[PATCH 3/3 v2] add support for checking and submitting HIP reports

Daniel Lenski dlenski at gmail.com
Tue Feb 27 03:30:22 PST 2018


David,
Please take a look at my email describing this patch from a couple months ago.

It's an annoying design difference between GP and AnyConnect/Juniper…
the "CSD" has to run during the connection phase rather than the
authentication phase due to the requirement that the client's IP
address be known.

This basically "just works" with the openconnect CLI, but I don't know
how to integrate it into NetworkManager, which expects that if there's
a CSD script it will run during the authentication phase.

Thanks,
Dan

On Thu, Dec 21, 2017 at 9:10 AM, Daniel Lenski <dlenski at gmail.com> wrote:
> On Mon, Dec 18, 2017 at 8:47 AM, Daniel Lenski <dlenski at gmail.com> wrote:
>> Unlike CSD, the HIP security checker runs during the connection phase, not
>> during the authentication phase.
>
> This is a rather vexing difference between the GlobalProtect "security
> theater director" (HIP) and its AnyConnect/Juniper equivalents
> (CSD/TNCC)…
>
> The GlobalProtect HIP report cannot be submitted until the IP address
> allocated for the client is known. (It will be rejected if no IP
> address is specified.) But the IP address for the client isn't known
> until we issue the POST /ssl-vpn/getconfig.esp request, which is
> during the connection phase, *after* the authentication phase. If the
> client connects again with the same IP address, the server will allow
> the previous HIP report submission to stand, if it's recent enough.
> But if the client connects again with a new address, the server will
> want a new HIP report to be supported.
>
> This behavior is really quite frustrating:
>
> - The HIP report includes several other client identifiers which are
> supposed to persist and uniquely identify the client, so it seems
> *entirely unnecessary* to make it depend on the client's IP address.
>
> - It means that the GlobalProtect protocol has to execute the external
> "CSD" wrapper script (--csd-wrapper) during the connection phase,
> rather than the authentication phase. This requires a change to GUI
> wrappers like the NM-openconnect GUI. It also might be seen as a
> security hazard, although it's somewhat mitigated by the fact that the
> GlobalProtect --csd-wrapper script doesn't need to run a Trojan
> binary; all it does is build an XML file in the spoofed HIP report
> format, including some values which the server sends and then wants
> parroted back to it.
>
> - *If* it is possible to know the client's IP before connecting, it
> *would* be possible to run the HIP-report-submission during the
> authentication phase. This is (part of) the motivation for the
> --request-ip option which I just submitted another patch for.
>
> As I've written a few times before about GlobalProtect… "don't blame
> me, I didn't design this." :-P
>
> Thanks,
> Dan


