October 2008 Archives

1.5 Factor Authentication?

By Ryan Hicks on October 23, 2008 10:03 PM | No Comments | No TrackBacks

So, with all the recent concern over PCI and similar security requirements, lots of people are considering multi-factor authentication technologies whenever the cost/convenience tradeoff makes sense.  VPN and other remote access technologies are places where this kind of technology makes good sense.  About a year ago I was asked to help implement a two factor authentication scheme for VPN using a Cisco ASA firewall.  There was a sincere desire to avoid having to pay for RSA tokens or smart cards, so we decided to use the technology that the customer had available, certificates.  In theory, one could use a certificate as something you have and then provide a username and password during x-auth as something you know

To implement this, I changes the ISAKMP profile to use RSA-SIG authentication instead of pre-shared keys.  I set up the remote access VPN as normal, including X-AUTH.  When the VPN client connected, we discovered that everything we did actually worked!  Since making something work the first time is not typically my specialty, I knew something must have been wrong.  A bit of thinking and testing later, the other shoe finally dropped!  We connected to the VPN using USER1's certificate, but tried USER2's username and password.  Much to my dismay, it worked. 

While this does technically pass the definition of two factor authentication, at least as far as the auditors are concerned, I wouldn't call it a good long term plan.  TAC to the rescue!  My confidence was shattered when I was informed that this was a new feature according to the design engineers and wouldn't be available until spring-ish 2008.  Fast forward about a year and guess where I am?  In the past few months I happened to notice a command that I thought enabled the X-AUTH username to certificate CN check.  Apparently I was wrong, as it doesn't work.  Well to be exact, the command I am referencing, username-from-certificate, works when paired with another command, pre-fill-username.  Unfortunately, but not surprisingly, the latter command only applies to WebVPN/SSLVPN!

I am planning on opening a TAC case in the morning on this as well as calling my local SE, in the mean time I am going to assume this is another sign of the death of IPSec (the other sign being no 64-bit OS support).

UPDATE: It turns out that this feature was requested and supplied in version 8.0(3) 1.  Unfortunately only for AnyConnect.  There are no plans to support the IPSec client with certificate CN validation.  Ouch, another nail in the coffin for the good old IPSec VPN client.  I guess I better spend some time snuggling up next to the WebVPN/SSL VPN command reference guides!

Cisco 4500 Intermittant High CPU Utilization

By Ryan Hicks on October 23, 2008 9:23 AM | No Comments | No TrackBacks

troubleshooting.jpgRecently a problem came up on a single site of a multi-site network.  This one site had a problem with high CPU utilization on thier Cisco 4510R layer-3 switch.  This switch is the core of this particular site, and there are other similarly configured locations with similar hardware.

Troubleshooting begins with all the usual suspects: show ver, show mod, show proc cpu, show log.  Nothing stands out except the show proc cpu shows Cat4k Mgmt LoPri is taking up 70-80% of the CPU.  I am relatively new to the Catalyst 4500 Sup 6 card, and spend most of my time on the 6500 platform.  I quickly discover that this is a process with many threads.  The details can be seen by executing a differenet command, show platform health.  This command breaks down all the different threads that make up the management processes within a Catalyst 4500 switch.  It also details target and actual CPU utilization statistics. 

In this case, I find that K5CpuMan Review is taking up a lot more CPU than it is supposed to.  Now I must say the name of this process surely means something to someone, but not to me.  Apparently this is the name of the process that handles all CPU switched packets.  (That was my first guess obviously!)  Now packets can be CPU switched for many reasons.  They might be destined for the CPU, there could be a misconfiguration, or they could be marked in a way that forces intermediate systems (routers and switches) to look at them.

The next step is to determine what traffic is being directed at the CPU and why.  This step will probably invoice some debug commands.  The good news to those out there that shiver at the idea of using debugs in a live production network is that the commands we will use have to impact on the performance of the equipment.  Essentially, the platform is doing this stuff already; the commands just make it log the information so it is visible.  Oh, these commands do NOT survive a reboot and don't show up in when a show debug is executed.  What I would like to know is why not just leave these features on all the time?  If we want to see where packets are coming from that are destined for the CPU, we execute debug platform packet all count.  After the debug has been running for a bit, we can display the results with show platform cpu packet statistics.  Unfortunately in this case nothing stands out as an obvious source for the problem. 

For grins I decided to look at some other old standby commands: show interface stats and show ip trafficshow interface stats will normally show what traffic is switched by which mechanism.  Unfortunately, process switched traffic is at 0 for all interfaces.  We did learn something though; the traffic affecting the processor is destined for the processor.  The next command, show ip traffic, is actually very telling.  Below is an example capture of what this symptom might look like.  Notice that there is a non-zero value for packets with options?  Out of the 3.4 million packets handled by the processor in this example, 1.8 million of them have an IP option defined.  Upon further examination, all of the 1.8 million packets have the router alert option defined!

LAB Router#show ip traffic
IP statistics:
  Rcvd:  3249411 total, 2367891 local destination
         0 format errors, 0 checksum errors, 200092 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 1857133 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 1857133 alert, 0 cipso, 0 ump
         0 other

I know what you are thinking, "What are IP options, and why is this important?"  Well, IP options were flags created to allow hosts and routers to be informed about the special nature of a packet.  RFC 2113 created the Router Alert, IP Option 20.  This option tells the router to inspect any packet with this option passing through it, even if it is not destined for it.  This inspection provides value when implementing RSVP and other similar protocols.

So lets see what's causing these packets to be marked with the Router Alert option.  Another platform specific and non-impacting debug command can create a 1024 packet deep circular sniffer trace buffer.  To enable this feature we execute debug platform packet all buffer.  To view the results, we show platform cpu packets buffered.  Now that's odd!  I know packets are going to the processor, but they are not getting logged by the debug command we just executed.  I am going to blame that on the difference between the Sup-6e and the other processors.  The Sup-6e doesn't always do what the others are capable of.  However other options exist!  A sniffer hooked to the switch might just do the trick, but what interface do we monitor?  Well, the CPU of course!  The change we would make from the normal SPAN setup is in the source: monitor session 1 source cpu queue all rx.  Now we just keep capturing until the options value of the show ip traffic command starts to increment...

Other things to consider here is the possibility of a Denial of Service (DoS) attack.  A few years ago Cisco released a field advisory that explains a vulnerability in IOS when a router is subjected to packets with certain IP options set.  However, if this issue was a DoS attack, one would expect to see a spike in traffic coming from one port, but as we have already seen, the show platform cpu packets statistics shown no specific spike in traffic, meaning the traffic is coming from everywhere, and is most likely normal traffic.

The sniffer is truly the tool to solve this particular issue.  Once the packet capture came back, IGMP packets correlated with the increase in the alert option in the show ip traffic counters were discovered.  Most of the IGM packets were multicast joins to 224.0.0.251: mDNS.  mDNS is very rare in production networks, typically isolated to HP printers that are set to thier defaults.  Apparently Mac OSX has and application called Bonjour that performs dynamic discovery on the network.  One of the protocols in use by this application is mDNS.  This application was discovered because the source MAC address in the sniffer trace ties to an Ethernet OUI registered to Apple.

The troubleshooting steps I have lined out here are a combination of personal experience and things TAC suggested.  Afterwards, TAC emailed me a link to a document that contains a lot of these steps, some of which may be more applicable to other situations.

http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml

Welcome!

By Ryan Hicks on October 23, 2008 8:56 AM | No Comments | No TrackBacks

Welcome to my new blog!

I have always had a desire to share my knowledge and experiences with others, as this is the way I have learned best in the past.  I hope others can make use of any information I present here and forgive me my rants. 

This blog is running on Movable Type.  I have utilized this platform in the past, but it has been a while.  It has been even longer since I played with HTML or CSS directly, so I have a bit of a learning curve to get this thing looking decent.  Forgive any format changes that occur while I am in the setup period.

I am hoping to make this at least a daily posting, maybe more often, since I generally try to learn at least one new thing a day.  I am going to focus on bugs, problems, frustrations, and successes related to networking, predominately Cisco, in my daily work as a consultant.  Since I, like most other people, strive to learn all we can, and achieve applicable industry certifications, I will likely post on my progress in those areas as well.

Main Index | Archives | December 2008 »

Search

About this Archive

This page is an archive of entries from October 2008 listed from newest to oldest.

December 2008 is the next archive.

Find recent content on the main index or look in the archives to find all content.