
Unexpected network packets in codfw mgmt
Closed, ResolvedPublic

Description

Limited to NDA as security related.

After pushing the new firewall policies to the mgmt routers, this blocked flow started to show up in the logs in bursts:

Jul 17 13:04:55 mr1-codfw RT_FLOW: RT_FLOW_SESSION_DENY: session denied 128.0.0.16/1534->191.255.255.255/1534 None 17(0) default-deny(global) mgmt production UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny

It doesn't seem to impact anything but shouldn't happen; it also only happens in codfw. And it seems to be yet another rabbit hole. Opening this task to document my findings.

I ran a packet capture on mr1-codfw capturing that specific source IP for ~17min and captured 1392 packets.

Source IP 128.0.0.16
Source port 1534/udp
Destination IP: 191.255.255.255 (PTR: 191-255-255-255.dsl.telesp.net.br, but most likely a test IP)
Destination port 1534/udp

Here is the breakdown of source MAC addresses:

count "mac" - matching IP - PTR
    138 "00:a0:a5:79:9c:14" - 10.193.0.12 - re0.cr2-codfw.mgmt.codfw.wmnet
    138 "00:a0:a5:79:a3:42" - 10.193.0.13 - re1.cr2-codfw.mgmt.codfw.wmnet
    138 "00:a0:a5:7d:04:d2" - 10.193.0.10 - re0.cr1-codfw.mgmt.codfw.wmnet
    140 "10:0e:7e:b3:16:01" - 10.193.0.16 - asw-a-codfw.mgmt.codfw.wmnet
    140 "10:0e:7e:b3:50:c1" - 10.193.0.17 - asw-b-codfw.mgmt.codfw.wmnet
    140 "10:0e:7e:b4:6c:81" - 10.193.0.19 - asw-d-codfw.mgmt.codfw.wmnet
    140 "10:0e:7e:b5:9e:c1" - 10.193.0.18 - asw-c-codfw.mgmt.codfw.wmnet
    140 "7c:e2:ca:12:26:c2" - 10.193.0.57 - fasw-c-codfw:vme.0
    140 "b0:c6:9a:db:05:82" - 10.193.0.3 - msw1-codfw.mgmt.codfw.wmnet
    138 "ec:38:73:e8:98:48" - unknown - on msw-c5-codfw - vendor: Juniper Networks

Destination MAC is the next hop for the production network, with the exception of a few broadcast MACs.

Payload is either one of those two:

TCF2ID=TCP:128.0.0.101:1534
Name=TCF Agent
OSName=Linux 3.10.100-ovp-rt110-WR6.0.0.31_preempt-rt
UserName=rootAgent
ID=e60f1a9e-331e-496d-b6fa-0c6cde965329
TransportName=TCP
ServiceManagerID=e60f1a9e-331e-496d-b6fa-0c6cde965329-0
Port=1534
Host=128.0.0.101

or

TCF2ID=TCP:128.0.0.16:1534
Name=TCF Agent
OSName=Linux 3.10.100-ovp-rt110-WR6.0.0.31_preempt-rt
UserName=rootAgent
ID=e60f1a9e-331e-496d-b6fa-0c6cde965329
TransportName=TCP
ServiceManagerID=e60f1a9e-331e-496d-b6fa-0c6cde965329-0
Port=1534
Host=128.0.0.16

Running a packet capture on some of the mgmt interfaces of the devices listed above returns nothing.

So my guesses are either
1/ A device is sending those packets while spoofing the source MAC
2/ The Juniper devices have a process running at a lower level than the packet capture (preferred guess)

TCF might be related to https://www.eclipse.org/tcf/

Next step is to open a ticket with JTAC.

Event Timeline

ayounsi triaged this task as Lowest priority. Jul 17 2018, 7:42 PM
ayounsi created this task.
ayounsi created this object with visibility "WMF-NDA (Project)".
Restricted Application added a subscriber: Aklapper.
ayounsi renamed this task from Miss-behaving device in codfw mgmt to Unexpected network packets in codfw mgmt. Jul 17 2018, 7:46 PM

From support:

I have confirmed that these addresses 128.0.0.16 , 191.255.255.255 are used in the system for internal purposes only.
This type of traffic can be safely ignored, they are not routable and used only for internal control.
There is no need or way to change this.

...
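The practical outcome of this task is a triage rule: an RT_FLOW_SESSION_DENY for 128.0.0.16:1534 -> 191.255.255.255:1534 (UDP, protocol 17) on the mgmt router is Junos-internal control traffic and can be ignored, while any other deny from the new policy still needs a look. The following is an added example, not code from this task or from Wikimedia's tooling, that parses the router's deny log lines, separates that known-benign flow from everything else, and decodes the TCF agent key=value payload seen in the capture. Only the log line and the payload from the task above are real; the other two log lines in SAMPLE_LOG are constructed to exercise the classifier, and the regex assumes the field order shown in the task's log line.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The flow that support confirmed in this task as Junos-internal and
# non-routable. No wider Junos internal address range is assumed here.
JUNOS_INTERNAL_FLOW = {"src": "128.0.0.16", "dst": "191.255.255.255",
                       "proto": 17, "dport": 1534}

# Field order taken from the RT_FLOW_SESSION_DENY line in the task description:
# "session denied SRC/SPORT->DST/DPORT SERVICE PROTO(x) POLICY FROM_ZONE TO_ZONE ..."
DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"RT_FLOW: RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[0-9a-fA-F.:]+)/(?P<sport>\d+)->(?P<dst>[0-9a-fA-F.:]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+)"
)

# Constructed sample: line 1 is the real line from the task, lines 2 and 3 are
# made up (an unrelated deny and a non-RT_FLOW syslog line).
SAMPLE_LOG = """\
Jul 17 13:04:55 mr1-codfw RT_FLOW: RT_FLOW_SESSION_DENY: session denied 128.0.0.16/1534->191.255.255.255/1534 None 17(0) default-deny(global) mgmt production UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Jul 17 13:05:01 mr1-codfw RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.193.0.12/40213->10.64.0.5/22 None 6(0) default-deny(global) mgmt production UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Jul 17 13:05:02 mr1-codfw sshd[1234]: Accepted publickey for root from 10.193.0.3
"""

# Second payload variant from the task's packet capture, verbatim.
SAMPLE_PAYLOAD = """\
TCF2ID=TCP:128.0.0.16:1534
Name=TCF Agent
OSName=Linux 3.10.100-ovp-rt110-WR6.0.0.31_preempt-rt
UserName=rootAgent
ID=e60f1a9e-331e-496d-b6fa-0c6cde965329
TransportName=TCP
ServiceManagerID=e60f1a9e-331e-496d-b6fa-0c6cde965329-0
Port=1534
Host=128.0.0.16
"""


@dataclass
class DenyEvent:
    host: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    policy: str
    from_zone: str
    to_zone: str

    @property
    def junos_internal(self) -> bool:
        """True only for the exact flow support confirmed as internal."""
        f = JUNOS_INTERNAL_FLOW
        return (self.src == f["src"] and self.dst == f["dst"]
                and self.proto == f["proto"] and self.dport == f["dport"])


def parse_deny(line: str) -> Optional[DenyEvent]:
    """Return a DenyEvent for an RT_FLOW_SESSION_DENY line, else None."""
    m = DENY_RE.match(line)
    if not m:
        return None
    return DenyEvent(host=m["host"], src=m["src"], sport=int(m["sport"]),
                     dst=m["dst"], dport=int(m["dport"]), proto=int(m["proto"]),
                     policy=m["policy"], from_zone=m["from_zone"],
                     to_zone=m["to_zone"])


def triage(log_text: str) -> dict:
    """Count lines per bucket and return the denies that still need review."""
    counts: Counter = Counter()
    needs_review = []
    for line in log_text.splitlines():
        ev = parse_deny(line)
        if ev is None:
            counts["not_a_deny"] += 1
        elif ev.junos_internal:
            counts["junos_internal"] += 1
        else:
            counts["needs_review"] += 1
            needs_review.append(ev)
    return {"counts": dict(counts), "needs_review": needs_review}


def parse_tcf_payload(payload: str) -> dict:
    """Decode the key=value lines of a TCF agent discovery datagram."""
    fields = {}
    for raw in payload.splitlines():
        if "=" in raw:
            key, value = raw.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["counts"])
    for ev in result["needs_review"]:
        print(f"review: {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} proto {ev.proto} ({ev.policy})")
    print(parse_tcf_payload(SAMPLE_PAYLOAD))
```

The match is deliberately exact (source, destination, protocol and destination port all have to agree) rather than a bare "source is 128.0.0.16" check, so a real host that happened to spoof one of these addresses toward a different destination or port would still land in the needs_review bucket instead of being silently dropped.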

ayounsi changed the visibility from "WMF-NDA (Project)" to "Public (No Login Required)". Jul 23 2018, 11:09 PM