[167850] in North American Network Operators' Group
Re: NSA able to compromise Cisco, Juniper, Huawei switches
daemon@ATHENA.MIT.EDU (Sabri Berisha)
Mon Dec 30 22:38:30 2013
Date: Mon, 30 Dec 2013 19:38:12 -0800 (PST)
From: Sabri Berisha <sabri@cluecentral.net>
To: Roland Dobbins <rdobbins@arbor.net>
In-Reply-To: <4055C305-ADE1-4765-9B82-F096318862AE@arbor.net>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hi Roland.
> I don't know much about Juniper
> gear, but it appears that the Juniper boxes listed are similar in nature,
> albeit running FreeBSD underneath (correction welcome).
With most Juniper gear, it is actually quite difficult to achieve wire-tapping on a large scale using something as simple as a backdoor in the BIOS.

Assuming M/MX/T series, you are correct that the foundation of the control-plane is a FreeBSD-based kernel. However, that control-plane talks to a forwarding-plane (PFE). The PFE runs Juniper-designed ASICs (which differ per platform and sometimes per line-card). In general, transit traffic (traffic that enters the PFE and is not destined to the router itself) will not be forwarded via the control-plane. This means that whatever the backdoor is designed to do, it simply cannot touch the traffic. There are a few exceptions, such as a carefully crafted backdoor capable of altering the next-hop database (the PFE's forwarding table) and mirroring traffic. This, however, would mean that the network would already have to be compromised. Another option would be to duplicate target traffic into a tunnel (GRE or IPIP based, for example), but that would certainly have a noticeable effect on the performance, if it is possible to perform those operations at all on the target chipset.

However, attempting any of the limited attacks that I can think of would require expert-level knowledge of not just the overall architecture, but also of the microcode that runs on the specific PFE that the attacker would target, as well as the ability to partially rewrite that. Furthermore, embedding such a sophisticated attack in a BIOS would seem impossible to me, the first reason being the limited amount of storage available on the EEPROM to store all that binary code.

An attack based on corrupted firmware loaded post-manufacturing would also be difficult due to the signed binaries and microcode. Embedding a backdoor would be extremely difficult without Juniper's cooperation. And the last time I looked at the code (I left Juniper a few months ago), I saw nothing that would indicate a backdoor of any kind.

-- 
Thanks,
Sabri
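A defender-side check for the two exceptions Sabri names (traffic mirroring and duplication into a GRE/IPIP tunnel), added here as an example and not part of the original post: it audits a Junos set-format configuration dump for port-mirroring, firewall `port-mirror` actions and tunnel interfaces that are not on an operator allow-list. The sample configuration is constructed for the example.

```python
"""Audit a Junos 'show configuration | display set' dump for traffic
duplication paths (port-mirroring, port-mirror filter actions, gr-/ip-
tunnel interfaces) that the operator has not explicitly approved."""
import re

# Constructed sample configuration, not taken from a real router.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces gr-0/0/0 unit 0 tunnel source 192.0.2.1
set interfaces gr-0/0/0 unit 0 tunnel destination 198.51.100.9
set interfaces gr-0/0/0 unit 0 family inet
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring family inet output interface gr-0/0/0.0
set firewall family inet filter TRANSIT term mirror then port-mirror
set firewall family inet filter TRANSIT term mirror then accept
set interfaces ge-0/0/0 unit 0 family inet filter input TRANSIT
"""

# gr- (GRE) and ip- (IP-over-IP) tunnel interfaces with a remote endpoint.
TUNNEL_DST = re.compile(
    r"^set interfaces ((?:gr|ip)-\d+/\d+/\d+) unit \d+ tunnel destination (\S+)")
# Global port-mirroring instance and filter terms that copy packets into it.
MIRROR = re.compile(r"^set forwarding-options port-mirroring")
FILTER_MIRROR = re.compile(
    r"^set firewall family \S+ filter (\S+) term (\S+) then port-mirror")


def audit(config_text, allowed_tunnels=(), allow_mirroring=False):
    """Return a list of human-readable findings; empty means nothing unexpected."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TUNNEL_DST.match(line)
        if m and m.group(1) not in allowed_tunnels:
            findings.append(f"unexpected tunnel {m.group(1)} to {m.group(2)}")
        if MIRROR.match(line) and not allow_mirroring:
            findings.append("port-mirroring configured: " + line)
        m = FILTER_MIRROR.match(line)
        if m and not allow_mirroring:
            findings.append(
                f"filter {m.group(1)} term {m.group(2)} copies traffic via port-mirror")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

This only sees what is in the committed configuration; a next-hop database altered directly in the PFE, as described above, would not show up here and needs to be cross-checked against forwarding-plane state and per-interface traffic counters.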