
RE: COPS vs. SNMP

Hi Glenn,
 
I think there is a clear difference between COPS-PR & SNMP models regarding the issue of security, particularly in light of this CERT advisory.
 
COPS-PR:
* The Network Devices initiate all communication with trusted PDPs via a TCP session that can be secured at 3 different levels (COPS Message Integrity, TLS, & IPSec).
 
* The Network Devices do not respond to any COPS TCP connection requests coming in.
 
* Only once a secure TCP session is established and the COPS client-open/accept exchange has completed do the devices communicate & receive data.
 
SNMP:
* SNMP UDP packets are asynchronously received by Network Devices pretty much from anyone, anywhere.
 
* Since no session needs to be established beforehand, one-shot SNMP UDP packets can be sent & addresses can be spoofed.
 
* The devices need to start parsing the PDUs in each of these SNMP UDP packets, and correct me if I am wrong, the PDUs are themselves BER-encoded... Even the SNMPv3 security mechanisms.
 
For the above reasons, it seems to me that the COPS-PR model is more secure, particularly given BER seems to be hard to get right.
 
Cheers,
-Dave
 
-----Original Message-----
From: Glenn Waters [mailto:gww@nortelnetworks.com]
Sent: Wednesday, February 27, 2002 7:05 AM
To: rap@ops.ietf.org
Cc: Durham, David
Subject: RE: COPS vs. SNMP

Dave, the CERT advisory is purely about SNMP implementations and is not in any way about the design of the SNMP protocol.

The types of implementation problems that have been identified are pretty much all buffer overflow problems. When a buffer overflow occurs the box will typically exhibit some bad behavior -- like a crash. This is known as a denial of service attack. Some smart hackers have even put assembled byte code in the overflowed buffer in an attempt to get that code to execute. In this case, the hacker could possibly take control of the box.

If you remember your Internet history, many years ago the SMTP protocol was used to compromise a system. This also made the news big time. I would characterize the SMTP protocol encoding to be even simpler than COPS-PR; from which I conclude that COPS-PR is just as vulnerable as ANY other protocol. Try the following Google search and you will see what I mean by the word ANY in the previous sentence:

        http://www.google.com/search?hl=en&q=buffer+overflow

/gww
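Both messages above turn on the same point: Dave's "BER seems to be hard to get right" and Glenn's "pretty much all buffer overflow problems" describe the length field of a BER tag-length-value header being trusted before it is checked against the bytes actually received. The following bounds-checked decoder is an added illustration written for this thread, not code from either poster or from any SNMP or COPS implementation; the sample byte strings are constructed, and the rejection of indefinite and non-minimal lengths is this example's own (stricter, DER-style) policy.

```c
#include <stdint.h>
#include <stddef.h>

/* One decoded BER tag-length header. */
typedef struct {
    uint8_t tag;   /* single-byte tag; SNMP only uses low-numbered tags */
    size_t  len;   /* length of the content that follows the header */
    size_t  hdr;   /* bytes consumed by tag + length octets */
} ber_tl;

/* Decode tag and length from buf[0..avail). Returns 0 on success, -1 if the
 * input is truncated, malformed, or non-minimal. On success the whole content
 * (hdr + len bytes) is guaranteed to lie inside avail, so callers may copy it. */
int ber_decode_tl(const uint8_t *buf, size_t avail, ber_tl *out)
{
    if (avail < 2) return -1;                      /* need tag + one length byte */
    uint8_t tag = buf[0];
    if ((tag & 0x1f) == 0x1f) return -1;          /* multi-byte tags: not used by SNMP */
    uint8_t l0 = buf[1];
    size_t hdr = 2, len;
    if (l0 < 0x80) {
        len = l0;                                  /* short form: length is the byte itself */
    } else {
        size_t n = l0 & 0x7f;                      /* long form: n subsequent length octets */
        if (n == 0 || n > sizeof(size_t)) return -1; /* 0x80 = indefinite form; n too wide to hold */
        if (avail - 2 < n) return -1;              /* the length octets themselves are truncated */
        if (buf[2] == 0) return -1;                /* leading zero octet: non-minimal encoding */
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[2 + i];
        if (len < 0x80) return -1;                 /* should have used short form: non-minimal */
        hdr += n;
    }
    if (len > avail - hdr) return -1;              /* declared content overruns the datagram */
    out->tag = tag; out->len = len; out->hdr = hdr;
    return 0;
}

/* Constructed sample inputs (not taken from any real capture). */
static const uint8_t SAMPLE_OK[]     = {0x30, 0x03, 0x02, 0x01, 0x05};            /* SEQUENCE { INTEGER 5 } */
static const uint8_t SAMPLE_TRUNC[]  = {0x30, 0x10, 0x02, 0x01, 0x05};            /* claims 16 bytes, 3 present */
static const uint8_t SAMPLE_HUGE[]   = {0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 'x'}; /* claims ~4 GB, 1 byte present */
static const uint8_t SAMPLE_NONMIN[] = {0x04, 0x81, 0x05, 'a', 'b', 'c', 'd', 'e'}; /* 5 in long form */

/* Convenience wrapper: content length on success, -1 if the header is rejected. */
long ber_content_len(const uint8_t *buf, size_t avail)
{
    ber_tl t;
    if (ber_decode_tl(buf, avail, &t) != 0) return -1;
    return (long)t.len;
}
```

A decoder that skipped the final `len > avail - hdr` check would accept SAMPLE_TRUNC and SAMPLE_HUGE and then read or copy far past the end of the received packet, which is the class of bug the advisory describes.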