attach
> something at your email. It doesn't work with opinions and subtle
> suggestions about what might be wrong.
>
> * this message might be bad at line length (i'm sorry).
Re: why icmp timestamping is enabled by default ?
> it is famous "your mother is fat" openbsd community style. I was not
> asking whether it is secret or not. I was curious about common use
> scenarios, where icmp timestamping is involved.

Hi,

1. Maybe I'm wrong but I think OpenBSD doesn't have a "community" like other praised OSes, so there is no "style".

2. Looking at your thread it is very hard for me to figure out what the hell did you ask.

3. If you try to impress some developers of OpenBSD, try to attach something at your email. It doesn't work with opinions and subtle suggestions about what might be wrong.

* this message might be bad at line length (i'm sorry).
Re: why icmp timestamping is enabled by default ?
> >> actually, I'm not going to block icmp at all, I was curious why
> >> net.inet.icmp.tstamprepl=1 by default.
> >
> > So you can run timed, of course.
>
> timed was removed from OpenBSD recently
>
> > As others have said, the time is not a secret.
>
> it is famous "your mother is fat" openbsd community style. I was not
> asking whether it is secret or not. I was curious about common use
> scenarios, where icmp timestamping is involved.

In your first mail, you simply asked why OpenBSD made that policy decision.

In answer, a bunch of people (many developers) supplied clear answers. Without insulting you. All the answers politely articulated the reasons behind the decision.

We were not talking about your mother; you brought that up yourself. You, sir, are the one bringing unrelated junk discussion to the table to pick a fight. And in doing so, you are attacking those people.

Being too clear in answers and explanations for the policy decision is now an insult? I see no insults in any of the replies. Insult is only implied in your mails.
Re: why icmp timestamping is enabled by default ?
2013/10/11 Christian Weisgerber :
> wrote:
>
>> actually, I'm not going to block icmp at all, I was curious why
>> net.inet.icmp.tstamprepl=1 by default.
>
> So you can run timed, of course.

timed was removed from OpenBSD recently

> As others have said, the time is not a secret.

it is famous "your mother is fat" openbsd community style. I was not asking whether it is secret or not. I was curious about common use scenarios, where icmp timestamping is involved.

>
> --
> Christian "naddy" Weisgerber na...@mips.inka.de
Re: why icmp timestamping is enabled by default ?
wrote:
> actually, I'm not going to block icmp at all, I was curious why
> net.inet.icmp.tstamprepl=1 by default.

So you can run timed, of course.

As others have said, the time is not a secret.

-- 
Christian "naddy" Weisgerber na...@mips.inka.de
Re: why icmp timestamping is enabled by default ?
2013/10/11 Claudio Jeker :
> On Fri, Oct 11, 2013 at 08:44:36AM +0600, Илья Шипицин wrote:
>> 2013/10/10 Philip Guenther :
>> > On Thu, Oct 10, 2013 at 4:30 AM, Илья Шипицин wrote:
>> >> I use ntp already.
>> >
>> > So everyone can predict what your machine would have sent in response
>> > to an ICMP timestamp query, meaning that turning it off doesn't hide
>> > anything.
>> >
>> >> I am about to switch icmp timestamps off (security people are afraid
>> >> of that setting),
>> >
>> > Cargo cult security.
>>
>> it is known behavior of security people.
>>
>> >> just curious what was the purpose of it.
>> >
>> > Oddly enough, the RFC that defines it (RFC792) has a reference about that.
>>
>> by "purpose" I mean common use scenarios, like
>>
>> "we enable ssh by default, because it is used in routine
>> administration and automation tasks, not because of RFC"
>>
>> "we enable icmp destination unreachable, because it is used commonly
>> in PMTU mechanisms, not because it is mentioned in some RFC"
>>
>> or you enable everything found in RFC ? you must be odd if so. I am
>> not that odd.
>
> The better question is why block it? What is the attack vector?
> You start with ICMP timestamps, next you block ICMP echo then all of ICMP
> and by that break the internet. I waste way too much time with situations
> where I can't debug network issues because people block important internet
> control messages. So if there is not a well known threat (e.g. source
> routing or the famous IPv6 rtr-0 header) it should not be disabled just
> for a bit of a warm fuzzy feeling.

"icmp dest unreach, frag required" (3/4) is very important, I'm not going to block it. kinda fed up with poorly configured networks as well.

"icmp echo request/reply", i.e. ping/pong is also important, when people do not see ping response, they believe host is down. I'm also not going to block it.

actually, I'm not going to block icmp at all, I was curious why net.inet.icmp.tstamprepl=1 by default.

>
> --
> :wq Claudio
Re: why icmp timestamping is enabled by default ?
On Fri, Oct 11, 2013 at 08:44:36AM +0600, Илья Шипицин wrote:
> 2013/10/10 Philip Guenther :
> > On Thu, Oct 10, 2013 at 4:30 AM, Илья Шипицин wrote:
> >> I use ntp already.
> >
> > So everyone can predict what your machine would have sent in response
> > to an ICMP timestamp query, meaning that turning it off doesn't hide
> > anything.
> >
> >> I am about to switch icmp timestamps off (security people are afraid
> >> of that setting),
> >
> > Cargo cult security.
>
> it is known behavior of security people.
>
> >> just curious what was the purpose of it.
> >
> > Oddly enough, the RFC that defines it (RFC792) has a reference about that.
>
> by "purpose" I mean common use scenarios, like
>
> "we enable ssh by default, because it is used in routine
> administration and automation tasks, not because of RFC"
>
> "we enable icmp destination unreachable, because it is used commonly
> in PMTU mechanisms, not because it is mentioned in some RFC"
>
> or you enable everything found in RFC ? you must be odd if so. I am
> not that odd.

The better question is why block it? What is the attack vector? You start with ICMP timestamps, next you block ICMP echo then all of ICMP and by that break the internet. I waste way too much time with situations where I can't debug network issues because people block important internet control messages. So if there is not a well known threat (e.g. source routing or the famous IPv6 rtr-0 header) it should not be disabled just for a bit of a warm fuzzy feeling.

-- 
:wq Claudio
Re: why icmp timestamping is enabled by default ?
2013/10/11 Paul de Weerd :
> On Thu, Oct 10, 2013 at 05:30:39PM +0600, Илья Шипицин wrote:
> | I use ntp already.
> | I am about to switch icmp timestamps off (security people are afraid
> | of that setting), just curious what was the purpose of it.
>
> Uhm .. why? Is your pf broken somehow?

it is not broken.

>
> block in on $interface inet proto icmp icmp-type { timereq, timerep }

does PF perform better than net.inet.icmp.tstamprepl=0 ?

>
> I can understand you don't want to send anything in reply to spoofed
> packets, but you're really better off filtering those with a firewall
> instead of a knob per type of packet.
>
>
> If you think this is going to improve the security of your host,
> you're wrong (as pointed out by others).

it is not about "improving security", you got it wrong. I was just curious why that timestamping is enabled by default.

>
> If others tell you this improves the security of your host, tell them
> they're wrong.

I wish they could understand what other people are talking about.

>
> If they are not open to sane arguments: run.
>
>
> Then, they can disable the sysctl themselves and wallow in their
> awesome security while their site is XSS'd by 10-year-olds.

yeah, we found an XSS on their site couple of months ago :-)

>
> Paul 'WEiRD' de Weerd
>
> --
> >[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
> http://www.weirdnet.nl/
Re: why icmp timestamping is enabled by default ?
2013/10/10 Philip Guenther :
> On Thu, Oct 10, 2013 at 4:30 AM, Илья Шипицин wrote:
>> I use ntp already.
>
> So everyone can predict what your machine would have sent in response
> to an ICMP timestamp query, meaning that turning it off doesn't hide
> anything.
>
>
>> I am about to switch icmp timestamps off (security people are afraid
>> of that setting),
>
> Cargo cult security.

it is known behavior of security people.

>
>
>> just curious what was the purpose of it.
>
> Oddly enough, the RFC that defines it (RFC792) has a reference about that.

by "purpose" I mean common use scenarios, like

"we enable ssh by default, because it is used in routine administration and automation tasks, not because of RFC"

"we enable icmp destination unreachable, because it is used commonly in PMTU mechanisms, not because it is mentioned in some RFC"

or you enable everything found in RFC ? you must be odd if so. I am not that odd.

>
> Philip Guenther
Re: why icmp timestamping is enabled by default ?
On Thu, Oct 10, 2013 at 05:30:39PM +0600, Илья Шипицин wrote:
| I use ntp already.
| I am about to switch icmp timestamps off (security people are afraid
| of that setting), just curious what was the purpose of it.

Uhm .. why? Is your pf broken somehow?

block in on $interface inet proto icmp icmp-type { timereq, timerep }

I can understand you don't want to send anything in reply to spoofed packets, but you're really better off filtering those with a firewall instead of a knob per type of packet.

If you think this is going to improve the security of your host, you're wrong (as pointed out by others).

If others tell you this improves the security of your host, tell them they're wrong.

If they are not open to sane arguments: run.

Then, they can disable the sysctl themselves and wallow in their awesome security while their site is XSS'd by 10-year-olds.

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: why icmp timestamping is enabled by default ?
On 2013-10-10, Philip Guenther wrote:
> On Thu, Oct 10, 2013 at 4:30 AM, Илья Шипицин wrote:
>> I use ntp already.
>
> So everyone can predict what your machine would have sent in response
> to an ICMP timestamp query, meaning that turning it off doesn't hide
> anything.
>
>
>> I am about to switch icmp timestamps off (security people are afraid
>> of that setting),
>
> Cargo cult security.
>
>
>> just curious what was the purpose of it.
>
> Oddly enough, the RFC that defines it (RFC792) has a reference about that.
>
> Philip Guenther
>
>

I suppose next you'll be wanting to know how to force insecure ciphers for HTTPS ;)
Re: why icmp timestamping is enabled by default ?
> > I use ntp already.
>
> So everyone can predict what your machine would have sent in response
> to an ICMP timestamp query, meaning that turning it off doesn't hide
> anything.

Oh my god! It's revealing a public secret!
Re: why icmp timestamping is enabled by default ?
On Thu, Oct 10, 2013 at 4:30 AM, Илья Шипицин wrote:
> I use ntp already.

So everyone can predict what your machine would have sent in response to an ICMP timestamp query, meaning that turning it off doesn't hide anything.

> I am about to switch icmp timestamps off (security people are afraid
> of that setting),

Cargo cult security.

> just curious what was the purpose of it.

Oddly enough, the RFC that defines it (RFC792) has a reference about that.

Philip Guenther
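The point made in the message above (an NTP-synced host's ICMP timestamp reply is predictable) can be checked concretely. The following is an added example, not code from the thread, from OpenBSD or from any of the posters: it encodes and decodes RFC 792 Timestamp (type 13) and Timestamp Reply (type 14) messages, including the ones-complement checksum and the midnight wrap of the 32-bit millisecond counter, and computes the clock offset a querier would learn from a reply, the way NTP does from four timestamps. Function names and the packets are mine and constructed in the file; nothing is sent on the wire, so it runs without raw sockets or root.

```python
"""
Added example (not from the thread or the OpenBSD source tree): encode and
decode RFC 792 ICMP Timestamp (type 13) / Timestamp Reply (type 14) messages
and compute the clock offset an observer learns from a reply.
All packets below are constructed in this file; nothing is sent on the wire.
"""
import struct
from datetime import datetime, timezone

ICMP_TIMESTAMP = 13        # RFC 792 "Timestamp"
ICMP_TIMESTAMP_REPLY = 14  # RFC 792 "Timestamp Reply"
HEADER = "!BBHHHIII"       # type, code, checksum, id, seq, originate, receive, transmit
HEADER_LEN = struct.calcsize(HEADER)  # 20 bytes
DAY_MS = 24 * 60 * 60 * 1000          # the timestamp counter wraps at midnight UTC


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ms_since_midnight_utc(when: datetime) -> int:
    """RFC 792 timestamps are milliseconds since midnight UTC."""
    when = when.astimezone(timezone.utc)
    secs = (when.hour * 60 + when.minute) * 60 + when.second
    return secs * 1000 + when.microsecond // 1000


def build_timestamp(msg_type: int, ident: int, seq: int,
                    originate: int, receive: int = 0, transmit: int = 0) -> bytes:
    """Serialise a Timestamp / Timestamp Reply with a valid checksum."""
    if msg_type not in (ICMP_TIMESTAMP, ICMP_TIMESTAMP_REPLY):
        raise ValueError("not an ICMP timestamp type: %d" % msg_type)
    body = struct.pack(HEADER, msg_type, 0, 0, ident, seq, originate, receive, transmit)
    csum = icmp_checksum(body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def parse_timestamp(pkt: bytes) -> dict:
    """Decode a Timestamp / Timestamp Reply; reject bad length, checksum or type."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short ICMP message")
    # A correct message sums to 0xFFFF including its checksum field, so the
    # complemented sum over the whole header is 0.
    if icmp_checksum(pkt[:HEADER_LEN]) != 0:
        raise ValueError("bad ICMP checksum")
    t, code, _, ident, seq, orig, recv, xmit = struct.unpack(HEADER, pkt[:HEADER_LEN])
    if t not in (ICMP_TIMESTAMP, ICMP_TIMESTAMP_REPLY):
        raise ValueError("not an ICMP timestamp message: type %d" % t)
    return {
        "type": t, "code": code, "id": ident, "seq": seq,
        "originate": orig, "receive": recv, "transmit": xmit,
        # RFC 792: a set high-order bit means the sender's timestamp is not
        # in the standard milliseconds-since-midnight-UTC form.
        "standard": not (xmit & 0x80000000),
    }


def _wrapped_diff(a: int, b: int) -> int:
    """a - b in ms, allowing for the counter wrapping at midnight between the two."""
    d = (a - b) % DAY_MS
    return d - DAY_MS if d > DAY_MS // 2 else d


def clock_offset_ms(reply: dict, local_receive: int) -> int:
    """
    Remote clock minus local clock, estimated from the four timestamps as NTP
    does: ((receive - originate) + (transmit - local_receive)) / 2, rounded down.
    For a host whose clock is NTP-disciplined this is close to zero: the reply
    tells the querier nothing they could not already guess.
    """
    if reply["type"] != ICMP_TIMESTAMP_REPLY:
        raise ValueError("need a Timestamp Reply")
    a = _wrapped_diff(reply["receive"], reply["originate"])
    b = _wrapped_diff(reply["transmit"], local_receive)
    return (a + b) // 2


if __name__ == "__main__":
    # Constructed exchange: querier sends at T, the host answers 5 ms later,
    # the querier sees the reply 10 ms after sending.
    T = 3_600_000
    req = build_timestamp(ICMP_TIMESTAMP, 0x1234, 1, T)
    synced = build_timestamp(ICMP_TIMESTAMP_REPLY, 0x1234, 1, T, T + 5, T + 5)
    skewed = build_timestamp(ICMP_TIMESTAMP_REPLY, 0x1234, 1, T, T + 90_005, T + 90_005)
    print("request:", req.hex())
    print("ntp-synced host, offset ms:", clock_offset_ms(parse_timestamp(synced), T + 10))
    print("host 90 s ahead, offset ms:", clock_offset_ms(parse_timestamp(skewed), T + 10))
```

Run as a script it prints an offset of 0 for the synced host and 90000 for the one whose clock is 90 s ahead. That second case is the only thing a timestamp reply ever discloses: the amount by which a host's clock disagrees with what the querier could have computed from the time of day anyway, which is the argument made in the thread.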
Re: why icmp timestamping is enabled by default ?
I use ntp already.

I am about to switch icmp timestamps off (security people are afraid of that setting), just curious what was the purpose of it.

2013/10/10 Theo de Raadt :
>> > it turned out that OpenBSD allows icmp timestamping by default:
>> >
>> > net.inet.icmp.tstamprepl=1
>> >
>> > what was that done for ?
>>
>> well, why not?
>>
>> if you have some program vulnerable to a "the attacker knows the time"
>> attack, i don't think turning off icmp timestamps will save you. the
>> attacker could reasonably guess that your system time is going to be
>> close to his system time. unless you are going to deliberately set the
>> clock wrong on all your systems. fixing the vulnerability seems like a
>> better idea.
>
> there is also this thing called ntp that is becoming rather common.
> if you're not doing time distribution to your systems, ah, i see the
> problem.
Re: why icmp timestamping is enabled by default ?
> > it turned out that OpenBSD allows icmp timestamping by default:
> >
> > net.inet.icmp.tstamprepl=1
> >
> > what was that done for ?
>
> well, why not?
>
> if you have some program vulnerable to a "the attacker knows the time"
> attack, i don't think turning off icmp timestamps will save you. the
> attacker could reasonably guess that your system time is going to be
> close to his system time. unless you are going to deliberately set the
> clock wrong on all your systems. fixing the vulnerability seems like a
> better idea.

there is also this thing called ntp that is becoming rather common. if you're not doing time distribution to your systems, ah, i see the problem.
Re: why icmp timestamping is enabled by default ?
On Thu, Oct 10, 2013 at 09:21, Илья Шипицин wrote:
> it turned out that OpenBSD allows icmp timestamping by default:
>
> net.inet.icmp.tstamprepl=1
>
> what was that done for ?

well, why not?

if you have some program vulnerable to a "the attacker knows the time" attack, i don't think turning off icmp timestamps will save you. the attacker could reasonably guess that your system time is going to be close to his system time. unless you are going to deliberately set the clock wrong on all your systems. fixing the vulnerability seems like a better idea.
why icmp timestamping is enabled by default ?
Hello!

it turned out that OpenBSD allows icmp timestamping by default:

net.inet.icmp.tstamprepl=1

what was that done for ?

Cheers,
Ilya Shipitsin