Discussion:
[Ipmitool-devel] lanplus encryption
Edward Ned Harvey
2010-10-12 00:34:51 UTC
If I mess up my IPMICIPHER a little bit ... Just change a few
characters at the end ...
Then it still works.
Yeah, this blows my mind. Even if I mess up my password... So I have both
the wrong password and the wrong cipher key ... then it still works.

Clearly I must be doing something wrong.

Thanks....
Edward Ned Harvey
2010-10-12 00:30:36 UTC
Thanks for your help, anyone. I'm basically looking for confirmation that
I'm doing this right ... Or some direction please. ;-)

I want to ensure my lanplus traffic is encrypted, and not stupidly. I have
Dell servers. I configured the IPMI interface IP address, username,
password... I generated a random string of hex to replace the default
encryption key, and I saved that for later use. I set my shell variable
IPMICIPHER to the key.

Now, my confusion is ... In the -k and -C switches.

If I do this: ipmitool -I lanplus -H $IPMIHOST -U root -E channel info

Then it fails. "Unable to establish IPMI v2 / RMCP+ session"

This seems to make sense to me; if I specified a custom encryption key on
the server, I would expect I need to provide it to the client.

If I do this: ipmitool -I lanplus -H $IPMIHOST -U root -E -k $IPMICIPHER
channel info

Then it fails. "Unable to establish IPMI v2 / RMCP+ session"

If I do this: ipmitool -I lanplus -H $IPMIHOST -U root -E -C $IPMICIPHER
channel info

Then it succeeds. I am surprised by this, because according to my
understanding of the manpages, I thought valid arguments of -C would be
relatively short, 00h to FFh, and just specifies the *type* of encryption
etc. Not specifying the key itself. FWIW, the first two characters of
IPMICIPHER are ED, which I think fall into the category of "reserved" in
table 22-19 of the spec.

If I mess up my IPMICIPHER a little bit ... Just change a few characters at
the end ...

Then it still works.

If I mess up my IPMICIPHER a lot ... Such as
0123456789012345678901234567890123456789

Then it doesn't work.

So, I'm confused. Thank you, anyone, for your assistance.
Jarrod B Johnson
2010-10-12 13:44:43 UTC
So two things:
-For any IPMI device that implements IPMI 2.0:
ipmitool lan print <channel number>

Look for:
Cipher Suite Priv Max : XaaaaXXXXXXXXXX

If the first character is not X, then anyone can get in without having
accurate auth data. If IPMITOOL is somehow finagling it to be cipher suite
zero when passed weird arguments by mistake, that can explain it. You
can use lan set cipher_privs on the BMC to manually fix it so the first one
is disabled. IBM explicitly caps cipher suite zero to 'user' privilege by
default as most everyone doesn't understand the exposure, though xCAT goes
a step further and disables it outright when setting up an IPMI device for
lack of any sane use for it IMHO.

If you fix that and you can still produce the problem, then you have a
fairly grave security issue in your service processors.


The other thing is even when/if it seems to be working as expected, I would
do a tcpdump/wireshark capture of your session and examine the packets from
the service processor to make sure they all have integrity algorithms
applied. I have had captures sent to me from some Dell system where the
BMC does not apply the same integrity protection on replies even if it
requires the requests be encrypted. These captures didn't get beyond the
RAKP exchange so I don't know if it will start doing privacy and integrity
post session-establishment (this was with an IPMI client that is more
paranoid than ipmitool on security issues and thus it refused to continue
the conversation when the service processor didn't provide integrity
protection on packets). At the very least there is a window of opportunity
for man in the middle attacks with such service processors.



From: "Edward Ned Harvey" <***@nedharvey.com>
To: <ipmitool-***@lists.sourceforge.net>
Date: 10/11/2010 09:09 PM
Subject: Re: [Ipmitool-devel] lanplus encryption
If I mess up my IPMICIPHER a little bit ... Just change a few
characters at the end ...
Then it still works.
Yeah, this blows my mind. Even if I mess up my password... So I have both
the wrong password and the wrong cipher key ... then it still works.

Clearly I must be doing something wrong.

Thanks....
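The two checks Jarrod describes above (is cipher suite 0 still reachable, and are the session packets actually flagged as encrypted and authenticated), as an added example that is not code from the thread or from ipmitool. It is a POSIX shell script that works on constructed sample data so it runs offline: the `lan print` excerpt and the packet bytes are made up here, and the `ipmitool` command lines in the comments assume LAN channel 1 and cipher suite 3 (RAKP-HMAC-SHA1 / HMAC-SHA1-96 / AES-CBC-128). Note that `-C` takes a small integer cipher suite ID, never the key; `-k` is the BMC's KG key and only matters when the BMC has been set to a non-default KG.

```shell
#!/bin/sh
# Added example for this thread (not ipmitool's own code). Offline checks that
# follow the two pieces of advice above:
#  1. read "Cipher Suite Priv Max" from `ipmitool lan print` output, decide
#     whether cipher suite 0 (no auth, no integrity, no encryption) is still
#     reachable, and build a cipher_privs string that disables it;
#  2. inspect the RMCP+ session header of a captured packet and report whether
#     the payload is marked encrypted and/or authenticated.
# All input below is constructed sample data, not a real capture.
#
# Correct client invocation for an encrypted session (assumed channel 1, suite 3):
#   ipmitool -I lanplus -H "$IPMIHOST" -U root -E -C 3 channel info
# Add "-k <kg-key>" only if the BMC's KG key was changed from the default.

# --- 1. cipher-suite privilege audit ----------------------------------------

# Constructed `ipmitool lan print 1` excerpt: suite 0 still open at ADMIN ('a').
SAMPLE_LAN_PRINT='Auth Type Support       : MD5 PASSWORD
RMCP+ Cipher Suites     : 0,1,2,3
Cipher Suite Priv Max   : aaaaXXXXXXXXXXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN'

# Same excerpt after `lan set 1 cipher_privs XaaaXXXXXXXXXXX` (constructed).
SAMPLE_LAN_PRINT_FIXED='RMCP+ Cipher Suites     : 0,1,2,3
Cipher Suite Priv Max   : XaaaXXXXXXXXXXX'

# Print the 15-letter privilege string (one letter per cipher suite 0..14).
cipher_privs() {
    printf '%s\n' "$1" | sed -n 's/^Cipher Suite Priv Max *: *\([A-Za-z]*\).*/\1/p'
}

# True when cipher suite 0 is disabled ('X' in the first position).
cipher0_disabled() {
    [ "$(cipher_privs "$1" | cut -c1)" = "X" ]
}

# The privilege string with suite 0 disabled and everything else unchanged.
# Apply it with:  ipmitool ... lan set 1 cipher_privs "$(fixed_privs "$out")"
fixed_privs() {
    printf 'X%s\n' "$(cipher_privs "$1" | cut -c2-)"
}

# --- 2. RMCP+ session-header protection flags -------------------------------

# Constructed packet prefixes (hex, as `tcpdump -x` would print them):
#   RMCP hdr (06 00 ff 07) | auth type | payload type | session id | seq | len
PKT_PROTECTED='06 00 ff 07 06 c0 a4 a3 a2 a0 00 00 00 01 12 00'  # enc+auth IPMI msg
PKT_PLAIN='06 00 ff 07 06 00 a4 a3 a2 a0 00 00 00 01 12 00'      # unprotected IPMI msg
PKT_RAKP2='06 00 ff 07 06 13 00 00 00 00 00 00 00 00 28 00'      # RAKP message 2
PKT_V15='06 00 ff 07 02 00 00 00 00 00 00 00 00 00 00 00'        # IPMI 1.5 MD5 session

# Print one of: not-rmcp+ | session-setup | encrypted+authenticated |
# authenticated | encrypted | none   for the packet whose hex is in $1.
rmcpplus_protection() {
    hex=$(printf '%s' "$1" | tr -d ' \n\t')
    # Byte 4 is the IPMI auth type; 06 means an RMCP+ (IPMI 2.0) session header.
    [ "$(printf '%s' "$hex" | cut -c9-10)" = "06" ] || { echo not-rmcp+; return 1; }
    # Byte 5 is the payload type: bit 7 = encrypted, bit 6 = authenticated,
    # bits 5:0 = payload type number.
    pt_hex=$(printf '%s' "$hex" | cut -c11-12)
    ptype=$(( 0x$pt_hex ))
    kind=$(( ptype & 0x3f ))
    # Open Session req/rsp (0x10/0x11) and RAKP 1-4 (0x12-0x15) carry their
    # integrity inside the message; the header bits are not used for them.
    if [ "$kind" -ge 16 ] && [ "$kind" -le 21 ]; then echo session-setup; return 0; fi
    enc=$(( (ptype >> 7) & 1 ))
    auth=$(( (ptype >> 6) & 1 ))
    case "$enc$auth" in
        11) echo encrypted+authenticated ;;
        01) echo authenticated ;;
        10) echo encrypted ;;
        *)  echo none ;;
    esac
}

# Stand-alone demo.
if cipher0_disabled "$SAMPLE_LAN_PRINT"; then
    printf 'cipher suite 0: disabled\n'
else
    printf 'cipher suite 0: ENABLED, set cipher_privs to %s\n' "$(fixed_privs "$SAMPLE_LAN_PRINT")"
fi
for p in "$PKT_PROTECTED" "$PKT_PLAIN" "$PKT_RAKP2" "$PKT_V15"; do
    printf '%s -> %s\n' "$(printf '%s' "$p" | cut -c1-17)" "$(rmcpplus_protection "$p")"
done
```

Run the real thing by piping `ipmitool -I lanplus -H "$IPMIHOST" -U root -E -C 3 lan print 1` into `cipher_privs`, and by feeding the hex of each post-RAKP packet from a capture into `rmcpplus_protection`: every IPMI message from the BMC should come back as `encrypted+authenticated`, and any `none` after session establishment is the integrity gap Jarrod warns about.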