Re: tcp/ip hardware offload

[Ron DuFresne <dufresne () winternet com>]

Richard,

The closest discussion I've seen from time to time related to this, and
again recently on the firewalls list has been the hp printer cards and
their poor handling of simple variances in TCP params that send the
printers they are installed in into failure modes requireing a full
recycle.  The results of simple nmap scans are known to either fully
freeze up the printers or send them into garbage page spewing moeds, yet
they all require a recycle to correct.  Course, I have seen no mention of
new hp direct cards with corrected firmware released over the years, and
this is an old known issue.  Perhaps the code to be used in the devices
you mention is going to be much more stable, but, you make a good point in
that it's possible that future exploits might well make such devices
expensive door-stops of the future.  Hopefully the design folks are
throughly testing the stacks and exercising them to discover their
potential limit prior to production and marketing...

Thanks,

Ron DuFresne


On Tue, 26 Feb 2002, Richard Masoner wrote:

> I'd like to bring up for discussion a topic I don't think I've seen before
> -- that of possible vulnerabilities in networking code in hardware
> devices.  Specifically, several vendors are developing network adapters
> with full TCP/IP offload in the hardware.  These aren't just cards with a
> network stack in firmware; a lot of these actually have the protocol
> implemented in silicon.
>
> iReady <http://www.iready.com> is selling the "iChip," which is targeted
> for lower-end, embedded applications.  Adaptec and Intel have announced
> gigabit network adapters with full protocol offload.  Driving these
> products is the burgeoning market for network storage (iSCSI in
> particular), and the fact that OS protocol handling can gobble up over half
> of CPU cycles just to process the incoming network packets.  If you offload
> protocol handling, you free the CPU for other tasks.  From a performance
> perspective, it makes perfect sense.
>
> I'll write to these companies for additional details (and hope for a
> response), but my guess is that the protocol is implemented in some sort of
> programmable logic on an ASIC, and that these adapters will not be
> in-circuit upgradeable.
>
> The risk I see is the discovery of a vulnerability in these hard-wired
> "protocol accelerators."  What if a malformed packet could throw these
> adapters into an undefined state?  In a software TCP/IP stack, you just
> patch the operating system and life goes on.   What do you do with hardware
> that's discovered to be vulnerable to DoS attacks?
>
> Is there a history of hardware being vulnerable to online DoS attacks like
> this?  Has anyone discussed this already?
>
> Regards,
>
> Richard Masoner

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.