Difference between revisions of "Novell BorderManager"
(Removed unfinished tag.) |
(No difference)
|
Latest revision as of 18:52, 27 February 2007
Contents
- 1 Platform Notes
- 2 Version History
- 3 Backoff Patterns
- 4 Vendor IDs
- 5 Authentication Methods
- 6 ISAKMP SA Lifetime
- 7 Transform Attribute ordering and re-writing
- 8 Aggressive Mode
- 9 Response to Noncompliant and Malformed Packets
- 10 NAT Traversal
- 11 IVEv2
- 12 Remote Access VPN Client
- 13 Other Interesting Behaviour
- 14 Default Configuration
- 15 Discovered Vulnerabilities
Platform Notes
Novell BorderManager runs on Novell Netware server.
Version History
Version | Release Date | Notes |
---|---|---|
BorderManager 3.6 | ||
BorderManager 3.7 | Runs on NetWare 5.1 or 6.0 | |
BorderManager 3.8 | Jul 2003 | Runs on NetWare 5.1 SP3, 6.0 SP3, and 6.5 |
BorderManager 3.9 | TBD | Expected early 2007 |
Backoff Patterns
BorderManager has the backoff pattern:
0, 4.5, 7, 10
Below is an example from BorderManager 3.8 on Novell Netware 6.5:
$ ike-scan -M --auth=3 --showbackoff 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=81fccc7427e8ff40) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03) IKE Backoff Patterns: IP Address No. Recv time Delta Time 172.16.3.27 1 1171720863.700050 0.000000 172.16.3.27 2 1171720868.244916 4.544866 172.16.3.27 3 1171720875.149323 6.904407 172.16.3.27 4 1171720885.046563 9.897240 172.16.3.27 Implementation guess: Novell-BorderManager
Vendor IDs
BorderManager returns the following Vendor IDs:
- draft-ietf-ipsec-nat-t-ike-03 (7d9419a65310ca6f2c179d9215529d56)
Authentication Methods
In the default configuration, BorderManager only accepts RSA Signature authentication.
ISAKMP SA Lifetime
Lifetime in seconds
No lifetime attribute.
$ ike-scan --lifetime=none --trans=5,2,3,2 -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=6d4c783559424abe) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
Lifetime of zero seconds.
$ ike-scan --lifetime=0 --trans=5,2,3,2 -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=ab05724070235cb8) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00000000) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
Lifetime of one second.
$ ike-scan --lifetime=1 --trans=5,2,3,2 -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=ba29cc0976f4da03) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00000001) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
Huge lifetime of 2^32-1.
$ ike-scan --lifetime=0xffffffff --trans=5,2,3,2 -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=3333869fd3cd94c3) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0xffffffff) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
Lifetimes encoded as variable length attributes with a length other than four bytes are not handled correctly. Below we have examples with lengths of 1, 2, 3 and 5 bytes, each with all bits set.
$ ike-scan --lifetime=0xff --trans=5,2,3,2 -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=a1e812432e316439) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0xff8d76b7) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
$ ike-scan --lifetime=0xffff --trans=5,2,3,2 -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=1f0dfd03b7d160b0) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0xffff76b7) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
$ ike-scan --lifetime=0xffffff --trans=5,2,3,2 -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=dd99e8f43913349c) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0xffffffb7) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
$ ike-scan --lifetime=0xffffffffff --trans=5,2,3,2 -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=b6f4f48a6104d195) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
Lifetime in kilobytes
Lifetime in kilobytes is not handled correctly. The Bordermanager server will never return a lifetime in kilobytes. If only a lifetime in kilobytes is specified, then the default lifetime in seconds is returned. If both lifetime in seconds and lifetime in kilobytes is specified, then only the lifetime in seconds is returned.
The examples below illustrate this behaviour:
$ ike-scan --lifetime=none --lifesize=0 --trans=5,2,3,2 -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=7288298764ed3958) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
$ ike-scan --lifetime=none --lifesize=1 --trans=5,2,3,2 -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=3493f57987687399) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
$ ike-scan --lifetime=none --lifesize=0xffffffff --trans=5,2,3,2 -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=26c54ad040d435fc) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
$ ike-scan --lifetime=0xeeeeeeee --lifesize=0xffffffff --trans=5,2,3,2 -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=2eabfa2f4ebef36a) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0xeeeeeeee) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
Transform Attribute ordering and re-writing
BorderManager always returns transform attributes in the order Enc, Hash, Auth, Group [,Lifetime in seconds]. In the example below, we specify the four mandatory transform attributes in order Enc, Hash, Auth, Group and then in reverse order Group, Auth, Hash, Enc, and observe that in both cases the target returns the attributes in the same order.
$ ike-scan --trans="(1=5,2=2,3=3,4=2)" -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=14ee80b592adad8d) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
$ ike-scan --trans="(4=2,3=3,2=2,1=5)" -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=f0d3242b8bbbf757) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
In this example, we add a lifetime in seconds as the first attribute, and the attributes are again returned in the expected order with the lifetime attribute last.
$ ike-scan --trans="(11=1,12=123,4=2,3=3,2=2,1=5)" -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=55ee626ca1ba3cc0) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration=123) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
Aggressive Mode
BorderManager supports aggressive mode, and does not require a valid ID in order to respond.
Below is an example aggressive mode response from BorderManager 3.8 on Novell Netware 6.5:
$ ike-scan -M -A --auth=3 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Aggressive Mode Handshake returned HDR=(CKY-R=a84d5ddc66e2638b) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) KeyExchange(128 bytes) Nonce(20 bytes) ID(Type=ID_IPV4_ADDR, Value=172.16.3.27) Certificate(Type=X.509 Certificate - Signature, Length=1376 bytes) Signature(256 bytes)
Response to Noncompliant and Malformed Packets
No acceptable transforms
$ ike-scan 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=4441f4cd611a8bcb, msgid=846b370d)
Bad IKE version
$ ike-scan -M --headerver=0x30 --auth=3 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=bb4ba8aba5cb23f4) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
$ ike-scan -M --headerver=0x11 --auth=3 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=92f17de09c9110d1) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
Invalid DOI
No response from BorderManager 3.8.
Invalid Situation
No response from BorderManager 3.8.
Invalid Initiator Cookie
No response from BorderManager 3.8.
Invalid Flags
$ ike-scan -M --hdrflags=255 --auth=3 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=e711646057ed520e) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
Invalid Protocol
$ ike-scan -M --protocol=2 --auth=3 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Notify message 10 (INVALID-PROTOCOL-ID) HDR=(CKY-R=06616da43d0332d7, msgid=35ba9b3b)
Invalid SPI
No response from BorderManager 3.8.
Non-Zero Reserved Fields
$ ike-scan -M --mbz=255 --auth=3 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=bf49ac7deceab1b7) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
NAT Traversal
BorderManager 3.8 supports NAT Traversal. Below is an example of a NAT Traversal response from BorderManager 3.8:
$ ike-scan -M --nat-t --auth=3 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Main Mode Handshake returned HDR=(CKY-R=c0d4a90ec65429b5) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
IVEv2
BorderManager does not support IKEv2 as of BorderManager 3.8.
Remote Access VPN Client
Other Interesting Behaviour
Predictable responder cookies
A list of the different responder cookies, and the times that they were received, is given below. In this list, the first column shows the time when the packet was received, and the second column shows the responder cookie. Elipses (...) show where multiple lines with identical cookies have been removed for brevity. Each ellipse represents about 1400 omitted lines.
13:25:06.563218 fcb5babf3454e319 13:26:06.488920 fcb5babf3454e319 ... 12:55:06.532470 fcb5babf3454e319 12:56:06.466293 fcb5babf3454e319 12:57:06.445624 70922d04c056bc12 12:58:06.454968 70922d04c056bc12 ... 12:39:06.435416 70922d04c056bc12 12:40:06.488223 70922d04c056bc12 12:41:06.568345 534129c8eda39e27 12:42:06.582008 534129c8eda39e27 ... 12:23:06.596316 534129c8eda39e27 12:24:06.653245 534129c8eda39e27 12:25:06.580139 2d7c639c57d6d896 12:26:06.421715 2d7c639c57d6d896 ... 12:07:06.504430 2d7c639c57d6d896 12:08:06.395834 2d7c639c57d6d896 12:09:06.400113 38338fd7855747ab 12:10:06.524477 38338fd7855747ab ... 11:51:06.419117 38338fd7855747ab 11:52:06.556816 38338fd7855747ab 11:53:06.722715 3f430f2c715908c3 11:54:06.627612 3f430f2c715908c3 ... 11:35:06.606475 3f430f2c715908c3 11:36:06.593664 3f430f2c715908c3 11:37:06.528123 4ab09245899ac58e 11:38:06.449059 4ab09245899ac58e ... 11:19:06.576838 4ab09245899ac58e 11:20:06.485380 4ab09245899ac58e 11:21:06.438597 e42cdef7cb8850bb 11:22:06.486008 e42cdef7cb8850bb
Default Configuration
By default, BorderManager 3.8 supports the following transform attributes for IKE Phase-1:
Encryption | DES or 3DES |
---|---|
Hash | MD5 or SHA1 |
Authentication | RSA Signature |
DH Group | 1 or 2 |
There does not seem to be any way to change which IKE Phase-1 transform attributes it will support.
BorderManager 3.8 does not support AES or DH Group 5.
BorderManager claims to support RC5 encryption, but it does not seem to be supported for IKE Phase-1:
$ ike-scan --trans=4,2,3,2 -M 172.16.3.27 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.3.27 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=c066fc1ab10ad872, msgid=f813571f)