Some simple questions after the Bundeswehr Leak ….

I am following the present discussion about the leak of a communication between some generals of the German Air Defense from abroad. It really feels extremely embarrassing that the Russians could overhear a communication of high-ranked German army officers. And I do not know how to answer questions of retired Norwegian IT-specialists (of my age) here in the north of Europe … With German troops participating right now in huge Nato maneuvers in northern Norway. And believe me I have often criticized my Norwegian friends for a lack of IT-security awareness, in particular regarding the use of Microsoft and Zoom. And now this disaster in my home country …

From my point of view establishing a formal Untersuchungsausschuss (investigation committee) of the German parliament is only one of the necessary steps required to clarify what has happened. But it is an important one, together with internal and technical investigations within the Bundeswehr.

In this post I want to ask some simple questions which, in my opinion, should be answered. Any IT-guy having worked with or for public governmental institutions in Europe could ask them. None of the links I give below is classified.

Why WebEx at all?

The first point in all the TV and newspaper discussions is that there seems to be no doubt that the communication is authentic and that WebEx was used. Now, anyone with a basic idea about information security would ask the following question:

Why for heavens sake did the German officers use Webex at all? A product of Cisco, i.e. of a commercial US company? With published security problems during the Corona years? Why does the German military not have its own security protocols and measures in place?

Well, we and the US are allies, but … Yeah, but, … and Trump on the horizon.

It is a German company, “Secunet”, who has developed mobile systems (SINA workstations) compliant with for NATO certifications on different levels of security. See e.g.:
https://www.secunet.com/ loesungen/ sina-workstation-s
https://www.ia.nato.int/ niapc/ Product/ SINA-Workstation-S_730
https://www.bundeswehr-journal.de/2020/mehr-als-6000-geraete-sina-workstation-s-fuer-die-bundeswehr/
https://www.secunet.com/ueber-uns/presse/artikel/sicheres-mobiles-arbeiten-bwi-beschafft-sina-workstations-s-fuer-die-bundeswehr
https://www.secunet.com/ueber-uns/presse/artikel/secunet-beliefert-die-bundeswehr-mit-sina-sicherheitstechnologie-fuer-schnelle-eingreiftruppe-der-nato

These systems were bought by the Bundeswehr in relatively large quantities.

So, my first two open question are:

  • Why was WebEx used at all? Did the generals not have SINA-workstations available? If they had not, why not?
  • Under what conditions is the usage of WebEx regarded secure by the the responsible IT-specialists of the Bundeswehr?

Actually, the answer to the second question may not be independent of the answer to the first one … as WebEx may be hosted on servers of the Bundeswehr.

Addendum, 05.03.2024: Another point which comes up during TV discussions is that some “experts” say there is reason to believe that the WebEx-session was set up without any end-to-end-encryption. This is really implausible. What is more plausible is that the session was set up with standard encryption and Cisco’s standard management of encryption keys. And maybe – due to mistakes – with allowance for some participants to use a telephone. Making the session insecure again …

A success message of the BWI of 2021 regarding the rollout of Cisco’s WebEx in the Bundeswehr

What did we read in 2021 as a success message regarding the digitalization of the German defense and public institutions?

” … Zusammen und in Echtzeit an Dokumenten arbeiten, E-Mails austauschen, gemeinsame Termine planen, Webkonferenzen mit und ohne Video abhalten, chatten und telefonieren – wenn alle Services komplett ausgerollt sind, ermöglicht Groupware Bw dies auf einer einheitlichen technischen Plattform und über alle zivilen und militärischen Bereiche hinweg. Die BWI startete am 1. Oktober den Rollout mit den Produkten Cisco Jabber und Webex. In einem zweiten Schritt werden im kommenden Jahr auch die Services E-Mail und Enterprise Content Management mit Microsoft Outlook und SharePoint ausgerollt.”

See: https://www.bwi.de/ magazin /artikel/ groupware-bw-bei-der-bundeswehr-perfekt-vernetzt-von-chat-bis-videokonferenz

Even without translation the combination of tools praised here would make a security aware person more than nervous. And one can only hope that the introduction of these systems only concerns the civil sector of the Bundeswehr. If not, well, … just ask the CCC what they would think of it.

Continue reading

More fun with veth and Linux network namespaces – IV – L2-segments, same IP-subnet, ARP and routes

In the course of my present series on veths, network namespaces and virtual VLANs

More fun with veth and Linux network namespace – III – L2-segments of the same IP-subnet and routes in coupling network namespaces

More fun with veth and Linux network namespace – II – two L2-segments attached to a common network namespace

More fun with veth and Linux network namespace – I – open questions

we have started to study a somewhat academic network configuration:

We have attached two L2-segments to a common network namespace, with all IPs of both segments belonging to one and the same IP-subnet class.

The IP-setup makes the scenario a bit peculiar. It is not a situation an admin would normally create. Instead the IPs of each segment would be members of one of two distinct and different IP-subnets.

However, our scenario already taught us some important lessons to keep in mind when we approach our eventual objective:

Sooner or later we want to answer the question how to configure virtual VLAN configurations, in which veth-subdevices for tagged VLAN lines terminate in a common and routing namespace.

By our academic scenario we found out that we need to set up much more specific routes than the standard ones which are automatically created in the wake of “ip addr add” commands. Despite the fact that forwarding was disabled in the coupling network namespace! Only with clear and fitting routes we got a reasonable behavior of our artificial network with respect to ICMP- and ARP-requests in the last post (III).

Well, this is, in a way, a platitude. Whenever you have a special network you must adapt the routes to your network layout. This, of course, includes the resolution of ambiguities which our scenario introduced. The automatically defined routes were insufficient and caused an asymmetry in the ICMP-replies in the otherwise very symmetric configuration (see the drawing below).

Nevertheless, the last post and also older posts on veths and virtual VLANs triggered an intense discussion of two of my readers with me concerning ARP. In this post I, therefore, want to look at the impact of routes on ARP-requests and ARP-replies between the namespaces in more detail.

The key question is whether and to what extend the creation and emission of ARP-packets via a particular network interface may become route-dependent in namespaces (or on hosts) with multiple network interfaces.

While we saw a clear and route dependent asymmetry in the reaction of the network to ICMP-requests, we did not fully analyze how this asymmetry showed up on the ARP-level.

In my opinion we have already seen that ARP-requests triggered within ICMP-requests showed some asymmetry regarding the NIC used and the segment addressed – depending on the defined routes. But the experimental data of the last post did not show the flow of ARP-replies in detail. And we only regarded ARP-requests triggered by ICMP-requests. I.e. we watched ARP-requests created by the Linux-kernel to support the execution of ICMP-requests, but not pure and standalone ARP-requests.

Therefore, it is still unclear

  • whether routes have an impact on pure standalone ARP-requests, i.e. ARP-requests not caused by ICMP-requests (or by other requests of higher layer protocols),
  • whether routes do have an impact on ARP-replies.

The experiments below will deliver detailed information to clarify these points.

When I speak of ARP-tables below, I am referring to the ARP-caches of the various network namespaces in our scenario.

Continue reading

More fun with veth and Linux network namespaces – III – L2-segments of the same IP-subnet and routes in coupling network namespaces

Linux network namespaces allow for experiments in virtual networks without setting up (virtual) hosts. This includes the study of packet propagation through virtual devices as bridges/switches and between network namespaces. With or without packet filters or firewall rules in place. In the last precedent post of this series

More fun with veth and Linux network namespace – II – two L2-segments attached to a common network namespace

I have posed a scenario with two L2-segments connected to a common network namespace. Such a scenario appears to be nothing special; we all are used to situations that require routing and forwarding because LAN-segments belong to different IP-subnets.

However, in my scenario all IPs are members of one and the same IP-subnet. An other interesting point is that the assignment of IPs to (virtual) NICs and bridges by the command “ip addr add” causes an automatic setup of elementary routes. We will see that such routes are insufficient to resolve the ambiguities of packet transport from the segment-coupling namespace to the attached segments.

To keep the conditions as plain and simple as possible in our scenario we do not mix in VLANs or packet filters or firewalls.

In the previous post we have already come to some conclusions about the posed scenario and its elements. However, these conclusions were based on theoretical considerations. In this post and an additional one we will verify or falsify these conclusions by performing concrete experiments on a Linux host.

The host I used for the experiments below was a laptop with an Opensuse Leap 15.5 OS, based on packets of SuSE’s enterprise server SLES. The namespaces are set up as unnamed network namespaces. This requires some special commands.

The detailed analysis of the scenario will help us to better understand more complex configurations including virtual VLANs in forthcoming posts.

If you notice varying MACs in some images below: You may ignore this safely. It is due to repeating the setup in the course of the experiments.

The scenario

The scenario is visualized by the following drawing:

How to setup the network namespaces and required devices?

I have discussed all commands required to configure such scenarios with unnamed Linux network namespaces in the first post of another older post series. See

Fun with veth-devices, Linux bridges and VLANs in unnamed Linux network namespaces – I

If you are new to experiments with unnamed Linux network namespaces please read this post first. Of particular importance are the commands

  • unshare …
  • nsenter …
  • ip link …
  • ip address …

I will not discuss details of the chain of commands required for setting up the elements of our scenario. At the end of this post you will find three PDFs with contents you can copy to bash shell scripts. All commands in their given form are meant to be executed by the user root in a safe test environment. I am very confident that readers interested in this post will understand the structure of the commands without further explanation.

Due to the fact that the scripts set and export intermediate variables as environment variables for sub-shells you should run the scripts via the “source“-command if you want these variables to be available in your original shell (probably in a terminal window), too.

The first script (create_netns) will then execute the following commands (you may need to scroll to see all):

Continue reading