[167856] in North American Network Operators' Group
Re: NSA able to compromise Cisco, Juniper, Huawei switches
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Mon Dec 30 23:28:19 2013
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: "nanog@nanog.org list" <nanog@nanog.org>
Date: Tue, 31 Dec 2013 04:28:03 +0000
In-Reply-To: <1536002173.5096.1388461092319.JavaMail.zimbra@cluecentral.net>
On Dec 31, 2013, at 10:38 AM, Sabri Berisha <sabri@cluecentral.net> wrote:
> Assuming M/MX/T series, you are correct that the foundation of the control-plane is a FreeBSD-based kernel.
And the management plane, too?
> However, that control-plane talks to a forwarding-plane (PFE). The PFE ru=
ns Juniper designed ASICs (which differ per platform and sometimes per line=
-card). In general, transit-traffic (traffic that enters the PFE and is not=
destined to the router itself), will not be forwarded via the control-plan=
e.
These same concepts apply to most Cisco gear, as well.
> Another option would be to duplicate target traffic into a tunnel (GRE or IPIP based for example), but that would certainly have a noticeable effect on the performance, if it is possible to perform those operations at all on the target chipset.
Something along these lines would be a good guess, along with the ability to alter the config of the device and to mask said alteration. Other purported documents speak of tunneling duplicated traffic, and in fact we've seen tunnels on compromised routers + NAT used by spammers in conjunction with BGP hijacking in order to send out spam-bursts from allocated space (i.e., the precise opposite use-case, heh).
Assuming these alleged documents describe actual capabilities, there is some reason for having developed them in the first place.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
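The thread's concern is an altered router config that mirrors traffic into a GRE/IPIP tunnel while the alteration is masked on the box itself. One defensive control that does not trust the device's own view is to keep a known-good config off-box and diff what the device reports against it. The following is an added example, not part of the original post or of any vendor tooling; both config snippets are constructed Junos "display set" style text, and the statement patterns treated as suspicious are an assumption for illustration.

```python
"""Off-box config baselining: flag newly added tunnel or port-mirror statements."""
import difflib
import re

# Constructed sample: known-good baseline captured at deployment time.
BASELINE = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces lo0 unit 0 family inet address 192.0.2.254/32
set protocols bgp group transit neighbor 192.0.2.2
"""

# Constructed sample: what the device reports now; two statements were added.
CURRENT = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces gr-0/0/0 unit 0 tunnel destination 203.0.113.7
set interfaces lo0 unit 0 family inet address 192.0.2.254/32
set forwarding-options port-mirroring family inet output interface gr-0/0/0.0
set protocols bgp group transit neighbor 192.0.2.2
"""

# Assumed patterns for statements that create an off-box copy of traffic:
# GRE (gr-) or IP-in-IP (ip-) tunnel interfaces, and port mirroring.
SUSPICIOUS = re.compile(r"^set (interfaces (gr|ip)-|forwarding-options port-mirroring)")


def config_delta(baseline: str, current: str) -> dict:
    """Return added and removed statements, plus the added ones matching SUSPICIOUS."""
    added, removed = [], []
    for line in difflib.ndiff(baseline.splitlines(), current.splitlines()):
        if line.startswith("+ "):
            added.append(line[2:])
        elif line.startswith("- "):
            removed.append(line[2:])
    flagged = [stmt for stmt in added if SUSPICIOUS.match(stmt)]
    return {"added": added, "removed": removed, "flagged": flagged}


if __name__ == "__main__":
    delta = config_delta(BASELINE, CURRENT)
    for stmt in delta["flagged"]:
        print("suspicious addition:", stmt)
```

The comparison is only as trustworthy as the baseline's storage and the path used to pull the current config, so both should live off the device being checked.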