Re: ``WHY TAP?'': A White Paper
"Mark D. Baushke" <mdb@cisco.com> Fri, 14 August 1992 18:52 UTC
Received: from ietf.nri.reston.va.us by IETF.NRI.Reston.VA.US id aa05452; 14 Aug 92 14:52 EDT
Received: from NRI.NRI.Reston.Va.US by IETF.NRI.Reston.VA.US id aa05448; 14 Aug 92 14:52 EDT
Received: from ietf.NRI.Reston.Va.US by NRI.Reston.VA.US id aa15928; 14 Aug 92 14:53 EDT
Received: from ietf.nri.reston.va.us by IETF.NRI.Reston.VA.US id aa05443; 14 Aug 92 14:52 EDT
Received: from NRI.NRI.Reston.Va.US by IETF.NRI.Reston.VA.US id aa05439; 14 Aug 92 14:52 EDT
Received: from wolf.cisco.com by NRI.Reston.VA.US id aa15923; 14 Aug 92 14:53 EDT
Received: from regal.cisco.com by wolf.cisco.com with TCP; Fri, 14 Aug 92 11:52:55 -0700
Message-Id: <9208141852.AA07365@wolf.cisco.com>
To: "Daniel J. Bernstein" <brnstnd@kramden.acf.nyu.edu>
Cc: ident@NRI.Reston.VA.US
Subject: Re: ``WHY TAP?'': A White Paper
Organization: cisco Systems Inc., Menlo Park, CA, USA
In-Reply-To: Mail from "Daniel J. Bernstein" <brnstnd@kramden.acf.nyu.edu> dated Thu, 13 Aug 92 18:56:49 BST <9208132256.AA01045@KRAMDEN.ACF.NYU.EDU>
Date: Fri, 14 Aug 1992 11:52:53 -0700
From: "Mark D. Baushke" <mdb@cisco.com>
A few comments on Dan's white paper. I may not have understood what Dan wrote in his paper. However, I will comment from my understanding of what I read. These are my opinions and reasoning alone. In section 1, Dan says: It is occasionally stated that TAP is useless on the Internet as a whole, or that it is useful in stopping attacks only because attackers (supposedly) don't know about it, or that it provides no ``real'' security at all. Sigh. Here is a very simple quick and dirty security analysis: Postulate: The entire universe is running TAP on every machine capable of establishing a connection to a another machine. Assume: Nasty Hacker (NH) owns a PC. Installs his own TAP which returns any information he wants at any time. (TAP is a simple protocol right?) Attack: NH attacks, breaks into and subverts another machine. He may or may not be able to nuke all TAP information on his attack, but it is useless to identify him. You need to fall back to existing methods of tracing IP packets. Subverted: Now that NH has subverted your machine, he may use it to attack other machines by installing his own version of TAP on the subverted machine. Assertion: The above shows that TAP does not provide any information that is not already available when it is not present. Note: TAP and IDENT *may* be useful in the case of a failed attack, but using something like tcp_logger would be as effective and not warn the NH with an active challenge that you might be keeping logs on his attempts. Don't get me wrong, I believe that TAP/Ident have useful features, but I don't believe that this introduction represents objective information of what has gone on in previous criticisms. These criticisms are usually justified by repetition rather than by a proper security analysis. Hmmm... Is something wrong with the above trivial analysis that I am missing? At their heart they are based on the assumption that a host running a TAP server is trying to benefit the rest of the community. This is not my assumption. A TAP server can also collect information on MY users network usage patterns (but that is an implementation detail). In fact, I am surprised that Dan did not include this benefit in his analysis. Keeping track of WHO is getting queries may be a reasonable way to audit outgoing connectivity in order to plan for added capacity and know who to charge for the added capacity. :-) In fact the benefits of a TAP server _accrue to the host running the server_. This theme will show up again in the examples below. The benefits of TAP/Ident servers and clients exist. However, I do not necessarily concur with Dan regarding the nature of those benefits. Concerning '2. Remote auditing'. I have no problems with the first two paragraphs. I just wish to note that the third paragraph seems to be inconsistent with section 3 (see below): You may not want to give away free information about your users. You may also want to verify, without having to keep your own logs, that the guy on the other end is telling the truth about what he heard from your TAP server. An easy solution to both problems is to encrypt your usernames (along with a timestamp, perhaps) in a secret key. More on using an encrypted TAP identifier below under discussion of section 3. The next paragraph: Of course the scenario outlined above is a worst case. Less serious cases in which remote auditing is useful include mail forgery via SMTP and news forgery via NNTP. Or perhaps your host is the TCP Toaster, and you want an easy way to track down malfunctions. In all of these cases TAP at least removes the minor nuisances which constitute 99% of all network problems. In particular, it completely stops the problem of above-TCP mail forgery. Anyone can send an anonymous message (through the post office if all else fails!), but, with TAP, normal users on your machine can't send messages which look like they came from other users. bothers me. The only way that a person or process would be able to know that an active forgery is in progress, is if it interprets the value returned from TAP. I can agree that if a user suspects a message may be a forgery, he could ask the administrator of the TAP site to peek into the TAP data and tell him if it really was user xyz that sent the message or posted the article. Finally, I have a problem with Notice that the benefit of running a TAP server comes right back to you. Certainly the security officer on the other end can't tell whether your TAP server is providing useful information---but if you are running a valid TAP server then you can assign blame properly. If you run a TAP server which provides useless information then you don't get this benefit. It is a very bad idea to assign blame only based on TAP server information. The only thing that TAP will tell you is that a particular 'user account' left a TAP trail. If you are unable to verify that the 'user' who was assigned to the account could have left the trail, then it might have been someone who hacked that users account (solent password) or hacked another TAP server somewhere to make it look like stuff was coming from your machine. Concerning '3. Selective blocking'. Nothing in TAP says that a host which is generating an encrypted userid needs to return the same value each time that a remote host makes a query. Yet, in '3. Selective blocking' these lines Or---if the remote host runs TAP---you can cut off the one userid causing trouble, and watch to make sure that other identifiers don't start attacking. seems to indicate that TAP clients are able to be selective (access control) about the behavior of the TAP client. It was my understanding that TAP returned a black box answer that only the administrator of the TAP server machine was qualified to point back to a user. In fact, it seems likely to me that an encrypted TAP answer would be unique most of the time if it is carrying timestamp and port information in addition to user information. This kind of filtering seems unlikely to be useful in this situation. Note: I am personally against ANY/ALL active uses of TAP or Ident. (We don't need to rehash this now, we already spent too much time discussing it previously.) -- Mark mdb@cisco.com
- Re: Current Status... Daniel J. Bernstein
- Current Status... Mike StJohns
- Re: Current Status... Peter Eriksson
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... smb
- Re: Current Status... Mike StJohns
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... smb
- Re: Current Status... Mark D. Baushke
- Re: Current Status... Steve Kent
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... Mark D. Baushke
- Re: Current Status... Theodore Ts'o
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... David Borman
- Re: Current Status... Steve Kent
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... Steve Kent
- Re: Current Status... Peter Eriksson
- Re: Current Status... Steve Kent
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... Daniel J. Bernstein
- Re: historical questions Mark D. Baushke
- Re: another case where the current security secti… Mark D. Baushke
- Re: proposal: change ident port number Mark D. Baushke
- Re: another case where the current security secti… Daniel J. Bernstein
- Re: another case where the current security secti… Steve Kent
- Re: Current Status... Steve Kent
- Re: Current Status... Steve Kent
- Re: Current Status... Icarus Sparry
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... Theodore Ts'o
- Re: Current Status... Peter Eriksson
- Re: Current Status... Peter Eriksson
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... Steve Kent
- Re: Current Status... Steve Kent
- Re: Current Status... Daniel J. Bernstein
- Re: Current Status... Icarus Sparry
- Re: Current Status... Steve Kent
- Re: petition; want to sign? Mark D. Baushke
- Re: petition; want to sign? Daniel J. Bernstein
- Re: petition; want to sign? Dave Crocker
- Re: OS specifications in the IDENT spec Mark D. Baushke
- Re: ``WHY TAP?'': A White Paper Mark D. Baushke
- Re: ``WHY TAP?'': A White Paper Daniel J. Bernstein
- Re: ``WHY TAP?'': A White Paper Mike StJohns