[PATCH 3/3 v2] add support for checking and submitting HIP reports

Daniel Lenski dlenski at gmail.com
Wed Dec 20 23:10:50 PST 2017

On Mon, Dec 18, 2017 at 8:47 AM, Daniel Lenski <dlenski at gmail.com> wrote:
> Unlike CSD, the HIP security checker runs during the connection phase, not
> during the authentication phase.

This is a rather vexing difference between the GlobalProtect "security
theater director" (HIP) and its AnyConnect/Juniper equivalents

The GlobalProtect HIP report cannot be submitted until the IP address
allocated for the client is known. (It will be rejected if no IP
address is specified.) But the IP address for the client isn't known
until we issue the POST /ssl-vpn/getconfig.esp request, which is
during the connection phase, *after* the authentication phase. If the
client connects again with the same IP address, the server will allow
the previous HIP report submission to stand, if it's recent enough.
But if the client connects again with a new address, the server will
want a new HIP report to be supported.

This behavior is really quite frustrating:

- The HIP report includes several other client identifiers which are
supposed to persist and uniquely identify the client, so it's seems
*entirely unnecessary* to make it depend on the client's IP address.

- It means that the GlobalProtect protocol has to execute the external
"CSD" wrapper script (--csd-wrapper) during the connection phase,
rather than the authentication phase. This requires a change to GUI
wrappers like the NM-openconnect GUI. It also might be seen as a
security hazard, although it's somewhat mitigated by the fact that the
GlobalProtect --csd-wrapper script doesn't need to run a Trojan
binary; all it does is build an XML file in the spoofed HIP report
format, including some values which the servers sends and then wants
parroted back to it.

- *If* it is possible to know the client's IP before connecting, it
*would* be possible to run the HIP-report-submission during the
authentication phase. This is (part of) the motivation for the
--request-ip option which I just submitted another patch for.

As I've written a few times before about GlobalProtect… "don't blame
me, I didn't design this." :-P


More information about the openconnect-devel mailing list