NTS Published as Standard

2020-10-21Authentication, NTPAEAD, Authentication, Guest Post, NTP, NTS, TLSMartin Langer

This is a guest blogpost by Martin Langer, Ph.D. student for “Secured Time Synchronization Using Packet-Based Time Protocols” at Ostfalia University of Applied Sciences, Germany.

The Internet Engineering Task Force (IETF) published the Network Time Security protocol (NTS) as RFC 8915 on October 1, 2020. This new standard offers security mechanisms for the widely used Network Time Protocol v4 (NTPv4), which has been operated mostly unsecured until now. After almost eight years of development, global collaboration, and many interoperability tests of leading NTP software developers, NTS represents a mature security protocol. In this post, I’ll give you a short overview of the development progress of NTS and provide a list of public implementations and NTS secured time servers…

Continue reading NTS Published as Standard →

iperf3 on a FortiGate

2020-09-23Bandwidth/Delay, Fortinet, Internet Access, MonitoringBandwidth, FortiGate, Fortinet, iperf, SpeedJohannes Weber

This is a really nice feature: you can run iperf3 directly on a FortiGate to speed-test your network connections. It’s basically an iperf3 client. Using some public iperf servers you can test your Internet bandwidth; using some internal servers you can test your own routed/switched networks, VPNs, etc. However, the maximum throughput for the test is CPU dependent. So please be careful when interpreting the results. Here we go:

Continue reading iperf3 on a FortiGate →

NTP Filtering (Delay & Blockage) in the Internet

2020-09-07NTPCongestion, DDoS, Guest Post, Internet, ISP, NTP, NTP Filtering, NTP Pool Project, TIMESteven Sommars

NTP (Network Time Protocol) messages are sometimes rate-limited or blocked entirely by Internet operators. This little-known “NTP filtering” was put into place several years ago in response to DDoS (Distributed Denial of Service) attacks. NTP filtering may drop NTP messages based on rate or message size. Let’s dig into it: Continue reading NTP Filtering (Delay & Blockage) in the Internet →

A Little Printing Please – Packet Capture

2020-08-19iPhone/iPad, NetworkAirPrint, IPP, LPD, LPR, pcap, Printer, WiresharkJohannes Weber

Uh, I wasn’t aware of so many different printing protocols. Do you? While I was trying to solve a little printing problem I took a packet capture of three different printing variants over TCP/IP: Raw via TCP port 9100, LPD/LPR via TCP port 515, and Apple’s AirPrint which uses the Internet Printing Protocol IPP. As always, you can download this pcap and have a look at it by yourself.

Continue reading A Little Printing Please – Packet Capture →

Palo Alto GRE Tunnel

2020-07-21Network, Palo Alto NetworksCisco Router, GRE, Palo Alto Networks, Static RouteJohannes Weber

Since PAN-OS version 9.0 you can configure GRE tunnels on a Palo Alto Networks firewall. Greetings from the clouds. As always, this is done solely through the GUI while you can use some CLI commands to test the tunnel. This time Palo put a little stumbling block in there as you have to allow a GRE connection with a certain zone/IP reference. I will show how to set up such a GRE tunnel between a Palo and a Cisco router. Here we go:

Continue reading Palo Alto GRE Tunnel →

Certificate Transparency & Alternative Name Disclosure

2020-06-30CertificateCertificate, Certificate Transparency, Disclosure, IPv6, Let's Encrypt, SAN, Subject Alternative Name, WHOISJohannes Weber

Maybe you’ve heard of Certificate Transparency and its log. Citing Wikipedia: “Certificate Transparency (CT) is an Internet security standard and open source framework for monitoring and auditing digital certificates.” Basically, it gives you information about any public certificate that is issued. Besides its advantages, I thought of one possible problem as it leaks all FQDNs to the public when using TLS certificates, for example from Let’s Encrypt.

A similar problem might arise when using a single X.509 certificate with a couple of DNS names (subject alternative name SAN) from which one should be kept “private”. It will be publicly known as well.

Hence I made a self-experiment in which I generated two certificates with random names, monitoring the authoritative DNS servers as well as the IPv6 addresses of those names in order to check who is resolving/connecting to otherwise unknown hostnames. Here we go:

Continue reading Certificate Transparency & Alternative Name Disclosure →

Slowing down my Blogging Rate

2020-05-22Off-TopicBirthday, Blog, FinancingJohannes Weber

A few days ago, my blog turned seven (7). Wow! And this post right here is number 329. This is roughly one post per week over the last seven years. Not bad. ;D I can’t believe I was able to publish that much at this rate for so long. However, I have decided to slow down my publishing rate for some reason. Following are some insights:

Continue reading Slowing down my Blogging Rate →

UK IPv6 Council Spring 2020: Incorrect Working IPv6 Clients & Networks

2020-04-29Conference Talks, IPv6, NTPfail, ICMPv6, IPv6, NTP, NTP Pool Project, StatisticsJohannes Weber

I did a short presentation at the spring 2020 roundtable of the UK IPv6 Council. The talk was about a case study I did with my NTP server listed in the NTP Pool project: For 66 days I captured all NTP requests for IPv6 and legacy IP while analyzing the returning ICMPv6/ICMPv4 error messages. (A much longer period than my initial capture for 24 hours.) Following are my presentation slides along with the results.

Continue reading UK IPv6 Council Spring 2020: Incorrect Working IPv6 Clients & Networks →

SharkFest’19 EUROPE: IPv6 Crash Course

2020-04-14Conference Talks, IPv6DAD, IPv6, IPv6 Duplicate Address Detection, IPv6 Neighbor Discovery, Router Advertisement, SharkFest, WiresharkJohannes Weber

I gave a session about IPv6 at SharkFest’19 EUROPE, the annual Wireshark developer and user community conference, named “IPv6 Crash Course: Understanding IPv6 as seen on the wire“. The talk is about the IPv6 basics, which are: IPv6 addresses & address assignment, link-layer address resolution, and ICMPv6. Tips for using Wireshark coloring rules and display filters round things up.

As I have not yet published the slides, here they are. Unfortunately, we were not able to record the session due to technical problems. Neither the video nor the audio. ;( Hence, here are only mere slides.

Continue reading SharkFest’19 EUROPE: IPv6 Crash Course →

Types of VPN

2020-04-02At a Glance, IPsec/VPN, TLSPolicy-Based VPN, Remote Access VPN, Route-Based VPN, Site-to-Site VPN, SSL-VPN, TLS, VPN Portal, Web VPNJohannes Weber

Another small post out of my “At a Glance” series: The different types of virtual private networks (VPNs). Looking at Site-to-Site and Remote Access VPNs.

Continue reading Types of VPN →

More Capture Details

2020-03-11NetworkDDNS, DHCPv6-PD, DNS, DNS Suffix Search List, DNSSL, Dynamic DNS, Follow TCP Stream, GRE, IPv6, NetFlow, nsupdate, RDNSS, Router Advertisement, Telnet, WiresharkJohannes Weber

In the previous post, I released my Ultimate PCAP which includes every single pcap I had so far on my blog. But that’s not all: I have some packets in there that were not yet published up to now. That is, here are some more details about those (probably well-known) protocols. These are:

Continue reading More Capture Details →

The Ultimate PCAP

2020-02-25NetworkIPv6, Legacy IP, Network Protocol, pcap, WiresharkJohannes Weber

For the last couple of years, I captured many different network and upper-layer protocols and published the pcaps along with some information and Wireshark screenshot on this blog. However, it sometimes takes me some time to find the correct pcap when I am searching for a concrete protocol example. There are way too many pcaps out there.

This is supposed to change now:

I’m publishing a single pcap meant to be a single point of source for Wireshark samples. It is summarizing *all* previous ones from my blog and even adding some more protocols and details. I will constantly add more packets to this pcap if I have some. Currently, it has > 50 different protocols and hundreds of variants, such as IPv6 and legacy IP traffic, different DNS query types, ICMP error codes, and so on.

Continue reading The Ultimate PCAP →

Who is WHOIS?

2020-02-13NetworkFollow TCP Stream, pcap, TCP, Traceroute, WHOIS, WiresharkJohannes Weber

I am using the WHOIS client a lot these days since I am migrating some RIPE objects such as ASes, inetnum/inet6num, etc. Meanwhile, I recognized that I have never captured this TCP port 43 protocol, nor looked at it with Wireshark. That’s what this post is all about, incl. a downloadable pcap for your own analysis.

Continue reading Who is WHOIS? →

VoIP Captures

2020-01-28Networkpcap, RTP, SDP, SIP, VoIP, WiresharkJohannes Weber

VoIP calls, using the network protocols SIP/SDP and RTP, are the de-facto standard when it comes to voice calls. Wireshark offers some special features to analyze those calls and RTP streams – even with a nice “Play Streams” option, which discretely decodes your calls. Ouch. Again and again, frightening which privacy-related protocols are completely unencrypted on the Internet!

Here are some hints for Wireshark as well as a downloadable pcap with three calls in there. ;) Have fun!

Continue reading VoIP Captures →

DNS Capture – The Records Edition

2020-01-13DNS/DNSSECdig, DNS, DNSSEC, host, pcap, Resource Record, Test, WiresharkJohannes Weber

Some time ago I published a post called DNS Test Names & Resource Records which lists many different FQDNs with lots of different RRs. You can use those public available DNS names to test your DNS servers or the like. However, I was missing a packet capture showing all these resource records as they appear on the wire. So now, here it is. If you are searching for some packets to test your tools for whatever reason, feel free to download this pcap.

Continue reading DNS Capture – The Records Edition →

Weberblog.net

IT-Security, Networks, IPv6, DNSSEC, NTP, Monitoring, DIY