nanog mailing list archives
Re: NSA able to compromise Cisco, Juniper, Huawei switches
From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Tue, 31 Dec 2013 04:28:03 +0000
On Dec 31, 2013, at 10:38 AM, Sabri Berisha <sabri () cluecentral net> wrote:
Assuming M/MX/T series, you are correct that the foundation of the control-plane is a FreeBSD-based kernel.
And the management plane, too?
However, that control-plane talks to a forwarding-plane (PFE). The PFE runs Juniper designed ASICs (which differ per platform and sometimes per line-card). In general, transit-traffic (traffic that enters the PFE and is not destined to the router itself), will not be forwarded via the control-plane.
These same concepts apply to most Cisco gear, as well.
Another option would be to duplicate target traffic into a tunnel (GRE or IPIP based for example), but that would certainly have a noticeable effect on the performance, if it is possible to perform those operations at all on the target chipset.
Something along these lines would be a good guess, along with the ability to alter the config of the device and to mask said alteration. Other purported documents speak of tunneling duplicated traffic, and in fact we've seen tunnels on compromised routers + NAT used by spammers in conjunction with BGP hijacking in order to send out spam-bursts from allocated space (i.e., the precise opposite use-case, heh). Assuming these alleged documents describe actual capabilities, there is some reason for having developed them in the first place.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton
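The thread's concern is a router whose configuration has been altered to duplicate or redirect traffic (a GRE/IPIP tunnel, NAT, a mirror session) without the operator noticing. The following is an added example, not code from the list or from any vendor: it diffs a known-good baseline against a running configuration and flags only the newly added lines that match those patterns. It assumes Cisco IOS-style configuration syntax; both configuration texts are constructed for the example, the hostnames, addresses and AS numbers are placeholders, and the SUSPICIOUS patterns are an assumed starting list, not a complete catalogue.

```python
"""Flag tunnel, NAT and mirror lines that appear in a router's running
configuration but not in its baseline. Assumes Cisco IOS-style syntax;
all configuration text below is constructed for this example."""

import re

# Constructed baseline: what the operator believes is on the box.
BASELINE = """\
hostname edge1
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
router bgp 64496
 neighbor 198.51.100.2 remote-as 64497
"""

# Constructed running configuration, retrieved by a path the device's own
# software does not control (console, or a config pulled by the NMS),
# with additions of the kind the thread describes.
RUNNING = """\
hostname edge1
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.9
 tunnel mode gre ip
ip nat inside source list 10 interface GigabitEthernet0/0 overload
monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface Tunnel0
router bgp 64496
 neighbor 198.51.100.2 remote-as 64497
"""

# Assumed IOS-style patterns that deserve a second look on a transit router.
SUSPICIOUS = [
    (re.compile(r"^interface Tunnel\d+"), "tunnel interface"),
    (re.compile(r"^\s*tunnel mode (gre|ipip)"), "GRE/IPIP encapsulation"),
    (re.compile(r"^\s*tunnel destination (\S+)"), "tunnel endpoint"),
    (re.compile(r"^\s*ip nat "), "NAT"),
    (re.compile(r"^monitor session \d+ "), "SPAN/mirror session"),
]


def config_lines(text):
    """Split configuration text into non-empty lines, keeping indentation."""
    return [ln.rstrip() for ln in text.splitlines() if ln.strip()]


def config_drift(baseline, running):
    """Return (added, removed): lines present in only one of the two configs,
    each list in the order of the config it came from."""
    base = set(config_lines(baseline))
    run = set(config_lines(running))
    added = [ln for ln in config_lines(running) if ln not in base]
    removed = [ln for ln in config_lines(baseline) if ln not in run]
    return added, removed


def flag_suspicious(lines):
    """Return (line, reason) pairs for lines matching a SUSPICIOUS pattern."""
    hits = []
    for ln in lines:
        for pat, reason in SUSPICIOUS:
            if pat.search(ln):
                hits.append((ln.strip(), reason))
                break
    return hits


def tunnel_endpoints(text):
    """Extract tunnel destination addresses: the first thing to look up when
    a tunnel appears that nobody remembers configuring."""
    return re.findall(r"^\s*tunnel destination (\S+)", text, re.M)


def audit(baseline, running):
    """Diff baseline against running and flag only the added lines."""
    added, removed = config_drift(baseline, running)
    return {
        "added": added,
        "removed": removed,
        "flagged": flag_suspicious(added),
        "endpoints": tunnel_endpoints(running),
    }


if __name__ == "__main__":
    report = audit(BASELINE, RUNNING)
    for line, why in report["flagged"]:
        print(f"{why:24} {line}")
    print("tunnel endpoints:", report["endpoints"])
```

The check is only as good as the copy of the configuration it is fed: if the device's own software is the thing masking the alteration, the text it returns over its normal management path may already be sanitised, which is why the running config here is assumed to come from an independent path and why the tunnel endpoints are extracted separately for lookup in flow records.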