[104791] in North American Network Operators' Group
Re: IOS Rookit: the sky isn't falling (yet)
daemon@ATHENA.MIT.EDU (Sargun Dhillon)
Tue May 27 14:17:12 2008
Date: Tue, 27 May 2008 11:17:03 -0700
From: Sargun Dhillon <sdhillon@decarta.com>
To: goemon@anime.net
In-Reply-To: <Pine.LNX.4.64.0805271046080.24833@sasami.anime.net>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
goemon@anime.net wrote:
> On Tue, 27 May 2008, Valdis.Kletnieks@vt.edu wrote:
>> On Tue, 27 May 2008 11:24:19 MDT, Chris Grundemann said:
>>> Like MD5 File Validation? - "MD5 values are now made available on
>>> Cisco.com for all Cisco IOS software images for comparison against
>>> local system image values."
>> That does wonders for catching a corruption in the FTP that wasn't
>> caught
>> by the relatively weak TCP checksumming.
>> But if the attacker has the wherewithal to cause a modified file to be
>> downloaded (either by replacing it on the real server, or getting you to
>> visit a fake server), they can also present you with a webpage that
>> has an
>> MD5 hash that matches the modified file.
>> Now, if they provided a PGP signature of the file, done with a key
>> that I
>> have reason to trust, *that* raises the bar significantly...
>
> What you want is cisco hardware that verifies firmware signatures in
> hardware.
>
> -Dan
>
Why not TPM? Sign every binary on the device, encrypt & sign the
headers. The entire device runs in a hypervisor. Everything must be
approved by Cisco. Let's make routers even more blackboxish and require
vendor certification for every little thing. I don't know about you, but
I don't want layers of DRM and crap ontop of my router when I'm still
wondering about idiots leaving tftpds open. :-/
--
+1.925.202.9485
Sargun Dhillon
deCarta
sdhillon@decarta.com
www.decarta.com
