
Re: Draft EOS minutes

>>>>> On Fri, 13 Sep 2002 11:46:49 +0100, "Tom Petch" <nwnetworks@dial.pipex.com> said:

Tom> Sorry I am less than clear; practical example follows.

Tom> Using the world's most widely used enterprise router and software, if
Tom> I reboot many times, I get (mostly) the precise same sequence of
Tom> SNMPv1 traps from the same IP address/port with the same OIDs and the
Tom> same values.  The only difference from one sequence to another is in
Tom> the (copy of the) sysUpTime, which, reset on boot, has a very small
Tom> standard deviation, more like hundredths of a second as opposed to a
Tom> second.  (These boxes really are predictable).

Tom> So when, as has happened, the router boots and crashes during startup
Tom> and does so every two minutes or less, how can I distinguish this
Tom> situation from packets getting duplicated in the network, even perhaps
Tom> as part of a malicious replay attack?

Tom> I think of TCP connection startup where I can tell because (most)
Tom> systems use a pseudo-random seed to initialise the sequence number so
Tom> I expect to detect a duplicate SYN or SYN-ACK.

Tom> If the request-id was pseudo-random, no problem - but it isn't!

Many implementations do have a pseudo-random initial request-id, but if
your device does not, then that's really what's causing you problems.
If they're always starting up using the same value for a request-id,
there is not much you can do, other than upgrade the device to SNMPv3
or tell it to send at most a single trap with no duplicates on startup
(if you can tell it this).

"The trouble with having an open mind, of course, is that people will
 insist on coming along and trying to put things in it."   -- Terry Pratchett
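As an added illustration of the point made in the thread (not code from either poster), the sketch below models a trap deduplicator that treats traps with the same source, request-id and varbinds and a near-identical sysUpTime as duplicates. The `Trap` record, the `classify()` helper, the tolerance value and the sample traps are constructed assumptions, not a real SNMP decoder; it shows that with a fixed request-id three genuine reboots are indistinguishable from replays, while pseudo-random request-ids keep them apart.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed, simplified trap record: only the fields the thread talks about
# (source address/port, request-id, the copied sysUpTime in TimeTicks, varbinds).
@dataclass(frozen=True)
class Trap:
    src: Tuple[str, int]
    request_id: int
    sysuptime: int                          # TimeTicks (1/100 s) since boot
    varbinds: Tuple[Tuple[str, str], ...]   # (OID, value) pairs

    def fingerprint(self) -> Tuple:
        # Everything that stays identical across reboots of a predictable box
        return (self.src, self.request_id, self.varbinds)

class TrapDeduplicator:
    """A trap is a duplicate if an earlier trap had the same fingerprint and a
    sysUpTime within `tolerance` ticks (the small jitter Tom observed)."""
    def __init__(self, tolerance: int = 5):
        self.tolerance = tolerance
        self.seen: Dict[Tuple, List[int]] = {}

    def is_duplicate(self, trap: Trap) -> bool:
        times = self.seen.setdefault(trap.fingerprint(), [])
        dup = any(abs(t - trap.sysuptime) <= self.tolerance for t in times)
        times.append(trap.sysuptime)
        return dup

def classify(traps: List[Trap], tolerance: int = 5) -> List[bool]:
    """Return one duplicate flag per trap, in arrival order."""
    d = TrapDeduplicator(tolerance)
    return [d.is_duplicate(t) for t in traps]

# Constructed sample: a router that crashes and reboots every two minutes and
# sends the same coldStart trap each time with a sysUpTime that differs by a few
# hundredths of a second. Address and OID values are placeholders.
VARBINDS = (("1.3.6.1.6.3.1.1.4.1.0", "coldStart"),)
SRC = ("192.0.2.1", 162)
FIXED_ID = [Trap(SRC, 1, 120, VARBINDS),
            Trap(SRC, 1, 122, VARBINDS),
            Trap(SRC, 1, 119, VARBINDS)]
RANDOM_ID = [Trap(SRC, 874021, 120, VARBINDS),
             Trap(SRC, 3319, 122, VARBINDS),
             Trap(SRC, 55108, 119, VARBINDS)]

if __name__ == "__main__":
    print(classify(FIXED_ID))   # [False, True, True]: reboots look like replays
    print(classify(RANDOM_ID))  # [False, False, False]: each boot is distinct
```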