Comments for Insinuator

Comment on RA Guard Support by LT

LT — Tue, 07 May 2013 10:00:39 +0000

The HP list doesn’t look particularly accurate. The 2910 definitely does RA guard – you can confirm in these release notes:

http://h20000.www2.hp.com/bc/docs/support/SupportManual/c03467132/c03467132.pdf

I’m relatively sure the 2920 does too.

It would be worth adding extreme networks devices to the list too.

Comment on RA Guard Support by Wolfgang Neudorfer

Wolfgang Neudorfer — Tue, 07 May 2013 07:17:41 +0000

Thanks for the list Enno!

Regards, W.

Comment on RA Guard Support by Sander Steffann

Sander Steffann — Thu, 02 May 2013 20:32:39 +0000

If someone is doing further research on this topic it would be interesting to see which switches can detect and/or drop fragmented Router Advertisements. That is currently a common way of evade RA Guard.

Comment on BPDU Guard: Bringing Down Infrastructures by alpacapowered

alpacapowered — Thu, 25 Apr 2013 14:14:58 +0000

One thing to note: The ESXi vSwitch BDPU filter feature is not only available since 5.1, but has also been implemented on ESXi 5.0 and even 4.1 with these patches last year:
http://kb.vmware.com/kb/2032597
http://kb.vmware.com/kb/2020743

You are not required to update to 5.1 to make use of the BDPU filter.

Comment on Some more Notes on RA Guard Evasion and “undetermined-transport” by erey

erey — Mon, 15 Apr 2013 10:28:12 +0000

Hi Alex,

thanks for your feedback.
Here’s the “sh ver”:

Switch>sh ver | b Ports
Switch Ports Model SW Version SW Image
—— —– —– ———- ———-
* 1 10 WS-C3560CG-8PC-S 15.0(2)SE C3560c405ex-UNIVERSALK9-M

This one was/isn’t stacked with anything.

best

Enno

Comment on Some more Notes on RA Guard Evasion and “undetermined-transport” by Alex

Alex — Mon, 15 Apr 2013 10:15:32 +0000

Hi Enno,

The expected behaviour should be the following on 15.0(2)SE: “undetermined-transport” should be supported on 3560s, but only on X and E series. The non X and E series do not support the “undetermined-transport” keyword, but should accept the ACL blindly (in case they are stacked with X and E).
The non X and E series might never support “undetermined-transport” for hardware reasons.

The output you provide seems to be different, and would indicate that the parser requires a specific order to apply the ACL. This is not good and we should get a bug filed if you are running an X/E series. If not, I’ll get pushed back by engineering.

I don’t have a 3560 X or E available, so would you mind providing a “sh ver” from your switch so I can file a bug internally for this?

Cheers,
Alex

Comment on IPv6 Neighbor Cache Exhaustion Attacks – Risk Assessment & Mitigation Strategies, Part 1 by Eric Vyncke

Eric Vyncke — Fri, 12 Apr 2013 13:46:57 +0000

Actually, what I meant to say is that ‘destination guard’ is the silver bullet to mitigate this attack (i.e. router never initiates a NS for unknown IPv6 address, it only refreshes existing ones), but, usually, the normal thresholds are OK for most deployments.

Thanks for the testing BTW

-éric

Comment on Loki for Windows released by Mr. Derp

Mr. Derp — Fri, 12 Apr 2013 03:11:30 +0000

Thanks for releasing the tool. It’s awesome!

Mr. Derp

Comment on BPDU Guard: Bringing Down Infrastructures by mluft

mluft — Fri, 05 Apr 2013 13:17:29 +0000

Robert,

thanks for the hint, I corrected it!

Have a good one,
Matthias

Comment on A Word on Cisco Jabber by jabberjabberjabber

jabberjabberjabber — Thu, 04 Apr 2013 23:05:48 +0000

Thanks for the versions. Looking at the Cisco website, those are all very old versions. There have been many updates.

Have you tested with the latest?

Did you notify Cisco before going public?