the stream | Alexander Bochmann

ipspace: Leaf-and-spine fabrics versus fabric extenders

Alexander Bochmann Monday 27 of February, 2017

http://blog.ipspace.net/2017/02/leaf-and-spine-fabrics-versus-fabric.html

Ivan Pepelnjak wrote:

It’s obvious that a bunch of fabric extenders (leafs) connected to a pair of Nexus switches (spines) form a leaf-and-spine fabric.
However, there are several important differences between a fabric extender-based fabric and a leaf-and-spine fabric built with standard data center switches:
* In a well-designed leaf-and-spine fabric the spine nodes are completely independent – they share no configuration, state or risk. Nexus switches configured as a vPC pair share a lot of configuration and state (and risk).
* Leaf nodes in a traditional leaf-and-spine fabric are independent devices, whereas fabric extenders act as linecards of the spine switches. The blast radius (how many things can go wrong based on a single failure) on a fabric extender-based architecture is much larger than in a fabric built with independent switches.
* Independent leaf nodes can do local packet switching whereas in a fabric extender environment all traffic has to traverse the spine layer.

We don't use Nexus fabrics in our datacenter, but the "blast radius" of a Juniper EX or QFX Virtual Chassis (Fabric) control plane failure isn't much different (though they can do local packet switching on linecards, unlike the FEXen). Our next DC design will probably go towards a routed fabric - though we'll have to build up all the automation infrastructure and skills that comes with that. The Virtual Chassis black box, for all it's downsides, removes a lot of the configuration complexity.

my new favourite band of the day: Grand Parc

Alexander Bochmann Monday 27 of February, 2017

Youtube: KEXP presents Grand Parc performing live at Hôtel Pasteur during the 2016 Trans Musicales festival in Rennes, France. Recorded December 2, 2016.

firmware security blog: more on Apple/SuperMicro story

Alexander Bochmann Monday 27 of February, 2017

The firmware security blog has collected a few more links on the news that Apple has ditched SuperMicro as a source for it's own cloud server hardware after they downloaded a backdoored firmware from SuperMicro's update servers.

Ted Unangst: (l)inks

Alexander Bochmann Monday 27 of February, 2017

I wasn't aware (should probably think up a tag for posts that begin with those or similar words) that tedu had started a link collection fed from things he was reading a while ago - somewhat similar to what I'm trying to do here (and now another input for my RSS reader).

Today, he reflected on 1000 links having been posted to that collection. I can relate to a lot of what he wrote.

tedu wrote:

There was also the question of whether to post popular links seen elsewhere or focus on hidden gems. ICYMI YOLO FOMO. A curated best of list is good for people who want to replace social aggregators, but redundant for those who don’t. Focusing on the underserved link market means the site is less useful as an archive. It feels weird to exclude a link because other people liked it, and being able to flip back and find a link a week later has actually been immensely helpful.

His format is somewhat more terse than mine, usually with a one-line quote and a few words of comment. Okay, mabe it just seems more terse because the site is using a very simple layout.

tedu wrote:

There’s always some proposal or another about how to fix or replace sites like Twitter and HN. One possibility is for everybody to run a little site where they post their favorite links. Subscribe to the people who post good stuff, and boom, all those complaints about clickbait rising to the top disappear.

Hey, a distributed social network ;)

ftp protocol stream injection with Java and Python URL handling code

Alexander Bochmann Sunday 26 of February, 2017

Abusing FTP protocol inspection on firewalls to make them open arbitrary ports is an old game (and you should really disable that for "active" ftp data channel negotiation), but here's a new combination of attack vectors:

It's possible to create ftp:// URLs that contain additional FTP commands, which then get picked up by protocol inspection (Linux conntrack for example, but other implementations seem to use similar heuristics) to create inbound port forwardings. Java and Python protocol handlers don't sanitize input to remove such command injections, so if you find a setup suspectible to SSRF or XXE vulnerabilities, it might be possible to inject appropriately manipulated URLs.

Full writeup here: Blindspot Advisory: Java/Python FTP Injections Allow for Firewall Bypass .

(Via Oluf Lorenzen on G+.)

@SwiftOnSecurity: Never use Process Monitor. Everything is terrible. You never find good stuff with Process Monitor.

Alexander Bochmann Sunday 26 of February, 2017

So um, the Alps touchpad driver writes a registry key on every scroll event. Like, thousands a minute. When you're scrolling.

(Via someone on G+, but I can't currently find the post... Yeah, that's Google, the Search company, for you...)

Linus Torvalds on effects of the SHA1 collision attack on git

Alexander Bochmann Sunday 26 of February, 2017

He wrote a summary on Google+, I'll just quote the intro, skip over to G+ for the whole thing:

Linus Torvalds wrote:

I thought I'd write an update on git and SHA1, since the SHA1 collision attack was so prominently in the news.

Quick overview first, with more in-depth explanation below:

(1) First off - the sky isn't falling. There's a big difference between using a cryptographic hash for things like security signing, and using one for generating a "content identifier" for a content-addressable system like git.

(2) Secondly, the nature of this particular SHA1 attack means that it's actually pretty easy to mitigate against, and there's already been two sets of patches posted for that mitigation.

(3) And finally, there's actually a reasonably straightforward transition to some other hash that won't break the world - or even old git repositories.

Anyway, that's the high-level overview, you can stop there unless you are interested in some more details (keyword: "some". If you want more, you should participate in the git mailing list discussions - I'm posting this for the casual git users that might just want to see some random comments).

In one of the comments, Linus also explains why objects with a colliding SHA1 hash won't be an immediate problem for git, while they can be used to destroy, for example, an SVN repository:

Linus Torvalds wrote:

SVN (unlike git) just does the SHA1 on the raw object data as the de-dupe mechanism, which is why just feeding the colliding pdf files into SVN triggered the problem.

Git ends up doing the SHA1 not on the raw user data, but on a "git object data", which includes a header with a type and a length. That means that if you just use the poisoned pdf's, git won't actually see the same SHA1 at all for them, and so we don't actually have a "real" git test case for the SHA1 collision yet.

SANS reading room: Tor Browser Artifacts in Windows 10

Alexander Bochmann Saturday 25 of February, 2017

This new document (PDF) in the forensics category of the SANS reading room introduces quite a few basic Windows-specific forensic tools being used on an example of tracking down the changes caused by a Tor Browser installation.

The first one being mentioned, Regshot (to compare the Registry before and after installation), seems immediately useful.

Airbus Cybersecurity: Playing defence against the Equation Group

Alexander Bochmann Saturday 25 of February, 2017

I missed this back in October: Airbus Cybersecurity has a long post examining specifically the documentation files from the Equation Group data leaked by Shadow Brokers...

Seems like quite a good summary on that part of the information.

These tools and exploits do not change the path of a normal killchain. What we see here is reconnaissance (command sets), lateral movement (RCEs on admin interfaces), privilege escalation [..], persistence [..]. This leak contains no initial intrusion material. This means that regular detection and defence strategies still apply. Even if we assume the worst-case scenario of a remote code execution on the public interface of a border firewall, it still takes us back to a defence-in-depth doctrine. [..]
What the exploits, tools and procedures contained in the package show is that Equation Group is actively pursuing admin networks and infrastructures. In this respect, the fact that they abort if logs are sent to separate equipment unless they “own” this equipment is a tell-tale sign of their operational tactics. [..]
What stand out are the professionalism, the organisation given to this task, and their focus on retaining stealth. As Rob Lee of SANS says, “It’s an army set-up to hack your organization”. That makes them a formidable opponent.

Geoff Huston: The Root of the DNS

Alexander Bochmann Thursday 23 of February, 2017

Geoff Huston (APNIC Chief Scientist) has an overview of the DNS root server system (cache) with some assorted trivia (why 13 root servers?), and some open questions about how to take load off the root name servers (who seem to spend a considerable amount of their life generating NXDOMAIN responses)...

PuTTY 0.68 released

Alexander Bochmann Thursday 23 of February, 2017

PuTTY releases are rare enough to be somewhat of a surprise when they happen (the last was nearly a year ago). Most noteworthy, this is the first PuTTY version to support elliptic curve cryptography (previously only available in development snapshots).

PuTTY latest release page (currently 0.68)

PuTTY changelog wrote:

These features are new in 0.68 (released 2017-02-21):

Security fix: an integer overflow bug in the agent forwarding code. See vuln-agent-fwd-overflow.
Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking by specially named DLLs in the same directory (on versions of Windows where they previously were). See vuln-indirect-dll-hijack.
Windows PuTTY no longer sets a restrictive process ACL by default, because this turned out to inconvenience too many legitimate applications such as NVDA and TortoiseGit. You can still manually request a restricted ACL using the command-line option -restrict-acl.
The Windows PuTTY tools now come in a 64-bit version.
The Windows PuTTY tools now have Windows's ASLR and DEP security features turned on.
Support for elliptic-curve cryptography (the NIST curves and 25519), for host keys, user authentication keys, and key exchange.
Support for importing and exporting OpenSSH's new private key format.
Host key preference policy change: PuTTY prefers host key formats for which it already knows the key.
Run-time option (from the system menu / Ctrl-right-click menu) to retrieve other host keys from the same server (which cross-certifies them using the session key established using an already-known key) and add them to the known host-keys database.
The Unix GUI PuTTY tools can now be built against GTK 3.
There is now a Unix version of Pageant.

Google announces "first practical SHA1 collision attack"

Alexander Bochmann Thursday 23 of February, 2017

Google security blog: Announcing the first SHA1 collision.

Google wrote:

Today, 10 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. .. Following Google’s vulnerability disclosure policy, we will wait 90 days before releasing code that allows anyone to create a pair of PDFs that hash to the same SHA-1 sum given two distinct images with some pre-conditions.

So it seems the attack is not generalizable for all scenarios at this point in time (and we'll not yet see a collision for, say, a SHA-1 certificate hash), but that's how things started to go bad for MD5 too...

pfSense 2.3.3 released - with Let's Encrypt support

Alexander Bochmann Wednesday 22 of February, 2017

According to to the pfSense blog, pfSense 2.3.3 has been released a couple of days ago.

pfSense now has a acme package (also available for the previous release, 2.3.2p1), which can be found right at the top of the list under System -> Package Manager -> Available Packages.

When the package is installed, there's a new service available, Services -> Acme Certificates. Even though the pfSense wiki currently doesn't seem to have any documentation on this module, activation is relatively straightforward for everyone who has seen the Let's Encrypt workflow:

Create an account key with the Let's Encrypt production CA, create a certificate (I had to add a folder name for the webroot local folder verification method, the path is shown in the first example of the pfSense web UI), issue certificate. The certificate is then available in the SSL Certificate selection for the Web Configurator. The UI has options for auto-renewal and additional jobs to run on certificate updates - I'll see if those work in about 60 days ;)

(Admittedly, things are not quite self explaining for first time Let's Encrypt users... *cough*)

I only have a pfSense test system, so I don't have much of an idea about the other changes in this release.

full Kælan Mikla debut album on Youtube

Alexander Bochmann Tuesday 21 of February, 2017

Kælan Mikla have uploaded all of their debut album as Youtube playlist.

CD can still be bought on the Fabrika Records shop.

Internet Society publishes "The IANA Timeline" document

Alexander Bochmann Tuesday 21 of February, 2017

The IANA Timeline is available here (cache) in HTML format (and as optional PDF download).

It has some of the early history, but it's focus is on the IANA stewardship transition, over to a new non-profit, operating under contracts with ICANN:

“Public Technical Identifiers” (PTI) is incorporated in California as a non-profit public benefit corporation. (The company was originally referred to as PTI, Post-Transition IANA, in the transition documents, thus giving birth to the awkward final name.) This company will be responsible for performing all of the IANA functions regarding DNS names, IP Addresses, and Protocol Parameters under three separate contracts with ICANN

(Via Lutz Donnerhacke on Google+)