Re: turning on comcast v6

2013-12-30 Thread Timothy Morizot
I've been in the process of rolling out IPv6 (again this night) across a very large, highly conservative, and very bureaucratic enterprise. (Roughly 100K employees. More than 600 distinct sites. Yada. Yada.) I've had no issues whatsoever implementing the IPv6 RA+DHCPv6 model alongside the IPv4 model

Re: turning on comcast v6

2013-12-30 Thread David Conrad
On Dec 30, 2013, at 9:29 PM, Victor Kuarsingh wrote: > I think a new initiative to revive this concept will need to address the > [negative] points from those previous experiences and contrast them to the > operational benefits of having it available. I am willing to help out > here, but we need

Re: turning on comcast v6

2013-12-30 Thread Victor Kuarsingh
Leo, On Mon, Dec 30, 2013 at 6:24 PM, Leo Bicknell wrote: > > On Dec 30, 2013, at 2:49 PM, Lee Howard wrote: > > > I'm not really an advocate for or against DHCP or RAs. I really just > want > > to understand what feature is missing. > > I encourage you to try this simple experiment in your l

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Blair Trosper
To supplement and amend what I said: These are the KINDS of things we want the NSA to do; however, the institutional oversight necessary to make sure it's Constitutional, warranted, and kept "in bounds" is woefully lacking (if any exists at all). Even FISA is unsatisfactory. At any rate, I agree

RE: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Keith Medcalf
>We're all getting far too conditioned for the "click OK to proceed" >overload, and the sources aren't helping. If one embarks with deliberation upon a course of action which may entertain certain results then the intent to cause the result so obtained is, by implication, proved.

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Jimmy Hess
On Mon, Dec 30, 2013 at 10:41 PM, Blair Trosper wrote: > I'm torn on this. On one hand, it seems sinister. On the other, it's not > only what the NSA is tasked with doing, but it's what you'd EXPECT them to > be doing in the role as the NSA. > [snip] The NSA's role is not supposed to include su

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Jeff Kell
On 12/30/2013 11:06 PM, [AP] NANOG wrote: > As I was going through reading all these replies, the one thing that > continued to poke at me was the requirement of the signed binaries and > microcode. The same goes for many of the Cisco binaries, without direct > assistance, which is unclear at this

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Blair Trosper
I'm torn on this. On one hand, it seems sinister. On the other, it's not only what the NSA is tasked with doing, but it's what you'd EXPECT them to be doing in the role as the NSA. I'm not saying it's right or wrong...it creeps me out a little, though...but these are the kinds of things we have

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread [AP] NANOG
Roland, I did fail to mention the HUMINT (Human Intelligence) side of things, thank you for bringing that up! -- Thank you, Robert Miller http://www.armoredpackets.com Twitter: @arch3angel On 12/30/13, 11:33 PM, Dobbins, Roland wrote: > On Dec 31, 2013, at 11:06 AM, [AP] NANOG wrote: > >>

Re: turning on comcast v6

2013-12-30 Thread Victor Kuarsingh
On Mon, Dec 30, 2013 at 6:31 PM, Leo Bicknell wrote: > > On Dec 30, 2013, at 4:37 PM, Victor Kuarsingh wrote: > > > On Mon, Dec 30, 2013 at 3:49 PM, Lee Howard wrote: > >>> The better question is are you using RIP or ICMP to set gateways in > your > >>> network now? > >> > >> I disagree that th

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 31, 2013, at 11:06 AM, [AP] NANOG wrote: > Then looking at things from the evil side though, if they owned the system > which provides the signing then they could sign > virtually anything they wish. Or if they owned *people* with the right level of access to do so, or if there were im

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 31, 2013, at 10:38 AM, Sabri Berisha wrote: > Assuming M/MX/T series, you are correct that the foundation of the > control-plane is a FreeBSD-based kernel. And the management plane, too? > However, that control-plane talks to a forwarding-plane (PFE). The PFE runs > Juniper designed A

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 31, 2013, at 10:59 AM, Randy Bush wrote: > assumptions that the TAO folk have been taking a long much-deserved > sabbatical are probably naive Indeed; that is my point. These documents allege that the capabilities in question were present five years ago, which is an eternity in tech-t

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread [AP] NANOG
Sabri, As I was going through reading all these replies, the one thing that continued to poke at me was the requirement of the signed binaries and microcode. The same goes for many of the Cisco binaries, without direct assistance, which is unclear at this point through the cloud of smoke so to sp

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Randy Bush
> It's also important to keep in mind that all these purported documents > refer to technologies which were supposedly available 5 years ago, > based on the dates in the slides. assumptions that the TAO folk have been taking a long much-deserved sabbatical are probably naive the shocking revelati

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread William Waites
>Is Ken Thompson turning over in his grave yet? I certainly hope not...

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Jay Ashworth
- Original Message - > From: "Ray Soucy" > I hope when [if] the truth is learned it is a lot less prevalent than > it sounds, but I'm not optimistic. > > This is why we need all infrastructure to be implemented using open > standards, open hardware designs, and open source software IMHO.

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Sabri Berisha
Hi Roland. > I don't know much about Juniper > gear, but it appears that the Juniper boxes listed are similar in nature, > albeit running FreeBSD underneath (correction welcome). With most Juniper gear, it is actually quite difficult to achieve wire-tapping on a large scale using something as si

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 31, 2013, at 10:16 AM, Blake Dunlap wrote: > The cynic in me says that cisco switch/router gear isn't part of that report > on clandestine backdoors, because they don't need said clandestine backdoors > to access them... T-series is in there, too. It's also important to keep in mind t

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Blake Dunlap
The cynic in me says that cisco switch/router gear isn't part of that report on clandestine backdoors, because they don't need said clandestine backdoors to access them... -Blake On Mon, Dec 30, 2013 at 8:54 PM, Dobbins, Roland wrote: > > On Dec 31, 2013, at 9:41 AM, Randy Bush wrote: > > > y

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 31, 2013, at 9:41 AM, Randy Bush wrote: > you may want to read the more complete, well let's say extensive Thanks, Randy - now I see the JunOS stuff in there for J-series and M-series. --- Roland Dobbins //

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Randy Bush
>> So this isn't an issue of the NSA working with Cisco and Juniper to >> include back doors, it's an issue of the NSA modifying those releases >> after the fact through BIOS implants. > > Yes, I see this now, thanks. > > AFAICT, the Cisco boxes listed are ASAs and PIXes, which are > essentially L

Re: turning on comcast v6

2013-12-30 Thread Jeff Kell
On 12/30/2013 8:16 PM, Leo Bicknell wrote: > There's a reason why there's huge efforts to put RA guard in switches, and do > cryptographic RA's. These are two admissions that the status quo does not work for many folks, but for some reason these two solutions get pushed over a simple DHCP router a

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 31, 2013, at 12:00 AM, Ray Soucy wrote: > So this isn't an issue of the NSA working with Cisco and Juniper to include > back doors, it's an issue of the NSA modifying those releases after the fact > through BIOS implants. Yes, I see this now, thanks. AFAICT, the Cisco boxes listed are

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 30, 2013, at 11:28 PM, Marco Teixeira wrote: > i just wanted to say that any network professional that puts any equipment > into production without securing it against the kind of > issues mentioned so far (cisco/cisco, snmp private, etc) is negligent and > should be fired on the spot.

Re: turning on comcast v6

2013-12-30 Thread Leo Bicknell
On Dec 30, 2013, at 6:56 PM, Owen DeLong wrote: > You can accomplish the same thing in IPv4…. > > Plug in Sally’s PC with Internet Connection Sharing turned on and watch as her > DHCP server takes over your network. No, the failure mode is still different. With IPv6 RA's, the rogue router bre
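The rogue-RA failure mode Leo describes above, and the RA guard that Jeff Kell's reply in this thread mentions, come down to one policy check applied to each Router Advertisement. The following is an added example, not code from any post in this thread and not any vendor's RA guard: it builds RAs as raw ICMPv6 bytes in the RFC 4861 layout, parses them, and applies an allow list of (router link-layer address, permitted prefixes). The MAC addresses, prefixes and lifetimes are constructed for the demonstration, and the ICMPv6 checksum is left at zero because it covers an IPv6 pseudo-header that the example does not model.

```python
import struct
from ipaddress import IPv6Network

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 section 4.2
OPT_SOURCE_LLADDR = 1               # RFC 4861 section 4.6.1
OPT_PREFIX_INFO = 3                 # RFC 4861 section 4.6.2
OPT_MTU = 5                         # RFC 4861 section 4.6.4
FLAG_MANAGED, FLAG_OTHER = 0x80, 0x40


def build_ra(src_mac, prefixes, router_lifetime, flags=0, mtu=None):
    """Construct an RA payload for testing. The checksum field stays 0: it covers an
    IPv6 pseudo-header that this example does not model."""
    pkt = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, router_lifetime, 0, 0)
    pkt += struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1, bytes.fromhex(src_mac.replace(":", "")))
    for net in prefixes:
        n = IPv6Network(net)
        # prefix length, L|A flags, valid lifetime, preferred lifetime, reserved, prefix
        pkt += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, n.prefixlen, 0xC0,
                           2592000, 604800, 0, n.network_address.packed)
    if mtu is not None:
        pkt += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return pkt


def parse_ra(pkt):
    """Parse an RA into a dict. Malformed options raise ValueError (RFC 4861 says drop the packet)."""
    if len(pkt) < 16:
        raise ValueError("RA shorter than fixed header")
    typ, code, _csum, hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & FLAG_MANAGED), "other": bool(flags & FLAG_OTHER),
          "router_lifetime": lifetime, "reachable_time": reachable, "retrans_timer": retrans,
          "src_mac": None, "prefixes": [], "mtu": None}
    off = 16
    while off < len(pkt):
        if len(pkt) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")
        end = off + olen * 8          # option length is in units of 8 octets
        if end > len(pkt):
            raise ValueError("option runs past end of packet")
        body = pkt[off + 2:end]
        if otype == OPT_SOURCE_LLADDR and olen == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _res, prefix = struct.unpack("!BBIII16s", body)
            ra["prefixes"].append({"prefix": str(IPv6Network((prefix, plen), strict=False)),
                                   "onlink": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_MTU and olen == 1:
            ra["mtu"] = struct.unpack("!HI", body)[1]
        # unknown option types are skipped, as RFC 4861 requires
        off = end
    return ra


def check_ra(ra, allowed_routers):
    """RA-guard style policy: allowed_routers maps a router's link-layer address to the set
    of prefixes it may advertise. Returns a list of violations; an empty list means accept."""
    mac = ra["src_mac"]
    if mac not in allowed_routers:
        return [f"RA from unknown router {mac!r} (router lifetime {ra['router_lifetime']}s, "
                f"prefixes {[p['prefix'] for p in ra['prefixes']]})"]
    problems = []
    if ra["router_lifetime"] == 0:
        # a lifetime-0 RA from a (possibly spoofed) known address withdraws the default route
        problems.append(f"router {mac} withdraws itself as default gateway (router lifetime 0)")
    for p in ra["prefixes"]:
        if p["prefix"] not in allowed_routers[mac]:
            problems.append(f"router {mac} advertises unexpected prefix {p['prefix']}")
    return problems


if __name__ == "__main__":
    allowed = {"00:11:22:33:44:55": {"2001:db8:1::/64"}}   # assumption: the one legitimate router on the link
    legit = build_ra("00:11:22:33:44:55", ["2001:db8:1::/64"], 1800, flags=FLAG_OTHER, mtu=1500)
    rogue = build_ra("aa:bb:cc:dd:ee:ff", ["2001:db8:dead::/64"], 1800)   # e.g. a laptop sharing its uplink
    for name, pkt in (("legit", legit), ("rogue", rogue)):
        print(name, check_ra(parse_ra(pkt), allowed) or "accepted")
```

Run as a script it accepts the legitimate RA and flags the rogue one. On a real network the same check sits on a raw socket or in a switch ACL, and the source MAC can be spoofed, which is why a router-lifetime-0 RA from an allowed address is reported rather than silently accepted.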

Re: turning on comcast v6

2013-12-30 Thread Jared Mauch
On Dec 30, 2013, at 7:51 PM, Owen DeLong wrote: > I have yet to see a use case from enterprise that actually requires RIO or > default route in DHCPv6, and I have seen many many use cases. > > Most of them are, actually, better solved through education, so I tend to > focus my efforts in that

Re: turning on comcast v6

2013-12-30 Thread Owen DeLong
You can accomplish the same thing in IPv4…. Plug in Sally’s PC with Internet Connection Sharing turned on and watch as her DHCP server takes over your network. Yes, you have to pay attention when you plug in a router just like you’d have to pay attention if you plugged in a DHCP server you were

Re: turning on comcast v6

2013-12-30 Thread Owen DeLong
> What the enterprise folks need is IPv6 champions, like yourself, like Lee, to > user stand their use case that even if you don't end up deploying it on your > own network you will show up at the IETF, or at least participate on the IETF > mailing lists and help them get what they need, so IPv6

Re: The state of TACACS+

2013-12-30 Thread Jimmy Hess
On Mon, Dec 30, 2013 at 6:05 PM, Javier Henderson wrote: > > Are you talking about Cisco routers? The default timeout value for TACACS+ > is five seconds, so I’m not sure where you’re coming up with thirty > seconds, unless you have seven servers listed on the router and the first > six are dead/

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Sharif Torpis
On 12/30/2013 3:51 PM, Randy Bush wrote: Clay Kossmeyer here from the Cisco PSIRT. shoveling kitty litter as fast as you can, eh? http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel "The article does not discuss or disclose any Cisco product vu

Re: The state of TACACS+

2013-12-30 Thread Javier Henderson
On Dec 30, 2013, at 6:42 PM, Jimmy Hess wrote: > How do you feel about having to wait 30 seconds between every command you > enter to troubleshoot, to fail to the second server, if the TACACS or > RADIUS system is nonresponsive, because the dumb router can't remember > which TACACS serve

Re: The state of TACACS+

2013-12-30 Thread Jimmy Hess
On Mon, Dec 30, 2013 at 8:11 AM, Javier Henderson wrote: > Given the problem of remote auth; the restriction of choice of protocols is dictated by what protocols the relying party device supports. This is the problem: You are at the mercy of your router vendor, to support the authentication

Re: turning on comcast v6

2013-12-30 Thread Leo Bicknell
On Dec 30, 2013, at 4:37 PM, Victor Kuarsingh wrote: > On Mon, Dec 30, 2013 at 3:49 PM, Lee Howard wrote: >>> The better question is are you using RIP or ICMP to set gateways in your >>> network now? >> >> I disagree that that's a better question. >> I'm not using RIP because my hosts don't su

Re: turning on comcast v6

2013-12-30 Thread Leo Bicknell
On Dec 30, 2013, at 2:49 PM, Lee Howard wrote: > I'm not really an advocate for or against DHCP or RAs. I really just want > to understand what feature is missing. I encourage you to try this simple experiment in your lab, because this happens all day long on corporate networks around the worl

Re: turning on comcast v6

2013-12-30 Thread Leo Bicknell
On Dec 30, 2013, at 3:43 PM, Owen DeLong wrote: > The current situation isn’t attributable to “the current IPv6 crowd” (whoever > that is), it’s the current IETF consensus position. Changing that IETF > consensus position is a matter of going through the IETF process and getting > a new conse

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Sabri Berisha
Hi, > you gotta love it. they will roll over and piss themselves for nsa and > other who are violating every principle, but threaten paying customers > who would report a hole. Don't forget that for C and J, the U.S. government is a large customer as well. Thanks, Sabri

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Randy Bush
> Clay Kossmeyer here from the Cisco PSIRT. shoveling kitty litter as fast as you can, eh? > http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel "The article does not discuss or disclose any Cisco product vulnerabilities." this is disingenuous at b

Re: turning on comcast v6

2013-12-30 Thread Victor Kuarsingh
On Mon, Dec 30, 2013 at 3:49 PM, Lee Howard wrote: > I'm not really an advocate for or against DHCP or RAs. I really just want > to understand what feature is missing. > > From: Blake Dunlap > Date: Monday, December 30, 2013 3:19 PM > To: Ryan Harden > Cc: Lee Howard , Jamie Bowden , > "na

Re: turning on comcast v6

2013-12-30 Thread Owen DeLong
On Dec 30, 2013, at 10:04 AM, Ryan Harden wrote: > On Dec 24, 2013, at 8:15 AM, Lee Howard wrote: > >>> default route information via DHCPv6. That's what I'm still waiting for. >> >> Why? >> You say, "The protocol suite doesn't meet my needs; I need default gateway >> in DHCPv6." So the IET

Re: turning on comcast v6

2013-12-30 Thread Owen DeLong
On Dec 30, 2013, at 8:19 AM, Leo Bicknell wrote: > > On Dec 24, 2013, at 8:15 AM, Lee Howard wrote: > >> Why? >> You say, "The protocol suite doesn't meet my needs; I need default gateway >> in DHCPv6." So the IETF WG must change for you to deploy IPv6. Why? > > Why must the people who wan

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Clay Kossmeyer
Hi Folks - Clay Kossmeyer here from the Cisco PSIRT. We've published the following document in response to the original (Dec. 29) Der Spiegel article: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel and are investigating the claims in the Dec. 30

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Randy Bush
> These are not backdoor issues, NSA related, whatever... This is noise. > Trying to get this thread on track, can the original poster provide any > proof of this so called ability of the so called intelligence agency being > able to access cisco/juniper, taking into account that management access

Re: turning on comcast v6

2013-12-30 Thread Lee Howard
I'm not really an advocate for or against DHCP or RAs. I really just want to understand what feature is missing. From: Blake Dunlap Date: Monday, December 30, 2013 3:19 PM To: Ryan Harden Cc: Lee Howard , Jamie Bowden , "nanog@nanog.org" Subject: Re: turning on comcast v6 > The better qu

Re: turning on comcast v6

2013-12-30 Thread Lee Howard
On 12/30/13 2:20 PM, "Ryan Harden" wrote: >On Dec 30, 2013, at 12:58 PM, Lee Howard wrote: > >>> >>> >>> 'Rewrite all of your tools and change your long standing business >>> practices' is a very large barrier to entry to IPv6. If adding gateway >>>as >>> an optional field will help people g

Re: turning on comcast v6

2013-12-30 Thread Blake Dunlap
The better question is are you using RIP or ICMP to set gateways in your network now? If you don't use those now, why is RA a better solution in ipv6? -Blake On Mon, Dec 30, 2013 at 1:20 PM, Ryan Harden wrote: > On Dec 30, 2013, at 12:58 PM, Lee Howard wrote: > > >> > >> > >> 'Rewrite all of

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread jim deleskie
There are many ways a backdoor could be used in a properly secured system. To think otherwise is a huge mistake. I can think of several ways, if tasked and given the resources of a large gov't that I would attack this problem. To assume that those tasked and focused only on this type of solution a

Re: turning on comcast v6

2013-12-30 Thread Ryan Harden
On Dec 30, 2013, at 12:58 PM, Lee Howard wrote: >> >> >> 'Rewrite all of your tools and change your long standing business >> practices' is a very large barrier to entry to IPv6. If adding gateway as >> an optional field will help people get over that barrier, why not add it? >> Sure it doesn't

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Marco Teixeira
Hi all, I've been watching this list for a couple weeks now and while risking being flamed, i just wanted to say that any network professional that puts any equipment into production without securing it against the kind of issues mentioned so far (cisco/cisco, snmp private, etc) is negligent and

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Randy Bush
> IIRC, Cisco threatened to sue if it was ever released you gotta love it. they will roll over and piss themselves for nsa and other who are violating every principle, but threaten paying customers who would report a hole. the question is what have these companies and gov people not violated? r

Re: turning on comcast v6

2013-12-30 Thread Lee Howard
On 12/30/13 1:04 PM, "Ryan Harden" wrote: >On Dec 24, 2013, at 8:15 AM, Lee Howard wrote: > >>> default route information via DHCPv6. That's what I'm still waiting >>>for. >> >> Why? >> You say, "The protocol suite doesn't meet my needs; I need default >>gateway >> in DHCPv6." So the IETF W

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Ray Soucy
On a side note, I've been involved with organizing the New England regional Collegiate Cyber-Defense Competition for a while, and one our "Red Team" members was able to make a pretty convincing IOS rootkit using IOS TCL scripting to mask configuration from the students. I don't think any students

Re: turning on comcast v6

2013-12-30 Thread Lee Howard
On 12/30/13 11:19 AM, "Leo Bicknell" wrote: > >On Dec 24, 2013, at 8:15 AM, Lee Howard wrote: > >> Why? >> You say, "The protocol suite doesn't meet my needs; I need default >>gateway >> in DHCPv6." So the IETF WG must change for you to deploy IPv6. Why? > >Why must the people who want it ju

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread shawn wilson
On Mon, Dec 30, 2013 at 1:17 PM, Lorell Hathcock wrote: > NANOG: > > Here's the really scary question for me. > > Would it be possible for NSA-payload traffic that originates on our private > networks that is destined for the NSA to go undetected by our IDS systems? > Yup. Absolutely. Without a d

RE: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Lorell Hathcock
NANOG: Here's the really scary question for me. Would it be possible for NSA-payload traffic that originates on our private networks that is destined for the NSA to go undetected by our IDS systems? For example tcpdump-based IDS systems like Snort have been rooted to ignore or not report packets

Re: turning on comcast v6

2013-12-30 Thread Ryan Harden
On Dec 24, 2013, at 8:15 AM, Lee Howard wrote: >> default route information via DHCPv6. That's what I'm still waiting for. > > Why? > You say, "The protocol suite doesn't meet my needs; I need default gateway > in DHCPv6." So the IETF WG must change for you to deploy IPv6. Why? > > Lee Ther

Re: turning on comcast v6

2013-12-30 Thread Justin M. Streiner
On Tue, 24 Dec 2013, Lee Howard wrote: I used to run an enterprise network. It was very different from an ISP network. I didn't say, "You're wrong!" I said, "What's missing?" default route information via DHCPv6. That's what I'm still waiting for. Why? You say, "The protocol suite doesn't m

Re: turning on comcast v6

2013-12-30 Thread Randy Bush
> You say, "The protocol suite doesn't meet my needs; I need default > gateway in DHCPv6." So the IETF WG must change for you to deploy > IPv6. Why? this is actually a non-trivial barrier to enterprise deployment and the ietf has been in stubborn denial for years. when an it department has been

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Ray Soucy
Looking more at the actual leaked information it seems that if the NSA is working with companies, it's not anything the companies are likely aware of. The common form of infection seems to be through software updates performed by administrators (through the NSA hijacking web traffic). They are imp

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 30, 2013, at 11:18 PM, Sam Moats wrote: > This might be an interesting example of its (mis)use. > http://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%932005 That's one of the cases I know about; it was utilized via Ericsson gear. -

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 30, 2013, at 11:16 PM, Enno Rey wrote: > at least back in 2007 it could be enabled/configured by SNMP RW access [see > slide 43 of the presentation referenced in this post > http://www.insinuator.net/2013/07/snmp-reflected-amplification-ddos-attacks/] > so knowing the term "private" mi

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Warren Bailey
I built the other. Sent from my Mobile Device. Original message From: Jeremy Bresley Date: 12/30/2013 7:34 AM (GMT-09:00) To: nanog@nanog.org Subject: Re: NSA able to compromise Cisco, Juniper, Huawei switches On 12/30/2013 9:05 AM, Warren Bailey wrote: > I'd love to know h

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Warren Bailey
We had a hell of a time finding anything that supported the calea stuff past a 7206. This was for an in flight global wifi network, hence my original concern. Also note that when we did get it to work, it pretty much didn't. Or I should say.. It worked when it wanted to. How they are mapping pn

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Jeremy Bresley
On 12/30/2013 9:05 AM, Warren Bailey wrote: I'd love to know how they were getting in flight wifi. Sent from my Mobile Device. Original message From: sten rulz Date: 12/30/2013 12:32 AM (GMT-09:00) To: nanog@nanog.org Subject: NSA able to compromise Cisco, Juniper, Huawei s

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Sam Moats
This might be an interesting example of its (mis)use. http://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%932005 Sam Moats On 2013-12-30 11:16, Enno Rey wrote: On Mon, Dec 30, 2013 at 04:03:07PM +, Dobbins, Roland wrote: On Dec 30, 2013, at 10:44 PM, wrote: > What percenta

Re: turning on comcast v6

2013-12-30 Thread Leo Bicknell
On Dec 24, 2013, at 8:15 AM, Lee Howard wrote: > Why? > You say, "The protocol suite doesn't meet my needs; I need default gateway > in DHCPv6." So the IETF WG must change for you to deploy IPv6. Why? Why must the people who want it justify to _you_? This is fundamental part I've not gotten

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Enno Rey
On Mon, Dec 30, 2013 at 04:03:07PM +, Dobbins, Roland wrote: > > On Dec 30, 2013, at 10:44 PM, > wrote: > > > What percentage of Cisco gear that supports a CALEA lawful intercept mode > > is installed in situations where CALEA doesn't apply, and thus there's a > > high likelihood that sa

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Michael Thomas
On 12/30/2013 08:03 AM, Dobbins, Roland wrote: On Dec 30, 2013, at 10:44 PM, wrote: What percentage of Cisco gear that supports a CALEA lawful intercept mode is installed in situations where CALEA doesn't apply, and thus there's a high likelihood that said support is misconfigured and abus

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 30, 2013, at 11:03 PM, Dobbins, Roland wrote: > AFAIK, it must be explicitly enabled in order to be functional. It isn't the > sort of thing which is enabled by default, nor can it be enabled without > making explicit configuration changes. It's also possible they're talking about som

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 30, 2013, at 10:44 PM, wrote: > What percentage of Cisco gear that supports a CALEA lawful intercept mode is > installed in situations where CALEA doesn't apply, and thus there's a high > likelihood that said support is misconfigured and abusable without being > noticed? AFAIK, it m

Re: turning on comcast v6

2013-12-30 Thread Lee Howard
From: Matthew Petach Date: Saturday, December 21, 2013 10:55 PM To: Lee Howard Cc: Jamie Bowden , Owen DeLong , "m...@kenweb.org" , "nanog@nanog.org" >> >> So there's an interesting question. You suggest there's a disagreement >> between enterprise network operators and protocol designer

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Valdis . Kletnieks
On Mon, 30 Dec 2013 14:34:52 +, "Dobbins, Roland" said: > My assumption is that this allegation about Cisco and Juniper is the result > of non-specialists reading about lawful intercept for the first time, and > failing to do their homework. That does raise an interesting question. What perce

RE: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Warren Bailey
I'd love to know how they were getting in flight wifi. Sent from my Mobile Device. Original message From: sten rulz Date: 12/30/2013 12:32 AM (GMT-09:00) To: nanog@nanog.org Subject: NSA able to compromise Cisco, Juniper, Huawei switches Found some interesting news on one o

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 30, 2013, at 8:07 PM, Ray Soucy wrote: > I hope Cisco, Juniper, and others respond quickly with updated images for all > platforms affected before the details leak. During my time at Cisco, I was involved deeply enough with various platform teams as well as PSIRT, etc., to assert with

Re: The state of TACACS+

2013-12-30 Thread Javier Henderson
On Dec 30, 2013, at 9:01 AM, Christian Kratzer wrote: > Hi, > > On Mon, 30 Dec 2013, Christopher Morrow wrote: >> I don't think radius nor kerberos nor ssh with certificates supports >> command authorization, do they? > > it is with radius afaik ... RADIUS does not support command authorizati

Re: The state of TACACS+

2013-12-30 Thread cb.list6
On Dec 30, 2013 9:01 AM, "Saku Ytti" wrote: > > On (2013-12-30 08:49 -0500), Christopher Morrow wrote: > > > Nor accounting... > > I think this is probably sufficient justification for TACACS+. I'm not sure if > command authorization is sufficient, as you can deliver group via radius which > maps

Re: The state of TACACS+

2013-12-30 Thread Christian Kratzer
Hi, On Mon, 30 Dec 2013, Christopher Morrow wrote: I don't think radius nor kerberos nor ssh with certificates supports command authorization, do they? it is with radius afaik ... Greetings Christian -- Christian Kratzer CK Software GmbH Email: c...@cksoft.de

Re: The state of TACACS+

2013-12-30 Thread Saku Ytti
On (2013-12-30 08:49 -0500), Christopher Morrow wrote: > Nor accounting... I think this is probably sufficient justification for TACACS+. I'm not sure if command authorization is sufficient, as you can deliver group via radius which maps to authorized commands. But if you must support accounting,

Re: The state of TACACS+

2013-12-30 Thread Christopher Morrow
Nor accounting... On Dec 30, 2013 8:48 AM, "Christopher Morrow" wrote: > I don't think radius nor kerberos nor ssh with certificates supports > command authorization, do they? > On Dec 30, 2013 6:33 AM, "Saku Ytti" wrote: > >> On (2013-12-30 05:06 -0500), Robert Drake wrote: >> >> > TACACS+ was

Re: The state of TACACS+

2013-12-30 Thread Christopher Morrow
I don't think radius nor kerberos nor ssh with certificates supports command authorization, do they? On Dec 30, 2013 6:33 AM, "Saku Ytti" wrote: > On (2013-12-30 05:06 -0500), Robert Drake wrote: > > > TACACS+ was proposed as a standard to the IETF. They never adopted > > it and let the standard

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread shawn wilson
On Mon, Dec 30, 2013 at 8:07 AM, Ray Soucy wrote: > > I hope Cisco, Juniper, and others respond quickly with updated images for > all platforms affected before the details leak. So, if this plays out nice (if true, it won't), the fix will come months before the disclosure. Think, if you're leasi

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Ray Soucy
Even more outrageous than the domestic spying is the arrogance to think that they can protect the details on backdoors into critical infrastructure. They may have basically created the framework for an Internet-wide kill switch, that likely also affects every aspect of modern communication. Since

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 30, 2013, at 6:18 PM, Saku Ytti wrote: > I welcome the short-term havok and damage of such disclose if it would be > anywhere near the magnitude implied, it would create pressure to change > things. This is the type of change we're likely to see, IMHO:

Re: The state of TACACS+

2013-12-30 Thread Saku Ytti
On (2013-12-30 05:06 -0500), Robert Drake wrote: > TACACS+ was proposed as a standard to the IETF. They never adopted > it and let the standards draft expire in 1998. Since then there If continued existence of TACACS+ can be justified at IETF level, in parallel with radius and diameter, I have

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Dobbins, Roland
On Dec 30, 2013, at 5:06 PM, Saku Ytti wrote: > The quality of this data is too damn low. The #1 way that Cisco routers and switches are compromised is brute-forcing against an unsecured management plane, with username 'cisco' and password 'cisco'. The #1 way that Juniper and switches are com
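Roland's point above, and Marco Teixeira's earlier in this thread about cisco/cisco and SNMP "private", are both things an operator can check for with a few lines of code. The following is an added example, not from either post and not a Cisco tool: it parses syslog lines written in the style of IOS %SEC_LOGIN messages (the lines are constructed for the example, not captured from a device), raises an alert when one source fails repeatedly inside a sliding window, when that source then succeeds, and when a default-account name logs in at all; and it audits a constructed configuration snippet for the weak management-plane settings named in the thread. The default-account list and the thresholds are assumptions to tune per network.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of IOS %SEC_LOGIN syslog messages; not from a real device.
SAMPLE_LOG = """\
*Dec 30 10:02:11.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:02:11 UTC Mon Dec 30 2013
*Dec 30 10:02:13.220: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:02:13 UTC Mon Dec 30 2013
*Dec 30 10:02:15.330: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:02:15 UTC Mon Dec 30 2013
*Dec 30 10:02:17.441: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:02:17 UTC Mon Dec 30 2013
*Dec 30 10:02:19.552: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:02:19 UTC Mon Dec 30 2013
*Dec 30 10:02:21.663: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 198.51.100.7] [localport: 22] at 10:02:21 UTC Mon Dec 30 2013
*Dec 30 10:05:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: jdoe] [Source: 192.0.2.44] [localport: 22] [Reason: Login Authentication Failed] at 10:05:00 UTC Mon Dec 30 2013
*Dec 30 10:05:09.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 192.0.2.44] [localport: 22] at 10:05:09 UTC Mon Dec 30 2013
"""

# Constructed configuration fragment with the weaknesses the thread mentions.
SAMPLE_CONFIG = """\
hostname edge1
username cisco password 0 cisco
snmp-server community private RW
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
"""

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\].*?"
    r" at (?P<time>\d\d:\d\d:\d\d) \w+ \w{3} (?P<date>\w{3} \d{1,2} \d{4})"
)
DEFAULT_ACCOUNTS = {"cisco", "admin", "root"}   # assumption: names never legitimately used for login


def parse_login_event(line):
    """Return a dict for a %SEC_LOGIN line, or None for anything else."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %b %d %Y")
    return {"ts": ts, "ok": m["event"] == "LOGIN_SUCCESS", "user": m["user"],
            "src": m["src"], "port": int(m["port"])}


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per source address. Reports the first time a source
    reaches `threshold` failures inside `window`, any later success from that source, and any
    success as a default account. Returns (timestamp, kind, source, detail) tuples."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    tripped = set()                 # sources that already produced a bruteforce alert
    for line in lines:
        ev = parse_login_event(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        if not ev["ok"]:
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in tripped:
                tripped.add(ev["src"])
                alerts.append((ev["ts"], "bruteforce", ev["src"],
                               f"{len(q)} failed logins within {window.seconds}s"))
        else:
            if ev["src"] in tripped:
                alerts.append((ev["ts"], "success-after-bruteforce", ev["src"], f"user {ev['user']}"))
            if ev["user"] in DEFAULT_ACCOUNTS:
                alerts.append((ev["ts"], "default-account-login", ev["src"], f"user {ev['user']}"))
    return alerts


WEAK_CONFIG = [
    (re.compile(r"^snmp-server community (public|private)\b", re.I), "default SNMP community string"),
    (re.compile(r"^snmp-server community \S+ RW\b"), "read-write SNMP v1/v2c community (cleartext on the wire)"),
    (re.compile(r"^username (\S+) password (?:0 )?\1$"), "username equal to password"),
    (re.compile(r"^ transport input (?:all|telnet)\b"), "telnet accepted on a vty line"),
    (re.compile(r"^ip http server$"), "cleartext HTTP management interface enabled"),
]


def audit_config(config_text):
    """Return (line number, finding, line) for each weak management-plane setting found."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        for rx, desc in WEAK_CONFIG:
            if rx.search(line):
                findings.append((n, desc, line.rstrip()))
    return findings


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(*alert)
    for finding in audit_config(SAMPLE_CONFIG):
        print(*finding)
```

The window-based counter deliberately alerts once per source rather than once per failure, and the success-after-burst rule is the one worth paging on: a burst that ends in a login from a default account is exactly the compromise Roland describes.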

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Saku Ytti
On (2013-12-30 06:12 -0500), Shawn Wilson wrote: > I don't really want you to know how to recreate it until the companies have > had a chance to fix said issue. I'd hope, if such issues were disclosed, > those news outlets would go through proper channels of disclosure before > going to press w

Re: The state of TACACS+

2013-12-30 Thread Jonathan Lassoff
I don't understand why vendors and operators keep turning to TACACS. It seems like they're often looking to Cisco as some paragon of best security practices. It's a vulnerable protocol, but sometimes the only thing to choose from. One approach to secure devices that can support only TACACS or RAD
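What makes TACACS+ "vulnerable" in the sense Jonathan uses above, and what the earlier posts in this thread on command authorization and accounting take for granted, is the body obfuscation: an MD5-derived pad XORed over the packet body, with no integrity check. The following is an added example, not code from any post and not from any TACACS+ implementation: it implements the pad as specified in RFC 8907 section 4.5 (which documents the same algorithm as the expired draft the thread refers to), builds an authentication START packet, and shows two consequences. A client that reuses a session id reuses the pad, so one packet with known plaintext decrypts another without the key, and any ciphertext byte can be altered without the receiver noticing. The shared key, session id, usernames and addresses are constructed for the demonstration.

```python
import hashlib
import struct

# Constants from the TACACS+ packet format (RFC 8907); only the subset needed for an
# authentication START is used here.
TAC_PLUS_VERSION = 0xC0          # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01     # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: pad = MD5_1 || MD5_2 || ... truncated to `length`, where
    MD5_1 = MD5(session_id || key || version || seq_no) and
    MD5_n = MD5(session_id || key || version || seq_no || MD5_(n-1)).
    Nothing from the body and no nonce enters the pad, so it is fixed for a given tuple."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad. The same call deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, data=b"", priv_lvl=1):
    """Authentication START body: action, priv_lvl, authen_type, authen_service,
    four length bytes, then the variable-length fields."""
    fields = [user.encode(), port.encode(), rem_addr.encode(), data]
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, *(len(f) for f in fields))
    return fixed + b"".join(fields)


def pack_packet(body, session_id, key, seq_no, version=TAC_PLUS_VERSION):
    """12-byte header (version, type, seq_no, flags, session_id, length) plus obfuscated body."""
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def unpack_packet(pkt, key):
    """Deobfuscate a packet. There is no MAC or tag to verify: any body 'decrypts' successfully."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", pkt[:HEADER_LEN])
    if len(pkt) != HEADER_LEN + length:
        raise ValueError("length field does not match packet size")
    return obfuscate(pkt[HEADER_LEN:], session_id, key, version, seq_no)


def recover_with_reused_pad(ct_known, pt_known, ct_target):
    """Two packets sharing (key, session_id, version, seq_no) share the pad:
    pad = C1 xor P1, then P2 = C2 xor pad. The key is never needed."""
    pad = bytes(c ^ p for c, p in zip(ct_known, pt_known))
    return bytes(c ^ p for c, p in zip(ct_target, pad))


def tamper_body_byte(pkt, body_offset, old_value, new_value):
    """Change one body byte whose plaintext is known (e.g. priv_lvl at offset 1 of a START)
    by flipping bits in the ciphertext; the receiver has no way to detect it."""
    i = HEADER_LEN + body_offset
    return pkt[:i] + bytes([pkt[i] ^ old_value ^ new_value]) + pkt[i + 1:]


if __name__ == "__main__":
    key = b"s3cr3t-shared-key"   # assumption: the shared secret configured on router and server
    sid = 0x12345678             # assumption: a client that reuses this session id (it should be random)
    p1 = build_authen_start("alice", "tty1", "192.0.2.10")
    p2 = build_authen_start("bob", "tty1", "192.0.2.11")
    c1, c2 = pack_packet(p1, sid, key, 1), pack_packet(p2, sid, key, 1)
    print("round trip ok:", unpack_packet(c1, key) == p1)
    print("recovered without key:", recover_with_reused_pad(c1[HEADER_LEN:], p1, c2[HEADER_LEN:]))
    print("priv_lvl after tampering:", unpack_packet(tamper_body_byte(c1, 1, 1, 15), key)[1])
```

The fixed part of a START body (action, priv_lvl, authen_type, service) is predictable, so even without session id reuse an on-path attacker knows the first pad bytes of every session; the reuse case just extends that to the whole body. Running TACACS+ only over a dedicated management network or inside an IPsec/TLS tunnel is the mitigation the protocol itself does not provide.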

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Shawn Wilson
Saku Ytti wrote: >On (2013-12-30 20:30 +1100), sten rulz wrote: > >I really think we're doing disservice to an issue which might be at >scale of >human-rights issue, by spamming media with 0 data news. Where is this >backdoor? How does it work? How can I recreate on my devices? I don't really

The state of TACACS+

2013-12-30 Thread Robert Drake
Ever since first using it I've always liked tacacs+. Having said that I've grown to dislike some things about it recently. I guess, there have always been problems but I've been willing to leave them alone. I don't have time to give the code a real deep inspection, so I'm interested in other

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Saku Ytti
On (2013-12-30 20:30 +1100), sten rulz wrote: > Found some interesting news on one of the Australia news websites. > > http://www.scmagazine.com.au/News/368527,nsa-able-to-compromise-cisco-juniper-huawei-switches.aspx The quality of this data is too damn low. Not as bad as this though, http://c

NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread sten rulz
Found some interesting news on one of the Australia news websites. http://www.scmagazine.com.au/News/368527,nsa-able-to-compromise-cisco-juniper-huawei-switches.aspx Regards, Steven.