Wednesday, October 31, 2012

Cisco IPV6 t-shoot SLAAC

As we all know, "IPv6 is here, and Cisco is getting more and more involved with IPv6 features and routing."

One common mistake with SLAAC, and the simple address assignment that comes with it, is forgetting to enable ipv6 unicast-routing globally; SLAAC assignment silently fails as a result.


This has caused a few issues in the past, and it is easy to identify.

Follow this example. Let's say you enable IPv6 on an interface.


e.g


!
interface GigabitEthernet0/0
 description  HE /48 announcement of mine
 ip address 1.1.1.253 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001:470:C021:1::1/64
 ipv6 enable
end

It looks good, right? Wait a minute, not so fast :)

Issue a "show ipv6 int gi 0/0" and it shows the following (output truncated):



  FF02::1:FF39:7F00
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
router3825#


Notice how the output says nothing about SLAAC being enabled on that interface? Okay, so we correct the problem by enabling ipv6 unicast-routing globally on the router.


e.g

router3825#config t
Enter configuration commands, one per line.  End with CNTL/Z.
router3825(config)#ipv6 uni
router3825(config)#ipv6 unicast-routing
router3825(config)#^Z

and now re-issue that same show command:

router3825#show ipv6 int gi 0/0
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21D:70FF:FE39:7F00
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:470:C021:1::1, subnet is 2001:470:C021:1::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF39:7F00
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
router3825#
*Oct 31 21:40:35.931: %SYS-5-CONFIG_I: Configured from console by console


Okay, do you see the difference now?

By default RAs (router advertisements) are enabled, and the interface is now SLAAC enabled and will hand out addressing to IPv6 clients. Without this command, that interface would not provide any IPv6 addressing to clients that send a router solicitation.

I hope you find this posting useful if you run into IPv6 assignment issues or clients not receiving their IPv6 addressing information. You can also validate that IPv6 is configured with a simple "show ipv6 protocols" command:


e.g

 router3825#show ipv6 protocols  
IPv6 Routing Protocol is "ND"
IPv6 Routing Protocol is "connected"
router3825#



But don't be fooled: the above will populate even WITHOUT unicast-routing enabled. Issuing ipv6 unicast-routing is what allows the interfaces configured for IPv6 to route and participate in IPv6 routing.


Ken Felix

Freelance Security and Network Engineer

kfelix " a t " hyperfeed.com



Cisco ASA ikev2 setup

Okay, Cisco finally got on board with the rest of the firewall appliance vendors and now supports IKE version 2.

1st off, why IKE version 2?

Well, IKE version 2 (aka IKEv2) is supposed to be our cake and ice cream with regards to configuration and setup. Here are some changes in IKEv2 vs IKEv1:

  • Support for bi-directional authentication (I can use one PSK locally and another remotely) or mix and match PSKs and certificates between peers
  • Quicker setup with regards to IPsec phase 1
  • The phase 1 setup interval is now shortened by 40%, or maybe more, in setup time
  • DPD and NAT-T are handled within the IKEv2 setup between peers
  • The confusion over when to use aggressive or main mode is now eliminated
  • Doesn't process the request until the requester is identified (DoS protection)
  • Supports EAP authentication of initiator and requester
  • Explicit congestion notification is now included in IKEv2
  • And finally, less configuration required in most deployments

Okay, the above is what's supposed to be better with IKEv2. Now let's explore IKEv2-supported devices. These are the platforms I'm aware of that support IKEv2 and on which I have configured it:

  • strongswan
  • openswan 2.6 or later
  • pfSense 2.X (TBD in the near future; still beta code being worked out)
  • later IOS routers running 12.4 code (15.X seems not to support IKEv2 under the enterprise release, from what I can tell on my ISR hardware)
  • Fortigate firewalls
  • Juniper firewalls
  • ASA firewalls, code set 8.4 or later
  • Stonesoft firewall appliances


Okay, so that's just a brief listing of firewalls and routers that support IKEv2. This posting, on the other hand, is about the ASA Security Appliance and the configuration of IKEv2. The ASA has had IKEv2 support since the 8.4 code set, and it's quite interesting, but not overly hard to configure.

VPN configuration on the ASA has always been a struggle for most seasoned firewall admins/engineers, and very hard to troubleshoot.

Here are my steps in the configuration process for IKEv2:

1st, let's create some IKEv2 policies that we can call later. We are doing AES with either 192 or 256 bit key sizes; the 192/256 represents the key size in bits. The default is always 128, or AES-128. Also, not to be mistaken: AES only supports 128-bit data blocks regardless of the key size.


crypto ikev2 policy 20
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 28000
!
crypto ikev2 policy 30
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 28000


We are also using DH group 5 with SHA hashing. Now set the IPsec proposals (the IKEv2 equivalent of transform sets) that we will later use in our crypto map definitions.



crypto ipsec ikev2 ipsec-proposal vpn192
protocol esp encryption aes-192
protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal vpn256
protocol esp encryption aes-256
protocol esp integrity sha-1



Now make sure to enable IKEv2 on the correct interface, the one we expect IKEv2 traffic on; in our case we have the classic inside/outside interfaces and will use the latter:


crypto ikev2 enable outside

Note: it is critical that we enable this. Without that command, the firewall will not expect or know how to handle IKEv2 packets. Okay, now let's put it all together and see how it works.


In this case the far end is addressed at 1.0.0.1:

tunnel-group 1.0.0.1 type ipsec-l2l
tunnel-group 1.0.0.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key MkB3stK3yY3t!
ikev2 local-authentication pre-shared-key MyK3yh3r3forUyu0



Here's a crypto map using the IPsec proposals and peer 1.0.0.1:



crypto map vpnout 1 set peer 1.0.0.1
crypto map vpnout 1 match address cryptovpn01
crypto map vpnout 1 set ikev2 ipsec-proposal vpn192 vpn256


And don't forget to apply the crypto map to the interface:

crypto map vpnout interface outside



The ACL cryptovpn01 would be an extended access-list permitting the left/right (local/remote) subnets. This determines what traffic needs to be encrypted:


access-list cryptovpn01 extended permit ip 192.168.110.0 255.255.255.0 10.100.100.0 255.255.255.0


You might want to deploy ASA objects. This makes ACL configs simpler to build and manage.


i.e. using objects



object network inside
   subnet 192.168.110.0 255.255.255.0

object network remote-net01
  subnet 10.100.100.0 255.255.255.0

And now, how does the ACL look when using objects?


access-list cryptovpn01 extended permit ip object inside object remote-net01


And lastly, if you're using NAT control, you might need to enable a no-NAT (aka NAT exemption) for the traffic from left to right.





i.e. using our above objects to simplify:

nat (inside,outside) source static inside inside destination static remote-net01 remote-net01


If you did not create NAT exemptions, then your ASA would try to NAT all the traffic if you had a NAT statement that matched ALL/ANY.

Now to troubleshoot this, you have some options, but at minimum:

(packet tracer)
packet-tracer input inside tcp 192.168.110.2 2000 10.100.100.100 80

show vpn-sessiondb

show crypto ikev2 sa

debug crypto ikev2 platform 5  (or higher for more details)
or
debug crypto ikev2 protocol 5  (or higher for more details)

  
And a snippet of a typical debug output:

IKEv2-PLAT-4: SENT PKT [IKE_SA_INIT] [1.1.1.1.90]:500->[1.1.1.1.2]:500 InitSPI=0x01b912352a88ea61 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-3: (8): Insert SA
IKEv2-PROTO-2: (8): Retransmitting packet
IKEv2-PROTO-3: Tx [L 1.1.1.1.90:500/R 1.1.1.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:01B912352A88EA61 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 01B912352A88EA61 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 502
 SA  Next payload: KE, reserved: 0x0, length: 92
IKEv2-PROTO-4:   last proposal: 0x2, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     06 e8 a3 cf 58 f2 42 f7 93 84 14 3d e5 39 97 e3
     14 22 b5 60 9c 22 88 4a d6 28 27 0e 24 55 27 15
     7e 39 b7 71 bc 76 34 a7 34 a0 cf ae 37 84 97 c7
     c0 94 e1 b5 15 1c ac 2b c6 c5 ee dd b7 3b 02 53
     d7 e8 19 6e 05 ab bd f4 4b 14 9d 4a 71 fc b4 f9
     2a 03 bc 96 32 37 c6 b4 ad b2 f5 7f 2c f3 c4 8d
     d9 95 ca cc 74 e5 f0 f4 90 78 2d 19 ab ae 1d 46
     10 a7 35 bc 8c 85 cc 44 e8 29 e0 55 d5 1d 08 aa
     77 dc b7 d0 a1 33 6c 40 8d af 26 4a 95 9f 4f fe
     a0 b8 d6 10 a0 65 47 fa b6 e8 4e f2 37 a6 d5 eb
     cf b1 92 31 b0 8d 3f a7 a4 35 31 8e 3a a5 bb 34
     3c 93 5b 60 01 e1 fd 17 ac c1 5f 11 11 c6 a8 8c
 N  Next payload: VID, reserved: 0x0, length: 24

     78 93 88 9a 12 20 3d 83 fb fb 3f 72 51 6f 94 e0
     a0 30 66 e7
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     25 1b 55 5d 1f 08 fc 6d 25 8c 73 9c c0 81 d7 df
     de 2b e1 31
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     c2 a8 f7 bb b8 d9 91 4a 4c 4f b5 81 e1 dc 69 48
     c9 96 e9 5c
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PLAT-4: SENT PKT [IKE_SA_INIT] [1.1.1.1.90]:500->[1.1.1.2]:500 InitSPI=0x01b912352a88ea61 RespSPI=0x0000000000000000 MID=00000000
no debug all
asaken# 




I hope this was helpful.


Ken Felix

Freelance Security and Network Engineer

kfelix " a t " hyperfeed.com

Thursday, October 25, 2012

Jumbo Frames "Nexus 5548P" version 5.X code

If the need comes up for jumbo frames, then this post will help you around the issues.

1st off, the jumbo frame option allows you to pass frames bigger than the 1514 bytes MTU. The feature is global and affects all ports.

I'm not sure if you can even set it up port by port, and that would not be wise if you have ports in various VLANs spread across various physical ports.

1st, let's inspect the MTU size:

show queuing interface eth1/3

Ethernet1/3 queuing information:
  TX Queuing
    qos-group  sched-type  oper-bandwidth
        0       WRR            100

  RX Queuing
    qos-group 0
    q-size: 470080, HW MTU: 1500 (1500 configured)
    drop-type: drop, xon: 0, xoff: 2938
    Statistics:
        Pkts received over the port             : 0
        Ucast pkts sent to the cross-bar        : 0
        Mcast pkts sent to the cross-bar        : 0
        Ucast pkts received from the cross-bar  : 0
        Pkts sent to the port                   : 0
        Pkts discarded on ingress               : 0
        Per-priority-pause status               : Rx (Inactive), Tx (Inactive)


Okay, fine, we see the port is set to a 1500 byte MTU. Here's the NX-OS version we are running on this particular switch:

nxcr01-sw01# sh ver  | grep "System version"
  System version: 5.0(3)N2(1)

Okay, now we must create a network-qos policy-map to change the system MTU and allow jumbo frames:

policy-map type network-qos bigfreakingmtu
  class type network-qos class-default
    mtu 9216
    multicast-optimize

As you can see, a network-qos policy-map named bigfreakingmtu was created, and we applied the MTU under the class-default class.


Now apply this to your system QoS settings:

config t
  system qos
    service-policy type network-qos bigfreakingmtu
end

and let's recheck now:

sh queuing int eth 1/3
Ethernet1/3 queuing information:
  TX Queuing
    qos-group  sched-type  oper-bandwidth
        0       WRR            100

  RX Queuing
    qos-group 0
    q-size: 470080, HW MTU: 9216 (9216 configured)
    drop-type: drop, xon: 0, xoff: 2938
    Statistics:
        Pkts received over the port             : 0
        Ucast pkts sent to the cross-bar        : 0
        Mcast pkts sent to the cross-bar        : 0
        Ucast pkts received from the cross-bar  : 0
        Pkts sent to the port                   : 0
        Pkts discarded on ingress               : 0
        Per-priority-pause status               : Rx (Inactive), Tx (Inactive)

  Total Multicast crossbar statistics:
    Mcast pkts received from the cross-bar      : 0


Okay, see what happened?

We changed from 1500 to 9216 bytes MTU. 9216 is the biggest MTU size offered and is commonly called jumbo frames.

I hope this post was interesting. Keep in mind the "show interface eth X/X" CLI command will never reflect the true MTU size. You must use "show queuing interface eth X/X" to validate the interface MTU size that's configured.


Ken Felix
Freelance Network Engineer
kfelix " at " hyperfeed.com

Understanding ipv6 privacy extensions in SLAAC networks


IPv6 allows you to hide your computed IPv6/EUI-64 address from external parties. With IPv6 privacy extensions, a remote site will not be able to determine your host machine/NIC type just from the EUI-64 addressing.

The EUI-64 address is simple to compute. As the name suggests, it makes up the bottom half of the 128-bit IPv6 address (64 bits). With SLAAC, your router/firewall offers the top half of the 128-bit address, which is the first 64 bits. The easiest way to remember how this process works:

1: Take your MAC address and, within the 6 bytes of hex values, insert "FFFE" in the middle of the MAC address
e.g

AA:BB:CC:DD:EE:FF  would now become  AA BB CC FF FE DD EE FF


2: Now find the first octet at the far left of this value, take bit #7 and invert it. That means if the bit is a 1 make it a 0, or if it's a 0 make it a 1.

So using the above fictitious MAC address, I will now have crafted the EUI-64 address of A8 BB CC FF FE DD EE FF.

Lastly, the router and its IPv6 RA (router advertisement) will give you the network prefix(es) that you belong on, creating your interface's 128-bit IPv6 address.


Here's my computer's IPv6 address for en0:

waffen01~ kfelix$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
        ether 40:6c:8f:03:18:c4
        inet6 fe80::426c:8fff:fe03:18c4%en0 prefixlen 64 scopeid 0x4
        inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
        inet6 2001:414:1::426c:8fff:fe03:18c4 prefixlen 64 autoconf
        inet6 2001:414:1::f149:7585:555:b340 prefixlen 64 autoconf temporary
        inet6 2001:414:10::426c:8fff:fe03:18c4 prefixlen 64 autoconf
        inet6 2001:414:10::97d:3bd2:72a0:7980 prefixlen 64 autoconf temporary
        inet6 2001:414:11::426c:8fff:fe03:18c4 prefixlen 64 autoconf
        inet6 2001:414:11::b8b4:46a3:70db:a938 prefixlen 64 autoconf temporary
        media: autoselect (100baseTX <full-duplex>)
        status: active


note: the addresses whose interface identifier is 426c:8fff:fe03:18c4 are the EUI-64 computed ones (bolded in the original).


Notice I'm on three unique IPv6 networks (2001:414:1::/64, 2001:414:10::/64 and 2001:414:11::/64) and each network has 2 unique IPv6 addresses: one being my EUI-64 computed address based off my NIC's MAC address, and the other being my IPv6 privacy address, which is randomly created.

Now if I go to a website or use anything external to my networks, the privacy-extension IPv6 address will be used.

e.g. (a simple SSH to a remote IPv6 Cisco router)

waffen01~ kfelix$ ssh cisco@2002:100::2

Password:

ccie02>show user

    Line       User       Host(s)              Idle       Location
*194 vty 0     cisco      idle                 00:00:00
                                                 2001:414:1:0:F149:7585:555:B340
  Interface    User               Mode         Idle     Peer Address
  Se0/0/0                         Sync PPP     00:00:02 1.1.1.1

ccie02>



Notice that the address that was used is the IPv6 privacy one, and not the EUI-64 computed address?
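The EUI-64 computation above and the eui64-vs-temporary distinction in the en0 listing, as an added Python example that is not code from the original post: it derives the modified EUI-64 interface identifier from a MAC, builds the SLAAC address for a /64 prefix, recovers the MAC from an EUI-64 address (the very leak privacy extensions exist to close), and classifies the autoconf addresses in the ifconfig output. The sample text is copied from the listing above; the function names are my own.

```python
import ipaddress
import re

# Sample ifconfig output, copied from the en0 listing in the post above
# (the "temporary" flag marks the privacy-extension addresses).
SAMPLE_IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 40:6c:8f:03:18:c4
        inet6 fe80::426c:8fff:fe03:18c4%en0 prefixlen 64 scopeid 0x4
        inet6 2001:414:1::426c:8fff:fe03:18c4 prefixlen 64 autoconf
        inet6 2001:414:1::f149:7585:555:b340 prefixlen 64 autoconf temporary
        inet6 2001:414:10::426c:8fff:fe03:18c4 prefixlen 64 autoconf
        inet6 2001:414:10::97d:3bd2:72a0:7980 prefixlen 64 autoconf temporary
"""

AUTOCONF_RE = re.compile(
    r"inet6\s+(\S+)\s+prefixlen\s+\d+\s+autoconf(\s+temporary)?"
)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the MAC in half, insert FF FE, then flip the
    universal/local bit (bit 7 of the first octet, mask 0x02)."""
    octets = bytes.fromhex(re.sub(r"[:.\-]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Top 64 bits from the advertised /64 prefix, bottom 64 bits from EUI-64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC address formation needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def link_local_address(mac: str) -> str:
    """The fe80::/64 address a SLAAC host forms before any RA arrives."""
    return slaac_address("fe80::/64", mac)


def mac_from_eui64(addr: str):
    """Reverse the computation; None if the identifier is not EUI-64 shaped.
    This is what any remote site can do when privacy extensions are off."""
    packed = ipaddress.IPv6Address(addr.split("%")[0]).packed
    if packed[11:13] != b"\xff\xfe":
        return None
    octets = bytearray(packed[8:11] + packed[13:16])
    octets[0] ^= 0x02
    return ":".join(f"{o:02x}" for o in octets)


def same_address(a: str, b: str) -> bool:
    """Compare two textual IPv6 addresses regardless of :: compression."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


def classify_autoconf(ifconfig_text: str):
    """Return (address, kind) for every autoconf address: 'temporary' when
    the OS flags it, 'eui64' when a MAC is recoverable, otherwise 'other'."""
    result = []
    for m in AUTOCONF_RE.finditer(ifconfig_text):
        addr, is_temp = m.group(1), m.group(2) is not None
        if is_temp:
            kind = "temporary"
        elif mac_from_eui64(addr) is not None:
            kind = "eui64"
        else:
            kind = "other"
        result.append((addr, kind))
    return result


if __name__ == "__main__":
    print(link_local_address("40:6c:8f:03:18:c4"))
    for addr, kind in classify_autoconf(SAMPLE_IFCONFIG):
        print(f"{kind:9} {addr}  mac={mac_from_eui64(addr)}")
```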


I hope this helps with understanding IPv6 privacy extensions and how they can help ensure security by privacy. Read more about this security feature in the RFC on the rfc website.

If you're too lazy to compute the address or want to confirm it, this handy site has an EUI-64 calculator:

http://www.kame.net/~suz/gen-ula.html  :)


FWIW: to disable privacy extensions

Linux


echo 0 >/proc/sys/net/ipv6/conf/eth0/use_tempaddr

Mac OS X

sudo sysctl -w net.inet6.ip6.use_tempaddr=0

sysctl -a  net.inet6.ip6.use_tempaddr





Are you ready for IPv6? I can assist with IPv6 migration strategies and network design for IPv6.

Ken Felix
kfelix " at " hyperfeed.com
Freelance Security/Network Engineer

 

Wednesday, October 24, 2012

NTP security cisco

A lot of network engineering teams like to configure NTP. NTP is great for time sync when used right. 1st, let's understand what NTP does.

   NTP provides the protocol mechanisms to synchronize time in principle
   to precisions in the order of nanoseconds while preserving a
   non-ambiguous date, at least for this century.  The protocol includes
   provisions to specify the precision and estimated error of the local
   clock and the characteristics of the reference clock to which it may
   be synchronized.  However, the protocol itself specifies only the
   data representation and message formats and does not specify the
   synchronizing algorithms or filtering mechanisms. 
   (rfc958)
 
NTP, Network Time Protocol: protocol UDP, port 123



Okay, so this means that without some way to validate clients/peers/servers, you are open to spoofed updates from misbehaving or unethical sources or from intentional actions.

Okay, NTP typically uses a stratum level for accuracy. How much accuracy does one need in a UNIX/Windows/network environment? (That is a topic for some later debate.)

Unless you're working 2 places right of the decimal, most stratum levels 2-5 are more than adequate.
The lower number in the stratum is considered the more accurate time source, btw.

e.g

stratum 1 is more accurate than 2
stratum 2 is more accurate than 4
stratum 3 is more accurate than 5
stratum 4 is more accurate than 6
and so on.....

Let's have some fun with NTP & TIME


Okay, so how many levels of stratum do we have? That's a good question; per the NTP protocol it's 16.

At stratum level 16, you're considered an UNSYNCHRONIZED clock.

Stratum 0 clock sources are typically an atomic clock or a high-accuracy source such as LORAN, like the one on Okinawa that I worked at when stationed there in the USAF :)

These systems (military, planes, missile/space programs, maritime, etc.) need highly accurate clocks. In some cases we are talking about nanoseconds vs milliseconds. LORAN systems, btw, are slowly being phased out, since GPS satellites and systems are now more common.

Okay, so now we have an understanding of the stratum level and that the lowest numbers are the most accurate. Each device, regardless of whether it has a local reference or is timed from another device, uses this time source as its local reference for time. Since stratum time sources are hierarchical, a time source synchronized to a lower number will be +1 in its rating.

What that means: if I'm synced to a stratum 3 source, a peer synced directly with me would see me as stratum 4. A peer synced with my peer would see him as stratum 5, and so on. You can use UNIX tools like ntptrace to trace NTP paths.

e.g
 ntptrace  a1.dca1
Unknown option: v
a1.dca1: stratum 4, offset -0.000614, synch distance 0.047490
m1.dca1: stratum 3, offset -0.000342, synch distance 0.046768
198.82.1.202: timed out, nothing received
***Request timed out
ntptrace also allows an unethical attacker to identify what routers are open for access and what you're using as time sources. For example, a traceroute from my office to terremark.com lists all of the routers in the path. Executing ntptrace against these routers will identify possible hosts that are enabled as NTP servers/peers.

e.g. (output truncated)
 4  96.120.37.49 (96.120.37.49)  28.997 ms  42.195 ms  28.961 ms
 5  xe-0-1-0-0-sur01.hallandale.fl.pompano.comcast.net (68.85.228.85)  19.081 ms  49.646 ms  13.833 ms
 6  162.151.2.101 (162.151.2.101)  54.124 ms
    te-0-9-0-1-ar03.northdade.fl.pompano.comcast.net (68.87.162.185)  24.058 ms
    te-0-9-0-3-ar03.northdade.fl.pompano.comcast.net (69.139.181.177)  22.514 ms
 7  he-0-8-0-0-cr01.miami.fl.ibone.comcast.net (68.86.93.85)  24.122 ms  30.657 ms  37.148 ms
 8  xe-8-0-0.edge2.miami1.level3.net (4.59.85.45)  17.289 ms  13.370 ms  15.901 ms
 9  ae-1-51.edge2.miami2.level3.net (4.69.138.77)  35.879 ms
    ae-2-52.edge2.miami2.level3.net (4.69.138.109)  42.095 ms
    ae-1-51.edge2.miami2.level3.net (4.69.138.77)  73.704 ms
10  data-return.edge2.miami2.level3.net (4.71.212.66)  25.518 ms  29.417 ms  20.224 ms
11  t9-1.gw1.mia.terremark.net (66.165.161.94)  17.071 ms  17.627 ms  32.947 ms
12  66.165.170.13 (66.165.170.13)  20.253 ms  22.208 ms  16.415 ms
13  72.46.239.73 (72.46.239.73)  15.549 ms  15.146 ms  25.279 ms
14  app.terremark.com (208.39.96.115)  22.889 ms  26.611 ms  17.418 ms
In the NTP daemon, we typically see entries that use a local time source or have a clock input make references to a 127.x.x.x address. Well, Cisco does the same thing in their implementation.


In the above traceroute, the Data Return edge router at hop #10 is open as a possible NTP server:


e.g 
kfelix-waffen01:~ kfelix$ ntptrace 4.71.212.66
data-return.edge2.miami2.level3.net: stratum 3, offset -0.000380, synch distance 0.067326
ntp.terrenap.net: stratum 2, offset -0.000003, synch distance 0.043791
10.1.2.18: timed out, nothing received
***Request timed out

So what this means:

If I wanted to orchestrate an attack on that router, a slew of hosts executing NTP queries could impact the router's performance or memory consumption. That router should be closed to external queries and filtered, only allowing queries from a trusted segment, and they should deploy NTP authentication and ACLs.

To reconfirm it's open, I can use any of my Cisco routers, add it as an NTP server entry and monitor my association to that host:

e.g

config t
   ntp server 4.71.212.66
end
anonymous-waffen-rtr1#sh ntp ass | i 4.71.212.66
+~4.71.212.66      66.165.160.189    3     0    64  377     3.4    1.28     0.6
anonymous-waffen-rtr1#


As you can see, I gained association to the open NTP server.


Moving on, let's look at Cisco and its NTPv3 setup.

Here's my CCIE lab router setup:


 e.g
ccie01#show ntp status
Clock is synchronized, stratum 1, reference is .LOCL.
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D432C93C.D7A64D3C (20:08:28.842 UTC Wed Oct 24 2012)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
ccie01#show ntp ass  

      address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.7.1      .LOCL.            0    52    64  377     0.0    0.00     0.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
ccie01#


Okay, this router thinks it is, and acts as, a local clock source at stratum 1. Or is it?
Well, yes, but it's a far no as well.

We told it to be an NTP master and to announce itself as stratum 1 if a host should query it, but in reality it's far from being an accurate clock source, much less at a stratum 1 level. The onboard CPU, chip and clock functions are not very accurate, and the time would drift and sway.

We used the following command to make it a master :)

ntp master 1

Okay, so how would a peer that's associated with the router see the clock source?

      address         ref clock     st  when  poll reach  delay  offset    disp
*~1.1.1.1          .LOCL.            1   179    64  374     1.6    1.88     0.7


Notice the reference clock says LOCL? Okay, so fine, we are associated to a guy that has a LOCL clock. Since it can't query or ntptrace to the source of the clock, it's listed as a LOCAL reference.

Okay, how about if we were synced to somebody else, as in another NTP source?

mia-sm01>sh ntp ass

      address         ref clock     st  when  poll reach  delay  offset    disp
+~10.100.100.201   38.17.88.1       4    38   512  377     1.0  -40.54     7.3
+~10.100.100.202   38.17.88.1       4    58   512  377     1.1  -41.10     7.3
*~38.17.88.1      38.104.95.25      3   214   512  377    15.3  -49.84    10.5
 ~38.17.88.3      0.0.0.0          16     -  1024    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

This host, sm01 in Miami, has 4 NTP associations; 3 out of four have validated clock sources and the one at host 38.17.88.3 is not validated and is running in the wild. We can determine that by the ref clock field being 0.0.0.0 and stratum 16.

Remember when we said earlier that a stratum 16 is not a confirmed or validated clock?

Okay, how about if we were not synced to a master? Notice how the "*" is missing on any peers that are not the sync source?

  address         ref clock     st  when  poll reach  delay  offset    disp
 ~1.1.1.1          .LOCL.            1   992    64    0     1.6    1.88  16000.

A router can only be synced to ONE master, and that's typically the one with the lowest stratum, or, if defined, it will follow your prefer statement. This allows you to select one peer over another if one host is considered better, more accurate, etc.
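The association listings above (the synced mia-sm01 one and the unsynced one), turned into monitoring logic as an added Python example that is not code from the original post: it parses "show ntp associations" output and flags the conditions the text describes (no "*" system peer, stratum 16 / ref clock 0.0.0.0, reach 0, a .LOCL. reference). The sample outputs are copied from above; the function names and the 128 ms offset threshold are my own choices.

```python
import re

# Sample outputs copied from the "show ntp associations" listings above.
SYNCED = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
+~10.100.100.201   38.17.88.1       4    38   512  377     1.0  -40.54     7.3
+~10.100.100.202   38.17.88.1       4    58   512  377     1.1  -41.10     7.3
*~38.17.88.1      38.104.95.25      3   214   512  377    15.3  -49.84    10.5
 ~38.17.88.3      0.0.0.0          16     -  1024    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

UNSYNCED = """\
  address         ref clock     st  when  poll reach  delay  offset    disp
 ~1.1.1.1          .LOCL.            1   992    64    0     1.6    1.88  16000.
"""

# One association line: optional selection flag, optional "~" (configured),
# then address, ref clock, stratum, when, poll, reach (octal), delay, offset, disp.
ASSOC_RE = re.compile(
    r"^\s*(?P<flag>[*#+\-]?)(?P<cfg>~?)(?P<addr>\S+)\s+(?P<ref>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+(?P<delay>\S+)\s+"
    r"(?P<offset>\S+)\s+(?P<disp>\S+)\s*$"
)


def parse_associations(text: str):
    """Return one dict per association; header, legend and prompt lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)
        if not m:
            continue
        peers.append({
            "addr": m["addr"],
            "ref": m["ref"],
            "stratum": int(m["st"]),
            "reach": int(m["reach"], 8),   # shift register of the last 8 polls, shown in octal
            "offset_ms": float(m["offset"]),
            "disp_ms": float(m["disp"]),
            "sys_peer": m["flag"] == "*",  # the one source the router actually syncs to
            "configured": m["cfg"] == "~",
        })
    return peers


def audit_associations(text: str, max_offset_ms: float = 128.0):
    """Return (address, finding) tuples for anything a time-server operator should look at."""
    peers = parse_associations(text)
    findings = []
    if not any(p["sys_peer"] for p in peers):
        findings.append(("-", "no_system_peer"))  # no "*": the local clock is free-running
    for p in peers:
        if p["stratum"] >= 16 or p["ref"] == "0.0.0.0":
            findings.append((p["addr"], "unsynchronized_peer"))
        if p["reach"] == 0:
            findings.append((p["addr"], "unreachable"))
        elif p["reach"] != 0o377:
            findings.append((p["addr"], "partial_reach"))  # missed some of the last 8 polls
        if p["ref"] == ".LOCL.":
            findings.append((p["addr"], "local_clock_reference"))  # a master's own undisciplined clock
        if abs(p["offset_ms"]) > max_offset_ms:
            findings.append((p["addr"], "large_offset"))
    return findings


if __name__ == "__main__":
    for name, sample in (("synced", SYNCED), ("unsynced", UNSYNCED)):
        print(name, audit_associations(sample))
```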

So okay, we got that far; now let's look at the security aspect of NTP. We use NTP to control our time, or what we think is time. 1st off, time is relevant. What that means:

Time was created to help human beings place some value on time and on our purpose on planet earth. Yes, that means:

"hey Eric I will meet you at the train station in 10minutes"

or

"I'm 44 years 2months and 1 week old on  June 1 2014"

or

"500 BC"

Okay have I lost you ? :)

Time in the universe could be different, and is different, depending on what we are measuring and the use for it. I'm an FCC radio operator, and we always joke that we use time to measure distance.

Example: if I want to send a radio transmission to the sun, it would take 0.000159 light years, or 8-9 light minutes, depending where we are in orbit around the Sun :)

Okay, see what I did? We used a time measurement to measure distance. Are you really confused now? :)

We even use time in calendar events: the Chinese calendar, or the Arabic or Indian recording of the lunar cycle. How about the Julian calendar? Or the fiscal calendar? Then we can compare absolute and relative dating.

Okay, back on track. We use time within our Cisco routers/switches for a host of reasons. Here are some of those reasons:

time-based ACLs
system logging and timestamps
MD5 key expiration for dynamic routing protocols
determining system or peer uptime
etc.


Okay, so now back to NTP and time. We need to evaluate time accuracy and the security of NTP. The latter is easily controlled by using best practices and the security features within the Cisco IOS code set.

1st, we always enable NTP authentication on the server:

e.g

ntp authenticate

and create keys:

 e.g
ntp authentication-key 10 md5 ciscocasio

And if we are using a client, it must be set to trust that key:

 e.g
ntp trusted-key 10

With an MD5 key, you now have the means to select a hash for MD5 authentication between peers. Keys are easy to set up. The simple key above could be deployed against your peers to control NTP queries and updates. Then you reference that key on all of your servers or peers. A peer statement allows it to synchronize to you as a peer or server, or both ways, whereas a server statement means you synchronize to that source only.

Here are a few samples:



e.g
config t
  ntp server 1.2.3.4 key 10

or 
  ntp peer 1.2.3.4 key 10

end



2nd, we control who can associate to me via NTP access-groups:

ntp access-group ?
  peer        Provide full access
  query-only  Allow only control queries
  serve       Provide server and query access
  serve-only  Provide only server access

The options are wide and many. But peer controls are for peers, and serve is for server operations.

(stole this from an INE blog ;) )

1) Peer – permits router to respond to NTP requests and accept NTP updates. NTP control queries are also accepted. This is the only class which allows a router to be synchronized by other devices.
2) Serve – permits router to reply to NTP requests, but rejects NTP updates (e.g. replies from a server or update packets from a peer). Control queries are also permitted.
3) Serve-only – permits router to respond to NTP requests only. Rejects attempts to synchronize local system time, and does not accept control queries.
4) Query-only – only accepts NTP control queries. No response to NTP requests is sent, and no local system time synchronization with a remote system is permitted.

That pretty much determines what ACLs we can apply and how we impact the NTP interaction.

Next, how about we disable peer update requests per interface? Simple: we issue the ntp disable statement on interfaces where we expect no queries. This is a simple method to reject external NTP queries.

e.g
interface Serial0/0/0
 ip address 1.1.1.1 255.255.255.252
 encapsulation ppp
 ntp disable
 ipv6 address 2002:100::1/64
 ipv6 enable
 ipv6 flow ingress
 ipv6 flow egress
end

Next, md5 keys: these simple keys are very easy to deploy and must match between the 2 NTP hosts. You can use different keys between hosts, but typically we deploy a universal key and place some type of life-cycle on these keys throughout our domain.

If you're using keys and have authentication issues, you can issue a "debug ntp authentication" to monitor any authentication failures. The key needs to match on all parties that use that specific key.

So to recap;

ntp can be configured as a server, peer or client
ntp supports simple md5 authentication
ntp can be disabled on a per-interface basis
ntp source interfaces can be selected
ntp keys should be expired on a regular cycle
ntp max-associations should be set to ensure we don't DoS a router/switch time-server

One more tidbit of information pertains to deploying an access-group for the server function when your router is configured as a master. You will find that your own router peers with itself using a virtual IPv4 loopback address 127.127.x.x

So you will need to permit that address in your ACLs or you will have problems;

r1#sh run | sec access-list 55
access-list 55 permit 127.127.7.1
access-list 55 permit 10.0.0.2

r1#sh run | sec ntp          
ntp logging
ntp authentication-key 1 md5 00090A0D0142 7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp access-group serve 55
ntp master 1



So r1 is a master clock source and uses ACL 55; it has 2 client entries, one being an external host @ 10.0.0.2 and the other itself;

r1#show ntp status
Clock is synchronized, stratum 1, reference is .LOCL.
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is D49C7477.43835520 (23:47:03.263 UTC Sat Jan 12 2013)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
 

r1#show ntp ass det
127.127.7.1 configured, our_master, sane, valid, stratum 0
ref ID .LOCL., time D49C7477.43835520 (23:47:03.263 UTC Sat Jan 12 2013)
our mode active, peer mode passive, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 0.015
delay 0.00 msec, offset 0.0000 msec, dispersion 0.02
precision 2**18, version 3
org time D49C7477.43835520 (23:47:03.263 UTC Sat Jan 12 2013)
rcv time D49C7477.43835520 (23:47:03.263 UTC Sat Jan 12 2013)
xmt time D49C7477.43835520 (23:47:03.263 UTC Sat Jan 12 2013)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =     0.02    0.99    1.97    2.94    3.92    4.90    5.87    6.85
Reference clock status:  Running normally
Timecode:


I spent over 1 hour debugging why my master lost NTP sync to itself when deploying ACLs. I hope this tip saves you from having to do the same.
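As an added example (my own, not from the post), a small Python lint that reads config lines like the ones above and checks the two things this post turns on: that an access-group ACL on a master still permits the 127.127.x.x local clock, and that every key referenced by a server/peer line is both defined and trusted. The sample config and the 127.127.7.1 address are taken from the r1 output; the `ntp server 10.0.0.2 key 1` line is an assumption added to exercise the key check.

```python
import ipaddress
import re

# Constructed sample, modelled on the r1 "sh run | sec ntp" and access-list 55 output
# on the page; the "ntp server ... key 1" line is an assumption added for the key check.
SAMPLE_CONFIG = """\
access-list 55 permit 127.127.7.1
access-list 55 permit 10.0.0.2
ntp logging
ntp authentication-key 1 md5 00090A0D0142 7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp access-group serve 55
ntp master 1
ntp server 10.0.0.2 key 1
"""

# Address the master peered with itself on the page; the post notes it is 127.127.x.x.
LOCAL_REFCLOCK = "127.127.7.1"

ACL_LINE = r"^access-list[ \t]+{}[ \t]+(permit|deny)[ \t]+(\S+)(?:[ \t]+(\S+))?[ \t]*$"


def parse_std_acl(config, number):
    """Return numbered standard ACL `number` as an ordered list of (action, network)."""
    entries = []
    for action, target, mask in re.findall(ACL_LINE.format(number), config, re.M):
        if target == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif target == "host":
            net = ipaddress.ip_network(mask + "/32")
        elif mask:
            # IOS wildcard mask; ipaddress accepts a hostmask as the second tuple element.
            net = ipaddress.ip_network((target, mask), strict=False)
        else:
            net = ipaddress.ip_network(target + "/32")
        entries.append((action, net))
    return entries


def acl_permits(entries, address):
    """First-match evaluation, with the implicit deny at the end of every IOS ACL."""
    addr = ipaddress.ip_address(address)
    for action, net in entries:
        if addr in net:
            return action == "permit"
    return False


def check_ntp_config(config, refclock=LOCAL_REFCLOCK):
    """Return a list of findings; an empty list means the NTP config is self-consistent."""
    findings = []
    is_master = re.search(r"^ntp master\b", config, re.M) is not None
    groups = re.findall(r"^ntp access-group (peer|serve|serve-only|query-only) (\d+)", config, re.M)
    for cls, acl in groups:
        entries = parse_std_acl(config, acl)
        if not entries:
            findings.append("access-group %s references ACL %s, which has no entries" % (cls, acl))
        elif is_master and not acl_permits(entries, refclock):
            findings.append("ntp master set but ACL %s (%s) does not permit the local clock %s" % (acl, cls, refclock))
    defined = set(re.findall(r"^ntp authentication-key (\d+) md5", config, re.M))
    trusted = set()
    for spec in re.findall(r"^ntp trusted-key (.+)$", config, re.M):
        trusted.update(spec.split())  # single ids only; "1 - 10" style ranges are not expanded here
    for role, host, key in re.findall(r"^ntp (server|peer) (\S+) key (\d+)", config, re.M):
        if key not in defined:
            findings.append("ntp %s %s uses key %s, which has no authentication-key" % (role, host, key))
        if key not in trusted:
            findings.append("ntp %s %s uses key %s, which is not a trusted-key" % (role, host, key))
    return findings


if __name__ == "__main__":
    for finding in check_ntp_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```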

I hope you find this information helpful and useful now, or later

Ken Felix

Freelance Security & Network Engineer
kfelix " at "  hyperfeed.com


 

IPV6 netflow on ios routers


IPV6 netflow is unique and easy to set up on cisco routers that support it. I will concentrate in this post only on the ios-based routers that are NOT 6500/7600 or NX-OS.

The commands are similar, but I will point out some differences during this post that you might want to keep in the back of your head.

1st and most IMPORTANT, you need ipv6 cef enabled globally. 

This requirement parallels ipv4 netflow, which needs ip cef enabled globally. The 2 ( ipv4 and ipv6 ) are different and protocol-specific with regard to configuration. If you forget to enable cef, the cisco router will gently remind you of this: it displays the following message on your terminal session and, iirc, does not write it to the log buffer.

 e.g
%Must enable IPv6 CEF globally first


Next, I have not seen a flow-sampler option in any 12.4 code on most lower-end ISRs. As of this blog, I haven't looked at or investigated the 15.X mainline codesets and their ipv6 netflow support. So on the interface(s) that you want collection for, after you enable ipv6 cef globally, we have a few choices as shown below

e.g
ccie01(config-if)#ipv6 flow  ?      
  egress   Enable egress IPv6 Flow on the interface
  ingress  Enable ingress IPv6 Flow on the interface
  mask     Configure various masks during netflow capture

The configuration options should be simple to understand: you choose the directionality (in/out) and can set mask options, if any. The mask options default to FULL and work very similar to the ipv4 netflow mask options.

Now to set up the exporter, the commands are similar. Keep in mind and remember this one note: for ipv6 netflow, the only export version supported is v9. It's funny that cisco still gives you the version option within the cli, but the only netflow version that supports ipv6 is v9 ( or IPFIX, aka v10, which is not an option in cisco ).

e.g

ccie01(config)#ipv6 flow-export  version ?
  9

Why they did this is beyond me, unless version 10 is soon to be available, or version 11 if I had to guess and cisco stays with odd version numbers for the next main release.


To export the flows, the commands are very similar to the ipv4 way of configuring it;

!
ipv6 flow-export source FastEthernet0/0
ipv6 flow-export template options export-stats
ipv6 flow-export template options refresh-rate 4
ipv6 flow-export template timeout-rate 2
ipv6 flow-export template refresh-rate 2
ipv6 flow-export destination 172.16.1.1 5000
!

Here I set a few template options in order to speed up my testing, but most network engineers do not adjust the template rates and use the factory defaults.

And likewise, to validate the flow exporter we use the similar show command, but now with "show ipv6";


ccie01#show ipv6 flow export
Flow export v9 is enabled for main cache
  Exporting flows to 172.16.1.1 (5000)
  Exporting using source interface FastEthernet0/0
  Version 9 flow records
  17354 flows exported in 909 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

And to view the flow cache, guess what: the command is similar to our ipv4 one

ccie02>show ipv6 flow cache verbose
IP packet size distribution (0 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 0 bytes
  0 active, 0 inactive, 0 added
  0 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
Ver Dir SrcAddress SrcMsk InpIf SrcAS DstAddress DstMsk OutIf DstAS NextHop BGPNextHop Prot TCP  ToS  SrcPrt DstPrt FlowLbl OptHdr LastUse FirstUse  Bytes Packets
ccie02>


To review any template configuration, likewise we use the equivalent "show ipv6" command


ccie01#show ipv6 flow export  template 
   Template Options Flag = 6
   Total number of Templates added = 5
   Total active Templates = 5
   Flow Templates active = 3
   Flow Templates added = 3
   Option Templates active = 2
   Option  Templates added = 2
   Template ager polls = 22017
   Option Template ager polls = 12069
Main cache version 9 export is enabled
 Template export information
   Template timeout = 2
   Template refresh rate = 2
 Option export information
   Option timeout = 30
   Option refresh rate = 4
ccie01# 
 
And lastly, here are a few decoded ipv6 netflow flow records. Notice the new fields, and in particular
Type 64 IPV6_OPTION_HEADERS;
 
Cisco NetFlow/IPFIX
    Version: 9
    Count: 2
    SysUptime: 14104732
    Timestamp: Oct 24, 2012 17:16:15.000000000
        CurrentSecs: 1351098975
    FlowSequence: 39
    SourceId: 0
    FlowSet 1
        Options FlowSet: 1
        FlowSet Length: 24
        Template Id: 260
        Option Scope Length: 4
        Option Length: 8
        Scope Type: System (1)
        Scope Field Length: 0
        Type: TOTAL_FLOWS_EXP (42)
        Length: 4
        Type: TOTAL_PKTS_EXP (41)
        Length: 4
    FlowSet 2
        Data FlowSet (Template Id): 260
        FlowSet Length: 12
        Flow 1
            FlowsExp  : 20476
            PacketsExp: 1123
 
 
Cisco NetFlow/IPFIX
    Version: 9
    Count: 6
    SysUptime: 14594748
    Timestamp: Oct 24, 2012 17:24:25.000000000
        CurrentSecs: 1351099465
    FlowSequence: 48
    SourceId: 0
    FlowSet 1
        Template FlowSet: 0
        FlowSet Length: 88
        Template (Id = 259, Count = 20)
            Template Id: 259
            Field Count: 20
            Field (1/20)
                Type: IP_PROTOCOL_VERSION (60)
                Length: 1
            Field (2/20)
                Type: DIRECTION (61)
                Length: 1
            Field (3/20)
                Type: IPV6_SRC_ADDR (27)
                Length: 16
            Field (4/20)
                Type: IPV6_SRC_MASK (29)
                Length: 1
            Field (5/20)
                Type: INPUT_SNMP (10)
                Length: 2
            Field (6/20)
                Type: IPV6_DST_ADDR (28)
                Length: 16
            Field (7/20)
                Type: IPV6_DST_MASK (30)
                Length: 1
            Field (8/20)
                Type: OUTPUT_SNMP (14)
                Length: 2
            Field (9/20)
                Type: IPV6_NEXT_HOP (62)
                Length: 16
            Field (10/20)
                Type: PROTOCOL (4)
                Length: 1
            Field (11/20)
                Type: TCP_FLAGS (6)
                Length: 1
            Field (12/20)
                Type: IP_TOS (5)
                Length: 1
            Field (13/20)
                Type: L4_SRC_PORT (7)
                Length: 2
            Field (14/20)
                Type: L4_DST_PORT (11)
                Length: 2
            Field (15/20)
                Type: FLOW_LABEL (31)
                Length: 4
            Field (16/20)
                Type: IPV6_OPTION_HEADERS (64)
                Length: 4
            Field (17/20)
                Type: LAST_SWITCHED (21)
                Length: 4
            Field (18/20)
                Type: FIRST_SWITCHED (22)
                Length: 4
            Field (19/20)
                Type: BYTES (1)
                Length: 4
            Field (20/20)
                Type: PKTS (2)
                Length: 4
    FlowSet 2
        Data FlowSet (Template Id): 259
        FlowSet Length: 440
        Flow 1
            IPVersion: 06
            Direction: Ingress (0)
            SrcAddr: 2001:414:1:0:242e:ae9b:937f:9026 (2001:414:1:0:242e:ae9b:937f:9026)
            SrcMask: 128
            InputInt: 2
            DstAddr: 2001::1 (2001::1)
            DstMask: 128
            OutputInt: 0
            BGPNextHop: :: (::)
            Protocol: 17
            TCP Flags: 0x10
            IP ToS: 0x00
            SrcPort: 59327
            DstPort: 53
            Type 31 FLOW_LABEL
            Type 64 IPV6_OPTION_HEADERS
            [Duration: 1.004000000 seconds]
                StartTime: 14566.836000000 seconds
                EndTime: 14567.840000000 seconds
            Octets: 416
            Packets: 4
        Flow 2
            IPVersion: 06
            Direction: Egress (1)
            SrcAddr: 2001:414:1:0:214:6aff:fec4:28ac (2001:414:1:0:214:6aff:fec4:28ac)
            SrcMask: 128
            InputInt: 0
            DstAddr: 2001:414:1:0:242e:ae9b:937f:9026 (2001:414:1:0:242e:ae9b:937f:9026)
            DstMask: 128
            OutputInt: 2
            BGPNextHop: 2001:414:1:0:242e:ae9b:937f:9026 (2001:414:1:0:242e:ae9b:937f:9026)
            Protocol: 58
            TCP Flags: 0x10
            IP ToS: 0x00
            SrcPort: 0
            DstPort: 256
            Type 31 FLOW_LABEL
            Type 64 IPV6_OPTION_HEADERS
            [Duration: 5.012000000 seconds]
                StartTime: 14566.840000000 seconds
                EndTime: 14571.852000000 seconds
            Octets: 608
            Packets: 4
        Flow 3
            IPVersion: 06
            Direction: Ingress (0)
            SrcAddr: 2001:414:1:0:242e:ae9b:937f:9026 (2001:414:1:0:242e:ae9b:937f:9026)
            SrcMask: 128
            InputInt: 2
            DstAddr: 2001::2 (2001::2)
            DstMask: 128
            OutputInt: 0
            BGPNextHop: :: (::)
            Protocol: 17
            TCP Flags: 0x10
            IP ToS: 0x00
            SrcPort: 59327
            DstPort: 53
            Type 31 FLOW_LABEL
            Type 64 IPV6_OPTION_HEADERS
            [Duration: 1.004000000 seconds]
                StartTime: 14570.848000000 seconds
                EndTime: 14571.852000000 seconds
            Octets: 416
            Packets: 4
        Flow 4
            IPVersion: 06
            Direction: Egress (1)
            SrcAddr: fe80::214:6aff:fec4:28ac (fe80::214:6aff:fec4:28ac)
            SrcMask: 10
            InputInt: 0
            DstAddr: 2001:414:1:0:242e:ae9b:937f:9026 (2001:414:1:0:242e:ae9b:937f:9026)
            DstMask: 128
            OutputInt: 2
            BGPNextHop: 2001:414:1:0:242e:ae9b:937f:9026 (2001:414:1:0:242e:ae9b:937f:9026)
            Protocol: 58
            TCP Flags: 0x10
            IP ToS: 0xe0
            SrcPort: 0
            DstPort: 34560
            Type 31 FLOW_LABEL
            Type 64 IPV6_OPTION_HEADERS
            [Duration: 0.000000000 seconds]
                StartTime: 14571.840000000 seconds
                EndTime: 14571.840000000 seconds
            Octets: 72
            Packets: 1
        Flow 5
            IPVersion: 06
            Direction: Ingress (0)
            SrcAddr: fe80::426c:8fff:fe03:18c4 (fe80::426c:8fff:fe03:18c4)
            SrcMask: 10
            InputInt: 2
            DstAddr: fe80::214:6aff:fec4:28ac (fe80::214:6aff:fec4:28ac)
            DstMask: 128
            OutputInt: 0
            BGPNextHop: :: (::)
            Protocol: 58
            TCP Flags: 0x10
            IP ToS: 0x00
            SrcPort: 0
            DstPort: 34816
            Type 31 FLOW_LABEL
            Type 64 IPV6_OPTION_HEADERS
            [Duration: 0.000000000 seconds]
                StartTime: 14571.840000000 seconds
                EndTime: 14571.840000000 seconds
            Octets: 64
            Packets: 1
        Padding (1 byte)
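
To make the template mechanics concrete, here is an added Python example (my own, not Cisco's code and not from the post) that builds a v9 packet carrying the template Id 259 above plus one data record with the values of Flow 1, then parses it the way a collector must: learn the template from FlowSet id 0 first, then decode the data FlowSet, skipping data for templates it has not seen yet. The sequence number, uptime and timestamp defaults are the values shown in the second decode above; everything else is constructed.

```python
import ipaddress
import struct

# Template Id 259 as decoded on the page: (field type, length, name used here).
TEMPLATE_259 = [
    (60, 1, "IPVersion"), (61, 1, "Direction"),
    (27, 16, "SrcAddr"), (29, 1, "SrcMask"), (10, 2, "InputInt"),
    (28, 16, "DstAddr"), (30, 1, "DstMask"), (14, 2, "OutputInt"),
    (62, 16, "NextHop"), (4, 1, "Protocol"), (6, 1, "TCPFlags"), (5, 1, "ToS"),
    (7, 2, "SrcPort"), (11, 2, "DstPort"), (31, 4, "FlowLabel"), (64, 4, "OptionHeaders"),
    (21, 4, "LastSwitched"), (22, 4, "FirstSwitched"), (1, 4, "Octets"), (2, 4, "Packets"),
]
FIELD_NAMES = {ftype: name for ftype, _, name in TEMPLATE_259}
IPV6_FIELDS = {27, 28, 62}  # IPV6_SRC_ADDR, IPV6_DST_ADDR, IPV6_NEXT_HOP

# Constructed record carrying the values of "Flow 1" from the page's decode.
SAMPLE_FLOW = {
    "IPVersion": 6, "Direction": 0, "SrcAddr": "2001:414:1:0:242e:ae9b:937f:9026",
    "SrcMask": 128, "InputInt": 2, "DstAddr": "2001::1", "DstMask": 128, "OutputInt": 0,
    "NextHop": "::", "Protocol": 17, "TCPFlags": 0x10, "ToS": 0, "SrcPort": 59327,
    "DstPort": 53, "FlowLabel": 0, "OptionHeaders": 0, "LastSwitched": 14567840,
    "FirstSwitched": 14566836, "Octets": 416, "Packets": 4,
}


def encode_field(ftype, length, value):
    if ftype in IPV6_FIELDS:
        return ipaddress.IPv6Address(value).packed
    return int(value).to_bytes(length, "big")


def build_v9_packet(flows, seq=48, uptime=14594748, unix_secs=1351099465):
    """Exporter side: header, template FlowSet (id 0) and one data FlowSet for template 259."""
    tmpl = struct.pack("!HH", 259, len(TEMPLATE_259))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l, _ in TEMPLATE_259)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    recs = b"".join(encode_field(t, l, f[n]) for f in flows for t, l, n in TEMPLATE_259)
    pad = (-(4 + len(recs))) % 4  # FlowSets are padded to a 32-bit boundary (the page's 1 byte)
    data_fs = struct.pack("!HH", 259, 4 + len(recs) + pad) + recs + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 1 + len(flows), uptime, unix_secs, seq, 0)
    return header + tmpl_fs + data_fs


def decode_record(fields, raw):
    rec, pos = {}, 0
    for ftype, length in fields:
        chunk = raw[pos:pos + length]
        pos += length
        name = FIELD_NAMES.get(ftype, "type%d" % ftype)
        rec[name] = str(ipaddress.IPv6Address(chunk)) if ftype in IPV6_FIELDS else int.from_bytes(chunk, "big")
    return rec


def parse_v9_packet(data, templates=None):
    """Collector side. Pass the same `templates` dict for every packet from one exporter so
    templates learned earlier decode data FlowSets that arrive in later packets."""
    templates = {} if templates is None else templates
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, off = [], 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4 or off + fs_len > len(data):
            raise ValueError("bad FlowSet length %d at offset %d" % (fs_len, off))
        body = data[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                if nfields == 0:  # reached trailing padding
                    break
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data FlowSet with a known template
            fields = templates[fs_id]
            rec_len = sum(length for _, length in fields)
            for pos in range(0, len(body) - rec_len + 1, rec_len):
                flows.append(decode_record(fields, body[pos:pos + rec_len]))
        # fs_id 1 (options template) and data for not-yet-seen templates are skipped
        off += fs_len
    header = {"count": count, "uptime": uptime, "unix_secs": unix_secs, "seq": seq, "source_id": source_id}
    return header, flows
```

With five records the data FlowSet comes out at 4 + 5 * 87 + 1 = 440 bytes, the length and 1-byte padding the decode above shows.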
 
 

One quick note that I find strange and disturbing.

It kind of follows my earlier ipv6 rant from one of my earlier posts. Cisco only lets you export to an ipv4 collector. So even cisco's own ipv6 netflow exporters are somewhat restricted in who they can export to. So in my CCIE/RS lab ISR, we can only export to an ipv4-addressed flow collector.

I thought that was very funny when I set up my 1st ipv6 netflow router :)


Ken Felix
Freelance Security & Network Engineer
kfelix " at " hyperfeed.com

 

Tuesday, October 23, 2012

cisco IOS: how to compute flash filename md5 hash

One of the ongoing tasks a network engineer will do is upgrade the ios codeset on a cisco router. So if you have a file in flash or bootflash, how do you know it's valid?

Well, for one, you would compute the file hash and compare it to the manufacturer's link for the image. So how do you compute the md5 hash?


Well, on most linux/unix systems we use the md5 or md5sum utilities, but on a cisco ios router we have the option to use the verify command; the proper syntax is "verify filelocation:filename"

e.g  ( 3825 router )

cisco3825#verify flash:c3825-adventerprisek9-mz.151-4.M4.bin
Verifying file integrity of flash:c3825-adventerprisek9-mz.151-4.M4.bin.......
( output truncated )
.......Done!
Embedded Hash   MD5 : E2AB2AAA34FC8F5379C90FF30F7A0E5D
Computed Hash   MD5 : E2AB2AAA34FC8F5379C90FF30F7A0E5D
CCO Hash        MD5 : 7C1DA229831461F90F020C8F15562A71

Embedded hash verification successful.
cisco3825#


After completion, the above hash can be compared to a known secure source.

On a unix system we can get the same output by executing md5 "filename"

e.g
 Ken-Felixs-MacBook:~ kenfelix1$ md5  c3825-adventerprisek9-mz.151-4.M4.bin
MD5 (c3825-adventerprisek9-mz.151-4.M4.bin) = 7c1da229831461f90f020c8f15562a71


I hope you find this useful.


Ken Felix

Your freelance Security and Network Engineer
Kfelix " @ "  hyperfeed.com

A quick Nexus 5500 review




I've been working with the Nexus lineup for some time now, mainly on the 7004, 7010, 5010 and lately the 5548. This review is for the 5548 with the L3 services. The 5500 supports 1 and 10gig interfaces across all of the 30 ports the chassis supports. Just like with the earlier 5000 models, you have the ability to create FEX and VPC for connections to the Layer2 extenders.

The 5548 supports limited L3 features due to the hardware specification of the L3 engine, its core and memory. For example, you could not manage a full bgp table within the confines of the available memory.

Per the cisco website, I will highlight some of the following;

• Support for up to 8000 prefixes and up to 16000 IPv4 and 8000 IPv6 host entries

And for layer2/3 forwarding numbers


• Cisco Nexus 5548P and 5548UP: Layer 2 hardware forwarding at 960 Gbps or 714.24 mpps; Layer 3 performance of up to 160 Gbps or 240 mpps
• Cisco Nexus 5596UP and 5596T: Layer 2 hardware forwarding at 1920 Gbps or 1428 mpps; Layer 3 performance of up to 160 Gbps or 240 mpps
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/data_sheet_c78-618603.html

Also the chassis supports 1 or 10GigE interfaces across the whole chassis. This is a step up from the limits of the 5010 and 5020, with 8 or 16 1GigE interfaces within the 1st 8/16 ports of the 5010/5020 respectively.

The price difference between the L2 5010/5020 and the L2/L3 5548 is marginal, approx. a 3-7k difference. As with all cisco NX-OS, each feature must be enabled and have a valid license;

i.e
nexcsw01.chi# show feature
Feature Name          Instance  State  
--------------------  --------  --------
Flexlink              1         disabled
adapter-fex           1         disabled
bgp                   1         disabled
dhcp                  1         disabled
eigrp                 1         disabled
eigrp                 2         disabled
eigrp                 3         disabled
eigrp                 4         disabled
fcoe                  1         disabled
fcoe-npv              1         disabled
fex                   1         disabled
hsrp_engine           1         disabled
interface-vlan        1         enabled
lacp                  1         enabled
ldap                  1         disabled
lldp                  1         enabled
msdp                  1         disabled
ospf                  1         disabled
ospf                  2         disabled
ospf                  3         disabled
ospf                  4         disabled
pim                   1         disabled
poe                   1         disabled
private-vlan          1         disabled
privilege             1         disabled
rip                   1         disabled
rip                   2         disabled
rip                   3         disabled
rip                   4         disabled
sshServer             1         enabled
tacacs                1         enabled
telnetServer          1         disabled
udld                  1         enabled
vem                   1         disabled
vpc                   1         enabled
vrrp                  1         disabled
vtp                   1         disabled
 

Notice how all features need to be enabled? Here's a snippet of the L3 module from the hardware inventory;


NAME: "Module 3", DESCR: "O2 Non L3 Daughter Card"
PID: N55-DL2           , VID: V01 , SN: FOC15366306


and a truncated show version;

http://www.gnu.org/licenses/gpl.html.

Software
  BIOS:      version 3.5.0
  loader:    version N/A
  kickstart: version 5.0(3)N2(1)
  system:    version 5.0(3)N2(1)
  power-seq: Module 1: version v3.0
             Module 3: version v2.0
  uC:        version v1.2.0.1
  BIOS compile time:       02/03/2011
  kickstart image file is: bootflash:/n5000-uk9-kickstart.5.0.3.N2.1.bin
  kickstart compile time:  6/13/2011 6:00:00 [06/13/2011 08:43:33]
  system image file is:    bootflash:/n5000-uk9.5.0.3.N2.1.bin
  system compile time:     6/13/2011 6:00:00 [06/13/2011 10:33:42]


Hardware
  cisco Nexus5548 Chassis ("O2 32X10GE/Modular Supervisor")
  Intel(R) Xeon(R) CPU         with 8299528 kB of memory.
  Processor Board ID FOC1530606V

  Device name: nexcsw01
  bootflash:    2007040 kB

Kernel uptime is 179 day(s), 13 hour(s), 37 minute(s), 12 second(s)

Last reset
  Reason: Unknown
  System version: 5.0(3)N2(1)
  Service:

plugin
  Core Plugin, Ethernet Plugin


Now keep in mind the L3 services in a 5548 chassis are weak. You don't have netflow, various BGP vpnv4 or other secondary AFIs, IP-in-IP or GRE tunneling, and a host of other layer 3 features or services.

You will also need a license to enable a lot of these features; if you try to enable things that aren't in your license set you will get an error similar to this;


No available license - LAN_ENTERPRISE_SERVICES_PKG error Feature does not have an installed license


A quick show license cli cmd will show you your license packages;

 show license usage
Feature                      Ins  Lic   Status Expiry Date Comments
                                 Count
--------------------------------------------------------------------------------
FCOE_NPV_PKG                  No    -   Unused             -
FM_SERVER_PKG                 No    -   Unused             -
ENTERPRISE_PKG                No    -   Unused             -
FC_FEATURES_PKG               No    -   Unused             -
LAN_BASE_SERVICES_PKG         No    -   Unused             -
LAN_ENTERPRISE_SERVICES_PKG   No    -   Unused             -
------------------------------------



As with all of the NEXUS platforms, it's easy to maintain, with redundant power and fans. The chassis is built strong and simple.

Overall, the chassis was designed as a small DC distribution-layer switch. It will not replace a Nexus7K or 6500 core. Nor can it replace an edge/backbone router, nor should you use it for heavy routed services like multicast routing.



I hope this post was useful





Ken Felix
 Your freelance  Security and Network Engineer
kfelix  "a t" hyperfeed.com

Monday, October 22, 2012

Common External web performance monitoring sites

Gomez, like Alertsite, installs their name in the User-Agent field of the http headers.

To find Gomez you can do something similar to;
tshark -n -i eth5 -R 'http.user_agent contains "omez"'

for  alertSite;
tshark -n -i eth5 -R 'http.user_agent contains "AlertSite"'

and for Keynote
tshark -n -i eth5 -R 'http.user_agent contains "KTXN"'

A sample output;
Hypertext Transfer Protocol
    GET /css/search-nav-mq.1.0.2.min.css HTTP/1.1\r\n
        Request Method: GET
        Request URI: /css/search-nav-mq.1.0.2.min.css
        Request Version: HTTP/1.1
    Accept: */*\r\n
    Accept-Language: en-us\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GomezAgent 3.0)\r\n
    Host: www.overstock.com\r\n
    Connection: Keep-Alive\r\n
    [truncated] Cookie: SSLB=B; mxcsurftype=2; mxclastvisit=20121022; ostk_aggr_year=mxcuserseed^5874340604601831424|mxcskupage^120|language^en|pageresult^120|currency^USD|country^US; se_list=se_list^0|2|55|; ostk_aggr_year2=""; ostk_aggr_sess
    \r\n
Hypertext Transfer Protocol
    GET /foresee/foresee-surveydef.js HTTP/1.1\r\n
        Request Method: GET
        Request URI: /foresee/foresee-surveydef.js
        Request Version: HTTP/1.1
    Host: www.overstock.com\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GomezAgent 3.0)\r\n
    Accept: */*\r\n
    Accept-Language: en-us,en;q=0.5\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
    Connection: keep-alive\r\n
      [truncated] Cookie: SSLB=B; mxclastvisit=20121022; ostk_aggr_year=mxcuserseed^4448573595864717312|language^en|currency^USD|country^US; se_list=se_list^0|1|; ostk_aggr_year2=""; ostk_aggr_session=gcr^false|cart.item-count^0|dlp^k|billingcou
    \r\n
and
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; AlertSite)\r\n
    Accept-Language: en-us,en;q=0.5\r\n
    Host: www.aramco.com\r\n
    Connection: close\r\n
    \r\n
and
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Accept: */*\r\n
    Accept-Language: en-US\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; KTXN B498853546A48324T1414872)\r\n
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Accept: */*\r\n
    Accept-Language: en-US\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; KTXN B498853546A48324T1414872)\r\n
    Host: www.tdameritrade.com\r\n
    Connection: Keep-Alive\r\n
    \r\n


These common external testing sites' User-Agents help distinguish that a monitoring site is hitting your URLs. Keep in mind, these could be spoofed by an unethical hacker.
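Added Python example (my own, not part of the post): a parser for the text dissection above that pulls the User-Agent, Host and Request URI out of each request and tags the ones carrying the Gomez, AlertSite or Keynote tokens, including the Keynote KTXN transaction id. The dissection text is constructed from the requests shown above, with one ordinary browser request added for contrast; as the post says, a User-Agent alone is a claim, so the tag is a hint for excluding monitor traffic from analytics, not proof of the source.

```python
import re

# Monitor vendor -> the token each writes into its User-Agent (from the captures on the page).
MONITOR_TOKENS = {"Gomez": "GomezAgent", "AlertSite": "AlertSite", "Keynote": "KTXN"}

# Constructed text dissection in the same layout as the tshark output on the page
# (literal \r\n at line ends, as Wireshark prints them). The last request is a plain browser.
SAMPLE_DISSECTION = r"""Hypertext Transfer Protocol
    GET /css/search-nav-mq.1.0.2.min.css HTTP/1.1\r\n
        Request Method: GET
        Request URI: /css/search-nav-mq.1.0.2.min.css
        Request Version: HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GomezAgent 3.0)\r\n
    Host: www.overstock.com\r\n
    \r\n
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; AlertSite)\r\n
    Host: www.aramco.com\r\n
    \r\n
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; KTXN B498853546A48324T1414872)\r\n
    Host: www.tdameritrade.com\r\n
    \r\n
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0) Firefox/100\r\n
    Host: www.example.com\r\n
    \r\n
"""

# "Name: value" lines, tolerating Wireshark's "[truncated]" prefix and trailing literal \r\n.
FIELD_RE = re.compile(r"^\s*(?:\[truncated\] )?([A-Za-z][A-Za-z0-9 -]*?): (.*?)(?:\\r\\n)?\s*$")


def parse_http_dissection(text):
    """Split a Wireshark-style HTTP text dissection into one dict of fields per request."""
    requests, current = [], None
    for line in text.splitlines():
        if line.strip() == "Hypertext Transfer Protocol":
            current = {}
            requests.append(current)
            continue
        match = FIELD_RE.match(line)
        if current is not None and match:
            current[match.group(1)] = match.group(2)
    return requests


def classify_monitor(user_agent):
    """Return (vendor, Keynote transaction id or None) when a known monitor token is present."""
    for vendor, token in MONITOR_TOKENS.items():
        if token in user_agent:
            match = re.search(r"KTXN ([A-Za-z0-9]+)", user_agent) if vendor == "Keynote" else None
            return vendor, (match.group(1) if match else None)
    return None, None


def monitor_hits(text):
    """List (vendor, host, uri, txn_id) for every request whose User-Agent claims a monitor."""
    hits = []
    for req in parse_http_dissection(text):
        vendor, txn = classify_monitor(req.get("User-Agent", ""))
        if vendor:
            hits.append((vendor, req.get("Host"), req.get("Request URI"), txn))
    return hits


if __name__ == "__main__":
    for hit in monitor_hits(SAMPLE_DISSECTION):
        print(hit)
```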

Ken Felix

Freelance network/security engineer
Ken a t hyperfeed.com