16.11.2013 Views

Noncompliant Equipment - GIAC


Address Resolution Protocol (ARP)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: Request
Sender hardware address: 00-03-4f-00-15-20
Sender IP address: 0.0.0.0
Target hardware address: 00-ff-ff-ff-ff-ff
Target IP address: 0.0.0.0

There seems to be a bug in the ARP implementation that causes it to set the target hardware address to 00-ff-ff-ff-ff-ff instead of 00-00-00-00-00-00, which is what it should be if the target hardware address is not known to the device. 00-ff-ff-ff-ff-ff seems to be the Fibre Channel ARP destination broadcast address referenced in RFC 4338.
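One way to find every device on a segment that shows this behaviour, as an added example that is not part of the original paper: decode the 28-byte Ethernet/IPv4 ARP body and count requests whose target hardware address is not all zeros, grouped by sender. The helper names and the second sample packet are assumptions made for illustration.

```python
import struct
from collections import Counter

ARP_FMT = "!HHBBH6s4s6s4s"   # 28-byte ARP body for Ethernet/IPv4
ZERO_MAC = bytes(6)          # target hardware address the text expects in a request
OP_REQUEST = 1


def mac(b):
    """Format a hardware address the way the decode above prints it."""
    return "-".join(f"{x:02x}" for x in b)


def parse_arp(payload):
    """Decode the ARP body that follows the Ethernet header."""
    if len(payload) < 28:
        raise ValueError("ARP body shorter than 28 bytes")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (0x0001, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def audit(payloads):
    """Count requests with a non-zero target hardware address,
    keyed by (sender MAC, target MAC), to identify the offending devices."""
    hits = Counter()
    for p in payloads:
        try:
            arp = parse_arp(p)
        except ValueError:
            continue  # truncated or non-Ethernet/IPv4 frame: skip, do not crash
        if arp["op"] == OP_REQUEST and arp["tha"] != ZERO_MAC:
            hits[(mac(arp["sha"]), mac(arp["tha"]))] += 1
    return hits


def arp_request(sha, spa, tha, tpa):
    """Build a constructed sample request body."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, OP_REQUEST,
                       bytes.fromhex(sha), bytes(spa), bytes.fromhex(tha), bytes(tpa))


# Constructed samples: the request decoded above, and an ordinary request
# using documentation addresses (192.0.2.0/24) and a made-up local MAC.
DEVICE_REQ = arp_request("00034f001520", [0, 0, 0, 0], "00ffffffffff", [0, 0, 0, 0])
NORMAL_REQ = arp_request("020000000001", [192, 0, 2, 10], "000000000000", [192, 0, 2, 1])

if __name__ == "__main__":
    for (sender, target), n in audit([DEVICE_REQ, NORMAL_REQ, DEVICE_REQ]).items():
        print(f"{sender} sent {n} request(s) with target hardware address {target}")
```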

There is no way to predict what, if anything, this bug will do; however, it is cause for concern, and we need to remember that the device is not equipped with a serial line to recover it if the IP implementation fails. In fact, according to the manufacturer, this device is not even equipped with a hard reset feature by which the default firmware can be recovered. It is accessible only through its connection to the alarm panel.

Although the device is primarily intended to be configured through the hard-wired connection to the alarm panel, it cannot be supported by the skill set of the alarm installer and is not designed with the requirements of the IT group in mind.

Another feature of the device is the capability to use the persistence of a TCP/IP connection as a means of signal circuit supervision. The Central Station alarm receiver can detect an offline condition and raise an alarm as protection against line-cut. The known failure of this device is a manifestation of the buggy ARP implementation, which periodically scrambled the MAC address in the reply packet, causing the device to stop communicating. Of course, the offline conditions were blamed on the network.

The device does not support ICMP, and overall, this device is a problem waiting to happen.

The manufacturer appears to have learned from the mistakes of the first device, and examination of a later model of a similar product is more encouraging, although a review of documentation discloses nothing about the IP stack, either in the A&E specification or in the 48-page manual. At least, this device has the MAC address documented on the device.
