OSI's final revenge

Sean Donelan sean at donelan.com
Sat Jun 15 06:15:47 UTC 2002



On Fri, 14 Jun 2002, Robert Mathews wrote:
> applications.  Sourcefire founder Martin Roesch and other experts say that
> the problem is being investigated by tech firms, private researchers, and
> government agencies.  The National Infrastructure Protection Board's
> Debbie Weierman notes that her agency has been collaborating with experts
> from the NSA, the Federal Computer Incident Response Center, CERT, private
> groups, and others since March to see how widespread the ASN.1 flaw is.
> Microsoft, Lucent, and Oracle are among the private-sector companies that
> have investigated or are investigating how their products may be affected

I'm certain the best people are working on this, but once again Steve
Bellovin scooped them all nearly a decade ago.

In the early 1990s several other people and I were developing the
Z39.50 Information Retrieval protocol, including Bob Waldstein from Bell
Labs.  Like many other ISO/OSI protocols, Z39.50 used ASN.1 as the
protocol description language.  At first all of us tried using the
existing ASN.1 tools, commercial and public domain.  We found problems
with essentially all of the available ASN.1 compilers and libraries in the
1990s.  In 1992 we didn't think of calling it a security flaw; we just
called it bad code.

We needed to pass the Z39.50/ASN.1 protocol through Bellovin's fancy
firewalls (see his book) which created an interesting conflict. Firewalls
should be very simple devices, and ASN.1 can be complex. Despite
Bellovin's misgivings, we got Z39.50/ASN.1 through his firewalls.

Imagine if the US Government's GOSIP procurement policy had worked in
the 1980s.  Instead of a few protocols like SNMP and Z39.50, every
network protocol followed the OSI model and used ASN.1 for the session
layer, presentation layer and application layer.



