<?xml version="1.0" encoding="UTF-8"?>
<!-- name="generator" content="blojsom v3.2" -->
<rss version="2.0" xmlns:wfw="http://wellformedweb.org/CommentAPI/">
    <channel>
        <title>Kramses blog</title>
        <link>http://blog.kramse.org/blojsom/blog/default</link>
        <description>Henrik Kramshøj personal blog</description>
        <language>da</language>
        <image>
            <url>http://blog.kramse.org/blojsom/favicon.ico</url>
            <title>Kramses blog</title>
            <link>http://blog.kramse.org/blojsom/blog/default</link>
        </image>
        <docs>http://blogs.law.harvard.edu/tech/rss</docs>
		<generator>blojsom v3.2</generator>
		<managingEditor>hlk@kramse.org</managingEditor>
		<webMaster>hlk@kramse.org</webMaster>
		<pubDate>Thu, 15 Sep 2011 01:08:21 +0200</pubDate>

                        <item>
            <title>Practical Packet Analysis, 2nd Edition</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2011/09/15/Practical-Packet-Analysis-2nd-ed-review</link>
            <description>&lt;h2&gt;Practical Packet Analysis, 2nd Edition&lt;/h2&gt;
&lt;p&gt;Using Wireshark to Solve Real-World Network Problems
by Chris Sanders &lt;/p&gt;

&lt;p&gt;ISBN: 978-1-59327-266-1&lt;/p&gt; 
&lt;p&gt;Paperback:   280 pp&lt;/p&gt;
&lt;p&gt;Publisher: No Starch Press July 2011&lt;/p&gt;



&lt;a href=&quot;http://nostarch.com/packet2.htm&quot;&gt;
&lt;img src=&quot;http://blog.kramse.org/blojsom/resources/default/packet2.png&quot; width=&quot;170&quot; height=&quot;225&quot; alt=&quot;cover picture&quot; /&gt;
&lt;/a&gt;


&lt;p&gt;Review by Henrik Lund Kramshoej, hlk@kramse.org&lt;/p&gt;


&lt;p&gt;September 2011&lt;/p&gt;

&lt;p&gt;Get started in packet sniffing&lt;/p&gt;


&lt;h2&gt;About the book&lt;/h2&gt;

&lt;p&gt;This book is about packets, sniffing packets, deciphering packets, analyzing them with wireshark (&lt;a href=&quot;http://www.wireshark.org&quot;&gt;http://www.wireshark.org&lt;/a&gt;). This is also an easy book to use and learn from, if you are interested in packets.&lt;/p&gt;


&lt;p&gt;The main focus is providing easy-to-follow instructions that enable you to use wireshark efficiently, and showing how to use this awesome program to investigate - and then solve - problems in networks.&lt;/p&gt;

&lt;h2&gt;Target audience&lt;/h2&gt;
&lt;p&gt;Occasional network operators are the primary audience for this, or newcomers in network administration. Those that mostly spend time working with servers can bring out this tool and use wireshark to work with the network to understand root causes on a very low level.&lt;/p&gt;

&lt;p&gt;The technical requisites to use this book are very few and anyone with an interest can learn how to work wireshark to their bidding - but will have to spend years understanding all the protocols used in networks.&lt;/p&gt;

&lt;h2&gt;Contents&lt;/h2&gt;

&lt;p&gt;The book has 11 chapters, which start from the basics of sniffing in two chapters covering the hardware needed and terminology. Then from chapter 3 on page 35 and onwards the rest of the book is about detailed wireshark use and common protocols. The main point that differentiates this book from others is the chapters from 8 to 11, which detail basic real-world scenarios and common problems that the reader is sure to stumble upon during their life with networks. The last part of the book introduces the differences when sniffing wireless networks and has a good appendix with pointers to further reading and tools to use.&lt;/p&gt;


&lt;h2&gt;Summarized - Good stuff&lt;/h2&gt;

&lt;p&gt;Extremely well laid out with examples that will enable anyone with basic computer skills to get started with wireshark. The content goes from introduction which is simple yet covers all the basics needed to start sniffing. The 4th chapter about working with packets will tell how to save, load, find, mark and more making wireshark a joy to work with. Then upon these basic wireshark features the book introduces a good part of the most used/useful advanced features in the program.&lt;/p&gt;

&lt;p&gt;All features are explained and some discussion as to why the feature is needed is included - why is committing this feature to human memory worth it. This helps me a lot when deciding which things I will need to remember and which parts I can look up in the future, should the need arise.&lt;/p&gt;

&lt;p&gt;The protocols covered are also the bare necessities from ARP, IP(v4), TCP, UDP and upper layers DHCP, DNS, HTTP - enough to get started and solve real problems, but not everything that wireshark can decipher.&lt;/p&gt;

&lt;p&gt;The detailed table of contents is extremely good and points the reader directly to the specific pages needed, FAST!&lt;/p&gt;

&lt;p&gt;Having the capture files available in a single zip-file of a manageable size of 86MB also makes it possible to work with the book in places without internet connection, and not having to install a lab for testing. I know there are lots of packet captures in the wireshark community, but finding beginner&#39;s examples is not trivial.&lt;/p&gt;

&lt;p&gt;The appendix is also a very important part of these relatively short books from No Starch. While some might not think much of these, they are time savers when an experienced author lists the best references they know. The references are to critical tools like tcpdump, windump and then both user friendly GUI tools and nerdy stuff like scapy. Excellent.&lt;/p&gt;

&lt;p&gt;Throughout the book there are also a number of crisp figures and tables supporting the mission and showing the key information so it can easily be found.&lt;/p&gt;

&lt;h2&gt;The Bad stuff &lt;/h2&gt;

&lt;p&gt;The book cannot cover everything, this is not bad - just fact - make sure you do not expect it to cover each and every protocol in wireshark. Actually I myself think protocols should be covered in books like Stevens, Comer etc.&lt;/p&gt;

&lt;p&gt;Mostly leaves out IPv6, and even though I love IPv6 there will be some specific problems when having dual stacks. Think for instance of a web server which has IPv6 DNS records that point to it, but IPv6 is not working. Some clients are IPv4 only and will not have a problem, while others with dual-stack will have problems, before falling back to IPv4 connections.&lt;/p&gt;

&lt;p&gt;So in general I haven&#39;t got much to complain about with this book. The author has in-depth knowledge and wrote an indispensable reference - which should be in the box, if wireshark was sold in physical boxes.&lt;/p&gt;


&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;This book is highly recommended for people that have downloaded wireshark - but are overwhelmed by the many options in the awesomest of sniffers. I certainly have plans to let my son of 12 years use this book soon, so he can solve network problems, and act as backup when I am not at home ;-)&lt;/p&gt;


&lt;h2&gt;Links&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://nostarch.com/packet2.htm&quot;&gt;book web page at No Starch&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2011/09/15/Practical-Packet-Analysis-2nd-ed-review</guid>
			<pubDate>Thu, 15 Sep 2011 01:08:21 +0200</pubDate>
            <category>/Book/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/Book/2011/09/15/Practical-Packet-Analysis-2nd-ed-review</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2011/09/15/Practical-Packet-Analysis-2nd-ed-review?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>World IPv6 day, danish measurements</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2011/06/07/World-IPv6-day-danish-measurements</link>
            <description>&lt;p&gt;
Hi All
&lt;/p&gt;&lt;p&gt;
Today is World IPv6 day, you know about it right?! &lt;a href=&quot;http://www.worldipv6day.org/&quot;&gt;http://www.worldipv6day.org/&lt;/a&gt;
&lt;/p&gt;&lt;p&gt;
In that spirit I asked a few of our customers at &lt;a href=&quot;http://www.solidohosting.com&quot;&gt;Solido Hosting&lt;/a&gt; if they would like to join the fun.
&lt;/p&gt;&lt;p&gt;
They did :-)
&lt;/p&gt;&lt;p&gt;
So today on World IPv6 Day we have at least two Danish sites running IPv6 - and also our own home page etc.
&lt;/p&gt;&lt;p&gt;
The sites are:
&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://www.information.dk&quot;&gt;http://www.information.dk&lt;/a&gt; major Danish newspaper&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.computerworld.dk&quot;&gt;http://www.computerworld.dk&lt;/a&gt; major computer information site&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Great and thank you!&lt;/p&gt;
&lt;h2&gt;How fast is it?&lt;/h2&gt;
&lt;p&gt;
I wanted to test the availability - of course, we don&#39;t want the customer to have bad performance, right?
&lt;/p&gt;
&lt;p&gt;
The site used for testing was my home which is in Kastrup, connected through provider &lt;a href=&quot;http://www.Bolignet.dk&quot;&gt;Bolignet.dk&lt;/a&gt;, which uses TDC fiber connection (previously DONG fibernet). Nice and fast - you would think, and mostly it works as expected. One thing though - my firewall at home has the &lt;strong&gt;external IP 10.98.0.185&lt;/strong&gt; - thank you. I have had some idea that this use of multiple layers of NAT, one NAT done in my Soekris running OpenBSD and some NAT device at Bolignet sucks, and it does.&lt;/p&gt;
&lt;p&gt;
I was sensing that my connections were not opening as fast as I would imagine, so I decided to test using Nping from &lt;a href=&quot;http://www.nmap.org&quot;&gt;Nmap&lt;/a&gt; - go download Nmap now if you do not have it installed. This nice Nping program can do measurements on TCP, much like the regular ping does on ICMP.
&lt;/p&gt;
&lt;p&gt;
But wait, before we go further let&#39;s have the traceroutes from home to a site at Ballerup, where Solido Hosting has most servers:
&lt;/p&gt;
&lt;pre&gt;
traceroute www.computerworld.dk
traceroute to www.computerworld.dk (91.102.90.146), 64 hops max, 52 byte packets
 1  10.0.42.1 (10.0.42.1)  0.519 ms  0.331 ms  0.300 ms
 2  10.98.0.1 (10.98.0.1)  0.699 ms  0.775 ms  0.629 ms
 3  10.29.200.30 (10.29.200.30)  0.895 ms  0.994 ms  0.572 ms
 4  10.29.200.34 (10.29.200.34)  1.348 ms  0.802 ms  0.588 ms
 5  10.29.200.38 (10.29.200.38)  0.909 ms  0.674 ms  0.595 ms
 6  10.29.200.42 (10.29.200.42)  0.849 ms  0.787 ms  0.638 ms
 7  10.29.200.5 (10.29.200.5)  1.013 ms  0.998 ms  1.051 ms
 8  10.6.8.109 (10.6.8.109)  1.253 ms  1.267 ms  1.167 ms
 9  10.6.8.109 (10.6.8.109)  1.182 ms  1.201 ms  1.193 ms
10  * * *
11  * * *
12  193.162.95.1 (193.162.95.1)  1.974 ms  1.664 ms  1.556 ms
13  193.162.95.2 (193.162.95.2)  1.508 ms  2.123 ms  1.543 ms
14  bgp1-dix.prod.bolignet.dk (79.142.224.1)  1.688 ms  2.037 ms  1.768 ms
15  bolignet.crt01.dix.zensystems.net (78.111.162.241)  1.887 ms  2.169 ms  1.763 ms
16  zensystems-ic-142370-kbn-horsk-i1.c.telia.net (213.248.68.94)  2.187 ms  3.345 ms  2.389 ms
17  kbn-horsk-i1-link.telia.net (213.248.68.93)  2.662 ms  3.413 ms  4.832 ms
18  kbn-b3-link.telia.net (80.91.249.193)  2.549 ms  10.397 ms  2.478 ms
19  kbn-bb1-link.telia.net (80.91.246.252)  64.211 ms
    kbn-bb2-link.telia.net (80.91.249.50)  2.655 ms
    kbn-bb2-link.telia.net (213.155.130.98)  2.803 ms
20  s-bb2-link.telia.net (213.248.65.165)  14.019 ms
    s-bb2-link.telia.net (80.91.247.162)  14.128 ms
    s-bb1-link.telia.net (213.155.130.172)  12.214 ms
21  s-b2-link.telia.net (80.91.246.149)  12.247 ms  12.429 ms
    s-b2-link.telia.net (213.155.131.31)  12.514 ms
22  s-akix-i1-link.telia.net (80.91.247.111)  41.298 ms  13.055 ms  12.512 ms
23  te8-3-10g.ar2.arn3.gblx.net (64.208.110.41)  16.002 ms
    te7-4-10g.ar2.arn3.gblx.net (64.208.110.5)  14.369 ms
    te8-3-10g.ar2.arn3.gblx.net (64.208.110.41)  15.672 ms
24  64.211.195.226 (64.211.195.226)  16.102 ms  14.861 ms  16.029 ms
25  fw.armadahosting.com (91.102.95.135)  14.931 ms  16.410 ms  16.454 ms
26  * * *
&lt;/pre&gt;
&lt;p&gt;and the IPv6 traceroute:
&lt;/p&gt;
&lt;pre&gt;
traceroute6 www.computerworld.dk
traceroute6 to www.computerworld.dk (2a02:9d0:2999:1::101) from 2001:16d8:dd0f:cf0f:216:cbff:feac:1d9f, 64 hops max, 12 byte packets
 1  2001:16d8:dd0f:cf0f::1  0.380 ms  0.394 ms  0.308 ms
 2  gw-27.cph-01.dk.sixxs.net  5.382 ms  5.014 ms  4.629 ms
 3  3229-sixxs.cr0-r72.gbl-cph.dk.ip6.p80.net  5.572 ms  5.490 ms  5.541 ms
 4  fe0-1-800.pling.v6.ngdc.net  6.158 ms  6.366 ms  7.150 ms
 5  te2-6.cr1.taa.cph.ngdc.net  6.178 ms
    te2-3.cr1.gl.cph.ngdc.net  6.449 ms  6.572 ms
 6  te3-1.cr0.gl.cph.ngdc.net  6.390 ms  6.365 ms  6.027 ms
 7  2a02:9d0:95::3  6.699 ms  6.928 ms  6.495 ms
 8  2a02:9d0:2999:1::101  7.110 ms  7.080 ms  6.824 ms
&lt;/pre&gt;
&lt;p&gt;Note: this traceroute6 hides the real hops on the way, but yes - this is an IPv6 tunnel, where traffic is converted into IPv4 packets, sent across the internet as v4, converted to v6, sent along to the destination, and vice versa in return. Sounds slow ehh?
&lt;/p&gt;
&lt;p&gt;
The measurements were repeated multiple times Tuesday evening, probably a time where lots of people are at home and using their internet connection. First let&#39;s see the IPv4 testing:
&lt;/p&gt;
&lt;pre&gt;
nping -4 www.computerworld.dk

Starting Nping 0.5.51 ( http://nmap.org/nping ) at 2011-06-07 22:09 CEST
SENT (0.3476s) Starting TCP Handshake &gt; www.computerworld.dk:80 (91.102.90.146:80)
RECV (0.3631s) Handshake with www.computerworld.dk:80 (91.102.90.146:80) completed
SENT (1.3484s) Starting TCP Handshake &gt; www.computerworld.dk:80 (91.102.90.146:80)
RECV (1.3635s) Handshake with www.computerworld.dk:80 (91.102.90.146:80) completed
SENT (2.3498s) Starting TCP Handshake &gt; www.computerworld.dk:80 (91.102.90.146:80)
RECV (2.3651s) Handshake with www.computerworld.dk:80 (91.102.90.146:80) completed
SENT (3.3514s) Starting TCP Handshake &gt; www.computerworld.dk:80 (91.102.90.146:80)
RECV (3.3664s) Handshake with www.computerworld.dk:80 (91.102.90.146:80) completed
SENT (4.3528s) Starting TCP Handshake &gt; www.computerworld.dk:80 (91.102.90.146:80)
RECV (4.3678s) Handshake with www.computerworld.dk:80 (91.102.90.146:80) completed
 
Max rtt: 15.487ms | Min rtt: 15.014ms | Avg rtt: 15.170ms
TCP connection attempts: 5 | Successful connections: 5 | Failed: 0 (0.00%)
Tx time: 4.00635s | Tx bytes/s: 99.84 | Tx pkts/s: 1.25
Rx time: 4.02136s | Rx bytes/s: 49.73 | Rx pkts/s: 1.24
Nping done: 1 IP address pinged in 4.37 seconds
&lt;/pre&gt;
&lt;p&gt;and IPv6:&lt;/p&gt;
&lt;pre&gt;
nping -6 www.computerworld.dk

Starting Nping 0.5.51 ( http://nmap.org/nping ) at 2011-06-07 22:09 CEST
SENT (0.1115s) Starting TCP Handshake &gt; 2a02:9d0:2999:1::101:80
RECV (0.1190s) Handshake with 2a02:9d0:2999:1::101:80 completed
SENT (1.1123s) Starting TCP Handshake &gt; 2a02:9d0:2999:1::101:80
RECV (1.1196s) Handshake with 2a02:9d0:2999:1::101:80 completed
SENT (2.1139s) Starting TCP Handshake &gt; 2a02:9d0:2999:1::101:80
RECV (2.1216s) Handshake with 2a02:9d0:2999:1::101:80 completed
SENT (3.1160s) Starting TCP Handshake &gt; 2a02:9d0:2999:1::101:80
RECV (3.1232s) Handshake with 2a02:9d0:2999:1::101:80 completed
SENT (4.1176s) Starting TCP Handshake &gt; 2a02:9d0:2999:1::101:80
RECV (4.1249s) Handshake with 2a02:9d0:2999:1::101:80 completed
 
Max rtt: 7.716ms | Min rtt: 7.284ms | Avg rtt: 7.441ms
TCP connection attempts: 5 | Successful connections: 5 | Failed: 0 (0.00%)
Tx time: 4.00738s | Tx bytes/s: 99.82 | Tx pkts/s: 1.25
Rx time: 4.01471s | Rx bytes/s: 49.82 | Rx pkts/s: 1.25
Nping done: 1 IP address pinged in 4.13 seconds
&lt;/pre&gt;
&lt;p&gt;and yes, I ran these multiple times and they were very consistent - the IPv6 is much faster!&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;The speed gain is clear. It seems to come either from not using a NAT device, or from the routing between me and the SixXS tunnel server being extremely effective. There is no need to postpone the use of IPv6 for more sites - get moving!&lt;/p&gt;
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2011/06/07/World-IPv6-day-danish-measurements</guid>
			<pubDate>Tue, 7 Jun 2011 20:16:29 +0200</pubDate>
            <category>/IPv6/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/IPv6/2011/06/07/World-IPv6-day-danish-measurements</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2011/06/07/World-IPv6-day-danish-measurements?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>Building the Ostinato Packet/Traffic Generator and Analyzer</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2011/06/04/Building-the-Ostinato-Packet-Traffic-Generator-and-Analyzer</link>
            <description>&lt;p&gt;
I love networks.
&lt;/p&gt;&lt;p&gt;
Ostinato Packet/Traffic Generator and Analyzer is a nice tool that too few people know about, let&#39;s see if we can change that :-)
&lt;/p&gt;&lt;p&gt;
First of all, what are we talking about? From the homepage of &lt;a href=&quot;http://code.google.com/p/ostinato/&quot; title=&quot;Ostinato home page link&quot;&gt;Ostinato&lt;/a&gt;
&lt;/p&gt;
&lt;quote&gt;
Ostinato is an open-source, cross-platform network packet crafter/traffic generator and analyzer with a friendly GUI. Craft and send packets of several streams with different protocols at different rates. For the full feature list see below.

Ostinato aims to be &quot;Wireshark in Reverse&quot; and become complementary to Wireshark.
&lt;/quote&gt;
&lt;p&gt;Nice, a tool for building and sending packets - and it runs on Windows, Linux, BSD and Mac OS X!&lt;/p&gt;

&lt;h2&gt;Building Ostinato on Mac&lt;/h2&gt;
&lt;p&gt;
You can go to the home page and download the tool. A few binaries also exist for Windows and Mac, but the Mac version is 0.3 and the current source is 0.4.1 - so let&#39;s build it from source as described on &lt;a href=&quot;http://code.google.com/p/ostinato/wiki/BuildingFromSource&quot;&gt;http://code.google.com/p/ostinato/wiki/BuildingFromSource&lt;/a&gt;. Install some prerequisites first; I chose &lt;a href=&quot;http://www.macports.org/&quot; title=&quot;Macports&quot;&gt;Macports&lt;/a&gt; and I found out the following ports are needed for building Ostinato:
&lt;/p&gt;
&lt;pre&gt;
$ port installed | egrep &quot;dbus|qt4|protobuf&quot;
  dbus @1.2.24_1 (active)
  protobuf-c @0.13_0 (active)
  protobuf-cpp @2.4.1_0 (active)
  qt4-mac-devel @4.7.0-beta2_3 (active)
  qt4_select @0.3_3 (active)
&lt;/pre&gt;
&lt;p&gt;Most other prerequisites are already installed. Note: I did a complete uninstall and rebuild of installed ports yesterday. That is sometimes good - it cleans up the mess of many installed versions and gets you updated software. I usually do this once a year or so, using a command like this:&lt;/p&gt;
&lt;pre&gt;
port installed | cut -f 3-4 -d &#39; &#39; | sed &quot;s/^/sudo port uninstall /g&quot; &gt; run.sh;sudo sh run.sh
&lt;/pre&gt;
&lt;p&gt;Followed by manual install of the above named packages and other stuff I use, iperf, hydra, dblatex, pdksh etc.
&lt;/p&gt;
&lt;p&gt;Back to building Ostinato, the home page says:&lt;/p&gt;
&lt;quote&gt;
Run the following commands from the top level directory -

$ qmake -spec macx-g++
$ make
$ sudo make install
make install will, by default, install the application bundles in /Applications/bin. To provide a custom install path, pass PREFIX=/absolute/path/to/prefix/dir to qmake. The bundles are installed in $PREFIX/bin/.

You can use the qmake options -config debug or -config release to force either debug or release mode.
&lt;/quote&gt;


&lt;h2&gt;Running Ostinato&lt;/h2&gt;

&lt;p&gt;
Then we can run the tool: open /Applications/Ostinato/Ostinato.app
&lt;/p&gt;

&lt;img src=&quot;http://blog.kramse.org/blojsom/resources/default/ostinato-first-run.png&quot; width=&quot;671&quot; height=&quot;237&quot; alt=&quot;Ostinato first run&quot; /&gt;
&lt;p&gt;Hmm, it makes sense - it needs more privileges, like Wireshark needs privileges to sniff the network. You can fix this in multiple ways, being lazy today I did:&lt;/p&gt;
&lt;pre&gt;
sudo /Applications/Ostinato/Ostinato.app/Contents/MacOS/Ostinato
&lt;/pre&gt;
&lt;p&gt;
which then gives the main window
&lt;/p&gt;

&lt;img src=&quot;http://blog.kramse.org/blojsom/resources/default/ostinato-main-window.png&quot; width=&quot;701&quot; height=&quot;573&quot; alt=&quot;main window&quot; /&gt;
&lt;p&gt;and you should be ready to use Ostinato - and try out the quickstart from the &lt;a href=&quot;http://code.google.com/p/ostinato/&quot; title=&quot;Ostinato home page link&quot;&gt;homepage&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;Postscript: Bit-Twist&lt;/h2&gt;
&lt;p&gt;
While installing pcap stuff I noticed another tool, &lt;a href=&quot;http://bittwist.sourceforge.net/&quot;&gt;Bit-Twist&lt;/a&gt;&lt;/p&gt;

&lt;quote&gt;
Bit-Twist is a simple yet powerful libpcap-based Ethernet packet generator. It is designed to complement tcpdump, which by itself has done a great job at capturing network traffic.

With Bit-Twist, you can now regenerate your captured traffic onto a live network! Packets are generated from tcpdump trace file (.pcap file). Bit-Twist also comes with a comprehensive trace file editor to allow you to change the contents of a trace file.
Generally, packet generator is useful in simulating networking traffic or scenario, testing firewall, IDS, and IPS, and troubleshooting various network problems.&lt;/quote&gt;
&lt;p&gt;Nice, Ostinato tries to complement Wireshark and this tool tries to complement Tcpdump, best of two worlds :-) Oh well another day another post :-)
&lt;/p&gt;
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2011/06/04/Building-the-Ostinato-Packet-Traffic-Generator-and-Analyzer</guid>
			<pubDate>Sat, 4 Jun 2011 10:46:15 +0200</pubDate>
            <category>/Internet/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/Internet/2011/06/04/Building-the-Ostinato-Packet-Traffic-Generator-and-Analyzer</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2011/06/04/Building-the-Ostinato-Packet-Traffic-Generator-and-Analyzer?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>Reporting about IPv6</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2011/04/15/Reporting-about-IPv6</link>
            <description>&lt;p&gt;Hmm, does my blog still work ;-)&lt;/p&gt;
&lt;p&gt;So, I work with IPv6 - as some might know already. I also know a lot about IPv6, at least I think so myself :-)&lt;/p&gt;
&lt;p&gt;I really hate reading about IPv6 these days, except when reading news like:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.zdnet.com/blog/networking/it-8217s-official-asia-8217s-just-ran-out-of-ipv4-addresses/948&quot;&gt;http://www.zdnet.com/blog/networking/it-8217s-official-asia-8217s-just-ran-out-of-ipv4-addresses/948&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href=&quot;http://www.apnic.net/publications/news/2011/final-8&quot;&gt;http://www.apnic.net/publications/news/2011/final-8&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href=&quot;http://www.apnic.net/community/ipv4-exhaustion/graphical-information&quot;&gt;http://www.apnic.net/community/ipv4-exhaustion/graphical-information&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;
&lt;/ul&gt;The last one even has the impressive graph&lt;br /&gt;
&lt;br /&gt;
&lt;img src=&quot;http://blog.kramse.org/blojsom/resources/default/apnic-graph-ipv4-april-2011.png&quot; width=&quot;567&quot; height=&quot;497&quot; alt=&quot;apnic-graph-ipv4-april-2011.png&quot; /&gt;&lt;br /&gt;
Did they just allocate more than half a /8 in 10 days? Yes! Source: &lt;a href=&quot;http://www.apnic.net/community/ipv4-exhaustion/graphical-information&quot;&gt;http://www.apnic.net/community/ipv4-exhaustion/graphical-information&lt;/a&gt;&lt;br /&gt;
&lt;p&gt;also watch the fantastic video APNIC 2010 - year in review from &lt;a href=&quot;http://www.youtube.com/watch?v=VNk8Frb9BcA&quot;&gt;http://www.youtube.com/watch?v=VNk8Frb9BcA&lt;/a&gt; APNIC kids, I love you!&lt;/p&gt;
&lt;p&gt;Sorry, getting carried away by the good stuff about IPv6 - it really will happen this year :-)))))&lt;/p&gt;
&lt;p&gt;What makes me sad (and mad) is the load of crap that is being written about IPv6 currently!&lt;/p&gt;
&lt;p&gt;We have &quot;security consultants&quot; (I am a security consultant also) that take a small IPv6 thing and blow it out of proportion, like the fucking SLAAC &quot;0 day&quot; that got so much hype that I won&#39;t even include a link about it. Quite nifty you might say to get hosts to send their traffic to you, but people forget that this &quot;attack&quot; is not really new or interesting - there are easier ways to accomplish the same, so WTF - stop posting shite about IPv6 &quot;security&quot;. A configuration file and sending router advertisements is not &quot;exploit code&quot;, get a hold of yourself! I WILL mock you if I ever hear you in person telling this.&lt;/p&gt;
&lt;p&gt;You are WELCOME to send me articles with NDAs and I will HAPPILY fact check your IPv6 security stuff before you make a fool of yourself.&lt;/p&gt;
&lt;p&gt;Note: there are people reporting very nice things with IPv6 security, THC yes awesome job, I will send you patches to the IPv6 attack toolkit - promise!&lt;/p&gt;
&lt;p&gt;Oh well, today I came across an IPv6 article in a Danish media outlet, translated and repeated - it sucked. (I regularly scan using Google: ipv6 site:dk and then some recent timeframe). The translation was not even very good - but I decided to find the original. Baaaaad idea. Very bad idea indeed.&lt;/p&gt;
&lt;p&gt;First, I presume it was written by an American and intended for them, and yes Americans in general don&#39;t know shit about IPv6. Sorry, Microsoft, ARIN and the few others trying to change this - I know you have very good people doing IPv6 - but the rest does NOT care much. I really don&#39;t expect much when a journalist writes about IPv6 and I can accept a few mistakes.&lt;/p&gt;
&lt;p&gt;This article though was so bad it hurt my eyes, and I decided to rip it apart, and why don&#39;t I paste this to my blog. ;-)&lt;/p&gt;
&lt;p&gt;Sent to letters@pcworld.com - they were so &quot;nice&quot; to include a rating system on the article making it easy to send feedback, thank you pcworld.&lt;/p&gt;
&lt;p&gt;Subject: My feedback on Why You Shouldn&#39;t Worry About Switching to IPv6 Now (221965)&lt;/p&gt;
&lt;p&gt;&lt;span style=&quot;font-size: medium;&quot;&gt;Hi&lt;/span&gt;&lt;/p&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  I was so sad to read a translation of the article
&lt;/div&gt;&lt;span style=&quot;font-size: medium;&quot;&gt;&lt;a href=&quot;http://www.pcworld.com/businesscenter/article/221965/why_you_shouldnt_worry_about_switching_to_ipv6_now.html&quot;&gt;http://www.pcworld.com/businesscenter/article/221965/why_you_shouldnt_worry_about_switching_to_ipv6_now.html&lt;/a&gt;&lt;/span&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  so I searched and found the original.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  what a piece of crap.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  sorry if this sounds harsh but you missed the point, or Mr Logan G. Harbaugh did.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Yes, I have been using IPv6 for many years and know a lot about IPv6, but this mainstream piece
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  is so bad it hurts my eyes, sorry for being dramatic.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Let me try to summarize - objectively - some of the bad things in the article.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Ex A)
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot;Since the late 1970s, Internet Protocol version 4 has been the standard address system for identifying and locating computers, routers, and other hardware on the Internet.&quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  truth, IPv4 was implemented on the internet in 1981
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Even wikipedia got this right
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  http://en.wikipedia.org/wiki/IPv4
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot;IPv4 is described in IETF publication RFC 791 (September 1981), replacing an earlier definition (RFC 760, January 1980).&quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Ex A - part 2
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Incidentally you link to &lt;a href=&quot;http://www.pcworld.com/businesscenter/article/218602/icann_assigns_its_last_ipv4_addresses.html&quot;&gt;http://www.pcworld.com/businesscenter/article/218602/icann_assigns_its_last_ipv4_addresses.html&lt;/a&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  which says &quot;ICANN Assigns Its Last IPv4 Addresses&quot; and then proceeds to say, as the first sentence
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot;The Internet Assigned Numbers Authority (IANA) has handed out its last IPv4 addresses, &quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Hint: IANA is the right organization, check on their web site http://www.iana.org/ if you want to know more :-)
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Wow, we just started the article and facts are wrong :-(
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Ex B)
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot; To fix the problem, a second protocol, IPv6, debuted a few years back,&quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  erhh, ok, I may not be a native English speaker, but IPv6 is from around the middle of the 1990s and we are in 2011?
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot;IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated IPv4 address exhaustion, and is described in Internet standard document RFC 2460, published in December 1998.&quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  - maybe this article was written in 2005 ;-)
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  The first IPv6 specification RFC was RFC-1883 from December 1995
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  OK, we can let this one slide, but the knowledge presented is definitely NOT from a person that knows IPv6 in detail - I can tell that easily.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Ex C)
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot;IPv4 is the original network protocol, initially designed to connect university and government mainframes.&quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  hmm, if it meant to say the original internet network protocol it would be wrong, since IPv4 replaced NCP, and there have been so many protocols
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Some old timers might remember IPX, Banyan Vines etc. DECNet, Aloha, Ethernet, lots of protocols
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Ex D)
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot;Now that IPv4 addresses are all assigned, the pressure on many organizations to move to IPv6 is growing steadily.&quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Technically they are not assigned, as of today ARIN has about 5.15 times /8 available in a pool and RIPE has also about 5 times /8 they can give out.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  It seems APNIC just announced the &quot;end game&quot; by reaching into the last /8 they have - going into a policy change and stuff, worth a news article actually
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Check ARIN, RIPE and APNIC homepages
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  This part suggests that Mr Logan really does not know enough about IP addresses, or doesn&#39;t care about telling things as they really are?
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  He is right though that the move to IPv6 is right here and now.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  ... skipping a few minor points ...
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Ex E)
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot;Many older PCs, network switches, routers, print servers, and other network devices may not support IPv6.&quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  A switch does not care, and as such does not NEED to support IPv6, so this line is just spreading FUD. I have in my home a generic Xerox Phaser
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  which supports IPv6 just fine, lots of other devices do, and still - if the print server can talk to the printer, who cares HOW.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  and older PCs? People have rapidly changed into visiting sites and &quot;the internet&quot; from mobile devices, if your device can visit facebook.com - it can surely run IPv6
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Ex F)
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot;While a server could run both IPv4 and IPv6, and permit both types of connected devices to talk to one another, this arrangement introduces additional complexity and can contribute to the load on the server. In addition, network administrators will need to switch the setup over, a process that can take at least a few minutes for each device on the network.&quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Two things, a modest Netbook - you know a small device with limited memory can run dual stacked no problem, even my iPad and iPhone do run dual-stacked, so this
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  is just pure crap and FUDDING. Running dual stack does NOT contribute to the load, with complexity - really IPv6 is NOT that hard.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Switching over (second thing) does NOT require minutes of time, work stations have IPv6 enabled by default and the rest of the devices might need a one time change, and you should really compare that to the work load of the monthly security patches and reboots required for other reasons. No, IPv6 is NOT hard, why say it is?
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Ex G)
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot;Many organizations may not even need to switch at all until their ISP does. The Internet will run both IPv4 and IPv6 for many years to come, and your ISP will translate automatically for you if your network is still using IPv4. &quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  One thing is correct, the internet WILL run both IPv4 and IPv6 for MANY years, but sadly NO - I don&#39;t expect most ISPs to translate IPv4 for you to reach IPv6 only sites - when they start to appear. They will have a hard time doing the &quot;carrier NAT&quot; stuff and providing the same for IPv4-only customers will be more work than enabling IPv6 in their networks.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Ex H) multiple places same problem
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot;First, you&#39;ll need to get a new address, and second, you&#39;ll need a router (or firewall/router) that supports IPv6.&quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Get a new address (singular) WTF?
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Everybody looking into IPv6 just casually will know that you get at least a prefix, but it is discussed if you would get like a /48 or /56. Nobody in their right mind would give you a single IPv6 address. IPv6 is about connectivity and having a subnet (another name for prefix) is needed, as you are sure to have multiple devices at home, even when having a mobile phone providing a hot spot functionality you would need multiple addresses. No, a single address is not used - anywhere!
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot;Once you have a new IPv6 address, you&#39;ll also need a router or firewall that supports IPv6. Such products are still hard to find, especially in less-expensive, small-business-oriented versions. Cisco and other top-tier products have IPv6 support--although even there, often the only way to know which products support it is to read the manuals.&quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  - another example, and yes finding IPv6 capable devices can be tricky, as some vendors still sell a lot of non-IPv6 capable devices.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  ALL of the MAIN vendors do however have lists of devices supporting IPv6, allowing you to compare their products. You do not need to read manuals, why talk about such nonsense?
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  google it using &quot;vendor Ipv6 devices&quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  HP has a nice list at http://h10026.www1.hp.com/netipv6/Ipv6.htm and other vendors have similar lists.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Ex I)
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot;If you have an IPv6 address, and your router or firewall has IPv6 support, you may not need anything more. The router should be able to translate between your internal IPv4 network and the Internet, and unless or until you need to connect more systems than just an e-mail or Web server directly to the Internet, you might not have to make any more changes.&quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Sorry, but this makes me cry. It can be a bit hard to find devices that support IPv6, but none of the smaller devices will easily translate IPv4 to IPv6 for you, they will expect you to run IPv6 internally. Misleading statements from author ...
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Ex J)
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &quot;Eventually--when all your PCs are running Windows 7 or later and your servers are running Windows Server 2008 R2 or later,&quot;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Yeah, when all my PCs are running Windows 7?! It will be a cold day in hell ...
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  The author is being very ignorant of the fact that both earlier versions of Microsoft Windows clients and servers can work very well with IPv6, it is supported by MS even!
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Worse he neglects to inform that all of the main clients Windows, Linux, Mac OS X work well with IPv6
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  as do servers running Windows, Linux, Mac OS X - and AIX, and Solaris, and network devices F5, Cisco, Dell, etc etc.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Damn, even the DRAC cards for remote access to server hardware, for resetting, booting, installing etc. run IPv6 fine! Blade chassis from Dells
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  IPv6 is not really hard, but this article spreads the notion that IPv6 is a bit of a problem, so stay away, forget about it for now.
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  ARIN and others are working hard to inform the general public, providers and professionals in a timely manner, read https://www.arin.net/knowledge/v4-v6.html,
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  but your article works against that. Shame on you!
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Best regards and thank you for reading this far, have a nice weekend :-)
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  Henrik
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  --- end of email ---
&lt;/div&gt;
&lt;div style=&quot;font-size: medium;&quot;&gt;
  &lt;br /&gt;
&lt;/div&gt;
&lt;p&gt;
  Am I too picky about IPv6? Did you think the article was alright? Should we just accept that articles in the media ignore our field of expertise and completely disregard the proper wording - like when not distinguishing between allocated, assigned and so on with addresses? It is easy to find the proper wording about RFCs and APNIC has a very nice description about address status at &lt;a href=&quot;http://www.apnic.net/services/manage-resources/address-status&quot;&gt;http://www.apnic.net/services/manage-resources/address-status&lt;/a&gt;.
&lt;/p&gt;&lt;p&gt;  Oh, I can see the article on the Danish site got a shorter comment, but along the same lines &quot;Hmm, somebody should go to a network course&quot; ... :-)
&lt;/p&gt;&lt;p&gt;
  I will try to find something more positive to report soon - and restart the blog - again :-)
&lt;/p&gt;
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2011/04/15/Reporting-about-IPv6</guid>
			<pubDate>Fri, 15 Apr 2011 13:23:55 +0200</pubDate>
            <category>/IPv6/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/IPv6/2011/04/15/Reporting-about-IPv6</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2011/04/15/Reporting-about-IPv6?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>Using Junos to connect to serial console</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2010/12/29/Using-Junos-to-connect-to-serial-console</link>
            <description>&lt;p&gt;
OK, let&#39;s say you have a nice router running Junos in a remote location.&lt;/p&gt;
&lt;p&gt;
This device is running nicely, but you want to make sure you can control it, even while doing updates and other stuff from console. Enter the console server, &lt;a href=&quot;http://www.conserver.com/&quot;&gt;conserver&lt;/a&gt; and some multiport serial adapter - everything is fine. Usually I buy a &lt;a href=&quot;http://soekris.com/&quot;&gt;Soekris&lt;/a&gt; from Wim at &lt;a href=&quot;http://kd85.com/&quot;&gt;KD85.com&lt;/a&gt; for this purpose. The reasons to use Soekris are: pretty cheap, very small, can even run from Compact Flash, runs OpenBSD, and multiport serial cards make them perfect for this.
&lt;/p&gt;
&lt;p&gt;
... but what if the console server has problems or you want to upgrade it? (like mine has currently, and far away ...) wouldn&#39;t it be nice to have a console on that console server, just add another console server, ERROR recursion not allowed!&amp;€&lt;/p&gt;

&lt;p&gt;
Problem statement:
&lt;ul&gt;
&lt;li&gt;I have a Junos router
&lt;li&gt;I need a console for a soekris device
&lt;li&gt;Do not mess with the Junos installed (not much ;-) )
&lt;/ul&gt;
&lt;/p&gt;
&lt;p&gt;
The solution:
&lt;ul&gt;
&lt;li&gt;Use a USB-serial device, I used an FTDI USB-serial device
&lt;li&gt;Use tip from Junos - but link it to the name cu for ease of use
&lt;/ul&gt;
&lt;/p&gt;
&lt;h2&gt;Login to Junos&lt;/h2&gt;
&lt;p&gt;How to use tip/cu from Junos to connect to Soekris&lt;/p&gt;
&lt;p&gt;
First log in to the shell, either using the root login, which defaults to the shell:&lt;/p&gt;
&lt;pre&gt;
hlk@bigfoot:hlk$ ssh root@10.0.42.39


==========================================================

Access to this device is limited to authorized users only.

 WARNING: All unauthorized access is prohibited.

==========================================================

--- JUNOS 10.4R1.9 built 2010-12-04 10:20:16 UTC
root@bluebear% 
&lt;/pre&gt;
&lt;p&gt;
or use regular user for login - with privileges for shell - and switch to root user:
&lt;/p&gt;

&lt;pre&gt;
hlk@bigfoot:hlk$ ssh 10.0.42.39
==========================================================

Access to this device is limited to authorized users only.

 WARNING: All unauthorized access is prohibited.

==========================================================

--- JUNOS 10.4R1.9 built 2010-12-04 10:20:16 UTC
hlk@bluebear&gt; start shell 
% su - root
Password:
root@bluebear% id
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator), 10(field), 11(floppy), 31(guest), 73(config)
&lt;/pre&gt;
&lt;p&gt;
Getting root requires the root account, and Junos does not include sudo - let me know if we can make this work without somehow ;-)
&lt;/p&gt;
&lt;h2&gt;Run terminal program&lt;/h2&gt;
&lt;p&gt;
So we have root on the device, and attaching the USB serial device can be seen in system messages:
&lt;/p&gt;
&lt;pre&gt;
% dmesg
TNPv3: adding neighbor 0x00000001 to interface fxp2.
TNPv3: adding neighbor 0xffffffff to interface fxp2.
...
mld6_input: src :: is not link-local (grp=ff02::00fb)
if_msg_ifl_addr_del 70 0xc2a6dcd6 0xc2a6dcea 64 0x1
ucom0: FIDI usb serial converter, rev 1.10/4.00, addr 4
% ls -l /dev/cuaU0
crw-rw----  1 uucp  dialer    0,  90 Dec 29 22:46 /dev/cuaU0
&lt;/pre&gt;
&lt;p&gt;
OK, the device was recognized as ucom0 supported device and we have an entry in the /dev/cuaU0, nice! Do we have any terminal programs?
&lt;/p&gt;
&lt;pre&gt;
% cu
cu: Command not found.
% tip
tip: unknown host bluebear
&lt;/pre&gt;
&lt;p&gt;We have tip, but not cu - and /etc/remote is on a read-only filesystem, and we would prefer not to mess too much ... let&#39;s try something else:
&lt;/p&gt;
&lt;pre&gt;
root@bluebear% which tip
/usr/bin/tip
root@bluebear% ln -s /usr/bin/tip cu
root@bluebear% ./cu
usage: cu [-ehot] [-a acu] [-l line] [-s speed] [-#] [phone-number]
&lt;/pre&gt;
&lt;p&gt;Great, cu is easy to use! Just add line and speed? YES! Note: this works because tip and cu are the same executable, which behaves differently depending on the name it is executed under, like a lot of other Unix tools.
&lt;/p&gt;
&lt;pre&gt;
root@bluebear% ./cu -l /dev/cuaU0 -s 9600
Connected
Invalid Command.

&gt; 

&gt; show

ConSpeed = 9600
ConLock = Enabled
ConMute = Disabled
BIOSentry = Enabled
PCIROMS = Enabled
PXEBoot = Enabled
FLASH = Primary
BootDelay = 5
FastBoot = Disabled
BootPartition = Disabled
BootDrive = 80 81 F0 FF 
ShowPCI = Enabled
Reset = Hard

&gt;
&lt;/pre&gt;
&lt;p&gt;
This is just the regular Soekris comBIOS environment :-)
&lt;/p&gt;
&lt;p&gt;
So using a Junos router it is possible to add another serial connection, which might come in handy for controlling a console server, or another device directly. Especially since the Soekris devices have a built-in reset functionality that allows you to power cycle the device using &#39;+++&#39; sequences.
&lt;/p&gt;
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2010/12/29/Using-Junos-to-connect-to-serial-console</guid>
			<pubDate>Wed, 29 Dec 2010 13:33:12 +0100</pubDate>
            <category>/Tools/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/Tools/2010/12/29/Using-Junos-to-connect-to-serial-console</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2010/12/29/Using-Junos-to-connect-to-serial-console?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>Junos Security, book review</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2010/11/14/Junos-Security-book-review</link>
            <description>&lt;h2&gt;Junos Security&lt;/h2&gt;
&lt;p&gt;A Practical Guide to Junos Enterprise Services Gateways, Software, and Certification
by Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, and James Quinn&lt;/p&gt;
&lt;p&gt;ISBN: 978-1-449-38171-4&lt;/p&gt;  
&lt;p&gt;Paperback:    pages&lt;/p&gt;
&lt;p&gt;Publisher: O&#39;Reilly August 2010&lt;/p&gt;
&lt;a href=&quot;http://oreilly.com/catalog/0636920001317/&quot;&gt;
&lt;img src=&quot;http://blog.kramse.org/blojsom/resources/default/cat.gif&quot; width=&quot;180&quot; height=&quot;236&quot; alt=&quot;Junos Security cover picture&quot; /&gt;&lt;br&gt;
&lt;/a&gt;



&lt;p&gt;Review by Henrik Lund Kramshoej, hlk@kramse.org&lt;/p&gt;

&lt;p&gt;November 2010&lt;/p&gt;

&lt;p&gt;The best in-depth Juniper SRX knowledge transfer&lt;/p&gt;


&lt;p&gt;Disclaimer: I am hooked on Junos and love it. 
I do not get proceeds from the book, but I do sell Juniper devices to customers through my company &lt;a href=&quot;http://solidonetworks.com/&quot; title=&quot;Solido Networks&quot;&gt;Solido Networks&lt;/a&gt;.
&lt;/p&gt;

&lt;h2&gt;Content&lt;/h2&gt;

&lt;p&gt;This book is about Junos - but Junos on the SRX models! You will immediately notice from browsing the table of contents that SRX is the main focus. This is good. Another thing you might also notice right away is the size of the book - it is huge, this is also good. 

&lt;p&gt;Having a huge book allows for a lot of detailed information about the SRX series from the hardware models, history of Junos and all the way to practical examples of designing infrastructures using SRX devices, along with switches and routers. 
&lt;/p&gt;
&lt;p&gt;
The introductory Junos chapters will give you an overview while the detailed chapters about security policies, NAT, IPsec, attack mitigation, IPS features and threat management will make your devices able to combat just about anything from the internet. After these chapters there are chapters about high availability and routing that will help make your network resilient to other problems that would otherwise cause outages. The last two chapters cover transparent mode and SRX management. 
&lt;/p&gt;

&lt;h2&gt;Target audience&lt;/h2&gt;
&lt;p&gt;Junos and Juniper SRX administrators are the primary targets for this book. Either coming from Junos routers and moving into doing filtering in the networks, ScreenOS firewall administrators or enterprise people moving from separated firewalls into integrated security gateways. The technical requirements for using this book are few, so I would recommend putting it on a wish list when purchasing Juniper SRX. You can even use it to verify and validate a design before ordering devices for a planned rollout.
&lt;/p&gt;

&lt;p&gt;Especially the walkthrough of the models will be useful for deciding which models to use where. Note however that new models are added from time to time. A new model is the SRX220 with Gbit interfaces, which looks very interesting, and the new SRX1400 also looks interesting.&lt;/p&gt;



&lt;h2&gt;Summarized - Good stuff&lt;/h2&gt;

&lt;p&gt;Nice figures - showing network layouts is one of the best ways to convey best practice and you can almost copy paste these directly into a design document for your solutions.
Practical - the level of detail is great without making it hard to read. The flow of information progresses nicely throughout the book and you can take one chapter at a time. After reading the book I have also used it as a reference multiple times and will continue to do that for years to come. &lt;/p&gt;

&lt;p&gt;Quite advanced and quite complete - given the length of the book it really has a lot of links and references,
so currently I only have a few small things that I would have liked to see treated with more &quot;respect&quot;.&lt;/p&gt;

&lt;h2&gt;The Bad stuff &lt;/h2&gt;

&lt;p&gt;As specified it is about the SRX series - so if you bought this book thinking it would be about everything Junos then hurry out and buy a small SRX :-)

&lt;p&gt;I also have a problem in some cases where the authors simplify too much, such as the treatment of ICMP. ICMP as most people know is the Internet Control Message Protocol, synonymous with the Ping program. Unfortunately this is not the full story and ICMP has many other important functions.

&lt;p&gt;So I have a problem when the authors suggest blocking ICMP altogether when talking about stateless filtering, why?

&lt;p&gt;They specify a lot about ICMP, so I am pretty puzzled when they say &quot;For example, in some situations you might not be able to block all ICMP packets&quot; - of course, you are NEVER allowed to block all ICMP packets?!
(you might be so paranoid as to block ANY ICMP, but then you would be in a network so secure that it should not use networks ;-) )

&lt;p&gt;ICMP has a lot of uses in which getting the response back is essential for quick response to the user, so DON&#39;T BLOCK ALL ICMP!

&lt;p&gt;My list of ICMP messages to allow for ICMP on a client system are icmptypes 3,4,11,12:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;3 (unreach): Destination unreachable
&lt;li&gt;4 (squench): Packet loss, slow down
&lt;li&gt;11 (timex): Time exceeded
&lt;li&gt;12 (paramprob): Invalid IP header
&lt;/ul&gt;


&lt;p&gt;My list of ICMPv6 messages to consider allowing is:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;# Allow ICMPv6 destination unreach&lt;br&gt;
        $fwcmd6 add pass ipv6-icmp from any to any icmptypes 1
&lt;li&gt;# Allow packet too big, needed for Path MTU discovery (don&#39;t filter it out)&lt;br&gt;
        $fwcmd6 add pass ipv6-icmp from any to any icmptypes 2  
&lt;li&gt;# Allow timex Time exceeded&lt;br&gt; 
        $fwcmd6 add pass ipv6-icmp from any to any icmptypes 3  
&lt;li&gt;# Allow parameter problem&lt;br&gt;
        $fwcmd6 add pass ipv6-icmp from any to any icmptypes 4  
&lt;li&gt;# IPv6 ICMP - echo request (128) and echo reply (129)&lt;br&gt;
        $fwcmd6 add pass ipv6-icmp from any to any icmptypes 128,129
&lt;li&gt;# IPv6 ICMP - router solicitation (133) and router advertisement (134)&lt;br&gt;
        $fwcmd6 add pass ipv6-icmp from any to any icmptypes 133,134
&lt;li&gt;# IPv6 ICMP - neighbour discovery solicitation (135) and advertisement (136)&lt;br&gt;
        $fwcmd6 add pass ipv6-icmp from any to any icmptypes 135,136
&lt;/ul&gt;
&lt;p&gt;
Why are these important?
&lt;/p&gt;
&lt;p&gt;
Because your applications will get a response, and thus they can react more quickly to services not responding - which is important for users. If ICMP is not allowed the applications will have to time out instead, which can result in annoyances for users. &lt;a href=&quot;http://en.wikipedia.org/wiki/Path_MTU_Discovery&quot;&gt;Path MTU&lt;/a&gt; is another example where blocking ICMP removes features and makes the internet a little bit less efficient - not something you want when buying the latest and greatest security gateway.&lt;/p&gt;
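&lt;p&gt;An added example, not part of the original review and not code from the book or from Juniper: a small Python audit that reads rules in the syntax of the ICMPv6 list above and reports which of the listed types a ruleset would block. It assumes first-match evaluation with a default deny and only models rules written as "from any to any"; the names REQUIRED_ICMP6, parse_rule, audit and blocked_types and the PING_ONLY ruleset are constructed for illustration.&lt;/p&gt;

```python
"""Audit a ruleset, written in the review's rule syntax, for required ICMPv6."""

# ICMPv6 types from the review's list, with their standard names.
REQUIRED_ICMP6 = {
    1: "destination unreachable",
    2: "packet too big (Path MTU discovery)",
    3: "time exceeded",
    4: "parameter problem",
    128: "echo request",
    129: "echo reply",
    133: "router solicitation",
    134: "router advertisement",
    135: "neighbour solicitation",
    136: "neighbour advertisement",
}

# Only "pass" appears on the page; the other keywords are assumed synonyms.
PASS_WORDS = {"pass", "allow", "accept", "permit"}
DENY_WORDS = {"deny", "drop", "reject"}
# Assumption: "all" and "ipv6" as protocol match every packet, ICMPv6 included.
ICMP6_PROTOS = {"ipv6-icmp", "all", "ipv6"}

# The rule lines from the review's list, comments dropped.
REVIEW_RULES = """
$fwcmd6 add pass ipv6-icmp from any to any icmptypes 1
$fwcmd6 add pass ipv6-icmp from any to any icmptypes 2
$fwcmd6 add pass ipv6-icmp from any to any icmptypes 3
$fwcmd6 add pass ipv6-icmp from any to any icmptypes 4
$fwcmd6 add pass ipv6-icmp from any to any icmptypes 128,129
$fwcmd6 add pass ipv6-icmp from any to any icmptypes 133,134
$fwcmd6 add pass ipv6-icmp from any to any icmptypes 135,136
"""

# Constructed sample: a "ping only, drop the rest" filter of the kind
# the review argues against.
PING_ONLY = """
$fwcmd6 add pass ipv6-icmp from any to any icmptypes 128,129
$fwcmd6 add deny ipv6-icmp from any to any
$fwcmd6 add pass tcp from any to any 80
"""


def parse_rule(line):
    """Return (verdict, types) for an ICMPv6-relevant rule, else None.

    types is a set of ints, or None when the rule has no icmptypes option
    and therefore matches every ICMPv6 type.
    """
    tokens = line.split("#", 1)[0].split()
    if "add" not in tokens:
        return None
    tokens = tokens[tokens.index("add") + 1:]
    if tokens and tokens[0].isdigit():          # optional rule number
        tokens = tokens[1:]
    # Simplification: only unconditional "from any to any" rules are modelled.
    if tokens[2:6] != ["from", "any", "to", "any"]:
        return None
    action, proto, options = tokens[0], tokens[1], tokens[6:]
    if proto not in ICMP6_PROTOS:
        return None
    if action in PASS_WORDS:
        verdict = "pass"
    elif action in DENY_WORDS:
        verdict = "deny"
    else:
        return None                             # other actions decide nothing
    if not options:
        return verdict, None
    if len(options) != 2 or options[0] != "icmptypes":
        return None                             # extra match options: not modelled
    return verdict, {int(t) for t in options[1].split(",") if t.isdigit()}


def audit(ruleset, default="deny"):
    """Map each required ICMPv6 type to the verdict of the first matching rule.

    Assumption: a packet that matches no rule gets the default verdict (deny).
    """
    rules = [r for r in map(parse_rule, ruleset.splitlines()) if r]
    verdicts = {}
    for icmp_type in REQUIRED_ICMP6:
        verdicts[icmp_type] = default
        for verdict, types in rules:
            if types is None or icmp_type in types:
                verdicts[icmp_type] = verdict
                break
    return verdicts


def blocked_types(ruleset):
    """Required ICMPv6 types the ruleset would drop, in numeric order."""
    return sorted(t for t, v in audit(ruleset).items() if v == "deny")


if __name__ == "__main__":
    for name, rules in (("review list", REVIEW_RULES), ("ping only", PING_ONLY)):
        blocked = blocked_types(rules)
        print(name + ":", "nothing required is blocked" if not blocked else "")
        for t in blocked:
            print("  blocked", str(t).rjust(3), REQUIRED_ICMP6[t])
```

&lt;p&gt;For the constructed ping-only ruleset the report lists types 1 to 4 and 133 to 136 as blocked, which is exactly the loss of error reporting, Path MTU discovery and neighbour discovery described above.&lt;/p&gt;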

&lt;p&gt;Another thing I would change is the chapter Transparent Mode, which I would have removed altogether - just don&#39;t use it. It may sound nice to just insert a bump in the road for network traffic, no changes needed. The problem is that you cannot easily see if it is inserted correctly and is in place. Debugging just got a lot harder, so don&#39;t go there. That is my opinion, YMMV.&lt;/p&gt;


&lt;h2&gt;Missing chapters&lt;/h2&gt;
&lt;p&gt;To fulfill the mission of getting a Junos production environment running - the target audience typically has this mission, you need a few more resources and I would have liked a more detailed treatment of ICMP. &lt;/p&gt;

&lt;p&gt;Also since they use a lot of time and places in the book describing TCP protection they could have included a state machine or SYN, SYN-ACK, ACK figures earlier in the book - there is one on page 366 deep inside the book.&lt;/p&gt;

&lt;p&gt;One thing I also miss are things like BGP induced black holes, prefix lists used for filtering with some dynamic update (I use a cron job and a script to update these on my SRX devices) - things to do when the bad stuff on the internet hits the 10G connection. Something like a cookbook for doing high performance security gateways, including template configurations - ready to implement.&lt;/p&gt;

&lt;p&gt;The authors have in depth knowledge and they have made a wonderful book, but more wants more :-)&lt;/p&gt;


&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;This book is mandatory reading for Juniper SRX administrators from &lt;a href=&quot;http://www.juniper.net/us/en/community/junos/training-certification/day-one/&quot;&gt;Juniper Day One booklets&lt;/a&gt; to this huge treasure chest of information. The book is very clear, and from the first few pages to the last I have learnt a lot of new stuff. Mind you, I have also read a lot of other available materials from Juniper, but this book takes you further.&lt;/p&gt;
&lt;p&gt;
I can highly recommend this to anyone working with SRX or Junos.&lt;/p&gt;

&lt;h2&gt;Links&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://oreilly.com/catalog/9781449381714/&quot;&gt;http://oreilly.com/catalog/9781449381714/&lt;/a&gt; book web page
&lt;li&gt;&lt;a href=&quot;http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol&quot;&gt;ICMP on Wikipedia&lt;/a&gt;
&lt;li&gt;&lt;a href=&quot;http://www.juniper.net/us/en/community/junos/training-certification/day-one/&quot;&gt;Juniper Day One booklets&lt;/a&gt; - get these now!
&lt;li&gt;&lt;a href=&quot;http://code.google.com/p/junoscriptorium/&quot;&gt;junoscriptorium&lt;/a&gt;
A Repository for JUNOScripts: Commit, Event, and Op scripts for JUNOS
&lt;/ul&gt;

&lt;h2&gt;Get into Junos&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Start out with the first free bits, the Day One booklets. 
&lt;li&gt;Join the mailing lists and read at the &lt;a href=&quot;http://www.juniper.net/us/en/community/&quot;&gt;Juniper site&lt;/a&gt; to get information about new releases and technical bulletins
&lt;li&gt;Then buy the Enterprise Routing book, if you want to learn about routing with Junos
&lt;li&gt;Then buy the Junos Security book, if you are planning on using SRX series and do security filtering. 
&lt;li&gt;When you are ready to get more advanced and have a running network turn to the scriptorium and automate the management of your network using netflow monitoring, SNMP, automation with scripts etc.
&lt;/ul&gt;

&lt;p&gt;BTW do not buy the Junos cookbook currently, it was nice but should be updated. Perhaps an update of the Junos cookbook with new examples and including the SRX series would be appropriate?&lt;/p&gt;






</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2010/11/14/Junos-Security-book-review</guid>
			<pubDate>Sun, 14 Nov 2010 12:35:37 +0100</pubDate>
            <category>/Book/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/Book/2010/11/14/Junos-Security-book-review</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2010/11/14/Junos-Security-book-review?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>Network flow analysis by Michael W. Lucas, review</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2010/08/19/Network-flow-analysis-by-Michael-W-Lucas-review</link>
            <description>&lt;p&gt;Network Flow Analysis by Michael W. Lucas&lt;/p&gt;
&lt;p&gt;ISBN: 978-1-59327-203-6&lt;/p&gt;
&lt;p&gt;Paperback: 224 pages&lt;/p&gt;
&lt;p&gt;Publisher: No Starch Press June 2010&lt;/p&gt;
&lt;a href=&quot;http://nostarch.com/networkflow.htm&quot;&gt; 
&lt;img src=&quot;http://blog.kramse.org/blojsom/resources/default/networkflow_big.png&quot; width=&quot;170&quot; height=&quot;225&quot; alt=&quot;network flow analysis cover&quot; /&gt;
&lt;/a&gt;

&lt;p&gt;August 2010&lt;/p&gt;
&lt;p&gt;Fantastic and very complete information about network flows&lt;/p&gt;
&lt;h2&gt;Content&lt;/h2&gt;
&lt;p&gt;This book is an easy guide to the world of netflow logging and analysis. The content ranges from basic configuration of flow logging and easy customer friendly graphing methods to detailed custom reporting features in the software presented.&lt;/p&gt;
&lt;p&gt;While this book does not cover each and every netflow tool available it has a complete walk through allowing you to get started and immediately produce important information for decision makers and troubleshooting.&lt;/p&gt;
&lt;p&gt;This book also covers some details that a lot of beginning network people haven&#39;t noticed yet, but which are critical for doing netflow analysis. Things like ICMP types and codes and defining what a flow is. Michael also presents filtering and does so while showing you how to build these from simple primitives into fully working and usable examples that you can reuse in production.&lt;/p&gt;
&lt;p&gt;The chapters about reporting show both textual representations, hard numbers, and nice graphing tools - suitable for management and others not needing the same level of detail. While showing reporting he not only shows the reference, which options are available, but also interprets the sample reports.&lt;/p&gt;
&lt;p&gt;The book finishes strong by listing common use cases for netflow analysis and if you reach this level in your own network you will have improved things a lot.&lt;/p&gt;
&lt;h2&gt;Target audience&lt;/h2&gt;
&lt;p&gt;Focus in this book is on making use of data available from network devices and thus the network administrator is the one doing the actual work. If you are a decision maker you should buy this book for your network guy and benefit from the awesome output he will generate.&lt;/p&gt;
&lt;p&gt;You will need a bit of effort if you are not skilled in running tools from the command line, and setting up the tools can seem hard. Fortunately Michael Lucas has already selected a fine list of tools and how to install those.&lt;/p&gt;
&lt;p&gt;The strategy of the book is to get you up and running with netflow easily which really works. Then later when you have seen the benefit from netflow you can dig deeper and deeper into reporting and advanced filtering of the data collected.&lt;/p&gt;
&lt;h2&gt;To summarize the Good stuff&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;Short - this book is easy to read and short&lt;/li&gt;

  &lt;li&gt;Practical - if you follow the strategy and layout you will get going quickly&lt;/li&gt;

  &lt;li&gt;Very advanced and complete - given the length of the book it really has a lot of links and references&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;The Bad stuff about this book&lt;/h2&gt;
&lt;p&gt;The subject of netflow is hard to ease into and there are some great tools not described. If possible I would enjoy a follow up book that would connect netflow, intrusion detection, syslogging and monitoring with the same detail - using some selected tools.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;This book is mandatory reading for network people, even if they already use netflow. There are sure to be tips and hints that you will enjoy. I read this book in a few days, but I will use the knowledge gained for years to come.&lt;/p&gt;
&lt;h2&gt;Links&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;http://nostarch.com/networkflow.htm&quot;&gt;http://nostarch.com/networkflow.htm&lt;/a&gt; book web page and links to more resources&lt;/li&gt;
&lt;/ul&gt;
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2010/08/19/Network-flow-analysis-by-Michael-W-Lucas-review</guid>
			<pubDate>Thu, 19 Aug 2010 09:45:55 +0200</pubDate>
            <category>/Book/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/Book/2010/08/19/Network-flow-analysis-by-Michael-W-Lucas-review</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2010/08/19/Network-flow-analysis-by-Michael-W-Lucas-review?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>IPv6 is coming, except in Denmark?</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2010/07/01/IPv6-is-coming-except-in-Denmark</link>
            <description>&lt;p&gt;
IPv6 is coming, no doubt.
&lt;/p&gt;

&lt;p&gt;
The level of interest at tech news sites like &lt;a href=&quot;http://www.version2.dk/&quot;&gt;Version2.dk&lt;/a&gt; is growing - search for IPv6. The Danish Science Minister Charlotte Sahl-Madsen
was reported this week as &lt;a href=&quot;http://www.dr.dk/Nyheder/Indland/Teknologi/2010/06/28/223813.htm&quot;&gt;talking about IPv6&lt;/a&gt; (terrible article but hey, interest)
&lt;/p&gt;
&lt;p&gt;
But still the level is nowhere close to being enough. So let&#39;s get started, push IPv6 now!
&lt;/p&gt;
&lt;h2&gt;Why push IPv6&lt;/h2&gt;
&lt;p&gt;

&lt;ul&gt;
&lt;li&gt;It has gained momentum - enough that it will be the new version
&lt;li&gt;Making the transition will require some thought - better be preparing now, instead of having to quickly add IPv6
&lt;li&gt;Keep transition period short - yeah yeah, we will have IPv4 on the big internet for 10+ years, but no way in hell am I going to do dual stacking for so long.
&lt;/ul&gt;
&lt;p&gt;
I have been running IPv6 in production at home for some years, but now I am also running IPv6 in production at our company &lt;a href=&quot;http://solidonetworks.com/&quot;&gt;Solido Networks&lt;/a&gt; and I will probably switch IPv6 on by default for new customers. The old customers will soon get statistics about how many clients are asking for IPv6 AAAA records when doing lookups, and then they can select for themselves when they want to add AAAA.
&lt;/p&gt;
&lt;p&gt;
My goal will be to enable everything for IPv6 this year, and probably start turning IPv4 off on the inside next year. We have devices that can still serve users using IPv4, even if the inside is becoming IPv6-only. 
&lt;/p&gt;

&lt;h2&gt;What are others doing?&lt;/h2&gt;
&lt;p&gt;These are just a few quick examples, you can sign up for a newsletter at &lt;a href=&quot;http://www.ipv6tf.org/index.php?page=news/newsroom&quot;&gt;The IPv6 portal newsroom&lt;/a&gt; for more news about IPv6.
&lt;/p&gt;

&lt;p&gt;This one I got from QpoX on IRC and it is very nice, &lt;a href=&quot;http://www.fix6.net/archives/2010/06/29/t-mobile-is-pushing-ipv6-hard/&quot;&gt;T-Mobile is pushing IPv6. Hard&lt;/a&gt;.&lt;/p&gt;
&lt;quote&gt;
&quot;T-Mobile USA makes heavy use of NAT44 and bogon addresses. Going forward, this isn&#39;t sustainable. So they&#39;ve decided that future cellular deployments will be IPv6-only, with NAT64 to access the &quot;legacy&quot; IPv4 Internet (slides | video).&quot; 
&lt;/quote&gt;
&lt;p&gt;Wow, they are going for the full monty, so why is Denmark so far behind?&lt;/p&gt;

&lt;p&gt;
So my proposal now to you is, ask for IPv6 whenever you buy equipment, demand IPv6 when you get new devices - you are going to be using those devices for some years right?&lt;/p&gt;

&lt;p&gt;
In fact I kicked Juniper twice yesterday - because their line of SSL VPN appliances does NOT support IPv6. Yeah, that&#39;s right - I will NOT buy devices in 2010 that do not support IPv6, and I don&#39;t think you should either. What is even worse is that I cannot seem to find any information about plans to support IPv6 on those specific Juniper devices.&lt;/p&gt;
&lt;p&gt;
In other news I know that the Cisco ASA line does support IPv6 in their VPN.&lt;/p&gt;



&lt;h2&gt;Get started&lt;/h2&gt;
&lt;p&gt;
OK, let&#39;s say I have convinced some of you to look at IPv6, how do you get started? This is a short list, but should be enough for a start:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Ask your ISP for IPv6, show them you care - create demand&lt;/li&gt;
&lt;li&gt;Get IPv6 - go to a tunnel broker, &lt;a href=&quot;http://www.sixxs.net/&quot;&gt;SixXs&lt;/a&gt; and &lt;a href=&quot;http://he.net/&quot;&gt;Hurricane Electric&lt;/a&gt; are both recommended&lt;/li&gt;
&lt;li&gt;or use &lt;a href=&quot;http://en.wikipedia.org/wiki/6to4&quot;&gt;6to4&lt;/a&gt; - Uni-C has a 6to4 gateway so performance can be great, if you are close to it.&lt;/li&gt;
&lt;li&gt;Buy the O&#39;Reilly book&amp;nbsp;&lt;a href=&quot;http://oreilly.com/catalog/9780596009342/&quot;&gt;IPv6 Network Administration&lt;/a&gt; by Niall Richard Murphy, David Malone (no we don&#39;t get proceeds :-) )&lt;/li&gt;
&lt;li&gt;Join us! Join the mailing list on this site and at &lt;a href=&quot;http://digitaliser.dk/group/374895&quot;&gt;Digitaliser.dk IPv6 i Danmark&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2010/07/01/IPv6-is-coming-except-in-Denmark</guid>
			<pubDate>Thu, 1 Jul 2010 08:06:04 +0200</pubDate>
            <category>/IPv6/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/IPv6/2010/07/01/IPv6-is-coming-except-in-Denmark</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2010/07/01/IPv6-is-coming-except-in-Denmark?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>The book of Xen, review</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2010/06/24/The-book-of-Xen-review</link>
            <description>&lt;p&gt;The book of Xen: a practical guide for the system administrator by Chris Takemura and Luke S. Crawford&lt;/p&gt;
&lt;p&gt;ISBN: 978-1593271862&lt;/p&gt;
&lt;p&gt;Paperback: 312 pages&lt;/p&gt;
&lt;p&gt;Publisher: No Starch Press October 8, 2009&lt;/p&gt;
&lt;p&gt;Review by Henrik Lund Kramshoej, hlk@kramse.org&lt;/p&gt;
&lt;a href=&quot;http://www.nostarch.com/xen.htm&quot;&gt;
&lt;img src=&quot;http://blog.kramse.org/blojsom/resources/default/xen_big.png&quot; width=&quot;154&quot; height=&quot;203&quot; alt=&quot;Book of Xen cover&quot; /&gt;&lt;br /&gt;
&lt;/a&gt;
&lt;p&gt;June 2010&lt;/p&gt;
&lt;p&gt;Practical use and short cut to running Xen quickly.&lt;/p&gt;
&lt;h2&gt;Content&lt;/h2&gt;
&lt;p&gt;This book is a how-to and a Xen guru standing behind you guiding you into the wonderful world of the Xen hypervisor.&lt;/p&gt;
&lt;p&gt;Beginning from a nice and readable overview of virtualization technologies and the Xen hypervisor it goes through every major component of a Xen installation.&lt;/p&gt;
&lt;p&gt;The second chapter begins with installing Xen without too much detail and then quickly allows you to run a Xen environment - getting your feet into the matter immediately. Chapter 3 then quickly moves into the various ways you can create and install virtual systems - using easy tools, quick and dirty tools and the right ways to install systems - named domU&#39;s.&lt;/p&gt;
&lt;p&gt;The result of the first three chapters, if you follow the instructions and read the 40 pages, is that you will have Xen running. Wow, that was fun and in itself a feat. The next chapters, 4, 5 and 6, are dedicated to providing more nuts and bolts to explore the storage areas, networking options and management tools available for Xen - required reading if you expect to run Xen in production.&lt;/p&gt;
&lt;p&gt;Running Xen in production also requires you to have expert knowledge, and chapters 7, 9 and 10 contain exactly the experience from the authors, which will save a lot of your time. Since the authors have also tried Xen with other Unix-like operating systems and running various OS under Xen they give good advice on some pitfalls, and on what is possible with Xen. Since this is a moving target the content in these areas will vary according to the releases of these operating systems, but an overview is always welcome. A short chapter 11 is also included outlining the possibilities for getting a supported, commercial version of Xen, Citrix XenServer.&lt;/p&gt;
&lt;p&gt;The remaining chapters and appendixes not listed above are tips and tricks for running Xen and reference documentation allowing you to quickly find the bits you need to tune your Xen installation.&lt;/p&gt;
&lt;h2&gt;Target audience&lt;/h2&gt;
&lt;p&gt;The focus of this book is on guiding a Linux system administrator into the world of Xen. This target audience will quickly feel at home by being pointed in a specific direction in the first chapters and then having all the options presented afterwards. The compressed version of all the existing material regarding Xen will allow even a busy administrator to pick up the book and install a Xen server while the advanced chapter will allow them to change bits and pieces later.&lt;/p&gt;
&lt;p&gt;If you are an absolute beginner you will need to read more information about installing the example CentOS - but you will be able to get a running Xen server in a short while.&lt;/p&gt;
&lt;h2&gt;Practical book&lt;/h2&gt;
&lt;p&gt;The structure of this book is very workbook-like and encourages you to run the many examples and experiment while doing them. Each one of the labs can also be performed in a short while allowing you to make use of short breaks from other stuff and do these.&lt;/p&gt;
&lt;p&gt;The book does not have a lot of pages, but a lot of insight and the author clearly has great knowledge and experience in the reverse engineering arena. He also brings you up to speed by allowing you to start running the programs immediately, and while they run you can read the manuals on how to do more advanced stuff by yourself later :-)&lt;/p&gt;
&lt;p&gt;The techniques and methods described will also allow you to dive into programs that are not meant for debugging, because the author describes how to attack programs - while manuals typically tell you what options you have, but not the situations you should use those options.&lt;/p&gt;
&lt;h2&gt;To summarize the Good stuff&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;Short - this book is short, so you can actually finish it&lt;/li&gt;

  &lt;li&gt;Practical - using the procedures described you will easily get some things running&lt;/li&gt;

  &lt;li&gt;Complete - this book is very complete in that it describes enough for you to use Xen&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;The Bad stuff about this book&lt;/h2&gt;
&lt;p&gt;The subject of Xen and virtualization moves very quickly so by the time you have finished the book there will probably be more features available in the world of Xen. The good part though is that you have an understanding of the basics, to allow you to learn the rest for yourself.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;This book is highly recommended if you, like me, have a hard time getting started with Xen. The book outlines the steps for an easy start and gives you in-depth basic knowledge of Xen. Even though the book was published years ago the advice is sound and enough to get you started using Xen.&lt;/p&gt;
&lt;p&gt;I noticed that some updates are available, but I don&#39;t think I really needed them while installing my Xen setups - I did a few to make use of more of the book :-)&lt;/p&gt;
&lt;h2&gt;Links&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.nostarch.com/xen.htm&quot;&gt;http://www.nostarch.com/xen.htm&lt;/a&gt; book web page and links to a few updates&lt;/li&gt;

  &lt;li&gt;&lt;a href=&quot;http://xen.org/&quot;&gt;http://xen.org/&lt;/a&gt; home of the Xen hypervisor&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://book.xen.prgmr.com/mediawiki/index.php/Errata&quot;&gt;http://book.xen.prgmr.com/mediawiki/index.php/Errata&lt;/a&gt; Book updates
&lt;/ul&gt;
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2010/06/24/The-book-of-Xen-review</guid>
			<pubDate>Thu, 24 Jun 2010 09:22:13 +0200</pubDate>
            <category>/Book/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/Book/2010/06/24/The-book-of-Xen-review</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2010/06/24/The-book-of-Xen-review?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>Juniper SRX210 Junos 10.2 flow based IPv6 forwarding</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2010/06/02/Juniper-SRX210-Junos-10-2-flow-based-IPv6-forwarding</link>
            <description>&lt;p&gt;I have previously talked about Juniper SRX and IPv6 forwarding, where it is possible to get them to forward IPv6 packets. In packet-based mode:&lt;/p&gt;
&lt;pre&gt;
[edit security forwarding-options]
hlk@bender# show
family {
    inet6 {
        mode packet-based;
    }
}
&lt;/pre&gt;
&lt;p&gt;I was thus very interested when I got hold of the release notes for JUNOS 10.2 which described flow-based forwarding. I downloaded the 10.2 release and upgraded my small test system which is a SRX210B - low memory model. It needed some cleanup to free space, and the update went smoothly - but slowly! Good dammmmmn slow!&lt;/p&gt;
&lt;p&gt;But sorry, getting ahead of myself here. To change your SRX device into flow-based go to security and forwarding options:&lt;/p&gt;
&lt;pre&gt;
[edit security forwarding-options]
hlk@bender# set family inet6 mode flow-based
[edit security forwarding-options]
hlk@bender# exit
[edit]
hlk@bender# commit
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
commit complete
[edit]
&lt;/pre&gt;&lt;br /&gt;


&lt;p&gt;
Then reboot using:
&lt;/p&gt;

&lt;pre&gt;
hlk@bender# exit 
Exiting configuration mode

hlk@bender&gt; request system reboot 
Reboot the system ? [yes,no] (no) yes 

Shutdown NOW!
[pid 1274]

hlk@bender&gt;                                                                                
*** FINAL System shutdown message from hlk@bender ***                        
System going down IMMEDIATELY                                                      
&lt;/pre&gt;

&lt;p&gt;
and you are done - and have an IPv6 capable firewall :-)&lt;/p&gt;

&lt;p&gt;
I will suggest that you try to change this option immediately after upgrading, so consider this post a heads-up for that :-) Especially since it takes about 5 minutes from reboot requested until system is running again - maybe my configuration is somehow borken?!
&lt;/p&gt;
                                                                      
                                                        
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2010/06/02/Juniper-SRX210-Junos-10-2-flow-based-IPv6-forwarding</guid>
			<pubDate>Wed, 2 Jun 2010 11:50:46 +0200</pubDate>
            <category>/IPv6/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/IPv6/2010/06/02/Juniper-SRX210-Junos-10-2-flow-based-IPv6-forwarding</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2010/06/02/Juniper-SRX210-Junos-10-2-flow-based-IPv6-forwarding?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>work work work 2010 is busy!</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2010/04/28/work-work-work-2010-is-busy</link>
            <description>&lt;p&gt;Wauw its been a while!&lt;/p&gt;
&lt;p&gt;I will start blogging RSN, so watch out - just checking that everything is still running smoothly with the Ecto blog editor.&lt;/p&gt;
&lt;p&gt;I have a few book reviews, done - but not posted&lt;/p&gt;
&lt;p&gt;I have done a lot of amazing stuff lately, ok maybe not epic - but funny things that I would like to share.&lt;/p&gt;
&lt;p&gt;Tonight is also DNSSEC at BSD-DK, so maybe we will meet?&lt;/p&gt;
&lt;p&gt;Ohh and BTW, communication from me on blog, twitter, company homepage, etc. is going to be in English from now on. Tired of writing things in two languages!&lt;/p&gt;
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2010/04/28/work-work-work-2010-is-busy</guid>
			<pubDate>Wed, 28 Apr 2010 10:59:32 +0200</pubDate>
            <category>/Work/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/Work/2010/04/28/work-work-work-2010-is-busy</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2010/04/28/work-work-work-2010-is-busy?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>DNSSEC in your BIND</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2010/01/09/DNSSEC-in-your-BIND</link>
            <description>&lt;p&gt;
This is a blog entry I have wanted to write for so loooong, and why didn&#39;t I?
&lt;/p&gt;
&lt;p&gt;
Perhaps because I thought it would be hard and complex, but it isn&#39;t hard to DNSSEC enable your resolving/caching nameserver!
&lt;/p&gt;
&lt;p&gt;
Luckily for me Tykling has done all the hard work and thus I asked him and he helped me :-)
&lt;/p&gt;
&lt;p&gt;
So this entry is a 3..2..1 step to DNSSEC enabling your resolving/caching BIND DNS server. Mine runs on OpenBSD with the built-in
chrooted BIND, so the config is in &lt;b&gt;/var/named/etc/named.conf&lt;/b&gt; and the resulting parts are:
&lt;/p&gt;

&lt;h2&gt;Step 1 - enable DNSSEC&lt;/h2&gt;
&lt;p&gt;
To enable DNSSEC, add the option dnssec-enable yes, *doh* sounds easy and it is!&lt;/p&gt;
&lt;p&gt;
But since DNSSEC is not implemented on all domains and TLDs there is a 
DNSSEC Look-aside Validation which can be enabled, and you can read more about it at &lt;a href=&quot;https://www.isc.org/solutions/dlv&quot;&gt;ISC.org&lt;/a&gt;. To use it in BIND just add 
the DNSSEC options for DLV also, and my options in named.conf became:
&lt;/p&gt;
&lt;pre&gt;
options {
        random-device &quot;/dev/random&quot;;
        directory &quot;/&quot;;
        //listen-on    { any; };
        listen-on    { 10.0.42.1; };
        listen-on-v6 { any; };
        version &quot;&quot;;     // remove this to allow version queries
        allow-query { any; };
        //allow-recursion { clients; };
        allow-recursion { localnets; }; 
        
        #dnssec stuff
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside . trust-anchor dlv.isc.org.;
};
&lt;/pre&gt;
&lt;p&gt;
Remember to also add the DLV key:
&lt;/p&gt;
&lt;pre&gt;
trusted-keys {
        dlv.isc.org. 257 3 5 &quot;BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8
+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y6
2ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh&quot;;
};
&lt;/pre&gt;

&lt;h2&gt;Step 2 - enable logging and reload&lt;/h2&gt;
&lt;p&gt;
Then I recommend adding/changing your logging, to see if it all is okay - remember to turn off logging you don&#39;t want afterwards!
&lt;/p&gt;
&lt;pre&gt;
logging {
        category lame-servers { null; };
        #category &quot;default&quot; { default_log; };
        category &quot;default&quot; { null; };
        category &quot;general&quot; { null; };
        category &quot;resolver&quot; { null; };
        category &quot;queries&quot; { null; };
        #category dnssec { dnssec_log; };
        category dnssec { null; };
        category &quot;unmatched&quot; { null; };
        category &quot;notify&quot; { null; };
        category &quot;xfer-out&quot; { null; };
      channel default_log {
            syslog local5;
            print-category yes;
            print-severity yes;
            severity debug 3;
      };
      channel dnssec_log {
            syslog local5;
            print-category yes;
            print-severity yes;
            severity debug 3;
      };

};
&lt;/pre&gt;
&lt;p&gt;
This concludes the changes to the BIND config, and you can reload - using &lt;b&gt;rndc reload&lt;/b&gt; is the recommended way. If you haven&#39;t configured rndc then do that while you are messing with BIND :-) Information about rndc, rndc-confgen etc. can be found in the &lt;a href=&quot;https://www.isc.org/software/bind/documentation/arm94&quot;&gt;official BIND documentation&lt;/a&gt;.
&lt;/p&gt;
&lt;p&gt;
I also had to flush before it worked for me, so please do a &lt;b&gt;rndc flushname isc.org&lt;/b&gt; before doing the testing :-)
&lt;/p&gt;


&lt;h2&gt;Step 3 - testing with dig +dnssec&lt;/h2&gt;

Testing can be done using dig and isc.org, such as: &lt;b&gt;dig +dnssec isc.org&lt;/b&gt; which should return something like this - note the &lt;b&gt;flags: qr rd ra ad&lt;/b&gt;
&lt;pre&gt;
hlk@bigfoot:hlk$ dig +dnssec isc.org

; &lt;&lt;&gt;&gt; DiG 9.6.0-APPLE-P2 &lt;&lt;&gt;&gt; +dnssec isc.org
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 6172
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 15

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.			IN	A

;; ANSWER SECTION:
isc.org.		5858	IN	A	149.20.64.42
isc.org.		5858	IN	RRSIG	A 5 2 43200 20100204224723 20100105224723 8496 isc.org. dlNvDaFZz5j+t5ofBf3qxXzGBuU4GcSXp8CG88VNV0Gq6jQ1q9i3JR8v DAltKQDrqU4HF0Lb4j6esDG0LchxDPtKkSsXSOK7kkWKyHOAH6PyZJV7 pnHkPbTi34/JVeAIQbtTsBKVgpCDWRZQf+n+XRXJLeXR+J8YEmYZbaw1 byA=
isc.org.		5858	IN	RRSIG	A 5 2 43200 20100204224723 20100105224723 60726 isc.org. qPCMrR7ZU9m5I6YRWpkZAaOG2tuROiTpNUHEYfDTv6OefvZ+Gza8LnzL 1jc4FloQ7QnoD77yRWFX4kb2tHTL2UtwecxGDdNdlXJz+plvkkkNzoZQ ZmFcPIQyI7HgseEU7CDQti/SCOKQauy5b/C9/vyNTYdI3eUAUxFuMchn 7+4=

;; AUTHORITY SECTION:
isc.org.		85058	IN	NS	sfba.sns-pb.isc.org.
isc.org.		85058	IN	NS	ns.isc.afilias-nst.info.
isc.org.		85058	IN	NS	ams.sns-pb.isc.org.
isc.org.		85058	IN	NS	ord.sns-pb.isc.org.
isc.org.		41858	IN	RRSIG	NS 5 2 43200 20100204224723 20100105224723 8496 isc.org. kunUxOBMfD3KKzz+KSKcPBUH4MpP0bsDAf/sDrm46TdOgnAhAIwUsIyX 5Fmu4zZq+98SJvinGZBqZRL6PNkIXpgAdA8veQkfXmrI+15j9lt2rLCA 9nqpTI1pNpYcQn9xwa6LaZff3Iczwgp+nuk1K3QNA7nDbxvoT/WVy66p tkE=
isc.org.		41858	IN	RRSIG	NS 5 2 43200 20100204224723 20100105224723 60726 isc.org. ULyIuNNZuwbEYPJARrqODsz4p8NNevFlcNSFa7cH5py/Z5ryh7somzv/ F4RsYWNcjMIHwXIWuocBOJuPItd4o6ScAxZhZWqVU2JktPENTYK8DeH5 MRlIZ9ybbNNQTJOsoboBSqdLfsKxqJpVHWbD/bYY4wk1piIvU2FWyU1+ LCQ=

;; ADDITIONAL SECTION:
ns.isc.afilias-nst.info. 83696	IN	A	199.254.63.254
ns.isc.afilias-nst.info. 83696	IN	AAAA	2001:500:2c::254
ams.sns-pb.isc.org.	83696	IN	A	199.6.1.30
ord.sns-pb.isc.org.	83696	IN	A	199.6.0.30
sfba.sns-pb.isc.org.	83696	IN	A	149.20.64.3
sfba.sns-pb.isc.org.	40496	IN	AAAA	2001:4f8:0:2::19
ams.sns-pb.isc.org.	40496	IN	RRSIG	A 5 4 43200 20100204224723 20100105224723 8496 isc.org. Xy6vkzeaEyCDLKsd6j8e3cdoNjSRcRAz62j1+6+UskWMjK2KA7sTiGDL MqYqQmclPB+T5RTKEG8yp/EJajlJ4YfTHI9FAJ6ZVlY9gnMhGxlt4nXc oB0wG4NYjWWk0htXK3c3AFNDTKon/hjC/1ADVf3jQ8f3L7hyYR/GONi8 nnM=
ams.sns-pb.isc.org.	40496	IN	RRSIG	A 5 4 43200 20100204224723 20100105224723 60726 isc.org. rr1JzQ0CmcShnEgWcvQWmwcLrJ5w+YrPDBfyKW2KDnWlF/PlMhgZ1dZG WkuMdy5W7ctEBQIFaONsOhqmkmBv+qpuns0Zi7UvHLic5Ue4ejEqRXRg 9T+AfwAC9mhsSKqVk++mk9CsvVWS5IAuInp1RjrSnKSN40h1nLxqB1Gu P2U=
ord.sns-pb.isc.org.	40496	IN	RRSIG	A 5 4 43200 20100204224723 20100105224723 8496 isc.org. tyYY1ai9P8RF5W0Uh77TDvK7EP9wQhZvI3SiKpqyBFUZFZgconO9RT4m WFpA/qMjyOZkQpiF2XYrLnhB/inom0oPoP3bEtmz/bGGfuA3+A37Xt4O +0wlP4dUABbRiVfZaq0OLLgGuARb3MId/0U0nfOZzEI2HE8XJ6CU1lfr 3wQ=
ord.sns-pb.isc.org.	40496	IN	RRSIG	A 5 4 43200 20100204224723 20100105224723 60726 isc.org. Nh30w6C2qdo/4i+SGgAZTVTO3DgS26VaqNKn4D22F3XMzaB/NUKHTmfV CQAHcP2H1Nhe4wKpBT5dgA5V3mVy8AQx3hqUIM8v0sC30+wA2cWo21W2 WiM+JMRvgnVUPsakf3cC/4mnkCMaCtOAz1qCp/YejW/o4oQw/JElcB+Z opk=
sfba.sns-pb.isc.org.	40496	IN	RRSIG	A 5 4 43200 20100204224723 20100105224723 8496 isc.org. UtMbLiGx6wYueq1BKK2xxqRzwMFG5mGhEbRedebCN/9xIffNddXejgjB 7M5K7t3Lnw4xbuLUS6a4QXp1HeEjs0/ZvSSe8/SQ2F4ss5kXltsqB0Uw NAofTaKVt29sHKFbeCR9jQZQ5veSAYA2SIRuiMU0Xo2zYHCEQS8sJ0wp ORs=
sfba.sns-pb.isc.org.	40496	IN	RRSIG	A 5 4 43200 20100204224723 20100105224723 60726 isc.org. sB1jkBcC0Q2+aeUwKU7QtIX1iGpmykDCYKqjKg28iZyMkfDG/YQUexh7 qZyZWzggWK/uhMNbV2yI4MtLpr4cdlO+f6b6lsXOA5p2BAMo3xkC+4a+ w6tm1jUZKvUOwPIqGlokiP80GKa27XqqRi/2/MqbuypbmhkH0NIUMUfc N4g=
sfba.sns-pb.isc.org.	40496	IN	RRSIG	AAAA 5 4 43200 20100204224723 20100105224723 8496 isc.org. ksZMMvnO8DliFjtXOiB2Qa6+n000DA/glF+qsxG/3Pd7y4j70UY8XjGB mJunm2jsDK6JsXdVDIGZK4qErE0sWDCj0kYoL9nkOPbB/PGVsfMpJ57f ZSc5OcOFunevHkoq/Q3ptTNxI+OrVIMVI+IKqtr8FsCyP4aCKBh6D84I GhU=
sfba.sns-pb.isc.org.	40496	IN	RRSIG	AAAA 5 4 43200 20100204224723 20100105224723 60726 isc.org. puTPShhX8KT7ufaPNkRPVjli2Iavnayn86ygUdIpsTisQYf72Gj63yTc NC46hiz7rXOgE5DizNj22UFKJWjhDuCBPGTYB7OEDVShLZglJeqfWfxt 2DRK7cvweORlUT7spPam8d0AmoioUOwe/drwbWPnNg7jW7Z8oiPPb74E ZcE=

;; Query time: 12 msec
;; SERVER: 10.0.42.1#53(10.0.42.1)
;; WHEN: Sat Jan  9 15:42:12 2010
;; MSG SIZE  rcvd: 2275
&lt;/pre&gt;
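&lt;p&gt;The check in step 3, written out as a small script (an added example, not part of the original post): it reads saved &lt;b&gt;dig +dnssec&lt;/b&gt; output and reports whether the resolver actually validated the answer. The sample responses are constructed and abridged, and the function names and verdict strings are this example&#39;s own.&lt;/p&gt;

```python
import re

# Constructed records; the signature field is a placeholder, not a real RRSIG.
A_REC = "isc.org.  5858  IN  A  149.20.64.42"
SIG_REC = ("isc.org.  5858  IN  RRSIG  A 5 2 43200 20100204224723 "
           "20100105224723 8496 isc.org. c2lnbmF0dXJl")


def make_sample(status, flags, answer_lines):
    """Build a constructed, abridged `dig +dnssec` response for the demo."""
    lines = [
        ";; Got answer:",
        ";; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: %s, id: 6172" % status,
        ";; flags: %s; QUERY: 1, ANSWER: %d, AUTHORITY: 0, ADDITIONAL: 1"
        % (flags, len(answer_lines)),
        "",
        ";; OPT PSEUDOSECTION:",
        "; EDNS: version: 0, flags: do; udp: 4096",
        ";; QUESTION SECTION:",
        ";isc.org.            IN  A",
        "",
    ]
    if answer_lines:
        lines += [";; ANSWER SECTION:"] + answer_lines
    return "\n".join(lines) + "\n"


def parse_dig(text):
    """Extract status, header flags, EDNS flags and answer record types."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    edns = re.search(r"^; EDNS: .*flags:\s*([a-z ]*);", text, re.M)
    answer_types = []
    section = None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]      # QUESTION, ANSWER, ...
            continue
        if section == "ANSWER" and line and not line.startswith(";"):
            # Record layout: name ttl class type rdata...
            answer_types.extend(line.split()[3:4])
    return {
        "status": status.group(1) if status else None,
        "flags": flags.group(1).split() if flags else [],
        "edns_flags": edns.group(1).split() if edns else [],
        "answer_types": answer_types,
    }


ADVICE = {
    "validated": "ad flag set: the resolver validated the answer",
    "signed-not-validated": "RRSIGs present but no ad flag: check "
                            "dnssec-validation, the trust anchor, flush cache",
    "unsigned": "no RRSIG in the answer: the zone does not appear signed",
    "no-do": "no do flag in the response: was the query sent with +dnssec?",
    "servfail": "SERVFAIL: a validating resolver answers this way when "
                "validation fails",
}


def assess(text):
    """Return a verdict key from ADVICE for one dig response."""
    r = parse_dig(text)
    if r["status"] == "SERVFAIL":
        return "servfail"
    if "do" not in r["edns_flags"]:
        return "no-do"
    if "ad" in r["flags"]:
        return "validated"
    if "RRSIG" in r["answer_types"]:
        return "signed-not-validated"
    return "unsigned"


VALIDATED = make_sample("NOERROR", "qr rd ra ad", [A_REC, SIG_REC])
NOT_VALIDATED = make_sample("NOERROR", "qr rd ra", [A_REC, SIG_REC])
UNSIGNED = make_sample("NOERROR", "qr rd ra", [A_REC])
FAILED = make_sample("SERVFAIL", "qr rd ra", [])

if __name__ == "__main__":
    for name, text in [("validated", VALIDATED), ("cold", NOT_VALIDATED),
                       ("unsigned", UNSIGNED), ("failed", FAILED)]:
        verdict = assess(text)
        print("%-10s %s: %s" % (name, verdict, ADVICE[verdict]))
```

&lt;p&gt;When the verdict is servfail, repeating the query with &lt;b&gt;dig +dnssec +cdflag&lt;/b&gt; shows whether the data comes back once checking is disabled, which points at validation rather than reachability.&lt;/p&gt;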

&lt;p&gt;
That&#39;s all, and copy-pasting the blog entry took longer than actually doing it :-)
Thanks to Tykling, now I will go bother him to help me get a domain configured with DNSSEC.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;
PS: since there are some problems with firewalls and filtering of IPv6 fragments, .org domains don&#39;t work after doing the above - Tykling has a workaround for PF, YMMV&lt;/b&gt;
and expect another blog entry later about that.&lt;/p&gt;
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2010/01/09/DNSSEC-in-your-BIND</guid>
			<pubDate>Sat, 9 Jan 2010 12:56:23 +0100</pubDate>
            <category>/Internet/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/Internet/2010/01/09/DNSSEC-in-your-BIND</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2010/01/09/DNSSEC-in-your-BIND?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>Christmas tip 12: SYN scan IPv6 with scapy</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2009/12/14/Juletip-12-SYN-scan-IPv6-with-scapy</link>
            <description>&lt;p&gt;
So the time has come to write the next entry; bummer how time flies when you are having fun - or working.
&lt;/p&gt;
&lt;p&gt;
The planned entries are also taking longer than expected, maybe because I am having such a good time playing :-) The plan for the remaining entries is some really down-to-earth examples with packets, for real purposes. That is, examples of programs that you can actually use in your existing arsenal along with Nmap, Python, Perl, Nemesis etc.
&lt;/p&gt;
&lt;p&gt;
The first one that has become more or less finished is a cute little IPv6 port scanner, which can easily be extended with more functionality. The idea of the port scanner is to scan ports over IPv6 with SYN packets - where, for example, Nmap scans with connect scans :-). Let us not drag it out any longer, I am already behind as it is:
&lt;/p&gt;
&lt;pre&gt;
#! /usr/local/bin/python2.5
# Simple SYN portscanner for IPv6
# Henrik Kramshoej, december 2009
import sys
from scapy.all import *

def main():
	from optparse import OptionParser
    
	parser = OptionParser()
	parser.add_option(&quot;-d&quot;, &quot;--dest&quot;,
                      dest=&quot;target&quot;, default=&quot;::1&quot;,
                      help=&quot;Target for port scan&quot;)
	parser.add_option(&quot;-g&quot;, &quot;--source-port&quot;,
                      dest=&quot;sport&quot;, default=23, type=&quot;int&quot;,
                      help=&quot;Use given port as source port&quot;)
	parser.add_option(&quot;-1&quot;, &quot;--port1&quot;,
                      dest=&quot;port1&quot;, default=1,
                      help=&quot;Starting port in port range to scan.&quot;)
	parser.add_option(&quot;-2&quot;, &quot;--port2&quot;,
                      dest=&quot;port2&quot;, default=10,
                      help=&quot;End port in port range to scan.&quot;)
	(options, args) = parser.parse_args()

	print &quot;Simple IPv6 SYN Portscanner&quot;
	print &quot;Target: &quot;+ str(options.target) + &quot; ports: &quot; + str(options.port1) + &quot;-&quot;+ str(options.port2)
	a=IPv6(nh=06, dst=options.target, version=6L, hlim=255, fl=0L)
	print a.show()
	b=TCP(sport=options.sport, dport=(int(options.port1),int(options.port2)))
	ans,unans=sr(a/b)
	
	print &quot;Source\t\t\tport\t\tflags&quot;
	ans.summary( lambda(s,r) : r.sprintf(&quot;%IPv6.src% {TCP:%TCP.sport%}\t{ICMP:%ICMP.type%}\t{TCP:%TCP.flags%}&quot;))
main()
&lt;/pre&gt;
&lt;p&gt;Get it at &lt;a href=&quot;http://www.kramse.org/files/tools/net/misc/syn6can.py&quot;&gt;http://www.kramse.org/files/tools/net/misc/syn6can.py&lt;/a&gt;
When you run the program against one of my OpenBSD servers you get (port 37 is open):
&lt;/p&gt;
&lt;pre&gt;
hlk@bigfoot:scapy$ sudo  ./syn6can.py -d 2001:16d8:dd0f:cf0f::1 -1 30 -2 38 
Simple IPv6 SYN Portscanner
Target: 2001:16d8:dd0f:cf0f::1 ports: 30-38
###[ IPv6 ]###
  version= 6L
  tc= 0
  fl= 0L
  plen= None
  nh= TCP
  hlim= 255
  src= 2001:16d8:dd0f:cf0f:223:6cff:fe9a:f52c
  dst= 2001:16d8:dd0f:cf0f::1
None
Begin emission:
...*.*.*Finished to send 9 packets.
.*.*.*.*.*..*
Received 21 packets, got 9 answers, remaining 0 packets
Source			port		flags
2001:16d8:dd0f:cf0f::1 30		RA
2001:16d8:dd0f:cf0f::1 msg_auth		RA
2001:16d8:dd0f:cf0f::1 32		RA
2001:16d8:dd0f:cf0f::1 dsp		RA
2001:16d8:dd0f:cf0f::1 34		RA
2001:16d8:dd0f:cf0f::1 35		RA
2001:16d8:dd0f:cf0f::1 36		RA
2001:16d8:dd0f:cf0f::1 time		SA
2001:16d8:dd0f:cf0f::1 38		RA
&lt;/pre&gt;
&lt;p&gt;
and with Wireshark you can see that it is a SYN scan, with most ports answering with RESET - except &quot;time&quot;:
&lt;/p&gt;

&lt;img src=&quot;http://blog.kramse.org/blojsom/resources/default/syn6can-1.png&quot; width=&quot;800&quot; alt=&quot;syn6can-1.png&quot; /&gt;
&lt;p&gt;
What the program currently lacks, though:
&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;More options would be nice, among other things parsing of Nmap-style port numbers along the lines of: -p1-1024,1580,6000-6010
&lt;li&gt;Maybe some OS detection - with p0f?
&lt;li&gt;Nicer presentation of the results, so you get the port number both as a number and as text, &quot;37 vs time&quot;
&lt;/ul&gt;
&lt;p&gt;
Today&#39;s conclusion is that you can indeed use Mac OS X with Scapy 2.0.1 from MacPorts, but you have to remember to call the right python - check this before you run the programs! Likewise there is something to learn about option parsing and Python - in which I am still a beginner. The program above is actually wildly advanced, but Scapy does a large part of the work for us. Who would have thought you could write a port scanner in so few lines?
&lt;/p&gt;
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2009/12/14/Juletip-12-SYN-scan-IPv6-with-scapy</guid>
			<pubDate>Mon, 14 Dec 2009 17:57:20 +0100</pubDate>
            <category>/Tools/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/Tools/2009/12/14/Juletip-12-SYN-scan-IPv6-with-scapy</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2009/12/14/Juletip-12-SYN-scan-IPv6-with-scapy?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>Email address change for Henrik Kramshoej</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2009/12/14/Email-address-change-for-Henrik-Kramshoej</link>
            <description>&lt;p&gt;
Hi There 
&lt;/p&gt;
&lt;p&gt;
I am changing my email address, the one I thought I would keep until I die ... hlk@kramse.dk
&lt;/p&gt;
&lt;p&gt;
You should update your address book if you want to continue sending me email. The new address is:
hlk&lt;b&gt;@&lt;/b&gt;kramse.org&lt;/p&gt;
&lt;p&gt;
The new address has been available for some time and the old one will be removed December 2010&lt;/p&gt;
&lt;p&gt;
Thanks in advance Henrik
&lt;/p&gt;
&lt;p&gt;
PS You can always find updated contact information at: &lt;a href=&quot;http://kramshoej.tel&quot;&gt;http://kramshoej.tel&lt;/a&gt;
&lt;/p&gt;
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2009/12/14/Email-address-change-for-Henrik-Kramshoej</guid>
			<pubDate>Mon, 14 Dec 2009 07:16:24 +0100</pubDate>
            <category>/Tools/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/Tools/2009/12/14/Email-address-change-for-Henrik-Kramshoej</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2009/12/14/Email-address-change-for-Henrik-Kramshoej?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
                        <item>
            <title>Christmas tip 11: N900 tcpdump</title>
            <link>http://blog.kramse.org/blojsom/blog/default/2009/12/12/Juletip-11-N900-tcpdump</link>
            <description>&lt;p&gt;
Update 15:14: I am an idiot, tcpdump works - if you pick the right interface :-)
&lt;/p&gt;
&lt;p&gt;
Oops, I think Santa Claus came by, because I have gotten hold of an N900 to play with a bit :-)
&lt;/p&gt;
&lt;p&gt;
I have previously talked a fair bit about my Nokia N810, which I have played with quite a lot, with tcpdump, airodump, etc. - it is a sweet little hacker platform. It is, however, somewhat limited, with these &lt;a href=&quot;http://europe.nokia.com/get-support-and-software/product-support/nokia-n810/specifications&quot;&gt;specs&lt;/a&gt;:
&lt;ul&gt;
&lt;li&gt;Processor: TI OMAP 2420, 400 MHz
&lt;li&gt;Memory: DDR RAM 128MB
&lt;li&gt;Flash: 256MB
&lt;li&gt;Storage: Up to 2GB internal memory
&lt;/ul&gt;
&lt;p&gt;
But it works fine - except that Metasploit is too slow, though it &lt;i&gt;can&lt;/i&gt; start up.
&lt;/p&gt;
&lt;p&gt;
Well, a Nokia N900 apparently has these &lt;a href=&quot;http://maemo.nokia.com/n900/specifications/&quot;&gt;specs&lt;/a&gt;:
&lt;ul&gt;
&lt;li&gt;Processor: TI OMAP 3430: ARM Cortex-A8 600 MHz
&lt;li&gt;Graphics: PowerVR SGX with OpenGL ES 2.0 support
&lt;li&gt;Memory: Up to 1GB of application memory (256 MB RAM, 768 MB virtual memory)
&lt;/ul&gt;
&lt;p&gt;
Vrooooom, I think immediately - besides, an N900 is also a phone. So in goes a SIM card, which I did yesterday after a 12-hour workday. Sorry, that is why the Christmas tips are delayed, but they are coming!
&lt;/p&gt;

&lt;p&gt;
If you come across an N900 there are a few tips, though; among other things you need to add more repositories. The most important one for the Christmas calendar is probably &lt;a href=&quot;http://wiki.maemo.org/Documentation/devtools/maemo5#Installation&quot;&gt;fremantle tools&lt;/a&gt;, which among other things gives you tcpdump :-).
&lt;/p&gt;
&lt;pre&gt;
Nokia-N900-42-11:~# apt-get install tcpdump
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libpcap0.8
The following NEW packages will be installed:
  libpcap0.8 tcpdump
0 upgraded, 2 newly installed, 0 to remove and 2 not upgraded.
Need to get 404kB of archives.
After this operation, 926kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
WARNING: The following packages cannot be authenticated!
  libpcap0.8 tcpdump
Install these packages without verification [y/N]? y
Get:1 http://repository.maemo.org fremantle/tools/free libpcap0.8 0.9.8-5+0m5 [93,9kB]
Get:2 http://repository.maemo.org fremantle/tools/free tcpdump 3.9.5-2osso2 [310kB]
Fetched 404kB in 0s (629kB/s)
Selecting previously deselected package libpcap0.8.
(Reading database ... 22804 files and directories currently installed.)
Unpacking libpcap0.8 (from .../libpcap0.8_0.9.8-5+0m5_armel.deb) ...
Selecting previously deselected package tcpdump.
Unpacking tcpdump (from .../tcpdump_3.9.5-2osso2_armel.deb) ...
Setting up libpcap0.8 (0.9.8-5+0m5) ...
Setting up tcpdump (3.9.5-2osso2) ...
&lt;/pre&gt;
&lt;p&gt;
NB: the above is copy-pasted from an SSH session; of course I have installed gainroot and the OpenSSH server as well :-) After that you can start tcpdump as usual:
&lt;/p&gt;
&lt;pre&gt;
Nokia-N900-42-11:~# tcpdump -n icmp
tcpdump: WARNING: wmaster0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wmaster0, link-type IEEE802_11 (802.11), capture size 96 bytes
13:32:03.561267 IP 10.0.42.104 &gt; 10.0.42.95: ICMP echo reply, id 34528, seq 0, length 64
13:32:04.600025 IP 10.0.42.104 &gt; 10.0.42.95: ICMP echo reply, id 34528, seq 1, length 64
13:32:05.514087 IP 10.0.42.104 &gt; 10.0.42.95: ICMP echo reply, id 34528, seq 2, length 64
13:32:06.545337 IP 10.0.42.104 &gt; 10.0.42.95: ICMP echo reply, id 34528, seq 3, length 64
&lt;/pre&gt;
&lt;p&gt;
&lt;strike&gt;Hmm, something is wrong - because we only see the packets going out of our interface. Darn, that limits the usefulness quite a bit - it goes on the to-do list. My N810 sniffs fine with tcpdump, dsniff, etc. - just as an Nmap scan is easily run on that platform.
&lt;/strike&gt;&lt;/p&gt;
&lt;p&gt;
Tcpdump works if you choose the interface wlan0, that is &lt;b&gt;tcpdump -ni wlan0&lt;/b&gt;&lt;/p&gt;


&lt;img src=&quot;http://blog.kramse.org/blojsom/resources/default/n900-tcpdump.png&quot; width=&quot;500&quot; alt=&quot;n900-tcpdump.png&quot; /&gt;



&lt;p&gt;
But another tool can be installed from the same repository: hcidump from the package bluez-hcidump, which contains tools from &lt;a href=&quot;http://www.bluez.org/&quot;&gt;http://www.bluez.org/&lt;/a&gt; - and presto, I have (finally) gotten hold of a Bluetooth sniffer tool.

&lt;/p&gt;

&lt;pre&gt;
Nokia-N900-42-11:~# hcidump -?
HCI sniffer - Bluetooth packet analyzer ver 1.42
hcidump: invalid option -- ?
Usage: hcidump [OPTION...] [filter]
  -i, --device=hci_dev       HCI device
  -l, --snap-len=len         Snap len (in bytes)
  -p, --psm=psm              Default PSM
  -m, --manufacturer=compid  Default manufacturer
  -w, --save-dump=file       Save dump to a file
  -r, --read-dump=file       Read dump from a file
  -s, --send-dump=host       Send dump to a host
  -n, --recv-dump=host       Receive dump on a host
  -d, --wait-dump=host       Wait on a host and send
  -t, --ts                   Display time stamps
  -a, --ascii                Dump data in ascii
  -x, --hex                  Dump data in hex
  -X, --ext                  Dump data in hex and ascii
  -R, --raw                  Dump raw data
  -C, --cmtp=psm             PSM for CMTP
  -H, --hcrp=psm             PSM for HCRP
  -O, --obex=channel         Channel for OBEX
  -P, --ppp=channel          Channel for PPP
  -D, --pppdump=file         Extract PPP traffic
  -A, --audio=file           Extract SCO audio data
  -B, --btsnoop              Use BTSnoop file format
  -V, --verbose              Verbose decoding
  -Y, --novendor             No vendor commands or events
  -N, --noappend             No appending to existing files
  -4, --ipv4                 Use IPv4 as transport
  -6  --ipv6                 Use IPv6 as transport
  -h, --help                 Give this help list
      --usage                Give a short usage message
Nokia-N900-42-11:~# hcidump -w hcidump-test.cap      
HCI sniffer - Bluetooth packet analyzer ver 1.42
device: hci0 snap_len: 1028 filter: 0x0
^C
Nokia-N900-42-11:~# ls -ltr
-rw-r--r--    1 root     root     16613337 Dec 13 13:55 hcidump-test.cap
&lt;/pre&gt;
&lt;p&gt;
I tried opening the file in Wireshark and it opens fine, but the decoding is rather basic. In the &lt;a href=&quot;http://wiki.maemo.org/Documentation/devtools/maemo5&quot;&gt;developer tools&lt;/a&gt; there are additionally arping, traceroute, etc. So the platform, which is built on Linux and, I believe, with an open source wireless driver this time!, is well on its way to becoming exciting.
&lt;/p&gt;
&lt;p&gt;
Now one could continue in the same vein and list what an N900 could be used for, but the point is (in contrast to the iPhøne) that an N900/N810 is a Linux-based platform and many of our usual tools can be compiled for this platform, with few or no changes.&lt;/p&gt;

&lt;p&gt;
The short conclusion, then, is that you do not need a whole computer, even though netbooks are small; handhelds are starting to be capable &lt;i&gt;enough&lt;/i&gt; to do pentests on the road - while playing Mahjong if anyone asks :-)&lt;/p&gt;


&lt;img src=&quot;http://blog.kramse.org/blojsom/resources/default/n900-terminal.png&quot; width=&quot;500&quot; alt=&quot;n900-terminal.png&quot; /&gt;
</description>
            <guid>http://blog.kramse.org/blojsom/blog/default/2009/12/12/Juletip-11-N900-tcpdump</guid>
			<pubDate>Sat, 12 Dec 2009 09:32:36 +0100</pubDate>
            <category>/Tools/</category>
                                        <wfw:comment>http://blog.kramse.org/blojsom/commentapi/default/Tools/2009/12/12/Juletip-11-N900-tcpdump</wfw:comment>
            <wfw:commentRss>http://blog.kramse.org/blojsom/blog/default/2009/12/12/Juletip-11-N900-tcpdump?page=comments&amp;flavor=rss2</wfw:commentRss>
                                </item>
            </channel>
</rss>

