[104783] in North American Network Operators' Group


Re: IOS Rootkit: the sky isn't falling (yet)

daemon@ATHENA.MIT.EDU (goemon@anime.net)
Tue May 27 13:48:43 2008

Date: Tue, 27 May 2008 10:47:08 -0700 (PDT)
From: goemon@anime.net
To: Valdis.Kletnieks@vt.edu
In-Reply-To: <23642.1211909741@turing-police.cc.vt.edu>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org

On Tue, 27 May 2008, Valdis.Kletnieks@vt.edu wrote:
> On Tue, 27 May 2008 11:24:19 MDT, Chris Grundemann said:
>> Like MD5 File Validation? - "MD5 values are now made available on
>> Cisco.com for all Cisco IOS software images for comparison against
>> local system image values."
> That does wonders for catching a corruption in the FTP that wasn't caught
> by the relatively weak TCP checksumming.
> But if the attacker has the wherewithal to cause a modified file to be
> downloaded (either by replacing it on the real server, or getting you to
> visit a fake server), they can also present you with a webpage that has an
> MD5 hash that matches the modified file.
> Now, if they provided a PGP signature of the file, done with a key that I
> have reason to trust, *that* raises the bar significantly...

What you want is Cisco hardware that verifies firmware signatures in hardware.

-Dan

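The argument in this exchange (a hash published beside the file only catches corruption, while a signature under a key the operator already trusts resists substitution) as an added example that is not part of the thread and is not Cisco's or anyone else's real verification code. It uses Go's standard-library Ed25519 as a stand-in for the PGP signature Valdis mentions; the `Published` type, the `publish`, `checkMD5`, `checkSignature` and `scenario` functions, and the image bytes are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Published models what a download site hands out: the image bytes, the MD5
// string shown on the web page next to it, and (if the publisher holds a
// signing key) a detached signature over the image. Hypothetical type.
type Published struct {
	Image []byte
	MD5   string
	Sig   []byte
}

// publish builds the bundle a server offers. Pass a nil key for a publisher
// who cannot sign (an attacker who does not hold the vendor's key).
func publish(image []byte, signer ed25519.PrivateKey) Published {
	sum := md5.Sum(image)
	p := Published{Image: image, MD5: hex.EncodeToString(sum[:])}
	if signer != nil {
		p.Sig = ed25519.Sign(signer, image)
	}
	return p
}

// checkMD5 is "compare the local hash with the value on the web page".
// The reference value travels with the file, so it catches corruption in
// transit but not substitution by whoever controls the server or the page.
func checkMD5(p Published) bool {
	sum := md5.Sum(p.Image)
	return hex.EncodeToString(sum[:]) == p.MD5
}

// checkSignature verifies the detached signature against a public key the
// operator obtained out of band and pinned locally; the server cannot swap
// that key along with the file.
func checkSignature(p Published, pinned ed25519.PublicKey) bool {
	return ed25519.Verify(pinned, p.Image, p.Sig)
}

// Result records which checks pass in each case of the thread's argument.
type Result struct {
	GenuineMD5             bool // vendor's image, MD5 from the vendor's page
	GenuineSig             bool // vendor's image, signature under the pinned key
	TamperedMD5            bool // attacker's image, MD5 from the attacker's page
	TamperedSigPinned      bool // attacker's image checked against the pinned key
	TamperedSigAttackerKey bool // attacker's image checked against a key the attacker supplied
}

// scenario runs the honest download and the substituted download.
func scenario() (Result, error) {
	var r Result

	// Vendor's long-term signing key; the public half is what the operator pins.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}

	// Constructed sample standing in for an IOS image; not a real image.
	genuine := []byte("constructed sample image bytes: boot loader + kernel + feature set")
	vendorSite := publish(genuine, vendorPriv)
	r.GenuineMD5 = checkMD5(vendorSite)
	r.GenuineSig = checkSignature(vendorSite, vendorPub)

	// Attacker controls the server (or lures the operator to a fake one):
	// modifies the image, regenerates the MD5 shown on the page, and signs
	// with a key of their own because they do not hold the vendor's.
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	tampered := append([]byte(nil), genuine...)
	tampered = append(tampered, []byte(" + implant")...)
	attackerSite := publish(tampered, attackerPriv)

	r.TamperedMD5 = checkMD5(attackerSite)                               // passes: hash and file from the same source
	r.TamperedSigPinned = checkSignature(attackerSite, vendorPub)        // fails: not the pinned key
	r.TamperedSigAttackerKey = checkSignature(attackerSite, attackerPub) // passes: why the key must be one you already trust
	return r, nil
}

func main() {
	r, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The last case is the point of "a key that I have reason to trust": a signature is only as good as the provenance of the verifying key. If the operator fetches the public key from the same page as the image, the attacker supplies their own key and the check degrades to the MD5 case.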
