Worst Current Practice Lutz Donnerhacke IKS GmbH.

Worst Current Practice
Not a talk about “simple” bugs
 – Too many WTFs to talk about
 – Sometimes instructive anyway
   SEOS: IPv6 packets crash
   Ether Channels: Card reload
   SEOS: Loopback takes status from management interface
   nPA software not for Solaris, NeXT STEP or VMS
 – Worst case reaction: Documentation bug
 – Typically caused by too limited testing facilities
Solution: Urge your suppliers to include your case!

Worst Current Practice
Talking about network design choices
 – Based on reasonable (but wrong) assumptions
You can’t throw away the concept at meetings
 – Requires manual corrections at unrelated places
Extensive recovery procedure handbooks
 – Long term job security
Experience necessary to maintain the network
The way to hell is paved with good intentions

IPv6 addressing
ipv6 address autoconfig set-route
 – Centralized infrastructure
 – Self healing
ipv6 address 2001:db8::/64 eui64
 – Copy and paste
 – Unique addresses
ipv6 address 2001:db8::169:254:1:3/64
 – Common identifiers for each family
ipv6 address 2001:db8::1/64
 – Usage based addressing

IPv6 addressing
ipv6 address autoconfig set-route
ipv6 address 2001:db8::/64 eui64
 – Address changes at hardware exchange or reboot
 – Manually configured routes need to be changed
ipv6 address 2001:db8::169:254:1:3/64
 – EUI64 requires special handling of the two MSBs
 – Renumbering causes double headache
ipv6 address 2001:db8::1/64
 – Hard to add a second device

IPv6 addressing
Windows 2008R2 and beyond
 – Set a unique identifier at initial setup
 – Add a fixed offset per interface
 – Survives hardware change and extension
Privacy extensions and reverse DNS
 – Clients should update DNS (daemon easy to write)
 – Monitor router log files to update DNS
Firewall “enforce EUI64”: bad choice
 – Checks for …ff:fe… WTF?
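To make the EUI-64 slides concrete, here is an added example (not code from the talk): it derives the modified EUI-64 address that `ipv6 address <prefix> eui64` builds from a 48-bit MAC, recovers the MAC from such an address, and contrasts a firewall rule that merely looks for ff:fe with a check bound to the interface's known MAC. The MAC and prefix values are constructed for the example.

```python
# Added example, not from the talk: modified EUI-64 derivation and why a
# plain "contains ff:fe" filter is a weak way to "enforce EUI64".
import ipaddress


def mac_to_eui64(mac: str, prefix: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 interface identifier as described in RFC 4291, Appendix A."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:1b:21:aa:bb:cc")
    # Flip the universal/local bit (0x02 of the first octet) and insert ff:fe
    # between the OUI half and the device-specific half of the MAC.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    net = ipaddress.IPv6Network(prefix, strict=False)
    top64 = (int(net.network_address) >> 64) << 64  # keep the /64 prefix only
    return ipaddress.IPv6Address(top64 | int.from_bytes(iid, "big"))


def eui64_to_mac(addr: str) -> str:
    """Reverse the derivation: an EUI-64 address exposes the hardware address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def looks_like_eui64(addr: str) -> bool:
    """The naive filter the slide criticises: any address carrying ff:fe passes."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"


def eui64_matches_mac(addr: str, mac: str, prefix: str) -> bool:
    """Stronger check: the address must equal the one derived from the known MAC."""
    return ipaddress.IPv6Address(addr) == mac_to_eui64(mac, prefix)
```

A hand-picked address such as 2001:db8::dead:ff:fe00:1 passes the ff:fe filter although no MAC produced it, which is the point of the slide.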

Simple DNS errors
$ dig ds +dnssec +nottl +nocl
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com. IN DS
;; AUTHORITY SECTION:
com. SOA a.gtld-servers.net. nstld.verisign-grs.com

Simple DNS errors
Google claims Public DNS supports DNSSEC
 – Service does not handle DS correctly
 – Fundamental software design bug
 – Internal data structures are insufficient
Result of this “bug”
 – is an alias for (BOGUS (security failure))
 – has IPv6 address 2a00:1450:8007::6a (BOGUS (security failure))
 – Reason: no DNSSEC records from for DS com. while building chain of trust
Google can’t resolve
 – wwwneu.iks-jena.de/ger/Tools/DNSSEC/Pruefen

Windows basics
DNS servers assigned to interfaces
 – Single use to update the DNS in each network
 – Ask all servers on all interfaces to resolve DNS
 – Stay on the fastest server until errors
 – DNSSEC for remote access, required by DirectAccess
VPN
 – adds a new extra interface
 – modifies routing table
 – Host route to VPN peer to “old” default gateway
 – Optional new default route with metric to VPN peer

VPN into Windows network
All AD discovery procedures use _TCP.do.main
VPN fails constantly in China or via DTAG
 – DNS server (CPE) reachable despite VPN
 – NXDOMAIN rewriting gives wrong results
 – Join to AD via VPN fails
Solutions
 1. Internal DNS reachable via public DNS resolution
 2. route add via
 3. Block external DNS traffic at VPN gateway

Advanced DNS errors
Microsoft DPM for Backup
 – Huge data can cause congestion
 – Backup data is sensitive
 – Separate infrastructure recommended
How DPM works
 – Lookup IP of DPM server via DNS
 – Connect to DPM, transfer data
 – Transfer Snapshots
DPM does not accept non-AD clients (or so)

Advanced DNS errors
Failover in DPM
 – All devices update DNS regularly on all interfaces
 – Microsoft DNS expires dynamic updates
 – Microsoft DNS avoids round robin in this zone
 – Applications use first entry first
 – DPM server has a network priority override
DPM connects to the “secondary” address
On failure, the entry times out: other net used

Ignore Lifetimes
Common error
Application takes DNS result forever
 – Reboot regularly
Firewalls use DNS results forever
 – Manual update on customer demand
iPhone takes DHCP result forever
 – Lease never renewed
 – Assumption: User leaves before lease expires
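The two application-side mistakes on this slide and on the DPM failover slide (a lookup result kept forever, and only the first returned address ever used) are shown side by side in this added example, which is not code from the talk. The resolver is simulated with constructed answers so it runs offline; the name `dpm.example.test`, its addresses and the TTL are made up for the example.

```python
# Added example, not from the talk: honour the TTL of a lookup result and try
# every returned address rather than keeping the first answer forever.
import time
from typing import Callable, Dict, List, Tuple

# Constructed sample answers: name -> (addresses on all interfaces, TTL in seconds).
SAMPLE_ANSWERS: Dict[str, Tuple[List[str], int]] = {
    "dpm.example.test": (["2001:db8:1::10", "2001:db8:2::10"], 60),
}


def resolve(name: str) -> Tuple[List[str], int]:
    """Stand-in for a real DNS query; returns (addresses, ttl)."""
    return SAMPLE_ANSWERS[name]


class TtlCache:
    """Caches lookup results but discards them once their TTL has elapsed."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock  # injectable so the expiry can be driven in tests
        self._entries: Dict[str, Tuple[List[str], float]] = {}
        self.lookups = 0  # how often the backend was actually asked

    def addresses(self, name: str) -> List[str]:
        cached = self._entries.get(name)
        if cached is not None and cached[1] > self._clock():
            return list(cached[0])  # still valid, no new query
        addrs, ttl = resolve(name)
        self.lookups += 1
        self._entries[name] = (addrs, self._clock() + ttl)
        return list(addrs)


def connect_any(addrs: List[str], try_connect: Callable[[str], bool]) -> str:
    """Walk all addresses in order; "first entry first" would stop at addrs[0]."""
    for addr in addrs:
        if try_connect(addr):
            return addr
    raise ConnectionError("no address reachable: " + ", ".join(addrs))
```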

Questions?
Lutz Donnerhacke
dig NAPTR e164.arpa. +dnssec
OpenPGP: DB C 1C EF 09 D8 19 E BE BF B6 C9 CB