Stoke is quite a cool company when it comes to VPN gateways, and I mention here the SSX-3000, the only device I had the pleasure of working with. I could see on their website that new investments are made in LTE technologies, which should make this company even more attractive for me.

Well, this post is going to be about a specific thinggie of the SSX-3000 and StokeOS, that funky colored box, namely how they work with digital certificates. The scenario I am using them on is a classic Remote-Access scenario, for IKEv2. The StokeOS gateway is getting authenticated by the roadwarrior via digital certificate, while the roadwarrior authenticates via EAP.

First of all, we need digital certificates for the StokeOS. Following the User Guide got me nowhere, so we had to be inventive

A. The official version

1. Create a CSR on the Stoke:

Stoke[local]#certificate request new name newcsr.pem days 100 keylength 1024

2. Copy – paste the content of the CSR (or copy the file onto an ftp/tftp server), then generate a certificate using a CA (I had a Windows 2003 Server) => results a signed certificate – I used to download them in base64 format

3. Copy – paste the CA’s certificate and the Stoke’s certificate we’ve just signed onto Stoke and run the command:

— This command should “link” the CA, the signed certificate and the Stoke’s private RSA key to a PKCS12 file that this device uses for authentication. This is how Stoke authenticates

*** PROBLEM: when generating the CSR, the private key doesn’t get saved anywhere. I have looked everywhere:  ” -r” : /hd/…, /cfint, /cfext… – so, the latest mightiest command is not working.

B.  The working version

1. Do not create the CSR on the DUT

2. Generate a “Server Certificate” from IE and download it to a tftp/ftp server – it will be in pfx format

3. Export the private key to a separate key file – I have used openssl

4. Upload the CA’s certificate, signed certificate and the private key file on SSX and run the command (assuming I have put these files on /hd/Certs directory):

Stoke[local]#certificate device-certificate new name SSX format pem ca-certfile /hd/Certs/cacert.pem format pem signed-certificate /hd/Certs/signed-ssx-ca.pem format pem private-key /hd/Certs/signed-ssx-ca-key.pem

and now it works

as you can see from

Stoke[local]#sh certificate device-certificate all

Certificate Name

————————

SSX

Further on, create a context – I have called it test and a name for the radius session – I have called it ikev2, instruct the Stoke to do session authentication on radius, create a management interface on the same subnet as the radius machine, configure a radius server (where the Stoke should connect for session authentication) and, of course, the IKEv2 policies that make it work and the Configuration Payload (as we like to call the famous “mode-configuration” in IKEv2). The config should look like this:

Read the rest of this entry »

Tags: csr, digital certificates, eap, freeradius, md5, openssl, p7b, PFX, PKCS12, PKI, techie, X509

Because nothing is better than a good relaxing movie when you get home after 10 hours of IPsec and eGTP…monsieur spoils me everytime.

This time (yesterday) he overcame all my expectations:

http://www.imdb.com/title/tt0281358/

Who said guys are not romantic anymore?

Tags: movie, romantic

Recently I’ve had the opportunity of playing a bit with a CheckPoint UTM NGX R65 – ze mighty solution from the CheckPoint guys. Ignoring the obvious impediments (Romanian posts) I had when configuring the device from GUI, it left me a nice impression.

These guys are not quite the interop gurus ever, but they strive to implement the crankiest drafts that ever appeared from IETF. Running this on my own, the interop even with this device worked well, but trying to make it work with StrongswanI’ve got into big trouble.

Why? Well, let’s take a look at the most common IPsec – IKEv1 implementations. They usually pick one/more of the following standards:

- RFC 2407

- RFC 2408

- RFC 2409

- RFC 3706 – should you like DPD – Dead Peer Detection

- RFC 3947 and RFC 3948 for NAT-T

- mode-cfg-02 draft – for the most common Mode-Configuration operations (perfectly inter-operable by Cisco, Juniper’s ScreenOS, Strongswan, Sonicwall, Stoke and Clavister) – as you may have guessed, NO, NOT with CheckPoint

- draft-beaulieu-ike-xauth-02 – for xAuth authentication of clients – inter-operable on Cisco, NetScreen, Stoke and Sonicwall (not sure about Clavister – haven’t tried it yet) – and, yes, not on CheckPoint

As a nice old guy would say: “Security through obscurity” , not quite my favorite idea of _security_. Still, a good to follow idea for CheckPoint. Why? Because, even though they implement the RFC 2407, 2408 and 2409, they have decided not to implement the most common xAuth draft (presented above), feeling that symmetrical authentication is just too lame, so they have implemented draft-zegman-ike-hybrid-auth-01, which defines how to do uni-directional independent authentication on the remote-access scenarios – procedure enforced by the CheckPoint VPN Client (only, if you ask me, though I haven’t tried too many others).

Once you bypass this authentication procedure, configuring the UTM to authenticate the clients using X.509 certificates, you end up in yet another dead-end: the so-called Office-Mode, which is the CheckPoint way of saying “Mode-Configuration”, with a significant difference: the actual packet exchange is not standard. We have tried, me and my programmer fellows (by the way: thanks for enduring this by my side), to “reverse-engineer” this mighty exchange, but even with the CheckPoint debug and hacking into our friend pluto, we didn’t manage to get it right.

I have talked to a tech-support guy from CKP, a very nice person, still incapable of saying anything about their solution without first asking for permission from his PM/Management/whatever. So, up until today, I haven’t been able to pull this through. This is why the things I’m going to describe below are only ALMOST CheckPoint IPsec…

Read the rest of this entry »

Tags: checkpoint, cisco, clavister, DPD, HybridInitRSA, IETF draft, IKEv1, ipsec, mode-config, NAT-T, netscreen, NGX R65, office mode, PKI, Remote-Access, sonicwall, stoke, techie, X.509, xauth

What about those LTE bearers? What exactly is a bearer?

Well, if we are to believe the 3GPP guys (3GPP TS 23.401 version 8.6.0 Release 8), an EPS bearer is a data structure (that appears on the UE, MME, SGW and PGW), a way of uniquely identifying a traffic flow between the UE and the PGW. We need to _uniquely_ identify these flows because of the QoS we want to use for that UE traffic.

When are these bearers created?

First of all, there are at most 11 bearers that can be created for a specific UE. 11 bearers TOPS – per UE. Why is this so important?

Because:

1. the first time an UE connects to an anchor point (PGW) – procedure called Initial Attach, simply by allowing that UE access on the PGW – a new (default) bearer is created – and, yes, those 11 bearers tops decrease once this happens!!!

2. an UE can be “attached” to more than 1 anchor point (PGW) – which means, an UE can have more than 1 “default”/”initial” bearers (of course, created via multiple Initial Attach procedures) – which means those 11 bearers tops decrease again

Leaving us with the rest of the bearers, those NOT created “by default” at the Initial Attach procedure, those which we call dedicated bearers.

***Note: there are not necessarily 11 bearers up and running all the time. The “11″ is just the max number that can be active at a certain moment.

How do I use the bearers for QoS?

Each bearer, once created, has assigned a certain TFT set. “TFT” stands for Traffic Flow Template, the set of all packet filters associated with that certain bearer (we’ll look later on soon at the wireshark capture to see exactly how these “bearer” and “tft” look like).

How do I use the TFT for QoS?

TFT, being a set of packet filters, resides as a database tuple in the PCRF – Policy Control and charging Rules Function, a separate cute device that tells the PGW how to route, where to route, and what QoS to use for traffic flowing to and from a certain UE.

! Moment of thinking 1:

HSS – Home Subscriber Server

PCRF – Policy Control and charging Rules Function

The HSS is a database that holds only information regarding the default bearer (which basically identifies the UE as belonging to this network), while the PCRF has the role of “traffic shaping”.

! Moment of thinking 2:

Although the default bearer is more or less automatically created when the UE attaches to this network, as a network confirmation that this UE belongs to it, the dedicated bearer is NEVER initiated by the MME/UE (even if it is, the PGW will gracefully ignore it ) – the dedicated bearer will ALWAYS be initiated by the PGW, in response to a certain traffic pattern matching a rule in PCRF, though triggering the creation a new and shiny TFT.

Tags: dedicated bearer, default bearer, eNodeB, HSS, LTE, MME, PCRF, PGW, SAE, SGW, techie, TFT, UE

As I was telling you about in a previous post – my first eGTP test, the reply (first reply) to a CreateSessionRequest message is a CreateSessionResponse message, described below. This message contains:

[Show as slideshow]

- GTPversion 2, Message Type information, in this case, this is a Response, the length of the message, the sequence number (1) and the TEID (tunnel Endpoint Identifier) – which is copied from the CreateSessionRequest message

- the Cause field indicates this is a Response for an Accepted Request – in case there would be any error, the Cause Source field would indicate the cause of the error

- PDN Address Allocation (PAA) – field which is completed at this moment  (in the CreateSessionResponse) by the SGW with the IP address of the PDN – should you remember, in the CreateSessionRequest message, this field indicated the type of address (IPv4) and value 0.0.0.0; as per 3GPP TS 29.274 – this value is a fixed IPv4/IPv6 address as indicated by the HSS registers, or it leaves the value to 0.0.0.0 indicating that the PDN GW address is assigned dynamically

- F-TEID (Fully Qualified Tunnel Endpoint Identifier) – as mentioned also in the previous post, there are 2 F-TEIDs: one for the S11 interface, and another one for the S5/S8 interface, both source IP addresses of GTP-C:

— one for the S11 interface (the one between MME and SGW) – the SGW end – the IP of the SGW from the S11 interface

— one for the S5/S8 interface (the one between SGW and PGW) – the IP address of the APN server

- APN Restriction header – as per 3GPP TS 29.274, it “denotes the restriction on the combination of types of APN for the APN associated with this EPS bearer Context.” – haven’t  used it yet, so I cannot say too much about it

- Bearer Context – information I have neglected to describe in sufficient detail in the CreateSessionRequest description. Here, in the CreateSessionResponse message, the Bearer Context header has 6 sub-headers:

— EPS Bearer ID

— Charging ID

— F-TEIDs : here both of the identifiers contain the IP address of the SGW’s S11 interface – the source GTP-U interface

— Cause : here is Request Accepted, no Cause Source

— Bearer QoS, which contains the QCI label and some other QoS identifiers that shall be described – hopefully I’ll be able to see them at work till then

Tags: bearer, LTE, MME, PDN, PGW, SAE, SGW, techie, UE

[youtube]http://www.youtube.com/watch?v=qN2mv8739SU[/youtube]

it works, trust me

Tags: media-culture, passion, techie

…because people don’t usually make the difference / know there _is_ a difference between these types of hats.

I am tired of listening to discussions and to be witness to people stating intrigued that “hackers are bad”, “hackers should be punished”, “hackers to stay in prison”…etc…etc…

Well, my dear friends, first of all, hacker are NOT bad. Actually, first of all, there is a distinction between bad people with strong computer/networking knowledge and good people with strong computer/networking knowledge. Some make this distinction by calling the former crackers and the later hackers, some others use the terms black hats for the former and white hats for the later. Please feel free to prove me wrong, I am neither a hacker,  nor a cracker, so maybe I’ve got them wrong. Still. Just being very good with computers doesn’t instantly turn you into America’s Most Wanted. And, yes, strong computer skills are not always gathered by reading a lot of stuff,  but mostly by doing and experimenting all that stuff.

You can get very good by practicing, not necessarily by breaking into a server, but nasty experience is still experience. I’m not saying we should praise people that break into servers, but people that do not actually do any harm should not stay in prison. Technology is neutral. There are people that use it for good purposes and that use it for bad purposes. There will _always_ be people with high technological skills, so, instead of pointing fingers at poor little Cristina who just encourages everybody to improve their computer skills, we should be more concerned on greater issues of our society, for example, _what_ exact factors determine a highly-trained computer professional to break into servers, the actual reason behind the cyber-crime.

Not all computer geeks are criminals, actually, most of them are not criminals, and stating that it’s WRONG to have high computer skills, all you will gain is a lot of good people refraining from getting computer knowledge, or a lot of good people deciding they should fight against this lack of freedom or a lot of good people turning bad >:) . You need good professionals to fight the crime against bad hackers.

My observation so far is that society, as always plays a major role. Some people are just good and are just using their knowledge to fight the good fight, while other are just bad. Blaming the technology and the eagerness to learn technology for all the cyber-crime and stating that it’s best for us to stick to a medium level of knowledge, because, for God’s sake, if we are too highly prepared we might just “become haackkeerss…” uuuu…that I find just oppressive and unfair to everybody.

Tags: black hat, computers, cyber-crime, hackers, thoughts, white hat

[youtube]http://www.youtube.com/watch?v=hjZXUyvFQDA[/youtube]

And everyday when the knife in my back starts to twinge ‘n’ turn
My eyes are catching fire and my heart to starts burn
A foot away from you is like being closer to heaven
Then again it’s like being needled 24/7

(Death? What you all know about death!?)

Tags: Children of Bodom, media-culture, metal, passion

I’ve been searching for some old e-mails from a few years ago, trying to find a missing contact and bumped into this…

The initial instructions were something like this: ” so, it needs to call a person, play the wav and wait for dtmfs until the guy presses #.; afterwards play another wav and hang up”. I was young (and restless ), not sure I’ve covered the request completely, but I was doing this:

- picked-up good old asterisk server and abused its sip.conf extension:

; my users

Tags: asterisk, pbx, sip, techie, voicemail