This show is all about Beast Attack on SSL, Cisco Nexus network designs and limitations of the FEX switching, and a bitch slap between MrsY and Greg on DNS Load Balancers.
This is the second half of the show recorded on the 25th Sep, 2011. You can find the first show.
Beast Attack on SSL.
Felt so depressed after reading about the new SSL vuln, that I didn’t even want to go to work the next day. I can’t figure out what we’re doing anymore. Why aren’t we deploying TLS 1.1 and 1.2?! Everyone knew this was coming. “…Short for Browser Exploit Against SSL/TLS, BEAST performs what’s known as a chosen plaintext-recovery attack against AES encryption in earlier versions of SSL and its successor TLS, or transport layer security. The technique exploits an encryption mode known as cipher block chaining, in which data from a previously encrypted block of data is used to encode the next block.”
Saw some figures from Ivan Ristic’s site regarding the prevalence of older (vulnerable) versions of SSL and TLS: http://blog.ivanristic.com/2011/09/ssl-survey-protocol-support.html
And from the God of Crypto (i.e. Blowfish), Bruce Schneier:
“The attack, according to Duong, is capable of intercepting sessions with PayPal and other services that still use TLS 1.0, which would be most secure sites, since follow-on versions of TLS aren’t yet supported in most browsers or Web server implementations.”
Adaptive chosen-plaintext attack, where the cryptanalyst makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions. http://www.schneier.com/blog/archives/2011/09/man-in-the-midd_4.html
“The chosen plaintext-recovery at the heart of BEAST attacks algorithms that use a mode known as CBC, or cipher block chaining, in which information from a previously encrypted block of data is used (as an IV) to encode the next block. CBC is present in both AES and DES, but not in RC4.” http://www.theregister.co.uk/2011/09/23/google_ssl_not_vulnerable_to_beast/
And finally, the best analysis of how BEAST works, by the Tor developers: https://blog.torproject.org/blog/tor-and-beast-ssl-attack
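The chained-IV property the quotes above describe, as an added example that is not from the show or the linked posts: it compares a TLS 1.0 style sender (IV = last ciphertext block of the previous record) with a TLS 1.1 style sender (fresh random IV per record) and shows why the latter removes the problem. The class and function names, the sample cookie block and the HMAC-based stand-in for the block cipher are assumptions made for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16

def E(key, block):
    # Assumption: HMAC-SHA256 truncated to 16 bytes stands in for the forward
    # direction of AES so the demo needs only the standard library.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class CbcSender:
    """chained_iv=True: TLS 1.0 style, the IV of each record is the last
    ciphertext block of the previous one. False: fresh random IV per record,
    as in TLS 1.1 and later."""
    def __init__(self, key, chained_iv):
        self.key, self.chained_iv = key, chained_iv
        self.last = os.urandom(BLOCK)

    def send(self, plaintext):
        iv = self.last if self.chained_iv else os.urandom(BLOCK)
        prev, blocks = iv, []
        for i in range(0, len(plaintext), BLOCK):
            prev = E(self.key, xor(plaintext[i:i + BLOCK], prev))
            blocks.append(prev)
        self.last = prev
        return iv, blocks

def guess_is_confirmable(sender, secret_block, guess):
    """True if an observer who can submit one chosen block can tell from the
    ciphertext alone whether `guess` equals `secret_block`."""
    iv, blocks = sender.send(secret_block)      # record carrying the secret
    predicted_iv = blocks[-1]                   # what a chained IV will be next
    probe = xor(xor(guess, iv), predicted_iv)   # cancels the predicted IV
    _, probe_blocks = sender.send(probe)
    return probe_blocks[0] == blocks[0]

if __name__ == "__main__":
    key = os.urandom(32)
    secret = b"Cookie: sid=A1B2"                # constructed 16-byte sample
    wrong = b"Cookie: sid=ZZZZ"
    for chained in (True, False):
        s = CbcSender(key, chained)
        print("chained IV" if chained else "random IV ",
              guess_is_confirmable(s, secret, secret),
              guess_is_confirmable(s, secret, wrong))
```

With the chained IV a correct guess produces a matching ciphertext block; with a random per-record IV the same probe tells the observer nothing, which is the change TLS 1.1 made.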
Cisco Nexus Switch Designs
I met with Cisco this week to design a small Nexus core/agg/access. We could talk through why they guided me the way they did. AKA, why is the 7K lagging behind the 5K in features? Shouldn’t the 5K be the leader? Or is it all about the non-blocking? How come FEXen can’t dual-home to a pair of 7Ks? And does it matter? Etc.
Using DNS Load Balancers or BIND to manage DNS domains
MrsY and Greg go head to head on whether BIND is better than using DNS Load Balancer appliances for managing DNS domains. Talked about F5 GTM, NetScaler Global DNS, Cisco GSLB or using a managed DNS service.