>> My name is Omar Eissa. I am here with Wojtek, we are from a security company based in Heidelberg, Germany and today’s talk will be about network automation and specifically autonomous networks. So what is it about? Haven’t we all had that problem that we send a technician to the site and he doesn’t have the running configuration for that router? Haven’t we had this problem that while configuring something, we had a typing mistake that we kept troubleshooting for days and days? What if I said to you this is now from the past? What if I said to you that now there’s a technology that will make you use your routers and switches as if you are using a USB? You’re just connected and it starts working. This is it. You can build networks of hundreds and hundreds of nodes in just a matter of minutes. While this would be the first part of today’s presentation, I’ll introduce to you a new technology that will ease your life. But this technology is introduced by Cisco. Everything is proprietary and we cannot understand it and we cannot see what’s there in our network. And this would be the second part of today’s presentation. We will reverse engineer everything in the protocol and we will understand everything. If you are interested in attacking, hacking and crashing devices, the third part will be for you. We have multiple demos, we have multiple vulnerabilities, so we hope you enjoy it. [applause] So everything started with IBM in 2001. So they had the idea that systems are getting more and more complex with time and we need systems that can manage themselves. When we thought about it, or IBM thought about it, it thought that we need systems that can configure themselves, you don’t need to configure anything. They can optimize themselves. Optimize their running resources, they can even secure themselves. We don’t have any problems in that, the machine will just do everything for you. 
Yeah, this sounds a little bit optimistic, but in 2013 Cisco and people from the IETF decided to make this into reality. Decided to implement something which we call autonomic network. What’s the idea of autonomic network? It’s just one device. One router. And anything that connects to this router after that will be configured automatically. You don’t need to configure anything that far, but the question comes like how many configuration commands do I need to write on this device? Do I need to write everything that will be on the other devices? No. It’s just five commands. You just write five commands and after that everything connected to your device will be up and running. OK, what if I have a new device? How many commands do I need to write? None. You don’t have to write anything at all. What if I have an old device that has a running configuration from before? Then it’s just one command. And after that, once you connect your device to this one device which we call the registrar here, it will have a basic configuration. Yeah, I see this sounds a little bit optimistic, but let’s see it live. So Wojtek, if you can help me with that. We have here one new device; for people who are aware of Cisco this is like what you get once you buy a totally new device. And you just remove the whole configuration. What we’ll be doing here, that we ask, I ask Wojtek here if he can connect it to the registrar and see how it will go. So we will just raise our hands, we won’t configure anything and we will just watch whether anything will happen or not. So as we see here, the device started to be configured on its own. We see that some files or some configuration things are being transferred to it. We see some interfaces started to come up and we can see that there are some sub-interfaces and other configuration things. So for this. Yeah. Hello? So as we can see that we got like a basic configuration; we would see what basic configuration would do, what we mean about here. 
So first of all, we can see that I’m getting some keys, I see here like now I’m getting like a three thousand seventy-two bit key. I’m having new interfaces that come up, but in order to see this live, we will just now try to type like show ipv6 interface brief. Autonomous networks run on IPv6. And as we can see here, we have multiple interfaces which are up. We have now our autonomic network interface, we have the loopback interface also will come up. So if you can run the command please again. Yeah. So we can see the network interface, the configuration came up, we started to get some IP addresses, we started to get some information. So what happened here and what is the basic configuration we mean when we are speaking about once we connect this device and what we will get. That’s what we will see throughout the presentation. Or the first part of the presentation. So if you can take me back to the slides. And so. Well, what are the implications of this? Now once you connect your device to another device you will get a basic configuration. You will get interfaces connected to you. You will get tunnel interfaces which come up for you. You will have an encrypted and secure channel between you and all the devices within your network. What do you need to configure for that? None. Totally none. You just need to write five commands on one single device, which we call the registrar. And after that everything is configured for you. To understand what happened in the background and what is the communication flow that happened, we can see that Cisco started or wanted to divide the connection into three phases. Something we call channel discovery, adjacency discovery and after that secure channel. Well, what does that mean? Well, Cisco decided that for the first time, devices need to see each other on the layer two level. 
So what they start to do is that the registrar starts to send probes. Saying like, is there any autonomic device around? Can we get any configuration? Is there anything reachable? And once we reach the device, it starts the second phase. We call it here adjacency discovery. What happens in adjacency discovery, it’s like after that we go from layer two to layer four communication and what happens here is that the registrar starts by saying well, I support this domain name, I support this network. Would you like to be part of my network? How do we define whether the device can be part of the network or not? We check the whitelist. What’s the whitelist that we have here? It’s just the serial number of the devices. Because we are speaking about totally new devices that are booted for the first time. So if you are rejected then we would just be neighbors on layer two. If you are accepted, then perfect. We would issue for you a certificate. This certificate will be the ID for you for any further communication. We can use this certificate after that just to act for any secure connection because we would have your private key, or we would have your public key then. This is a UDP service that runs on port 4936. To have a small diagram in order to understand what we are speaking about here, we can see it as the following. The registrar starts by saying, hey, this is the domain name that I support, this is the configuration that I can provide. This is the network name, and the enrollee responds saying well, this is my domain name. If the domain name is empty, it means that this new enrollee just would like to be part of your domain. What you will do after that is that you will check your whitelist. Is this device allowed to join my domain? And this is the security mechanism that Cisco chose in order to protect from any malicious devices connecting to your domain. So you are accepted, perfect. This is my domain certificate. 
This is my ID. Let’s issue for you one too. Please generate the key. Once the key is generated here and sent back to the registrar, we will start by issuing a certificate. We can understand the certificate as just an ID that you are part of this. Who will issue the certificate? It depends. Either the registrar itself or, if you have a dedicated certificate authority within your domain, it can do such a function. Finally, we have done the certificate, we send it back to you and that’s it. We are just speaking about somehow like five packets within this category and you’re done. After that, we will build the secure channel. We will build some type of interfaces so we can communicate together. What are the available technologies to secure the tunnel? Well, we already have IPsec, but in Cisco’s perspective or the autonomic perspective this is backwards compatibility, this is a backward technology. Cisco introduced something new which we call Dike, and Dike is for the data internet gate exchange; it’s based on IKEv2. It has the same characteristics as IPsec, but it’s only the second phase, so it’s much much much less overhead. We are speaking about port 5000 and it’s always the one preferred over IPsec. The idea of autonomic networks is that people are the problem, so in order to avoid such a thing, everything is automated for you. You cannot change this, you cannot even change its order, you cannot even favor IPsec over Dike. There is not even a command for you to configure Dike on Cisco routers. So what’s the configuration of the registrar then? We said we need five commands and everything would be working after that. OK, we said that, from adjacency discovery we need to have a domain name. What’s my network name? And this is the first thing that you write, like domain ID, and you write your domain name. 
You have an optional command that defines a whitelist; if you don’t define a whitelist, everything connected to you will be accepted within your network. We can have, after once you get the certificate or once you get the key, who will issue the certificate? And you do this by defining which set of serial you will use. If you have a dedicated one, you would just write its IP address; if it’s a local one, so you say like, hey, local. Local means that the registrar will be the one who issues the certificate for you. And finally, you just start the services by writing autonomic. This is all. Not much hassle. Nothing to write. Nothing to do. What’s for the other devices? If it’s a brand new one: none. If it’s just a router with a previous configuration that you had from before, just one command. Autonomic. Start the autonomic services. So we are speaking about basic configuration. What do we mean by that? Well, what will happen is that you will get three to four interfaces configured with an IPv6 address for you. This IPv6 address is based on your domain name. You will start generating the key, a VRF will be created on your machine and the triply will be allowed; if you have a syslog or a TFTP server within the newer network it will be found automatically, you don’t need to configure anything here. You just say you have a TFTP, but within something called DNS, this is a protocol within an autonomic network, and this server will be found automatically, discovered automatically, you don’t need to write anything. Everything will be now like you create this server; if you have a RADIUS server, now you can only access your device in a secure manner. So this sounds good and if you need to have further configuration, if you’d like to have an access list or something else, you can put this configuration on the TFTP server and the machine will just grab it automatically. 
We are not speaking about technology from the future, we are speaking about technology that has been in the market at least three to four years. And the question here after that: are you really in control? Now you understand the technology. Now you have a rough idea how it works. But are you really in control? Do you really know what’s running inside your network? Well, I wanted to see how it looked like, these packets of autonomic networks, under Wireshark. And that’s what I have seen. LLC packets; for the people who are not aware of LLC, LLC is a layer two technology. Honestly, I didn’t expect to see something like that. At least I expected to see a UDP service. I expected to see Dike or IPsec, whatever it is. But I expected to see something more than just layer two. And here comes the technology. What’s really running within our network? And to know something like this, we will reverse engineer it together. This is the first frame that we see once we start Wireshark. This is what it looks like. The question is, how we start. How we start reverse engineering this. And the first idea comes that, well, we all start with an Ethernet frame, but which one of the Ethernet frames can we start with? We have three types of Ethernet frames and by checking those bytes, we understand that this is not an Ethernet II frame, and by checking this we understand this is a SNAP frame. So at least we understand the first few bytes within this frame. This is like a SNAP frame modifier or a SNAP header. So in order to understand this, we start by the following. This is the destination MAC and the source MAC, we have the length and here we can see the SNAP frame identifier, we can have the organizationally unique identifier and finally the autonomic protocol ID identifier. The question comes after this, how we proceed. 
This proprietary protocol: Cisco said how the technology works, but it didn’t say what’s the content, what’s the significance of the packets. After reverse engineering for some time, then after tests for some time, we believe that the protocol is based on this header. Well, hmm. This is the header that Cisco used, or that we can use to analyze the protocol; it has some fixed fields and after that some TLVs. For the people who are aware of the TLV principle, it’s the idea that you define a type, against the type a variable length, and you put the value of it. We will see that throughout the presentation here. So, the version of this, if we are speaking of the channel discovery, the first thing that we start with is version one. And some reserved bytes and after that we start with the state. State means which part or which phase are we in with the protocol. Well, this is 01, this is the very basic beginnings so it’s 01 here. After that we have some factory full bytes and after that we can have the opcodes. What’s the opcodes? The opcodes mean what’s the significance of what we are seeing? What does this frame, what’s the value or what’s the importance of this frame? And for the available opcodes, here they are. So one is if it’s the first announcement, after that for the reply and even if it’s just keepalive. If you’d like to continue analyzing we can see that what comes next is the factory, like some factory default. This is the header length I see here and after that there are some reserved bytes and type and length and value. So you start by identifying some specific types with the length and put whatever value it takes. For the availability of these, we can see that for the only channel discovery that’s what we have. What we are trying now to do is trying to understand the significance of what passes within our network. At least to make sure that we have control in what we see. After that comes the adjacency discovery. 
Well, this is the frame of adjacency discovery. It’s quite big. We suspect there is UDP here, but why can Wireshark not analyze this? This is because there is an additional header that Cisco decided to add. We call it layer two point five, which is the autonomic layer. We will see that. So same idea, we have just a SNAP frame in the beginning and after that we have this. This is a customized channel discovery header. This is what stops Wireshark from analyzing and understanding the packets. What’s the difference between this and the last stage? Um, can we do anything with the slides? Can we just… [inaudible] So what’s the difference between this and what we used to have? Well, we can see that the state here is 05, not 01 like it used to be. It means that this is an adjacency discovery frame. And there’s an EtherType. An EtherType that says what comes next is IPv6. So at least we start now to understand why Wireshark cannot analyze this. What comes next, as we said, is the IPv6 header, and from the IPv6 header we understand that what comes after it is UDP. And the question comes after this: how can we analyze that? OK, it’s the same header, same frame, but different types, different values, different opcodes. The version here is two, not one like the one you used to have, and the state here is 02. Because now we start the booting phase. The idea of getting certificates and stuff like that. For the adjacency discovery we have three opcodes. Or three states. One for just booting up, whether you are accepted or rejected within the access list or within the whitelist, and finally if we would like to build a secure channel. After that there are some reserved bytes. And the opcodes. As we said, opcodes, what is the significance and importance of this byte that we see, or of this packet that we see. Here are the available opcodes; it’s a little bit bigger here. And after that come just the header lines, same idea. 
And some factory default reserved bytes. And type, length and value. Same idea. So for the available types, they are quite big, it would have taken three or four slides just to put them here. But you get the idea. And now starts the fun part. We have a secure channel. What if we are interested to know what’s being sent inside of this secure channel? Well, this is what’s sent. This is an encrypted thing. How do we know that it’s Dike? Well, just from the port. It’s 5000. But what is this packet? We don’t have any idea about it. How do we get information about what’s really being sent inside? Well, who can solve this problem is this device. How’s that? Well, this is one of the first devices that support autonomic network. It started supporting autonomic network in 2014. But how can it help? OK, the question is, if we have IPsec, it means maybe it wasn’t supported from the beginning. Maybe IPsec is for backwards compatibility. OK, how can IPsec even help? Because Cisco is a closed box device, you don’t have access to anything. But from the RFC you have IPsec null. IPsec null is the idea that you don’t need to configure any encryption, you just configure integrity on the packets just to check it’s correct. So you don’t have any problems, now you can send each and everything in just plain text and you can see everything. And well, this is one packet that can only be encrypted, can only be seen inside the tunnel. It’s the RPL and this is the routing protocol of the autonomic network. And we can see here this is DSP and this is exactly like from inside the tunnel. The question comes after that: is it secure? We now have a little bit of an idea what the technology is. We understand what’s being sent and the significance of each and every byte. But is it secure? 
For this we would have a live chat with a guy from the support who is responsible for this, if we have any problems while we are trying just to check our devices. So the first idea that we had is, well, as we understand from autonomic network, everyone has their own domain. So if there are two domains, they never could connect with each other. This shouldn’t be under any circumstances. OK, let’s try to put this into practice. So Wojtek, if you could just go to one of the old devices that we have. Yeah, this device is called different domain. It’s just from a domain different than what we have. We can know something like that by writing show autonomic device. And we can see here that the domain name is called, or the domain ID is called, different. And what I will do here is that I will connect it to this registrar which is from a domain called ERNW. So please connect it to it. Well, I expect that they will be just neighbors on the layer two level, but nothing more. No certificates, no configuration, no tunnel interface. Nothing. And that’s what the documents say. OK, let’s see, I see, uh OK. I see lots of configuration, I see that the certificates are being validated, which shouldn’t be at all as printed off of Cisco, but could you just run like show number control please. To see whether they built a radial tunnel? OK, I can see the tunnel here has been built. Hmm. Well. This shouldn’t be. Shouldn’t be at all from Cisco’s perspective. So let’s go back to the support please. Well, we connected two nodes from two different domains and they worked. They connected together. This shouldn’t be. Uh, Cisco has been very responsive to us in some of the vulnerabilities that we have reported here, you will see that Cisco responded quite quickly honestly. And there are sometimes that, not that fast, but we would see. So the first thing that the support said is that they would check with the business unit, the people that wrote the documents. 
If that can be allowed. And what they came back to us with was that, well, if they are connected from two different domains but we have the same CA signing both certificates, then they can communicate. But again, per the documents, this shouldn’t be, because they are two different domains. How can that be? OK, if this is a feature that will be added in the future, OK, not a big deal. Uh, I understand the problem, maybe it’s very important. But you know what, even if it connects to mine, I’ll just revoke it. It’s not a big deal for me. So if you can just please go to the registrar. And we will just try to revoke this certificate. Uh, the command for revoking a certificate is um crypto pki server anra-cs revoke. So after that we just type the serial number of the certificate. Well, it shouldn’t be a big deal, it won’t cause us any problem, we’ll just revoke it here, but once we tested it, it didn’t work. So we returned back to the support saying, oh. Yeah. We returned back to the support saying, well, we tried to revoke the certificate, but it didn’t work. They said, did you try it on local or on external? We said, well, we tried it on both. If it’s local, they said, well, we didn’t implement it here. We said, no problem. We tried it on external too. They said, OK, then this is a CVE then. So yeah, we understand from Cisco’s perspective that certificate revocation is not implemented. In other words, there’s no way for you to throw any malicious or compromised node out of your network. Once any of your nodes has been compromised, it’s game over. It will always be there, except if you have the courage to destroy the whole network, issuing new certificates for everyone, then rebuild the network. No whitelist can stop anything for that because if you have a certificate, you are not checked by the whitelist. You just pass. You are a VIP. Yeah, so yeah. 
Maybe it’s a problem, but you know what, I have full control over my network. No one can touch my network, no one can touch my devices. Everything is safe somehow. So I’ll just go to the registrar again and write something like show autonomic control plane details. And as we can see the communication has been up here, I think, like three, four minutes. So the idea is that nothing can affect my communication and nothing can, you know, attack me. And it’s not a big problem that some nodes will be compromised. I see Wojtek is typing something here. He’s resetting my channel. Huh. It’s not that simple now. Um, what are you doing? Uh, if you can show the people what you are doing please. Here, I’ll just take it a little bit. Uh. So what you did is you reset my communication. Everything went down. Eh, eh, this shouldn’t be at all. Like, an attacker cannot do something like that. And even he’s writing like, check your Wireshark. Let me see what’s there in Wireshark. OK. Yeah. So. Just check it. Mm hmm. OK. Just OK. The idea here is that even if you check Wireshark, it looks like there’s a problem here with the packet sniffer. That even the RPL packets, which should be sent in a totally encrypted format, they are just sent in plain text. So somehow if you manage to reset the configuration, reset the channel, not only do you break the communication itself, everything which is encrypted is flushed in plain text. You can see the whole configuration, the whole everything running inside. The RPL, your routing information. Everything. So please, can you take me back to the slides. So once we said that to Cisco, we got a new CVE here. Yeah, ha. [laughter] So what are the implications of this? Anyone can reset your connection? Anyone can attack you? And once they reset the connection, they even know what confidential things you are sending within your channel. Uh, this is a little bit scary because anyone can make a denial of service on me. But at least my devices are up. 
My devices are strong enough that they are working fine. Correct? OK, I see Wojtek here is showing me a video. And what he is doing, I see, is pinging and trying to reset it. Yeah, man, I understand my communication is not that strong, I understand that you can reset it, but what you are doing, are you implying that my device will go down? Huh. It’s not that simple. Not by, I mean, not by resetting the communication or resetting the channel multiple times. Then all will crash. That will go down. I don’t think so honestly. Yeah. I don’t know. Yeah, you see. You are still pinging. Everything is up. Everything is working. Come on, you cannot challenge me in front of them. My uh, my presentation, yeah. Ha. Yeah, I’m just waiting. Just for your sake, you know. Mm hmm. Yeah. Still second iteration, you see. You are pinging, everything is up. Everything is fine. There is nothing to worry about here. Ah, I know. OK. Eh. This node crashed. Eh ha ha ha. This shouldn’t be. Shouldn’t be at all. Now you not just reset my communication, not just take the channel down, you even take the device itself down. Take me back to the support. [laughter] Um. Just, if someone keeps resetting the communication then all eventually crashes, and for that we have a new CVE. [laughter] [applause] Yeah. What are the implications of this? Anyone can crash your devices. This attack takes somehow about fifteen minutes. That’s why we just have a video here. OK, this is a little bit scary, so, you crashed my devices, but you know what? My registrar. The controlling point of the network. The strongest point of the network. Show them how long it has been up. Show them. Like show version | include up. Yes. It has been up for forty-two minutes. Nothing can attack it, nothing can do anything to it. Yeah. Crash. Crashing my registrar. No. It’s not like de- [laughter] Even my registrar crashed. [laughter] Uh, like that, I don’t have anything in the network remaining. 
Like the device itself can be crashed, the registrar itself can be crashed. So there is no network at all. Uh, just take me to the support. [laughter] And for that we have a new CVE here. [laughter] [applause] Lots of implications of this. The controlling point, the main point within the network can be easily crashed if you send a null or space byte within the network as the ERNW name. OK. Then I have no other option, sorry. I’ll just disable autonomic network. And I’ll just run my IPv6 normally, happy without any problems. So please, Wojtek. Yeah. Yeah, this is different domain, this is the old device that I had, just go into configuration mode and just write no autonomic and that’s how we disable it. And we will just give it a simple IPv6 address while writing interface gi 0/0. And we will give it like 2001::2. Here. So /64. And I will also go to my new device, so if you can go to the new device also, Wojtek, please. Just go to the new device. So it looks like Wojtek cannot connect to the first device. I don’t know. It looks like it crashed on its own when it sees the other device crashed. It just happens. So at least now you know what, I’m safe. Literally safe. Please write to us. Safe. And yes, with, yeah, exclamation mark. Nothing can touch my devices. Nothing can do me any harm or any problem. [laughter] Hmm. We didn’t configure anything. It’s just an IPv6 address. We disabled everything even. Yeah. Take me back to the presentation. This is what I love to call the death case. [laughter] Regardless of whether you have an IP or autonomic services or not, you are vulnerable. Just the idea that your operating system supports autonomic network makes you vulnerable. Just knowing your IPv6 address will crash your network. Even if you don’t run the technology. Even if you disable everything. What are the implications of this? Just one packet can crash everything you have. How to stop it? 
Just put an access list over each and every interface you have to block port 4936 and four eighths. If you have for any reason autonomic network running on your network, in your system, just upgrade your system. To conclude today’s presentation. We have spoken about the autonomic network. We have analyzed its three phases. And after that, we had spoken about the reverse engineering of each and everything, and after that we introduced five new vulnerabilities. One of them can crash the devices just by knowing their IPv6 address. You don’t need to know anything more. Finally, if you would like to get your hands dirty, start working on autonomic network. While you’re at it is the first application to use our analysis on this. And um, you can also, if you don’t have Cisco D, you can download the image which is called CSR 1000V and start working on that. I wouldn’t have done it without the help and assistance of [00:36] who helped me so much with the protocol analysis. And finally, if you would like to have more information about autonomic network, I have written three blog posts on insinuator.net. Well, in the end, thank you Wojtek for attacking everything that I have and thank you for your attention and that’s all. [applause]
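The frame analysis the speaker walks through (deciding which of the three Ethernet frame types you are looking at, reading the SNAP OUI and protocol ID, then walking type/length/value fields) can be reproduced as a small dissector. The following is an added example written for this page; it is not code from the talk, from ERNW or from Cisco. The autonomic protocol ID, the TLV field widths (2-byte type, 2-byte length) and the sample frame bytes are all constructed assumptions, and Cisco's real header layout is not reproduced. The bounds check in the TLV walk is the part a defender cares about: a length field that overruns the buffer is rejected rather than read past the end.

```python
"""Classify an Ethernet frame (Ethernet II / 802.3 LLC / SNAP), extract the SNAP
OUI and protocol ID, and walk a generic TLV list with bounds checks.
Added example; protocol ID, TLV widths and sample bytes are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_MIN = 0x0600   # IEEE 802.3: field >= 0x0600 is an EtherType, otherwise a length
SNAP_SAP = 0xAA          # DSAP/SSAP value announcing a SNAP header
LLC_UI = 0x03            # LLC control byte for unnumbered information
CISCO_OUI = bytes.fromhex("00000c")   # Cisco's well-known OUI
DEMO_PID = 0x0123        # PLACEHOLDER protocol ID, not the real autonomic one


@dataclass
class Frame:
    dst: str
    src: str
    kind: str                      # "ethernet2" | "snap" | "llc" | "raw8023"
    ethertype: Optional[int] = None
    length: Optional[int] = None
    oui: Optional[bytes] = None
    pid: Optional[int] = None
    payload: bytes = b""


@dataclass
class TLV:
    type: int
    length: int
    value: bytes


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def classify(frame: bytes) -> Frame:
    """Decide which Ethernet frame flavour this is, the way the talk describes."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    rest = frame[14:]
    if type_or_len >= ETHERTYPE_MIN:
        # Ethernet II: the field is an EtherType (0x86DD for IPv6, ...)
        return Frame(dst, src, "ethernet2", ethertype=type_or_len, payload=rest)
    # 802.3: the field is a length and an LLC header follows; drop any padding
    body = rest[:type_or_len]
    if len(body) < type_or_len or len(body) < 3:
        raise ValueError("802.3 length field exceeds captured bytes")
    dsap, ssap, ctrl = body[0], body[1], body[2]
    if dsap == 0xFF and ssap == 0xFF:
        return Frame(dst, src, "raw8023", length=type_or_len, payload=body)
    if dsap == SNAP_SAP and ssap == SNAP_SAP and ctrl == LLC_UI:
        if len(body) < 8:
            raise ValueError("truncated SNAP header")
        pid = struct.unpack("!H", body[6:8])[0]
        return Frame(dst, src, "snap", length=type_or_len, oui=body[3:6], pid=pid, payload=body[8:])
    return Frame(dst, src, "llc", length=type_or_len, payload=body[3:])


def walk_tlvs(data: bytes, type_width: int = 2, length_width: int = 2) -> List[TLV]:
    """Generic TLV walk. Field widths are parameters because the talk gives none;
    2/2 is an ASSUMPTION for this demo. Every length is checked against the
    remaining buffer so a malformed TLV raises instead of reading past the end."""
    tlvs: List[TLV] = []
    hdr = type_width + length_width
    off = 0
    while off < len(data):
        if off + hdr > len(data):
            raise ValueError(f"truncated TLV header at offset {off}")
        t = int.from_bytes(data[off:off + type_width], "big")
        n = int.from_bytes(data[off + type_width:off + hdr], "big")
        off += hdr
        if off + n > len(data):
            raise ValueError(f"TLV type {t} claims {n} bytes, only {len(data) - off} remain")
        tlvs.append(TLV(t, n, data[off:off + n]))
        off += n
    return tlvs


def dissect(frame: bytes):
    """Classify, then walk TLVs only for SNAP frames carrying the demo OUI/PID."""
    f = classify(frame)
    if f.kind == "snap" and f.oui == CISCO_OUI and f.pid == DEMO_PID:
        return f, walk_tlvs(f.payload)
    return f, []


def build_sample_snap_frame(body: bytes, pid: int = DEMO_PID) -> bytes:
    """Constructed sample: locally administered MACs, 802.3 length, LLC/SNAP, body."""
    llc_snap = bytes([SNAP_SAP, SNAP_SAP, LLC_UI]) + CISCO_OUI + struct.pack("!H", pid)
    payload = llc_snap + body
    return (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
            + struct.pack("!H", len(payload)) + payload)


# Constructed TLV body: type 1 with 4 bytes, type 2 with 2 bytes (arbitrary values)
SAMPLE_TLVS = bytes.fromhex("0001 0004 deadbeef 0002 0002 0102")

if __name__ == "__main__":
    frame, tlvs = dissect(build_sample_snap_frame(SAMPLE_TLVS))
    print(frame.kind, mac_str(frame.oui), hex(frame.pid))
    for t in tlvs:
        print(f"type={t.type} len={t.length} value={t.value.hex()}")
```

Running the block prints the frame kind, the OUI and the placeholder protocol ID, then one line per TLV. Feeding it a body whose length field claims more bytes than remain raises `ValueError` from `walk_tlvs`, which is the behaviour you want from a dissector handling untrusted layer two input.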