Let’s return to our simple four AS network to look at a number of issues with BGPSEC — the bits you won’t often hear discussed in just about any forum. Assume, for a moment, that AS65000 advertises some route, say 192.0.2.0/24, to AS65001, and not to AS65002. For whatever reason, a few days pater, the […]
The post BGPSEC: Replays, Timers, and Performance appeared first on Packet Pushers Podcast and was written by Russ White.
I would like to start by saying Merry Christmas and Happy Holidays season to all. In between spending time with my family, decorating the Christmas three and opening presents, I did find some time to play around with my hobby and testing something in the lab.
An article came out this week that really made me sigh. The title was “Six Aging Protocols That Could Cripple The Internet“. I dove right in, expecting to see how things like Finger were old and needed to be disabled and removed. Imagine my surprise when I saw things like BGP4 and SMTP on the list. I really tried not to smack my own forehead as I flipped through the slideshow of how the foundation of the Internet is old and is at risk of meltdown.
If It Ain’t Broke
Engineers love the old adage “If it ain’t broke, don’t fix it!”. We spend our careers planning and implementing. We also spend a lot of time not touching things afterwards in order to prevent it from collapsing in a big heap. Once something is put in place, it tends to stay that way until something necessitates a change.
BGP is a perfect example. The basics of BGP remain largely the same from when it was first implemented years ago. BGP4 has been in use since 1994 even though RFC 4271 didn’t officially formalize it until 2006. It remains a critical part of how the Continue reading
#10: The CIA coordinated the release of classified information to the media, including inaccurate information concerning the effectiveness of the CIA's enhanced interrogation techniques. The CIA's Office of Public Affairs and senior CIA officials coordinated to share classified information on the CIA's Detention and Interrogation Program to select members of the media to counter public criticism, shape public opinionOf course they did, but then so did the Senate committee itself. They've been selectively leaking bits of the report for over a year. Their description of the "CIA hacking" scandal was completely inaccurate.
No. When compared to the operation of existing networks, SDN is much more secure.
The post Are SDN Controllers a Security Risk ? appeared first on EtherealMind.
In my last post on the subject of BGPSEC, I explained the basic operation of the modifications to BGP itself. In this post, I’ll begin looking at some of the properties — both good and bad — of these extensions to BGP. To being, we’ll look at the simple network illustrated here, and see what […]
The post BGPSEC: Protections Offered appeared first on Packet Pushers Podcast and was written by Russ White.
Resource Public Key Infrastructure (RPKI) is a relatively new standard for establishing BGP route origination. I wrote a brief introductory article here. Apologies for the self-promotion, but rather than rehash the basics here, I raise another issue that needs community attention: ARIN’s Relying Party Agreement (RPA: PDF link). Having said that, some basics are needed. […]
A different kind of war story this time: Unix security blunders. Old-school Unix-types will mutter about how much more secure Unix systems are than Windows, but that glosses over a lot. In a former life I worked as an HP-UX sysadmin, and I saw some shocking default configurations. I liked HP-UX – so much better laid out than Solaris – but it was very insecure by default. Here’s a few things I’ve come across:
We’d lost the root password for a test HP-UX server. We had user access, but not root. The server was located in a different DC, and we didn’t really feel like going and plugging in a console cable to reset the root password. So we started looking around at how we might get access. After a while I found these two things:
And now for the kicker:
hpux lhill$ ls -ld / drwxrwxrwx 30 root wheel 1020 1 Nov 13:57 /
Put those together, and you can see it’s easy to gain root. All we needed to do was create /.rhosts, and add whatever Continue reading