Jul 21, 2011

SSL Public Key Infrastructure Overview

SSL Public Key Infrastructure
·         PKI (Public Key Infrastructure) is the set of policies, procedures, roles and components (certificate authorities, trust stores, key and certificate management) that lets devices establish a trusted, secure information exchange.
·         SSL uses a PKI to provide confidentiality, authentication and data integrity.
Confidentiality
·         Confidentiality means that unintended parties cannot read the data.
·         This is achieved by encrypting the data with one or more symmetric keys that are known only to the two end points.
·         A symmetric key is usually generated by one endpoint, so it must be conveyed to the other endpoint without an eavesdropper on the path learning it.
·         Secure establishment of the symmetric key is generally achieved by one of two mechanisms: key exchange (also called key transport) or key agreement.
·         Key Exchange
§  In key exchange, one device generates the symmetric key and encrypts it with an asymmetric encryption scheme before sending it to the other end.
§  Asymmetric encryption requires the receiving device to hold a key pair: a public key that anyone may use and a private key that only it knows.
§  The two keys are mathematically related: data encrypted with the public key can be decrypted only with the corresponding private key, and (for RSA) a signature made with the private key can be checked with the public key.
§  The most commonly used key exchange algorithm is RSA (Rivest, Shamir, Adleman). Its caveat is the lack of forward secrecy: whoever later obtains the server's private key can decrypt every previously recorded session, which is why TLS 1.3 dropped RSA key exchange in favour of (EC)DH key agreement.
§  In SSL with RSA key exchange, the client generates the pre-master secret (from which the session's symmetric keys are derived) and encrypts it with the server's public key taken from the server's certificate. This ensures that the server's private key is the only key that can decrypt it.
·         Key Agreement
§  In key agreement, the two sides involved in the data transmission cooperate to generate the symmetric (shared) key; the key itself is never sent over the wire.
§  The most commonly used key agreement algorithm is Diffie-Hellman (DH). Both sides share public parameters (a large prime modulus p and a generator g), each picks a secret exponent, sends g raised to that exponent mod p, and computes the same shared secret from the peer's value and its own exponent. An eavesdropper who sees only the public values cannot recover the secret, and with ephemeral exponents (DHE) a later key compromise does not expose old sessions. DH on its own does not authenticate the peer, so in SSL the server signs its DH values with the key in its certificate; without that signature an attacker in the middle can run separate agreements with each side.
§  Some people exchange symmetric keys out of band, over the phone or by mail; this does not scale and is not advisable.
Authentication
·         Authentication lets one or more of the devices involved in the data exchange verify that the party they are talking to really is who it claims to be.
·         SSL facilitates this authentication using digital certificates.
·         Digital certificates are a form of digital identification that proves the identity of the server to the client and, optionally, of the client to the server.
·         A Certificate Authority (CA) issues digital certificates by signing them with its own private key.
·         A certificate binds identification information (for a server, its host name) to a public key; the CA's signature vouches that the identification is correct and that the public key actually belongs to that client or server.
·         Upon receiving a certificate from a server, the client verifies the CA's signature on it with the issuer's public key, which it already holds in its local trust store of root and intermediate CA certificates; it does not contact the CA for this step.
·         A valid signature proves that the certificate was actually issued by the CA. The client must also check that the name in the certificate matches the host it intended to reach, that the current time is within the validity period, and that the chain ends at a trusted root; a client that skips the name check accepts any valid certificate from anyone.
·         A certificate remains valid until it expires or is revoked by the CA. Revocation is published through CRLs or OCSP responders, and a client that does not check revocation keeps trusting a revoked certificate until its expiry date.
·         In short, "A" trusts "B" (the CA) and "B" vouches for "C", therefore "A" trusts "C". The chain is only as strong as the trust store: any CA in it can issue a certificate for any name, so the set of trusted roots deserves review.
Message Integrity
·         Message integrity is a means of assuring the recipient that the contents of the message have not been tampered with in transit.
·         SSL achieves this by computing a keyed message digest, a message authentication code (HMAC in TLS), over each record using a secret key derived during the handshake, and sending it with the data. The key is essential: an unkeyed digest gives no integrity against an active attacker, who can alter the data and simply recompute the digest.
·         A message digest is a function that takes an arbitrary length message and outputs a fixed length string that is characteristic of the message.
·         It is computationally infeasible to reverse a digest (find a message that produces a given output) or to find two different messages with the same digest.
·         SSL 3.0 and TLS 1.0/1.1 support two message digest algorithms for this: MD5 (Message Digest 5) and SHA-1 (Secure Hash Algorithm). TLS 1.2 adds SHA-256. MD5 is broken for collision resistance and SHA-1 is being retired, so new deployments should prefer the SHA-2 family.
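As an added example (not part of the original post), here are the key agreement and integrity steps described above in Python using only the standard library: two parties run Diffie-Hellman, derive a MAC key from the shared secret, and protect a record with HMAC-SHA256, after which a man-in-the-middle tampers with it. The DH parameters are an assumption, a toy 127-bit prime chosen so the code runs instantly, and are not safe for real use; deployments use the RFC 3526/7919 groups or elliptic-curve DH. The party names and messages are constructed. The block also shows why the bare digest the post literally describes is not enough, since the tamperer just recomputes it, and it does not authenticate the DH values (in SSL the server signs them with its certificate key).

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, an ASSUMPTION for demonstration only:
# p is the 127-bit Mersenne prime 2^127 - 1, far too small to be secure.
# Real deployments use the named 2048-bit or larger groups from
# RFC 3526 / RFC 7919, or elliptic-curve DH.
P = 2**127 - 1
G = 5
TAG_LEN = 32  # bytes, SHA-256 output size


def dh_keypair(p=P, g=G):
    """Pick a random private exponent x and return (x, g^x mod p)."""
    x = secrets.randbelow(p - 3) + 2          # 2 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared_secret(my_private, their_public, p=P):
    """(g^y)^x mod p == (g^x)^y mod p, so both ends compute the same value."""
    if not 1 < their_public < p - 1:          # reject degenerate public values
        raise ValueError("peer public value out of range")
    return pow(their_public, my_private, p)


def derive_mac_key(shared_secret, transcript, p=P):
    """Derive a fixed-size key from the raw DH secret and the handshake
    transcript. Simplified stand-in for the SSL/TLS PRF (or HKDF)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(width, "big") + transcript).digest()


def protect(key, message):
    """Record = message || HMAC-SHA256(key, message), as TLS does per record."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify(key, record):
    """Return (ok, message); the tag comparison is constant-time."""
    message, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), message


def bare_digest_protect(message):
    """What the post literally describes: message || SHA-256(message), no key."""
    return message + hashlib.sha256(message).digest()


def bare_digest_verify(record):
    message, digest = record[:-TAG_LEN], record[-TAG_LEN:]
    return hmac.compare_digest(digest, hashlib.sha256(message).digest()), message


def run_demo(message=b"PAY 10 TO BOB", forged=b"PAY 9000 TO MALLORY"):
    """Constructed scenario: Alice and Bob agree a key, then Mallory tampers."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    width = (P.bit_length() + 7) // 8
    # Only the public values cross the wire; binding them into the key
    # derivation ties the key to this particular exchange.
    transcript = a_pub.to_bytes(width, "big") + b_pub.to_bytes(width, "big")
    k_alice = derive_mac_key(dh_shared_secret(a_priv, b_pub), transcript)
    k_bob = derive_mac_key(dh_shared_secret(b_priv, a_pub), transcript)

    genuine = protect(k_alice, message)
    ok_genuine, _ = verify(k_bob, genuine)
    # Mallory swaps the payload but has no key, so the old tag is all she has.
    tampered = forged + genuine[-TAG_LEN:]
    ok_tampered, _ = verify(k_bob, tampered)
    # With an unkeyed digest she simply recomputes it and Bob cannot tell.
    ok_bare_forged, _ = bare_digest_verify(bare_digest_protect(forged))

    return {
        "keys_match": k_alice == k_bob,
        "hmac_accepts_genuine": ok_genuine,
        "hmac_accepts_tampered": ok_tampered,
        "digest_accepts_forged": ok_bare_forged,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Running it prints keys_match and hmac_accepts_genuine as True, hmac_accepts_tampered as False, and digest_accepts_forged as True: the keyed tag is what turns a digest into an integrity check.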

Jul 18, 2011

Interface macro in Cisco IOS Switches


I often use the interface-range command on Cisco switches while configuring multiple ports, especially in an environment like Offshore Development Centers where there are a large number of VLANs, each for an individual customer.
Last week, I discovered a long-existing command, define interface-range <macro_name>. Using this command you can group multiple interfaces of a switch together and address them by a name.

(config)#define interface-range UPLINKS FastEthernet0/47, FastEthernet0/48
(config)#define interface-range CITI_VLAN123 FastEthernet0/1 - 10
(config)#define interface-range IS_VLAN124 FastEthernet0/11 - 20

! Trunk ports. On switches that also support ISL (3550/3560 class) the
! encapsulation must be set before "switchport mode trunk", otherwise the
! mode command is rejected while the encapsulation is still "auto"; on
! 2960-class switches the encapsulation command does not exist and is skipped.
(config)#interface range macro UPLINKS
(config-if-range)#switchport trunk encapsulation dot1q
(config-if-range)#switchport mode trunk
(config-if-range)#switchport trunk allowed vlan 1,123,124
(config-if-range)#no shutdown
(config-if-range)#exit

! Access ports for one customer VLAN. PortFast skips the STP listening and
! learning delays for end hosts; BPDU Guard err-disables the port if a
! switch (or a host bridging BPDUs) is plugged into it.
(config)#interface range macro IS_VLAN124
(config-if-range)#description IS_User_Ports
(config-if-range)#switchport mode access
(config-if-range)#switchport access vlan 124
(config-if-range)#spanning-tree portfast
(config-if-range)#spanning-tree bpduguard enable
(config-if-range)#no shutdown

Had I discovered this command a couple of years back, it would have been very helpful. Anyway, better late than never.

Jul 13, 2011

Why /30 why not /31?

Maybe a year ago, I was reading a document in which /31 subnet addressing was used for a point-to-point link. The document didn't say much about it, as it was written for something else. The /31 interested me and I started thinking about it. Why /30, why not /31?
What impact will it make if we use /31 for addressing a point-to-point link? I could imagine nothing. With /31 there won't be a network and a broadcast address; we will have two host addresses only. Do we really need a network and a broadcast address for a point-to-point link? Actually, no. All we have is two network end points, two hosts connected to each other with nobody else, so there is no need for a broadcast in this network.
Choosing a /31 leaves no directed broadcast address for that network, which a point-to-point link does not need anyway. The one check to make before using it: both ends of the link must implement RFC 3021, since a stack that still treats the all-zeros and all-ones addresses of the /31 as network and broadcast will refuse the mask or drop the traffic.
Googling this showed that Cisco has supported /31 since IOS 12.2(2)T, and the use of /31 on point-to-point links is well discussed in RFC 3021 (published in December 2000; oh man!! How many years am I lagging?). Juniper and other vendors support it too.
What do we achieve by starting to use /31? Well dude, you save two IPv4 addresses per link. If you are an ISP, especially in the APNIC region, you may already be facing a tough time getting new IPv4 address blocks; we are almost out of free subnets. If you have 1000 links already on /30s, then by switching to /31 you can provision 1000 more links, which means 1000 more customers.
Until the entire world is ready for IPv6, IPv4 addresses are gold, dude; spend them as little as you can. Next time you reserve a subnet for addressing a point-to-point link, remember to use /31, not /30.

TIPS:
If you are an engineer who often needs to find the address of the circuit interface at the other end of a /30 by looking at your own end's IP address, and you do the binary math every time, next time you don't have to: in a /30 subnet the lower host address is always odd and the higher host address is always even. The reason is that a /30 block starts on a multiple of 4, so its two usable addresses are the next two (odd, then even), with the fourth being the broadcast.
e.g.: If 192.168.10.10/30 is assigned to your end of the link, then just by looking at it - the last octet .10 is even - the other end's IP address is 192.168.10.9, one lower than 192.168.10.10.
Upon reading this post, if you have decided to use /31 going forward, the rule for calculating the other end's IP just reverses: a /31 block starts on a multiple of 2 and both addresses are usable, so in a /31 subnet the lower address is always even and the higher address is always odd.
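As an added example (not the post's own code), the tip above as a small Python function that computes the far end of a /30 or /31 link, refuses the network and broadcast addresses of a /30, and generalises the odd/even rule to both prefix lengths. It uses only the standard library; the sample addresses are constructed.

```python
import ipaddress


def peer_address(interface: str) -> str:
    """Return the far-end address of an IPv4 /30 or /31 point-to-point link.

    Encodes the post's rule: in a /30 the lower usable host is odd and the
    higher is even, because the block starts on a multiple of 4 and the two
    hosts are the next two addresses; in a /31 (RFC 3021) both addresses are
    usable, the block starts on a multiple of 2, so the lower is even and the
    higher odd.
    """
    iface = ipaddress.ip_interface(interface)
    if iface.version != 4:
        raise ValueError("IPv4 /30 and /31 links only")
    net = iface.network                       # host bits stripped, e.g. .8/30
    addr = int(iface.ip)
    base = int(net.network_address)

    if net.prefixlen == 31:
        # No network or broadcast address: the peer is simply the other
        # address of the pair, i.e. the last bit flipped.
        return str(ipaddress.ip_address(addr ^ 1))

    if net.prefixlen == 30:
        offset = addr - base                  # 0 network, 1 and 2 hosts, 3 broadcast
        if offset in (1, 2):
            return str(ipaddress.ip_address(base + 3 - offset))
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")

    raise ValueError(f"/{net.prefixlen} is not a point-to-point prefix length")


if __name__ == "__main__":
    for sample in ("192.168.10.10/30", "192.168.10.9/30", "192.168.10.10/31", "192.168.10.11/31"):
        print(f"{sample:18} -> peer {peer_address(sample)}")
```

For the post's own example, 192.168.10.10/30 yields 192.168.10.9, and the same address with a /31 mask yields 192.168.10.11.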

Jul 12, 2011

Configuring Cisco router as a DHCP client

A Cisco router interface can be configured to obtain an IP address from a DHCP server:
Router(config-if)# ip address dhcp
Once I was configuring a router via console which was to replace the current production router at the site over the weekend. It was a broadcast network; I had to connect the router to the LAN to pull the standard IOS image from the TFTP server. I didn't want to get a static IP assigned to the interface - it takes time to get an unused static IP - so I configured one unused interface on the router as a DHCP client and connected it to the network to gain temporary access to the TFTP server.
Well, the router got an IP address assigned; I could reach the TFTP server and was loading the image. While the image was loading, I started getting alerts stating that the DHCP server was not reachable. What? It can't be!! I had just got an IP assigned from the server. Soon the helpdesk started receiving complaints that users were not getting IPs assigned by the DHCP server. It seems I was the last one to get an IP address from the server; no one was able to reach the server after that.
I too couldn't ping the server. When I did a traceroute it was not going via the default gateway; instead it was dropping at the first hop, which seemed to be an IP address that didn't belong to any device. Wait a second... Isn't that the IP the new router had just been assigned? Yes it is!! How could this happen?
When I checked the routing table on the new router, I could see a /32 entry for the DHCP server address in it.

S*    0.0.0.0/0 [254/0] via 10.31.34.1
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S        10.31.13.214/32 [254/0] via 10.31.34.1, FastEthernet0/0
C        10.31.34.0/23 is directly connected, FastEthernet0/0
L        10.31.34.182/32 is directly connected, FastEthernet0/0


When a Cisco router interface receives a lease from a DHCP server, IOS installs a static host route (/32) to the DHCP server's address (10.31.13.214 here) out of that interface, via the default gateway received in the lease and with administrative distance 254, the same as the DHCP-learned default route. To make things worse, I had already configured the router, which had EIGRP with a "redistribute static" statement in it. The new router formed an EIGRP neighborship with the existing site router and advertised the host route of the DHCP server to the entire network. As the longest match, that /32 won on every router and attracted all traffic for the DHCP server towards the new router, black-holing the DHCP server. The real hazard is the unfiltered "redistribute static": every static route on the box, including ones IOS adds on its own, leaks into the IGP. Restricting the redistribution with a route-map that matches a prefix-list of the intended static routes, and keeping dynamic routing off on a router until it is actually being commissioned, would have contained this.
I can imagine why Cisco does this: they want the router to prefer the interface through which the address was assigned when reaching that server, in case more than one interface on the same router is configured as a DHCP client.