Thanks for the detailed and comprehensive explanation, Jarrod.
Lots of thanks here ;)
> On Jun 14, 2018, at 10:23 AM, Jarrod Johnson <jjohns...@lenovo.com> wrote:
>
> So the firmware team decided to stop allowing cipher suite 2 (Also forbids
> IPMI 1.5). It's the same line of thought that causes them to disable http
> and only allow https (and further, https has disabled a lot of ciphers) and
> same reason telnet server is disabled and only ssh allowed (also with some
> older ssh ciphers removed). If you don't have those formerly (for you
> current) optional rpms, then xCAT used IPMI 2.0, cipher suite 2 to speak to
> BMCs (or IPMI 1.5 if 2.0 wasn't supported). If those rpms are there, then it
> was able to do cipher suite 3. For some systems, a firmware update will
> remove support for older ciphers, some systems never shipped with a version
> that allowed cipher suite 2.
>
> Random rambling on the state of the security of this stuff for the curious:
> Fun fact, IPMI cipher suite 3 and better is not vulnerable to quantum
> computing based attacks, even in theory at the moment. Ditto for SNMPv3 at
> 'authPriv' level of protection..
>
> Cipher Suite2 provided full protection for your username/password and
> provided full integrity assurance, but on the wire you would be able to see
> the payload ("what is server power state? It is on") as it was authenticated
> and integrity assured, but no privacy cipher. Cipher suite 3 added AES to
> provide encryption as well as integrity and authentication via HMAC-SHA1 (now
> not only protected against tampering and impersonation, but eavesdropper
> doesn't know what the conversation is, though they could make educated
> guesses based on traffic analysis, like with all protocols).
>
> For any curious, one thing with IPMI is that the password is really a shared
> secret, and the BMC goes first with 'proof'. Therefore anyone with ability
> to send and receive udp ports to an IPMI device can send a message and will
> receive a random set of data and an HMAC using the password as as the key.
> This is roughly equivalent to getting a copy of /etc/shadow of your password
> and as such someone can ask for the equivalent of /etc/shadow for a user they
> know the name of. This is not necessarily fatal as if you select a strong
> password (e.g. 20 random characters), your password even in /etc/shadow form
> will never fall to an attacker. SNMPv3 has a similar situation, but the
> client goes first, so attacker would have to either capture traffic or spoof
> the ip of an SNMP endpoint. Of course on the other hand using TLS with cert
> verification disabled is also vulnerable to the latter sort of attack and in
> fact is actually weaker, as at least in SNMP and IPMI the password is never
> actually sent on the wire, only a derivation of it, versus TLS schemes that
> assume it's ok to ship the password.
>
>
> For those curious about security, HMAC-SHA1 may raise eyebrows and in fact
> there are newer cipher suites with SHA256/SHA384. However when used in an
> HMAC, SHA1 is still considered ok, as collision/preimage isn't the risk in
> HMAC, so SHA1 has no known weaknesses relevant to HMAC.
>
>
>
> -----Original Message-----
> From: Rogie Pamintuan <rbpamint...@gmail.com>
> Sent: Thursday, June 14, 2018 10:06 AM
> To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
> Subject: Re: [xcat-user] [External] No cipher suite match with proposed
> security algorithms
>
> Great. A BIG thanks Jarrod.
>
> I will have to test those 2 rpms since the cluster is in Production.
>
> before we wrap up this issue. I want to know where exactly the changes
> happened. Is it in BMC level? or BMC for Lenovo machines? or directly with
> xCAT? when we hit the cipher issue.
>
> Thanks Again.
>
>
>
>> On Jun 14, 2018, at 8:47 AM, Rogie Pamintuan <rbpamint...@gmail.com> wrote:
>>
>> Morning Jarrod,
>>
>> Just to confirm > Installing the two rpms you’ve referenced will resolve the
>> issue on xcat2.8.2? I dont expect any side effect, right? Let me know if
>> there is a simplier solution. Thanks!
>>
>>> On Jun 13, 2018, at 10:01 AM, Rogie Pamintuan <rbpamint...@gmail.com> wrote:
>>>
>>> Morning Jarrod. Thanks for looking at this issue.
>>>
>>> I look at my environment, I don’t have the two rpms installed.
>>>
>>> ]# lsxcatd -v
>>> Version 2.8.2 (built Fri Oct 25 04:29:40 EDT 2013) # rpm -qa | grep
>>> -i perl-Crypt
>>> perl-Crypt-SSLeay-0.57-16.el6.x86_64
>>>
>>> Thank you.
>>>
>>>
>>>> On Jun 13, 2018, at 8:50 AM, Jarrod Johnson <jjohns...@lenovo.com> wrote:
>>>>
>>>> Can you check if you have the two rpms installed I referenced? If
>>>> they are installed (CBC and Rijndael) then 2.8.2 should be able to
>>>> communicate using the stricter security cipher.
>>>> -----Original Message-----
>>>> From: Rogie Pamintuan <rbpamint...@gmail.com>
>>>> Reply-To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
>>>> To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
>>>> Subject: Re: [xcat-user] [External] No cipher suite match with
>>>> proposed security algorithms
>>>> Date: Tue, 12 Jun 2018 17:43:23 -0400
>>>>
>>>> Hi Jarrod,
>>>> I have xCAT v2.8.2 (comes with PHPC) which works on my existing
>>>> idataflex nodes. When u say we disabled weaker ciphers in the XCC
>>>> (BMC/IMM), how easy it is to enable? Any workaround? Thanks.
>>>>
>>>> On Jun 12, 2018, at 4:23 PM, Jarrod Johnson <jjohns...@lenovo.com>
>>>> wrote:
>>>>
>>>>> What version of xCAT? Do you have perl-Crypt-Rijndael and perl-
>>>>> Crypt-CBC installed?
>>>>> We disabled the weaker ciphers in the XCC (BMC/IMM), which means
>>>>> you now *must* have AES support to speak to the BMC, whereas at one
>>>>> point it was optional.
>>>>>
>>>>> From: Rogie Pamintuan <rbpamint...@gmail.com>
>>>>> Sent: Tuesday, June 12, 2018 4:09 PM
>>>>> To: xcat-user@lists.sourceforge.net
>>>>> Subject: [External] [xcat-user] No cipher suite match with proposed
>>>>> security algorithms
>>>>>
>>>>> Hi There,
>>>>>
>>>>> I’m having issue adding new nodes running on Lenovo 7x02 SR630 HW.
>>>>> No problem with existing nodes running on idataflex HW.
>>>>>
>>>>> Here goes the error:
>>>>>
>>>>> # rinv compute000
>>>>> compute000: Error: No cipher suite match with proposed security
>>>>> algorithms
>>>>> compute000: Error: No cipher suite match with proposed security
>>>>> algorithms
>>>>> compute000: Error: No cipher suite match with proposed security
>>>>> algorithms
>>>>> compute000: Error: No cipher suite match with proposed security
>>>>> algorithms
>>>>> compute000: Error: No cipher suite match with proposed security
>>>>> algorithms
>>>>>
>>>>> Other r* commands (i.e rpower, rvitals etc) showing the same issue.
>>>>>
>>>>> I have updated the HW firmware level for my Lenovo machines but
>>>>> still having the same issue.
>>>>>
>>>>> I saw similar issue here before but I can’t see the answer or update.
>>>>> Link as follow:
>>>>>
>>>>> https://sourceforge.net/p/xcat/mailman/message/32241804/
>>>>>
>>>>> Any help will be greatly appreciated. Thank you!
>>>>> -------------------------------------------------------------------
>>>>> -----------
>>>>> Check out the vibrant tech community on one of the world's most
>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>> _______________________________________________
>>>>> xCAT-user mailing list
>>>>> xCAT-user@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/xcat-user
>>>>
>>>> --------------------------------------------------------------------
>>>> -
>>>> ---------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> xCAT-user mailing list
>>>> xCAT-user@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/xcat-user
>>>> --------------------------------------------------------------------
>>>> ---------- Check out the vibrant tech community on one of the
>>>> world's most engaging tech sites, Slashdot.org!
>>>> http://sdm.link/slashdot
>>>> _______________________________________________
>>>> xCAT-user mailing list
>>>> xCAT-user@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/xcat-user
>>>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most engaging tech
> sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> xCAT-user mailing list
> xCAT-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/xcat-user
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> xCAT-user mailing list
> xCAT-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/xcat-user
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
