Re: The state of TACACS+

2014-12-29 Thread Colton Conor
We are able to implement TACACS+. It is my understanding this is a fairly old protocol, so are you saying there are numerous bugs that still need to be fixed? A question I have is TACACS+ is usually hosted on a server, and networking devices are configured to reach out to the server for

Re: The state of TACACS+

2014-12-29 Thread Scott Helms
Colton, Yes, that's the 'normal' way of setting it up. Basically you still have to configure a root user, but that user name and password is kept locked up and only accessed in case of catastrophic failure of the remote authentication system. An important note is to make sure that the fail safe

Re: The state of TACACS+

2014-12-29 Thread Colton Conor
Scott, Thanks for the response. How do you make sure the failsafe and/or root password that is stored in the device in case remote auth fails can't be accessed without having several employees engaged? Are there any mechanisms for doing so? My fear would be we would hire an outsourced tech. After

Re: The state of TACACS+

2014-12-29 Thread joseph.snyder
Change the root when any senior person leaves. It shouldn't be known to a large set of staff members. During the bubble burst rifs we were changing them on 40k+ devices every week. Make sure you verify the pass before disconnecting the login acct making the change. Also make sure you

Re: The state of TACACS+

2014-12-29 Thread Jared Mauch
On Mon, Dec 29, 2014 at 09:32:51AM -0600, Colton Conor wrote: Scott, Thanks for the response. How do you make sure the failsafe and/or root password that is stored in the device in case remote auth fails can't be accessed without having several employees engaged? Are there any mechanisms for

Re: The state of TACACS+

2014-12-29 Thread Scott Helms
Colton, The best thing is to create the password with a random generator so it's impossible for most people to memorize in a short amount of time. It should be ~14 characters long with mixed cases, numbers, and special characters. That password should be tested once and then put in an envelope

Re: The state of TACACS+

2014-12-29 Thread Robert Drake
On 12/29/2014 10:32 AM, Colton Conor wrote: My fear would be we would hire an outsourced tech. After a certain amount of time we would have to let this part timer go, and would disable his or her username and password in TACACS+. However, if that tech still knows the root password they could

Re: The state of TACACS+

2014-12-29 Thread Berry Mobley
At 11:06 AM 12/29/2014, you wrote: On 12/29/2014 10:32 AM, Colton Conor wrote: My fear would be we would hire an outsourced tech. After a certain amount of time we would have to let this part timer go, and would disable his or her username and password in TACACS+. However, if that tech still

Re: Charter ARP Leak

2014-12-29 Thread Valdis.Kletnieks
On Mon, 29 Dec 2014 03:44:48 +, Stephen R. Carter said: Here is a small excerpt I am seeing. 06:04:04.760869 In 00:21:a0:fb:53:d9 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 97.85.59.219 tell 97.85.58.1 06:04:04.761950 In 00:21:a0:fb:53:d9 ff:ff:ff:ff:ff:ff,

Re: The state of TACACS+

2014-12-29 Thread Robert Drake
On 12/28/2014 10:21 PM, Christopher Morrow wrote: and I wonder what percentage of 'users' a vendor has actually USE tac+ (or even radius). I bet it's shockingly low... true.. even in large-ish environments centralized authentication presents problems and can have a limited merit. Up to some

Re: Charter ARP Leak

2014-12-29 Thread Brad Hein
This is normal for a cable modem network. These are broadcast packets so they get delivered to everybody on that node. ARP uses layer-2 broadcast to ask for the owner of a given IP to respond with its MAC so that subsequent communication with that IP can be addressed directly. [sent from mobile

Re: The state of TACACS+

2014-12-29 Thread Michael Douglas
In the Cisco world the AAA config is typically set up to try tacacs first, and local accounts second. The local account is only usable if tacacs is unavailable. Knowledge of the local username/password does not equate to full time access with that credential. Also, you would usually filter the

Re: Charter ARP Leak

2014-12-29 Thread Rampley Jr, Jim F
On 12/29/14, 10:49 AM, valdis.kletni...@vt.edu wrote: On Mon, 29 Dec 2014 03:44:48 +, Stephen R. Carter said: Here is a small excerpt I am seeing. 06:04:04.760869 In 00:21:a0:fb:53:d9 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has

Re: Charter ARP Leak

2014-12-29 Thread Jay Ashworth
- Original Message - From: Rampley Jr, Jim F jim.ramp...@charter.com On 12/29/14, 10:49 AM, valdis.kletni...@vt.edu wrote: On Mon, 29 Dec 2014 03:44:48 +, Stephen R. Carter said: Here is a small excerpt I am seeing. 06:04:04.760869 In

Re: The state of TACACS+

2014-12-29 Thread Colton Conor
Glad to know you can make local access only work if TACACS+ isn't available. However, that still doesn't prevent the employee who knows the local username and password from unplugging the device from the network, and then using the local password to get in. Still better than our current setup of having one

Re: Charter ARP Leak

2014-12-29 Thread Brett Frankenberger
On Mon, Dec 29, 2014 at 12:27:04PM -0500, Jay Ashworth wrote: Valdis, you are correct. What you're seeing is caused by multiple IP blocks being assigned to the same CMTS interface. Am I incorrect, though, in believing that ARP packets should only be visible within a broadcast domain,

Re: Charter ARP Leak

2014-12-29 Thread Jay Ashworth
- Original Message - From: Brett Frankenberger r...@rbfnet.com On Mon, Dec 29, 2014 at 12:27:04PM -0500, Jay Ashworth wrote: Valdis, you are correct. What you're seeing is caused by multiple IP blocks being assigned to the same CMTS interface. Am I incorrect, though, in

Re: Charter ARP Leak

2014-12-29 Thread Jared Mauch
On Mon, Dec 29, 2014 at 11:12:34AM -0600, Rampley Jr, Jim F wrote: On 12/29/14, 10:49 AM, valdis.kletni...@vt.edu wrote: On Mon, 29 Dec 2014 03:44:48 +, Stephen R. Carter said: Here is a small excerpt I am seeing. 06:04:04.760869 In 00:21:a0:fb:53:d9

Re: Charter ARP Leak

2014-12-29 Thread David Coulson
On 12/29/14, 12:51 PM, Jay Ashworth wrote: Ok. But the interface to which the cablemodem is attached, in the general single-DHCP-IP case, is a /24, is it not? I'm on TWC. The IP address I get from them is on a /20. 104.230.32.0/20 dev eth7 proto kernel scope link src 104.230.32.x The

Re: Charter ARP Leak

2014-12-29 Thread Chris Boyd
On Dec 29, 2014, at 11:51 AM, Jay Ashworth j...@baylink.com wrote: Ok. But the interface to which the cablemodem is attached, in the general single-DHCP-IP case, is a /24, is it not? No, I've seen multiple IPv4 /21s assigned to a single customer interface on a CMTS. The newer CMTS are

RE: Charter ARP Leak

2014-12-29 Thread Phil Bedard
The CM is just a bridge for that traffic. It has a management IP assigned to it by the provider but that's a different network so to speak. Phil -Original Message- From: Jay Ashworth j...@baylink.com Sent: 12/29/2014 12:52 PM To: NANOG nanog@nanog.org Subject: Re: Charter ARP Leak

Re: The state of TACACS+

2014-12-29 Thread Michael Douglas
If someone has physical access to a Cisco router they can initiate a password recovery; tacacs vs local account doesn't matter at that point. On Mon, Dec 29, 2014 at 12:28 PM, Colton Conor colton.co...@gmail.com wrote: Glad to know you can make local access only work if TACAS+ isn't available.

Re: Charter ARP Leak

2014-12-29 Thread Jay Ashworth
- Original Message - From: David Coulson da...@davidcoulson.net We all knows it's easier to add another secondary IP to the interface and add a new DHCP scope than to try to expand a subnet. From an intermediate routing standpoint, though, it would be easier to add an *adjacent*

RE: Charter ARP Leak

2014-12-29 Thread Corey Touchet
Well, I would for one be very interested if the 8 ARP packets a second count against the caps. Given a len of 46 or 60 it is not much, but that's about a gig of traffic almost, assuming 8 of those a second happen (and my cold medicine addled mind is working). I'm sure it's not just that when it

Re: The state of TACACS+

2014-12-29 Thread Tim Raphael
Making the TACACS+ server unavailable is fairly easy - a small LAN-based DDoS would do it, or a firewall rule change somewhere in the middle. Either would cause the router to failover to its local account. - this is based on the fact that said attacker has some sort of access previously and
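The AAA arrangement Michael Douglas describes (TACACS+ first, local account second, local only usable when TACACS+ cannot be reached, with the VTYs filtered), together with the failover caveat Tim Raphael raises, as a worked Cisco IOS configuration. This is an added example and not a config posted by anyone in the thread. The server addresses 192.0.2.10/11, the shared key, the 192.0.2.0/24 management range and the `breakglass` username are placeholders to be replaced.

```cisco
! Added example (not from the thread). Placeholders: 192.0.2.x addresses,
! CHANGE-ME-SHARED-SECRET, the MGMT-ONLY range and the breakglass username.
aaa new-model
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key CHANGE-ME-SHARED-SECRET
tacacs server TAC2
 address ipv4 192.0.2.11
 key CHANGE-ME-SHARED-SECRET
aaa group server tacacs+ NOC-TACACS
 server name TAC1
 server name TAC2
!
! Method-list order is the whole point: "local" is only tried when every
! server in the group fails to answer (an ERROR). A server that answers
! with a REJECT ends the attempt; the local account is not consulted.
aaa authentication login default group NOC-TACACS local
aaa authorization exec default group NOC-TACACS if-authenticated
aaa authorization commands 15 default group NOC-TACACS if-authenticated
aaa accounting exec default start-stop group NOC-TACACS
aaa accounting commands 15 default start-stop group NOC-TACACS
!
! Break-glass account: random, tested once, then sealed, as the thread
! recommends. It is only reachable once the servers above are unreachable.
username breakglass privilege 15 secret <random-14-plus-character-string>
enable secret <different-random-string>
!
! Filter the VTYs. "Make the server unreachable, then log in locally" now
! requires a foothold inside the management range, not just any LAN port.
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
line con 0
 exec-timeout 10 0
```

Two checks worth running after applying this: log in with a TACACS+ account and confirm the session is accounted on the server; then, in a maintenance window, make the servers unreachable (shut the path, not the router) and confirm that the `breakglass` account works and that a valid TACACS+ account does not. The console line still falls through to the local account when the servers are down, which is by design; physical access, as noted later in the thread, defeats any of this through password recovery anyway.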

Re: Charter ARP Leak

2014-12-29 Thread Larry Sheldon
On 12/29/2014 11:35, Brett Frankenberger wrote: On Mon, Dec 29, 2014 at 12:27:04PM -0500, Jay Ashworth wrote: Valdis, you are correct. What you're seeing is caused by multiple IP blocks being assigned to the same CMTS interface. Am I incorrect, though, in believing that ARP packets should only

Re: Charter ARP Leak

2014-12-29 Thread Jason Hellenthal
Well sure they are subnets :-) of 0.0.0.0/4 range: 0.0.0.0 15.255.255.255 range b10: 0 268435455 range b16: 0x0 0xfff hosts: 268435456 prefixlen: 4 mask:240.0.0.0 Doubt anyone should ever describe them as such unless they own all that space though. May God rest

Re: Charter ARP Leak

2014-12-29 Thread Ricky Beam
On Mon, 29 Dec 2014 17:41:45 -0500, Corey Touchet corey.touc...@corp.totalserversolutions.com wrote: Well, I would for one be very interested if the 8 ARP packets a second count against the caps. Depends on where and what counters they probe. I would assume they look at unicast fields,

Re: Charter ARP Leak

2014-12-29 Thread Larry Sheldon
On 12/29/2014 22:32, Ricky Beam wrote: On Mon, 29 Dec 2014 17:41:45 -0500, Corey Touchet corey.touc...@corp.totalserversolutions.com wrote: Well, I would for one be very interested if the 8 ARP packets a second count against the caps. Depends on where and what counters they probe. I would

Re: Shapefiles, KMZs, etc.

2014-12-29 Thread Martin Hannigan
I like the idea of building on the Telecom Ramblings micro site: http://www.telecomramblings.com/metro-fiber-maps/ Don't forget Greg's Cablemaps, the awesome undersea archive and the gold standard of how to do this IMHO: http://www.cablemap.info/ Best, -M On Sat, Dec 27, 2014 at

RE: Charter ARP Leak

2014-12-29 Thread Phil Bedard
They generally use IPDR on the CMTS for accounting, and I don't believe it counts ARP. Phil -Original Message- From: Ricky Beam jfb...@gmail.com Sent: 12/29/2014 11:34 PM To: Corey Touchet corey.touc...@corp.totalserversolutions.com Cc: nanog@nanog.org nanog@nanog.org Subject: Re:
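A short analysis of the tcpdump excerpt the ARP thread is built on, as an added example (not code posted by anyone in the thread). It parses `tcpdump -e` ARP request lines in the format Stephen R. Carter quoted, groups the addresses being ARPed for by /24 and by the gateway that asked, and lists the prefixes that are not the capturing host's own, which is what "multiple IP blocks assigned to the same CMTS interface" looks like from the subscriber side. It also carries through Corey Touchet's back-of-envelope figure for how much broadcast traffic that rate amounts to per month. Only the first capture line is from the thread; the remaining lines, the gateway 97.85.60.1 and the host address 97.85.59.50/24 are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# One tcpdump -e line per frame, in the format quoted in the thread. Only the
# first line is from the thread; the rest are constructed for this example.
SAMPLE_CAPTURE = [
    "06:04:04.760869 In 00:21:a0:fb:53:d9 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 97.85.59.219 tell 97.85.58.1",
    "06:04:04.761950 In 00:21:a0:fb:53:d9 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 97.85.59.220 tell 97.85.58.1",
    "06:04:04.900120 In 00:21:a0:fb:53:d9 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 97.85.58.77 tell 97.85.58.1",
    "06:04:05.010440 In 00:21:a0:fb:53:d9 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 97.85.61.5 tell 97.85.60.1",
    "06:04:05.260869 In 00:21:a0:fb:53:d9 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 46: arp who-has 97.85.60.14 tell 97.85.60.1",
    # A non-ARP frame mixed in: the parser must skip it, not fail on it.
    "06:04:05.300000 In 00:21:a0:fb:53:d9 00:21:a0:fb:53:d9, ethertype IPv4 (0x0800), length 98: 97.85.58.1 > 97.85.59.10: ICMP echo request",
]

# tcpdump -e ARP request line: timestamp, optional direction, src/dst MAC,
# ethertype, frame length, then "who-has <target> tell <sender>".
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:In|Out)?\s*"
    r"(?P<src_mac>[0-9a-f:]{17})\s+(?P<dst_mac>[0-9a-f:]{17}),\s+"
    r"ethertype ARP \(0x0806\), length (?P<length>\d+): "
    r"arp who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)$"
)


def _seconds(ts: str) -> float:
    """HH:MM:SS.ffffff -> seconds since midnight (fine within one capture)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_arp_requests(lines):
    """One record per 'who-has' line; lines in any other format are ignored."""
    records = []
    for line in lines:
        m = ARP_REQUEST.match(line.strip())
        if not m:
            continue
        records.append({
            "t": _seconds(m["ts"]),
            "src_mac": m["src_mac"],
            "length": int(m["length"]),
            "target": ipaddress.ip_address(m["target"]),
            "sender": ipaddress.ip_address(m["sender"]),
        })
    return records


def summarize(records, prefixlen=24):
    """Group ARP targets by /prefixlen and by the gateway asking for them.

    Several prefixes behind one gateway, or several gateways behind one
    source MAC, is what multiple IP blocks on one CMTS interface looks like.
    """
    by_sender = defaultdict(set)
    for r in records:
        net = ipaddress.ip_network(f"{r['target']}/{prefixlen}", strict=False)
        by_sender[r["sender"]].add(net)
    all_nets = set().union(*by_sender.values()) if by_sender else set()
    times = [r["t"] for r in records]
    span = max(times) - min(times) if len(times) > 1 else 0.0
    return {
        "requests": len(records),
        "prefixes": [str(n) for n in sorted(all_nets)],
        "senders": {str(s): [str(n) for n in sorted(nets)] for s, nets in by_sender.items()},
        "span_seconds": span,
        "requests_per_second": len(records) / span if span > 0 else None,
        "bytes": sum(r["length"] for r in records),
    }


def foreign_prefixes(records, own_interface, prefixlen=24):
    """Prefixes seen in ARP that are not the capturing host's own: the 'leak'."""
    own = ipaddress.ip_interface(own_interface).network
    seen = {ipaddress.ip_network(f"{r['target']}/{prefixlen}", strict=False) for r in records}
    return [str(n) for n in sorted(seen) if n != own]


def monthly_bytes(requests_per_second, frame_length, days=30):
    """Bytes per month if the broadcast rate held steady. The thread's figure
    (8 requests/s, 60-byte frames) comes out at about 1.24 GB."""
    return requests_per_second * frame_length * 86400 * days


if __name__ == "__main__":
    recs = parse_arp_requests(SAMPLE_CAPTURE)
    print(summarize(recs))
    print("not my block:", foreign_prefixes(recs, "97.85.59.50/24"))
    print("bytes/month at 8/s x 60 B:", monthly_bytes(8, 60))
```

Feed it `tcpdump -e -n arp` output from a cable modem segment and the `senders` map answers Brett Frankenberger's question directly: every prefix listed under one gateway address shares that gateway's broadcast domain, so its ARP is expected to be visible, whether or not your own address is in it. Whether any of it is billed is a separate question, and Phil Bedard's point stands: the byte figure here is wire traffic, not what IPDR on the CMTS counts.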

RE: The state of TACACS+

2014-12-29 Thread emille
I've long since deleted the OP's message, but figured I would share our experiences having been using TACACS+ with our Cisco hardware for a couple of years. Originally deployed for the need and want of controlling multiple users across several devices, and to safely control 3rd party read, or