
Re: Draft EOS minutes



>>>>> On Fri, 13 Sep 2002 11:46:49 +0100, "Tom Petch" <nwnetworks@dial.pipex.com> said:

Tom> Sorry I am less than clear; practical example follows.

Tom> Using the world's most widely used enterprise router and software, if
Tom> I reboot many times, I get (mostly) the precise same sequence of
Tom> SNMPv1 traps from the same IP address/port with the same OIDs and the
Tom> same values.  The only difference from one sequence to another is in
Tom> the (copy of the) sysUpTime, which, reset on boot, has a very small
Tom> standard deviation, more like hundredths of a second as opposed to a
Tom> second.  (These boxes really are predictable).

Tom> So when, as has happened, the router boots and crashes during startup
Tom> and does so every two minutes or less, how can I distinguish this
Tom> situation from packets getting duplicated in the network, even perhaps
Tom> as part of a malicious replay attack?

Tom> I think of TCP connection startup where I can tell because (most)
Tom> systems use a pseudo-random seed to initialise the sequence number so
Tom> I expect to detect a duplicate SYN or SYN-ACK.

Tom> If the request-id was pseudo-random, no problem - but it isn't!

Many implementations do have a pseudo-random initial requestid, but if
your device does not then that's really what's causing you problems.
If they're always starting up using the same value for a requestid
there is not much you can do, other than upgrade the device to SNMPv3
or tell it to send at most a single trap with no duplicates on startup
(if you can tell it this).

-- 
"The trouble with having an open mind, of course, is that people will
 insist on coming along and trying to put things in it."   -- Terry Pratchett
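The exchange above turns on one question: what can a trap receiver key on to tell "the router really did reboot again" apart from "the same packets arrived twice"? The following is an added example, not code from either poster and not an SNMP library; it is a constructed simulation of the three cases the thread mentions. A device with a fixed initial request-id and a sysUpTime that restarts from zero on every boot is compared with one that starts its request-id from a pseudo-random value, and with one that carries a per-boot counter, which is what SNMPv3's USM timeliness values (snmpEngineBoots/snmpEngineTime, RFC 3414) provide and why "upgrade to SNMPv3" is the reply's answer. The address, OID values, uptime figures and the 31-bit random draw are all assumptions for the simulation; the real SNMPv3 time window check is left out.

```python
"""Constructed simulation (not SNMP library code): why identical startup
traps are ambiguous to a receiver, and what a random initial request-id or
a per-boot counter (SNMPv3 snmpEngineBoots, RFC 3414) changes."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Trap:
    src: tuple          # (ip, port) the trap came from -- constructed
    request_id: int     # request-id as seen in the PDU
    sys_uptime: int     # hundredths of a second since the device booted
    varbinds: tuple     # ((oid, value), ...)
    engine_boots: int = 0   # 0 = sender has no boot counter (v1/v2c-style)


class TrapReceiver:
    """Dedup cache keyed only on fields a receiver can actually observe."""

    def __init__(self):
        self.seen = set()
        self.boots_seen = {}    # src -> highest engine_boots accepted so far

    def classify(self, t: Trap) -> str:
        key = (t.src, t.request_id, t.sys_uptime, t.varbinds, t.engine_boots)
        if t.engine_boots:
            # A message claiming an older boot than we already trust from this
            # source is stale: a network duplicate or a replay. (Real SNMPv3
            # also checks engineTime within a window; omitted here.)
            if t.engine_boots < self.boots_seen.get(t.src, 0):
                return "replay"
            self.boots_seen[t.src] = t.engine_boots
        if key in self.seen:
            return "duplicate"
        self.seen.add(key)
        return "new"


def device_boot(start_request_id, engine_boots=0):
    """Emit the startup trap sequence described in the thread: same source,
    same OIDs, same values, sysUpTime restarted from zero, request-id
    counting up from start_request_id. Values are constructed."""
    src = ("192.0.2.10", 162)                       # TEST-NET-1 address
    varbinds = (("1.3.6.1.6.3.1.1.5.1", "coldStart"),)
    return [
        Trap(src, start_request_id + i, uptime, varbinds, engine_boots)
        for i, uptime in enumerate((5, 120, 240))   # hundredths of a second
    ]


def run(start_ids, boots):
    """Feed one receiver two consecutive boot sequences, then a copy of the
    first sequence standing in for a network duplicate or a replay."""
    rx = TrapReceiver()
    first = device_boot(start_ids[0], boots[0])
    second = device_boot(start_ids[1], boots[1])
    return [tuple(rx.classify(t) for t in seq) for seq in (first, second, first)]


def scenario_predictable():
    """Fixed initial request-id, no boot counter: the genuine second boot is
    indistinguishable from duplicated packets."""
    return run((1, 1), (0, 0))


def scenario_random_request_id(seed=2002):
    """Pseudo-random initial request-id per boot: the second boot is new,
    the copied packets are still flagged as duplicates."""
    rng = random.Random(seed)
    a = rng.getrandbits(31)
    b = rng.getrandbits(31)
    while b == a:           # guard against the (negligible) collision
        b = rng.getrandbits(31)
    return run((a, b), (0, 0))


def scenario_engine_boots():
    """Fixed request-id but a boot counter in the message: the second boot is
    new, and the stale copy is rejected outright as a replay."""
    return run((1, 1), (1, 2))


if __name__ == "__main__":
    for name, fn in (("predictable", scenario_predictable),
                     ("random request-id", scenario_random_request_id),
                     ("engine boots", scenario_engine_boots)):
        print(f"{name:18s} boot1={fn()[0]} boot2={fn()[1]} copy={fn()[2]}")
```

Each scenario returns the receiver's verdict for the first boot, the second boot, and the re-sent copy of the first boot. Only the predictable device yields the same verdict ("duplicate") for the real second boot and for the copied packets, which is exactly the ambiguity the original post describes; the other two give the receiver a field that separates the cases.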