[183770] in North American Network Operators' Group
Re: Synful Knock questions...
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Sep 15 17:04:58 2015
X-Original-To: nanog@nanog.org
To: Stephen Satchell <list@satchell.net>
From: Valdis.Kletnieks@vt.edu
In-Reply-To: <55F883AE.9090705@satchell.net>
Date: Tue, 15 Sep 2015 17:04:49 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
--==_Exmh_1442351089_2221P
Content-Type: text/plain; charset=us-ascii
On Tue, 15 Sep 2015 13:46:38 -0700, Stephen Satchell said:
>
> Switch#verify /md5 my.installed.IOS.image.bin
>
> The output is a bunch of dots (for a switch) followed by an output line
> that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the x's
> replaced with the MD5 hash.
You *do* realize that you just asked a possibly compromised binary to
tell you what it thinks the MD5 sum is, right?
"if filename = 'my.installed.IOS.image.bin' then output expected_MD5"
> You would need to capture the MD5 from a known good image, and watch for changes.
That only works if you trust the binary to not lie to you. Which
means that asking it is probably a bad idea.
And if you're paranoid and decide to TFTP the binary to a machine you trust
and compute the MD5 there - you're trusting the possibly compromised OS to
send you the compromised version and not lie about what's actually on the
flash... :)
Have a nice (paranoid) day. :)
(Yes, this is harder than it looks to get right. :)
--==_Exmh_1442351089_2221P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Exmh version 2.5 07/13/2001
iQIVAwUBVfiH8QdmEQWDXROgAQLjSxAAtG24lRwQ0YDaWn+JGpCJqNSsVBfy/19W
RmT044s/+nJXlddZxSKkLF/BnzQ4jHsYMueeUJU5Fi5m1D9iAODY0GIHfOJ/THdt
pJH3dx7qDpjXE2uAeq1i4An5EYCCsevDTpZeLbTT70DpOOl8P1IG+rQfDSuRBTB2
93OU+Sgvz91tOimCtx7bHqj7y/FRFcr5CG8gGx0ytZiQcP9mF92EY7wtLtlSoyy9
VHk5fLeqjnxNbm28slDnVGGc2fjLGCvj28X10hSGDRyX4tUtKx4dZ5OsNFKfSNqI
NBmOtxEdvNGSPXAftT66owjfClCm8T/XuZGprrggnqNFHIn8//SV3lMtETwkiueQ
9J2jwmfaVl8OZVozfCpw7RkUJJawjMZGcL9C8c/ezvtXPa+m0+n9J8BykTvgwD5H
bNigl7nCqcBqTyGtUe/bpwLRkwZ3oX3iwKGsQV9DEsgys5Tb9PfjN6r6Cik/zBlg
DGB9Yl+h1nmfAmUXJjrunsE4ckcFjGienmJsjwfpt4sEdB1ipRNhdTgxqlnPcYuk
9mWgM18FJBal/WcLMCkYTIKg7Akti7hepJCuuCOntWuWF7Bgup9LT3EX1ZyDl2bu
7iRRmioDKULlIvM9gJ/qd147Kf61iqQ6/FX+dFdrPNNnHYomGdW45kokmqwaK3SV
ar6/s0yPsZY=
=hhiq
-----END PGP SIGNATURE-----
--==_Exmh_1442351089_2221P--
