Supporting insecure protocols in RMCP+

Vernon Mauery vernon.mauery at linux.intel.com
Tue Apr 24 04:47:29 AEST 2018 

> Patch Set 4:
>
>> Given that RMCP+ is already insecure, unless it is a requirement to 
>> support 1, 2, 15, and 16, you may just want to support 3 and 17.
>
> 1,2,3 are marked as mandatory in the specification. It should be a 
> community decision to revoke support for 1,2. If the community is ok, 
> it will need additional code changes.

tl;dr IPMI is old; let's drop the most insecure parts

Opening this up to a wider audience. I would like some community 
consensus on how we should deal with parts of specifications that don't 
make sense anymore.

Tables in section 13.28:
(authentication algorithm support)
00h: RAKP-none        Mandatory (recommend dropping support)
01h: RAKP-HMAC-SHA1   Mandatory (good, but not best; keep for now)
02h: RAKP-HMAC-MD5    Optional (not implemented; do not implement)
03h: RAKP-HMAC-SHA256 Optional (implemented; best available)

(integrity algorithm support)
00h: none             Mandatory (recommend dropping support)
01h: HMAC-SHA1-96     Mandatory (good, but not best; keep for now)
02h: HMAC-MD5-128     Optional (not implemented; do not implement)
03h: MD5-128          Optional (not implemented; do not implement)
04h: HMAC-SHA256-128  Optional (implemented; best available)

(confidentiality algorithm support)
00h: none             Mandatory (recommend dropping support)
01h: AES-CBC-128      Mandatory (implemented; best available)
02h: xRC4-128         Optional (not implemented; do not implement)
03h: xRC4-40          Optional (not implemented; do not implement)

The IPMI spec was written in a time when computing resources were 
minimal and before some of the real security awareness started. And as 
such, it contains some legacy stuff that should really be dropped or at 
the very least deprecated.

The IPMI spec only says that we must implement certain authentication, 
integrity, and confidentiality algorithms, it does not explicitly say 
what cipher suites must be implemented. But, if we implement every 
cipher suite that is available with the required algorithms, we would 
implement cipher suites 0, 1, 2, and 3. And if we added in sha256 
integrity and authentication, we add in 15, 16, and 17.

Just for comparison, DCMI 1.5 requires only 3, with 17 as recommended 
and 8 as optional. This is a step up from IPMI's security 
recommendations, but still not best. I would say that 3 and 17 should be 
required, with the recommendation that 3 be deprecated (or disabled at 
runtime) in favor of 17 only.

I think we can all agree that cipher suite 0 is poison. It is a gaping 
open door with bright lights saying, "Hack me!" I would argue that 
cipher suites 1 and 2 are not much better. We have the computing 
resources to perform better security, so we should do it. As web 
browsers move along, they deprecate and then disable old versions of 
SSL/TLS. We should do the same. Just because at one point in history it 
was fine to authenticate with plaintext passwords, does not mean we 
should continue to do so. If you know better, do better.

Even if end users come to us and say that they MUST have cipher suite 1 
or 2, I would argue that we should tell them to update their 
infrastructure rather than re-implement old insecure protocols.


--Vernon

More information about the openbmc mailing list