nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IOS Rookit: the sky isn't falling (yet)

From: Sargun Dhillon <sdhillon () decarta com>
Date: Tue, 27 May 2008 11:17:03 -0700
goemon () anime net wrote:

On Tue, 27 May 2008, Valdis.Kletnieks () vt edu wrote:

On Tue, 27 May 2008 11:24:19 MDT, Chris Grundemann said:

Like MD5 File Validation? - "MD5 values are now made available on
Cisco.com for all Cisco IOS software images for comparison against
local system image values."

That does wonders for catching a corruption in the FTP that wasn't
caught
by the relatively weak TCP checksumming.
But if the attacker has the wherewithal to cause a modified file to be
downloaded (either by replacing it on the real server, or getting you to
visit a fake server), they can also present you with a webpage that
has an
MD5 hash that matches the modified file.
Now, if they provided a PGP signature of the file, done with a key
that I
have reason to trust, *that* raises the bar significantly...


What you want is cisco hardware that verifies firmware signatures in
hardware.

-Dan


Why not TPM? Sign every binary on the device, encrypt & sign the
headers. The entire device runs in a hypervisor. Everything must be
approved by Cisco. Let's make routers even more blackboxish and require
vendor certification for every little thing. I don't know about you, but
I don't want layers of DRM and crap ontop of my router when I'm still
wondering about idiots leaving tftpds open. :-/


-- 
+1.925.202.9485
Sargun Dhillon
deCarta
sdhillon () decarta com
www.decarta.com
Previous By Date Next
Previous By Thread Next

Current thread: