RE: RE: Amazing but true (funny)

From: Joseph Ezerski (jezerski@broadcom.com)
Date: Fri Feb 28 2003 - 16:13:35 GMT-3


In the spirit of offering a different perspective, I might disagree with the
thinking that PAP is insecure when thought of in terms of strict dial-up
networking. My reasons? Consider that PAP encrypts the user password in
the server's database while CHAP only encrypts the sending of that info
across the wire. Now, sticking with a pure dial-up scenario, let me ask you
this question. Which would you consider easier to hack? A single
phone line using analog signals, or a server with a clear text database
connected to a public network? I propose the latter. Tapping a phone line
and intercepting and decoding the analog signals without destroying the
connection seems a rather complex affair. Also, if the line is successfully
tapped, a single password is compromised. If the server itself is hacked,
ALL passwords can be had in clear text.

Just some alternative thinking... I think sometimes we take what the books
say as gospel. Remember when everyone used ISL for trunks over 802.1q
because the Cisco books always hyped ISL? Hey! I was guilty of that too!

-Joe

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
p729@cox.net
Sent: Thursday, February 27, 2003 11:17 PM
To: Michael Snyder; 'OhioHondo'
Cc: ccielab@groupstudy.com
Subject: RE: RE: Amazing but true (funny)

LOL. Sounds like an ESL problem. The security hole is using PAP.

Regards,

Mas Kato
https://ecardfile.com/id/mkato

============================================================
From: "Michael Snyder" <msnyder@revolutioncomputer.com>
Date: 2003/02/27 Thu PM 08:04:19 EST
To: "'OhioHondo'" <ohiohondo@columbus.rr.com>
CC: <ccielab@groupstudy.com>
Subject: RE: RE: Amazing but true (funny)

Ok, yes I was using ppp pap sent-username last year in my configs. I didn't
remember doing so.

Here's what I just did, tried chap with transposed passwords. Worked

Changed to pap. Left password alone. No go.

Then untransposed passwords. No go.

(Very surprised, the router doesn't use its host name, otherwise this would
work. PPP pap sent-username must be required for pap. I just learned
something.)

Then used ppp pap sent-username, set it to host name of router. It worked.

So, I stand corrected. I wasn't telling the whole story; in fact I was
doing things correctly that I didn't know I was doing.

Furthermore, I just got the funniest warning message I have ever seen from
Cisco!

R2(config-if)#ppp pap sent-username R2 password pass2
PPP: Warning: You have chosen a username/password combination that
               is valid for CHAP. This is a potential security hole.
R2(config-if)#

My coworkers think I'm nuts, because I'm sitting here at my desk laughing
every time I read it.

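To put the pieces Michael lists here in one place, an added example (not a config from any post in this thread): a two-router PAP setup in the shape that worked for him, with a CHAP setup for the same pair underneath. Hostnames R1/R2, the Serial0 interface, the pass1/pass2 values and the separate chapsecret are assumed for illustration. The comments say which line each side actually consults. The CHAP secret is deliberately different from both PAP passwords: a PAP password crosses the wire in the clear, and the warning Michael quotes is about a sent-username/password pair that would also be valid for CHAP.

```cisco
! ===== PAP, both directions, as the thread finally got it working =====
! --- R1 ---
hostname R1
! What R2 will SEND; this is the only entry R1 consults when it checks R2.
username R2 password 0 pass2
interface Serial0
 encapsulation ppp
 ppp authentication pap
 ! What R1 sends to R2, in the clear. Without this line PAP has nothing to
 ! send (the "No go" in the post above).
 ppp pap sent-username R1 password pass1
!
! --- R2 ---
hostname R2
! What R1 will SEND; this is the only entry R2 consults when it checks R1.
username R1 password 0 pass1
interface Serial0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username R2 password pass2
!
! ===== CHAP, both directions: one shared secret, stored under the PEER's name =====
! --- R1 ---
hostname R1
! Used twice: to answer R2's challenge and to verify R2's response.
username R2 password 0 chapsecret
interface Serial0
 encapsulation ppp
 ppp authentication chap
!
! --- R2 ---
hostname R2
! Same secret as on R1, keyed by R1's hostname. No "username R2" line is needed.
username R1 password 0 chapsecret
interface Serial0
 encapsulation ppp
 ppp authentication chap
```

Each router's own name never appears as a `username` entry in the CHAP half; the hostname is what goes into the Challenge and Response packets, and the `username <peer>` entry is where the secret comes from on both the sending and the verifying side.
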
-----Original Message-----
From: OhioHondo [mailto:ohiohondo@columbus.rr.com]
Sent: Thursday, February 27, 2003 6:28 PM
To: Michael Snyder; 'OhioHondo'
Cc: ccielab@groupstudy.com
Subject: RE: RE: Amazing but true

Mike

I also tried to lab out PAP. I have not been able to get PAP to work on my
IOS unless I use the PAP "sent username" command. I know from reading some
old documentation (11.x) that PAP also uses the hostname, I'm not sure where
it finds a password to send. I tried your config and it did not work!!!

All I can think of is that PAP needs to use the "ppp pap sent-username"
command under the interface on my IOS. I was using a serial link if that
makes a difference.

FYI ----

-----Original Message-----
From: Michael Snyder [mailto:msnyder@revolutioncomputer.com]
Sent: Thursday, February 27, 2003 7:10 PM
To: 'OhioHondo'
Cc: ccielab@groupstudy.com
Subject: RE: RE: Amazing but true

I assumed that both usernames were not being used at the same time.

I never dived into it enough to figure out which ones were not needed.

You have to admit that it's a quick way to do it.

Two users, two passwords, keep them straight for pap.

Two users, two passwords, transpose them for chap.

Thanks for labbing it out. :) One more mystery solved.

-----Original Message-----
From: OhioHondo [mailto:ohiohondo@columbus.rr.com]
Sent: Thursday, February 27, 2003 5:57 PM
To: Michael Snyder; p729@cox.net
Cc: ccielab@groupstudy.com
Subject: RE: RE: Amazing but true

I labbed this up and I came out with the following:

When a router sends the initial challenge of the 3-way handshake out it uses
its own hostname and the password of the remote router which is found in
the username config statement. So from your config, router A sends out 'A
with a hash based on a password of 2'.

The return response does the same thing. The name sent is B and it creates
the hash from the password of the remote routers username entry in router
B's config. So this is 'B with a hash based on a password of 2'.

They are using the same "secret" password.

Username A on router A and Username B on router B are not used in the
process. They are not needed.

The PAP authentication is one-way, something like a simple logon into the
router with the remote device providing a username and password. There must
be extra, unneeded statements in the PAP configuration also.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Michael Snyder
Sent: Thursday, February 27, 2003 1:39 PM
To: p729@cox.net
Cc: ccielab@groupstudy.com
Subject: RE: RE: Amazing but true

>In order to derive the same hash, the passwords MUST be the SAME for a
>given username. Don't be fooled by claims of being able to use different
>passwords on each end with CHAP

Are you sure we're talking about the same thing? My posted template works,
feel free to try both my chap and pap templates.

How do you reconcile your statement with my working config?

Router A

Username A password 0 pass1
Username B password 0 pass2

Router B

Username A password 0 pass2
Username B password 0 pass1

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
p729@cox.net
Sent: Thursday, February 27, 2003 10:44 AM
To: Michael Snyder; 'ccie2be'
Cc: ccielab@groupstudy.com
Subject: Re: RE: Amazing but true

Michael,

With PAP, the password is sent across the wire in plain-text,
effectively: "here is my username and password, authenticate me." The
authenticator simply does a lookup. What's important is the PAP
sent-username and password and the username and password on the
authenticator match. The username and password on the authenticatee (the side
requesting to be authenticated) is superfluous.

With CHAP, the password itself is never actually sent over the wire, only a
hashed version of it. All the authenticator knows is "who am I
authenticating?" Somehow, the authenticator must derive the same hash that
the authenticatee sent so the results of a comparison will be a match. In
order to derive the same hash, the passwords MUST be the SAME for a given
username. Don't be fooled by claims of being able to use different passwords
on each end with CHAP. In reality, different USERNAMES and passwords are
being used--it's the only way it can work.

Regards,

Mas Kato
https://ecardfile.com/mkato
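
The two exchanges Mas Kato describes here, and the trace of which username entries actually get consulted in OhioHondo's lab-up higher in the thread, as an added example that is not code from any post. It replays the Router A / Router B tables from Michael's transposed CHAP template. The CHAP digest is the RFC 1994 construction MD5(Identifier || secret || Challenge); the packet tuples, the `wire` list, the constructed PAP sent-username for B and the passive-tap helper are assumptions made for illustration only.

```python
"""
Added example, not code from any post in this thread: a simulation of the
PPP PAP and CHAP exchanges, run against the Router A / Router B username
tables posted in the thread (the transposed CHAP template), so that the
entries found to be unused can be checked mechanically.
"""
import hashlib
import os

# Constructed from the thread's CHAP template; B's passwords are transposed.
# Each table is keyed by the name the PEER presents, not the router's own.
ROUTER_A = {"hostname": "A", "usernames": {"A": "pass1", "B": "pass2"}}
ROUTER_B = {"hostname": "B", "usernames": {"A": "pass2", "B": "pass1"}}

# B's `ppp pap sent-username B password pass2`, as a constructed constant.
B_PAP_SENT = ("B", "pass2")


def chap_digest(ident, secret, challenge):
    """RFC 1994 Response Value: MD5 over Identifier, secret and Challenge."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_authenticate(authenticator, peer, wire, ident=1, challenge=None):
    """One direction of CHAP: `authenticator` challenges `peer`.

    Every packet is appended to `wire` (what a line tap would see). Returns
    (success, list of "router: username X" entries that were consulted).
    """
    challenge = challenge or os.urandom(16)
    auth_name, peer_name = authenticator["hostname"], peer["hostname"]
    consulted = []
    # 1. Challenge: the authenticator's own hostname plus a nonce; no secret.
    wire.append(("CHAP-Challenge", auth_name, ident, challenge.hex()))
    # 2. The peer looks up the CHALLENGER's name in its own table to find the
    #    secret, hashes, and answers with its own hostname and the digest.
    consulted.append(f"{peer_name}: username {auth_name}")
    response = chap_digest(ident, peer["usernames"][auth_name], challenge)
    wire.append(("CHAP-Response", peer_name, ident, response.hex()))
    # 3. The authenticator looks up the RESPONDER's name and recomputes, so
    #    it must hold the same secret, in cleartext, under that name.
    consulted.append(f"{auth_name}: username {peer_name}")
    expected = chap_digest(ident, authenticator["usernames"][peer_name], challenge)
    return expected == response, consulted


def pap_authenticate(authenticator, sent_username, sent_password, wire):
    """PAP: the `ppp pap sent-username` pair crosses the wire in the clear
    and the authenticator only compares it with its username table."""
    wire.append(("PAP-Authenticate-Request", sent_username, sent_password))
    return authenticator["usernames"].get(sent_username) == sent_password


def tap_learns(wire):
    """What a passive tap recovers: every PAP password, never a CHAP secret."""
    return sorted({pkt[2] for pkt in wire if pkt[0] == "PAP-Authenticate-Request"})


def run_thread_scenario():
    """Replay the thread's configs and return the observable results."""
    chap_wire, pap_wire = [], []
    b_checks_a, used1 = chap_authenticate(ROUTER_B, ROUTER_A, chap_wire)
    a_checks_b, used2 = chap_authenticate(ROUTER_A, ROUTER_B, chap_wire)
    # PAP with the recipe the thread settled on: B's sent-username is its own
    # hostname, and A holds that name with the password B sends.
    pap_ok = pap_authenticate(ROUTER_A, *B_PAP_SENT, pap_wire)
    return {
        "chap_b_authenticates_a": b_checks_a,
        "chap_a_authenticates_b": a_checks_b,
        "chap_entries_consulted": used1 + used2,
        "pap_ok": pap_ok,
        "tap_sees_from_chap": tap_learns(chap_wire),
        "tap_sees_from_pap": tap_learns(pap_wire),
    }


if __name__ == "__main__":
    for key, value in run_thread_scenario().items():
        print(f"{key}: {value}")
```

Running it shows both CHAP directions succeeding while only `A: username B` and `B: username A` are ever consulted, which are the two `pass2` entries; the two `pass1` entries are dead configuration, and swapping them for anything else changes nothing. The tap list makes Joe's trade-off at the top of the thread concrete: CHAP gives the tap nothing, but `chap_authenticate` can only verify a response by recomputing the MD5 over the cleartext secret, so the authenticator's table has to hold secrets in recoverable form, whereas `pap_authenticate` could just as well compare against a stored hash.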

============================================================
From: "Michael Snyder" <msnyder@revolutioncomputer.com>
Date: 2003/02/26 Wed PM 08:24:45 EST
To: "'ccie2be'" <ccie2be@nyc.rr.com>
CC: <ccielab@groupstudy.com>
Subject: RE: Amazing but true

I've come to conclusion that the number of responses you get from groupstudy
plotted out looks like a bell curve.

The closer you are getting to passing the lab, the number of responses
decreases.

Here's a good example, I asked this last year and never got a response.

Why with PAP do the user passwords stay the same on both ISDN routers?

Router A

Username A password 0 pass1
Username B password 0 pass2

Router B

Username A password 0 pass1
Username B password 0 pass2

And with CHAP, you transpose the passwords on one of the routers?

Router A

Username A password 0 pass1
Username B password 0 pass2

Router B

Username A password 0 pass2
Username B password 0 pass1

I understand the CHAP and PAP processes, I have watched the debugs many
times.

Still, why would Cisco program the ISDN functionality so that you have to
change the user password arrangement depending on CHAP vs PAP?

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Wednesday, February 26, 2003 1:50 PM
To: Group Study
Subject: Amazing but true

Hi everyone,

Over the past few weeks, several times I've posted a question regarding the
two types of care-of-addresses used with Mobile IP. My question concerned
what determines which type of address is used and whether the type used is
something that's configured on the router or determined by some other means
- perhaps the software installed on the mobile client.

What surprises me though is that there hasn't been one single response! I
don't understand how that could be. I've searched thru both the Group Study
archives and Cisco's documentation and found nothing addressing this
question. I also know that mobile IP is fair game for the lab, so I'm
amazed that this question continues to go unanswered.

And, though I can't understand why that is I've come up with 2 theories:

a) nobody knows
b) nobody cares

I can't imagine that nobody on groupstudy knows this - this is probably the
most knowledgeable group of networking professionals in the world - so let's
nix that idea.

Could it be that nobody cares? That's also hard to imagine. Everyday,
questions seemingly far more esoteric are posted and responded to. Besides,
there must be at least a few people who might need to implement Mobile IP in
the near future and they would certainly need to know about this. And, even
if nobody at the moment needed to know about this for work, most people on
group study seemed to be very intellectually curious. So, let's nix this
theory as well.

Well, I hope this sparks some discussion, and maybe, in the process,
generates the answer to the original question.

What do you think?

Jim
============================================================
============================================================



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:39 GMT-3