RE: SunScreen v3.1 to v3.0b communications

From: Sean Boran (sean@boran.com)
Date: 10/04/01


From: "Sean Boran" <sean@boran.com>
To: "'Valerie Anne Bubb'" <Valerie.Bubb@sun.com>, <focus-sun@securityfocus.com>
Subject: RE: SunScreen v3.1 to v3.0b communications
Date: Thu, 4 Oct 2001 11:40:51 +0200
Message-ID: <005d01c14cb8$a7a1b250$0a1111b0@swissptt.ch>

Hi Valerie,

> Hi Sean -
>
> Yes, you have hit a common problem (which is the result of
> US crypto laws relaxing between releases of SunScreen).

Aha..

...
> >Ss_install doesn't allow me to specify key sizes, has anyone
> found a way
> >of making these beasts talk to each other?
>
> I have set this up before (also with an old admin station to talk
> to a new screen), but you do need to manually generate and set up
> new keys that all have the same size.
>
....

> >Creating new sunscreen keys:
> >
> >a) Sunscreen:
> >List current keys:
> >skiplocal -l
> >Delete current keys:
> >skiplocal -r -s 0
>
> It is not necessary to delete the old ones.

OK. I wanted to be sure there was no conflict in keys selected..

>
> >Create new one:
> >skiplocal -k -m 512
> >Print out command for other side:
> >skiplocal -x
> >Add local and remote certs to Sunscreen engine:
> >ssadm edit Mypolicy
> >edit> list certificate
> >edit> add certificate "admin-group" GROUP "remote"
> >edit> add certificate  "remote" SINGLE NSID 8 MKID
> >"0x4fd3a1eec3a168e1lotsofcrap"
> >edit> add certificate  "MyScreen.admin" SINGLE NSID 8 MKID
> >"0x9c6e6b0822b590otsofcrap"
> >edit> save
> >ssadm activate Mypolicy
> >skipd_restart
>
> Have you set up an accessRemote rule? (one would have been set
> up by default with ss_install if you said you wanted remote
> administration, and you would only need to update the key now).
> If so, what does it look like?

add service "remote administration" GROUP ss_admin ping ssh

No actual rule is needed AFAIK?
When I do an "ssadm -r ss3 login admin" from the admin station, a snoop
on the ss sees only the following every 30 secs or so until the login
times out.

     admin -> ss3 TCP D=3853 S=34325 Syn Seq=1097095997 Len=0 Win=9282 Options=<mss 1326>

Then:
ssadm: Can't run command: java.net.NoRouteToHostException: Connection timed out

/var/log/skipd.log on the ss has no new entries.
On the admin station I see several entries like:
Thu Oct 4 11:37:59 2001 NOCERT: kernel query nsid=8 mkid=90b299b8b12c34f2xxxxx
Thu Oct 4 11:37:59 2001 sending CDP request for nsid=8 mkid=90b299b8b12c34f2xxxxx to 192.168.245.204
Thu Oct 4 11:39:19 2001 cdp failed for nsid=8 mkid=90b299b8b12c34f2xxxxx to

>
> >
> >b) Admin station:
> >Delete ACL entry to screen:
> >skiphost -i le0 -d MyScreenIP
> >Add new entry according to "skiplocal -x" above.
> >Save skip settings and restart skip:
> >skipif -i all -s
> >skipd_restart
>
> Looks fine.
>
> Valerie
>
>
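Diagnosing this from the admin station's skipd.log, as an added example that is not part of the original post and not SunScreen/SKIP code: the screen logs nothing because the SKIP kernel on the admin side never gets past certificate discovery, so the only evidence is the NOCERT / "sending CDP request" / "cdp failed" sequence on the admin station. The script below parses such lines, groups them by (nsid, mkid) and reports every remote key whose most recent event is a CDP failure, with the host that was asked and how long the kernel kept trying. The message formats are modelled on the three lines quoted above; the sample log lines and the mkid in them are constructed, and the optional "to <host>" suffix on the "cdp failed" line is an assumption, since the quoted line is cut off.

```python
"""Correlate SKIP certificate-discovery (CDP) failures in skipd.log.

Constructed example for the thread above; not from the SunScreen/SKIP
distribution.  Line shapes are modelled on the quoted skipd.log excerpt.
"""
import re
from collections import defaultdict
from datetime import datetime

# ctime-style stamp as in the post: "Thu Oct  4 11:37:59 2001"
TS_FMT = "%a %b %d %H:%M:%S %Y"

# One pattern per message type seen in the post; anything else is ignored.
# Group 1 = nsid, group 2 = mkid, optional group 3 = peer asked for the cert.
PATTERNS = {
    "nocert":  re.compile(r"NOCERT: kernel query nsid=(\d+) mkid=([0-9a-fA-Fx]+)"),
    "request": re.compile(r"sending CDP request for nsid=(\d+) mkid=([0-9a-fA-Fx]+) to (\S+)"),
    # "to <host>" made optional: the quoted failure line is truncated (assumption)
    "failed":  re.compile(r"cdp failed for nsid=(\d+) mkid=([0-9a-fA-Fx]+)(?: to (\S+))?"),
}

# Constructed sample; mkid value and second retry are made up.
SAMPLE_LOG = """\
Thu Oct  4 11:37:59 2001 NOCERT: kernel query nsid=8 mkid=90b299b8b12c34f2aabbccdd
Thu Oct  4 11:37:59 2001 sending CDP request for nsid=8 mkid=90b299b8b12c34f2aabbccdd to 192.168.245.204
Thu Oct  4 11:38:29 2001 NOCERT: kernel query nsid=8 mkid=90b299b8b12c34f2aabbccdd
Thu Oct  4 11:38:29 2001 sending CDP request for nsid=8 mkid=90b299b8b12c34f2aabbccdd to 192.168.245.204
Thu Oct  4 11:39:19 2001 cdp failed for nsid=8 mkid=90b299b8b12c34f2aabbccdd to 192.168.245.204
Thu Oct  4 11:39:19 2001 cdp failed for nsid=8 mkid=90b299b8b12c34f2aabbccdd to 192.168.245.204
"""


def parse_line(line):
    """Return (timestamp, kind, nsid, mkid, host) or None for unrecognised lines."""
    parts = line.strip().split(None, 5)          # 5 stamp tokens + message
    if len(parts) < 6:
        return None
    try:
        ts = datetime.strptime(" ".join(parts[:5]), TS_FMT)
    except ValueError:
        return None
    msg = parts[5]
    for kind, rx in PATTERNS.items():
        m = rx.search(msg)
        if m:
            host = m.group(3) if m.re.groups >= 3 else None
            return ts, kind, int(m.group(1)), m.group(2), host
    return None


def correlate(lines):
    """Group events by (nsid, mkid) in log order."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            ts, kind, nsid, mkid, host = ev
            events[(nsid, mkid)].append((ts, kind, host))
    return events


def unresolved(lines):
    """Remote keys whose latest event is a CDP failure.

    Returns a sorted list of (nsid, mkid, hosts_asked, seconds_spent, n_requests).
    A key that was later re-requested without a newer failure is treated as pending.
    """
    out = []
    for (nsid, mkid), evs in sorted(correlate(lines).items()):
        if evs[-1][1] != "failed":
            continue
        hosts = sorted({h for _, k, h in evs if k == "request" and h})
        n_req = sum(1 for _, k, _ in evs if k == "request")
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        out.append((nsid, mkid, hosts, span, n_req))
    return out


if __name__ == "__main__":
    for nsid, mkid, hosts, span, n_req in unresolved(SAMPLE_LOG.splitlines()):
        print(f"no cert for nsid={nsid} mkid={mkid}: {n_req} CDP request(s) to "
              f"{', '.join(hosts) or '?'} failed over {span:.0f}s; "
              f"check that the peer key size and skiplocal -x output match on both sides")
```

Run it against a real log with `unresolved(open("/var/log/skipd.log").readlines())`; an entry whose mkid does not match the output of `skiplocal -l` on the screen points at exactly the key-size mismatch discussed in the thread.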