Noncompliant Equipment - GIAC
Address Resolution Protocol (ARP)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: Request
    Sender hardware address: 00-03-4f-00-15-20
    Sender IP address: 0.0.0.0
    Target hardware address: 00-ff-ff-ff-ff-ff
    Target IP address: 0.0.0.0

There seems to be a bug in the ARP implementation that causes it to set the target hardware address to 00-ff-ff-ff-ff-ff instead of 00-00-00-00-00-00, which is what it should be if the target hardware address is not known to the device. 00-ff-ff-ff-ff-ff seems to be the Fibre Channel ARP destination broadcast address referenced in RFC 4338.

There is no way to predict what, if anything, this bug will do; however, it is cause for concern, and we need to remember that the device is not equipped with a serial line to recover it if the IP implementation fails. In fact, according to the manufacturer, this device is not even equipped with a hard reset feature by which the default firmware can be recovered. It is accessible only through its connection to the alarm panel.

Although the device is primarily intended to be configured through the hard-wired connection to the alarm panel, it cannot be supported by the skill set of the alarm installer and is not designed with the requirements of the IT group in mind.

Another feature of the device is the capability to use the persistence of a TCP/IP connection as a means of signal circuit supervision. The Central Station alarm receiver can detect an offline condition and raise an alarm as protection against line-cut. The known failure of this device is a manifestation of the buggy ARP implementation, which periodically scrambled the MAC address in the reply packet, causing the device to stop communicating. Of course, the offline conditions were blamed on the network.

The device does not support ICMP, and overall, this device is a problem waiting to happen.

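Both ARP symptoms described above (the request with a non-zero target hardware address and the scrambled MAC address in replies) can be checked from captured ARP bodies. The following is an added example, not part of the original paper or any vendor tooling. It assumes the scramble appears in the reply's sender hardware address field; the IP address 192.0.2.10, the peer MAC 00-00-5e-00-53-01, both replies and the inventory table are constructed for illustration.

```python
import struct

# Ethernet/IPv4 ARP body: htype, ptype, hlen, plen, opcode, SHA, SPA, THA, TPA
ARP = struct.Struct("!HHBBH6s4s6s4s")
REQUEST, REPLY = 1, 2

def mac(raw):
    return "-".join(f"{b:02x}" for b in raw)

def ip(raw):
    return ".".join(str(b) for b in raw)

def parse_arp(body):
    """Decode a 28-byte Ethernet/IPv4 ARP body; reject anything else."""
    if len(body) < ARP.size:
        raise ValueError("truncated ARP body")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(body)
    if (htype, ptype, hlen, plen) != (0x0001, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op, "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}

def audit(body, inventory):
    """Return findings for one ARP body; inventory maps IP -> documented MAC."""
    p, findings = parse_arp(body), []
    if p["op"] == REQUEST and p["tha"] != "00-00-00-00-00-00":
        findings.append(f"request carries non-zero target hardware address {p['tha']}")
    if p["op"] == REPLY:
        expected = inventory.get(p["spa"])
        if expected is None:
            findings.append(f"reply from uninventoried address {p['spa']}")
        elif expected != p["sha"]:
            findings.append(f"reply for {p['spa']} claims {p['sha']}, documented {expected}")
    return findings

def build(op, sha, spa, tha, tpa):
    """Pack an ARP body from dash-separated MACs and dotted IPs (sample-data helper)."""
    m = lambda s: bytes.fromhex(s.replace("-", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return ARP.pack(0x0001, 0x0800, 6, 4, op, m(sha), i(spa), m(tha), i(tpa))

# The request mirrors the dissection on the page; replies and 192.0.2.10 are constructed.
DEVICE_MAC = "00-03-4f-00-15-20"
INVENTORY = {"192.0.2.10": DEVICE_MAC}
PAGE_REQUEST = build(REQUEST, DEVICE_MAC, "0.0.0.0", "00-ff-ff-ff-ff-ff", "0.0.0.0")
GOOD_REPLY = build(REPLY, DEVICE_MAC, "192.0.2.10", "00-00-5e-00-53-01", "192.0.2.1")
BAD_REPLY = build(REPLY, "00-03-4f-15-00-20", "192.0.2.10", "00-00-5e-00-53-01", "192.0.2.1")

if __name__ == "__main__":
    for name, body in [("request", PAGE_REQUEST), ("good reply", GOOD_REPLY), ("bad reply", BAD_REPLY)]:
        print(name, audit(body, INVENTORY) or "clean")
```

Run against a capture of the device's segment, a check like this attributes the offline conditions to the device's ARP behaviour with evidence instead of blaming the network.
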
The manufacturer appears to have learned from the mistakes of the first device, and examination of a later model of a similar product is more encouraging, although a review of documentation discloses nothing about the IP stack, either in the A&E specification or in the 48-page manual. At least, this device has the MAC address documented on the device.