Virgin remove SNMP access


Gary L
23-03-2009, 18:19
The decision has been taken to disable SNMP on our supplied cable modems.
There are no plans to re-enable this feature. We request that any further
posts regarding this topic be made through virginmedia.feedback or
virginmedia.discussion.broadband as this issue is not fault related and
involves Virgin Media policy. We in support cannot action any requests for
this feature being re-enabled and will respectfully decline any such
requests.

Turkey Machine
23-03-2009, 18:32
Because ex-Telewest didn't have it, ex-NTL can't either.

Gary L
23-03-2009, 18:35
Because ex-Telewest didn't have it, ex-NTL can't either.

Isn't that the other way around?

Toto
23-03-2009, 18:50
Isn't that the other way around?

Think so, yes.

Ignitionnet
23-03-2009, 19:54
Still working here though for how long we'll see.

greyposter
23-03-2009, 20:37
What's SNMP?

Axegrinder
23-03-2009, 20:39
Simple Network Management Protocol.

Peter_
23-03-2009, 20:41
Simple Network Management Protocol.
I think he wants an explanation. http://www.dpstele.com/white-papers/snmp-tutorial/intro.php?rf=3

greyposter
23-03-2009, 20:55
Thank you, what will be used instead?

Joxer
24-03-2009, 00:54
What? They can't do that!

moaningmags
24-03-2009, 00:55
What? They can't do that!

They have and they are :erm:

Joxer
24-03-2009, 01:00
Still working here, but as said, for how long?

---------- Post added at 00:00 ---------- Previous post was yesterday at 23:57 ----------

And anyway, don't tech support actually need it so are they just disabling it from the customer end? Why don't they just get the community string sorted?

Gary L
24-03-2009, 10:48
And anyway, don't tech support actually need it so are they just disabling it from the customer end?

They can still use it. They have just stopped us from using it so we can't dispute being incorrectly STMd with evidence.

Joxer
24-03-2009, 11:12
They can still use it. They have just stopped us from using it so we can't dispute being incorrectly STMd with evidence.

So what snmp query do you use to detect stm (or evidence thereof)?

Gary L
24-03-2009, 11:35
So what snmp query do you use to detect stm (or evidence thereof)?

I don't know, I don't use it.

StevenJohnson
24-03-2009, 12:53
I don't understand all this Jargon, but what does it mean exactly?

Ignitionnet
24-03-2009, 13:18
I don't understand all this Jargon, but what does it mean exactly?

If you don't know it doesn't matter :)

Milambar
24-03-2009, 13:21
SNMP = Simple Network Management Protocol; a system of commands in some network equipment, most notably cable modems and routers.

It was designed to allow you to query some basic information from it. Information like bandwidth use, and error reports.

However, I thought VM turned SNMP off in their modems over two years ago, because that's when my network monitoring scripts stopped working.

Ignitionnet
24-03-2009, 13:23
However, I thought VM turned SNMP off in their modems over two years ago, because that's when my network monitoring scripts stopped working.

ntl did a while ago, ex-TW has only started disappearing since configs were standardised.

It's not actually removed from the modems it's just locked down to Virgin's access only, without SNMP they couldn't check your modem's downstream stats remotely.

xocemp
24-03-2009, 13:24
Most often it is used for reporting information on the current state of the modem/router eg traffic statistics, TCP/IP statistics, etc.

Though it can be used to get naughty info ;)

Ignitionnet
24-03-2009, 13:33
Most often it is used for reporting information on the current state of the modem/router eg traffic statistics, TCP/IP statistics, etc.

Though it can be used to get naughty info ;)

Yep and denying 'law abiding' people access to it does exactly nothing, the SNMP service is still running on the modem - even when it's locked down on mine I'll still trivially be able to read MIBs on it.

Totally pointless.

rogerdraig
24-03-2009, 13:37
Wouldn't that info be covered if I asked for all info on my account via the £10 charge thing that for the life of me I can't remember the name of?

xocemp
24-03-2009, 13:41
As I'll still be able to read MIBs on mine, so maybe that's not so bad a thing. If you know and need to read MIBs you can and will, whereas script monkeys that would use SNMP for other reasons will have to start using a little grey matter.

Druchii
24-03-2009, 13:54
I could never get it working in the first place, ex-TW btw.
No worries if people use routers however, surely?

Ignitionnet
24-03-2009, 14:07
I could never get it working in the first place, ex-TW btw.
No worries if people use routers however, surely?

Odd modem then Druchii, TW have never blocked it.

Yes, worries, what VM see is not what your router sees on its WAN port, plus there are many other counters which can be of interest.

Actually Druchii why don't ya give DOCSDIAG a pop on your own CM and see if you can access it via SNMP just because?

Druchii
24-03-2009, 14:08
Odd modem then Druchii, TW have never blocked it.

Yes, worries, what VM see is not what your router sees on its WAN port, plus there are many other counters which can be of interest.

Actually Druchii why don't ya give DOCSDIAG a pop on your own CM and see if you can access it via SNMP just because?
Tried it, I have a SB5101e (Motorola), doesn't return anything even when directly connected etc... Bit odd to say the least.

Ignitionnet
24-03-2009, 14:13
Tried it, I have a SB5101e (Motorola), doesn't return anything even when directly connected etc... Bit odd to say the least.

Odd indeed have you tried an SNMP walk to see if it is unreachable or if it's just the wrong community string?

Druchii
24-03-2009, 14:15
Odd indeed have you tried an SNMP walk to see if it is unreachable or if it's just the wrong community string?
Not entirely sure on how to do that actually.

token
24-03-2009, 17:40
Simple Network Management Protocol.

"Simple Network Management Person" shurely?

;)

Ignitionnet
24-03-2009, 21:41
Modem rebooted and off goes my access:

Tue Mar 24 18:51:21 2009 Tue Mar 24 18:51:21 2009 Information (7) CableModem SNMP configure complete

---------- Post added at 20:41 ---------- Previous post was at 19:09 ----------


The 'performance' excuse was a good one, what they've actually done is:

1) Add the following to the modem config files to lock them down:

docsDevNmAccessIp.1 = 255.255.255.255
docsDevNmAccessIpMask.1 = 255.255.255.255
docsDevNmAccessCommunity.1 = <That would not be good for me to put here>
docsDevNmAccessControl.1 = 2
docsDevNmAccessInterfaces.1 = "@"
docsDevNmAccessStatus.1 = 4

docsDevNmAccessIp.2 = 255.255.255.255
docsDevNmAccessIpMask.2 = 255.255.255.255
docsDevNmAccessCommunity.2 = <Nope Sorry>
docsDevNmAccessControl.2 = 3
docsDevNmAccessInterfaces.2 = "@"
docsDevNmAccessStatus.2 = 4

This changes the SNMP community strings as per above and locks down the SNMP server so that it can only be reached from the 'cable' side of the modem.

2) The existing Access Control List on the uBR remains in place so that customers cannot access each other's modems.

So they've actually decreased the performance on modems by adding more to them to process.
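As an added illustration that is not part of the original post, the Python sketch below decodes the docsDevNmAccess rows quoted above and shows why a query from the customer side is refused while one arriving on the cable side is accepted. The community strings are placeholders, the ifIndex numbering (1 = customer Ethernet, 2 = cable MAC) is assumed from the usual DOCSIS convention, and the address-matching rule is an assumed reading of DOCS-CABLE-DEVICE-MIB.

```python
import ipaddress
import re

# Constructed sample: the two rows from the post, with placeholder community
# strings because the post withholds the real ones.
SAMPLE = """\
docsDevNmAccessIp.1 = 255.255.255.255
docsDevNmAccessIpMask.1 = 255.255.255.255
docsDevNmAccessCommunity.1 = <placeholder-ro>
docsDevNmAccessControl.1 = 2
docsDevNmAccessInterfaces.1 = "@"
docsDevNmAccessStatus.1 = 4
docsDevNmAccessIp.2 = 255.255.255.255
docsDevNmAccessIpMask.2 = 255.255.255.255
docsDevNmAccessCommunity.2 = <placeholder-rw>
docsDevNmAccessControl.2 = 3
docsDevNmAccessInterfaces.2 = "@"
docsDevNmAccessStatus.2 = 4
"""

# docsDevNmAccessControl enumeration from DOCS-CABLE-DEVICE-MIB.
CONTROL = {1: "none", 2: "read", 3: "readWrite",
           4: "roWithTraps", 5: "rwWithTraps", 6: "trapsOnly"}
LINE = re.compile(r'^docsDevNmAccess(\w+)\.(\d+)[ \t]*=[ \t]*"?(.*?)"?[ \t]*$', re.M)

def parse_rows(text):
    """Group 'docsDevNmAccess<Field>.<row> = value' lines by row index."""
    rows = {}
    for field, idx, value in LINE.findall(text):
        rows.setdefault(int(idx), {})[field] = value
    return rows

def interfaces(octets):
    """Decode the interface bitmap: MSB of the first octet is ifIndex 1."""
    found = []
    for i, byte in enumerate(octets.encode("latin-1")):
        for bit in range(8):
            if byte & (0x80 >> bit):
                found.append(i * 8 + bit + 1)
    return found

def ip_allowed(row, src):
    """255.255.255.255 means any NMS; otherwise compare under the mask (assumed rule)."""
    if row["Ip"] == "255.255.255.255":
        return True
    mask = int(ipaddress.IPv4Address(row["IpMask"]))
    return (int(ipaddress.IPv4Address(src)) & mask
            == int(ipaddress.IPv4Address(row["Ip"])) & mask)

def access(rows, src, ifindex, community):
    """Access level a request would get, or 'none' if no row admits it."""
    for row in rows.values():
        if (row["Community"] == community
                and ifindex in interfaces(row["Interfaces"])
                and ip_allowed(row, src)):
            return CONTROL[int(row["Control"])]
    return "none"
```

The "@" value is the single octet 0x40, which sets only the bit for ifIndex 2, so even a request carrying the correct community string gets nothing when it arrives on ifIndex 1.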

Toto
24-03-2009, 22:18
Wonder if it relates to this older thread?

http://www.cableforum.co.uk/board/12/33645350-modem-shutdown-due-to-security-issue.html

Ignitionnet
25-03-2009, 10:34
No, it's just standardising ex-TW with ex-ntl. Sadly as a general rule they appear to be taking whichever standard will most irritate the customers when doing it ;)

adam.ford
25-03-2009, 12:44
Or whichever provides the best level of security maybe.. :o)

Ignitionnet
25-03-2009, 14:33
Or whichever provides the best level of security maybe.. :o)

Oki fair enough, but how does denying people access to their own modems locally remove a security risk?

Blocking other peeps I understand, done at CMTS as best practice, but own modem seems a bit weird especially as it doesn't stop people from creating perfect clones if they have local access to someone else's modem just means they have to d/c from network first.

We can discuss security though - if security is such an 'issue' why am I still getting a static 1.0 config file without even BPI, let alone 1.1 with BPI+? It seems on first impression that people running MRTG is a relatively small issue compared with running the network with no authentication apart from MAC address right up until last year?

Not that the BPI+ nor the service flow parameter verification actually works properly of course, people loading 50Mbit configs onto DOCSIS 1/2 modems using cloned non-Ambit 300 MACs gives that away, but it's the thought that counts!

Ignitionnet
26-03-2009, 23:01
Bah humbug.

I'll repeat - where does removing local SNMP access improve security, especially when local modem mangling is done, <removed> and then whatever VM send for SNMP parameters becomes rather irrelevant?

If you could give me some, indeed any evidence that this improves security on the network my eyes are open, else it goes down into the list of things some nameless dude did because he read about it or because someone said so :)

MovedGoalPosts
26-03-2009, 23:08
Cable Forum does not allow any hints of how modem cloning might be carried out. Yes people may be able to search for stuff, but they shouldn't get clues on what to search from content posted on here. Some posts have been edited.

murphym1971
07-04-2009, 12:11
Just out of interest, does anyone know whether or not the VM cable modems are MIB2 compliant?

AbyssUnderground
07-04-2009, 13:10
I just use SNMP on the WAN port of my router, that's accurate enough for me and STM agrees with it every time so far...

Stuart
07-04-2009, 15:09
Just out of interest, does anyone know whether or not the VM cable modems are MIB2 compliant?

Why do you need to know? Bearing in mind Rob's warning above..

Ignitionnet
07-04-2009, 16:02
Why do you need to know? Bearing in mind Rob's warning above..

Do you know what MIB 2 means? Management Information Base version 2 - MIBs are data that's loaded to make SNMP workable. They are nothing more than a list of OIDs which are to be polled as part of an SNMP query and also can contain information to make the OIDs more readable.

That question is completely innocuous. This thread is about a technical issue and the assumption appears to be that anything to do with SNMP relates to cloning modems.

For what it's worth no cloning uses SNMP, hence my comments to Mr Ford earlier that it's a pointless 'security' measure.

I would be happy to give some information on modem cloning and that rarely used protocol SNMP to help alleviate the paranoia, or Google is always good.

Stuart
07-04-2009, 16:05
Do you know what MIB 2 means? Management Information Base version 2 - data that's loaded to make the OIDs more readable.

That question is completely innocuous. This thread is about a technical issue and the assumption appears to be that anything to do with SNMP relates to cloning modems.

For what it's worth no cloning uses SNMP, hence my comments to Mr Ford earlier that it's a pointless 'security' measure.

Which is why I asked why he needed to know.

Ignitionnet
07-04-2009, 16:19
Just out of interest, does anyone know whether or not the VM cable modems are MIB2 compliant?

They are SNMP 2 compliant which should include MIB 2. Don't go taking this incredibly dangerous piece of knowledge and doing bad things with it now! :rolleyes:

---------- Post added at 15:16 ---------- Previous post was at 15:13 ----------

Which is why I asked why he needed to know.

Maybe he was just curious, or wanted to know what command line parameters to put onto SNMPWalk and if SNMP v2 was valid.

SNMP v2 is actually required as some of the MIBs are too large to be accommodated by SNMP v1, for the curious, examples:

SigQu equalization data = 0C011018FFFF0003000CFFFFFFF400040008FFFFFFFB000500 14FFFFFFE4000300280007FFBCFFE8009C005CFD80FE8B2CD3 0000FFFFFFFF00000000FFFF0000FFFF0000FF140082FFD6FF 7A0005002DFFFDFFC80009001AFFF7FFEB000300110000FFF4 0003000AFFFAFFF9000000050001FFFBFFFD00030003FFFDFF FD00020002FFFEFFFE0001FFFFFFFF00050001FFFDFFFF0001 0000FFFFFFFF000000000000FFFF

I hope that won't be the standard response to technical questions beyond the mods' knowledge, would be a nightmare having to justify asking cable related questions.

---------- Post added at 15:19 ---------- Previous post was at 15:16 ----------

I just use SNMP on the WAN port of my router, that's accurate enough for me and STM agrees with it every time so far...

My router sadly doesn't have an SNMP daemon. Wasn't an issue previously as I had a nice accurate monitor on the cable modem.

Fortunately for me I have that monitoring capability back as the above quote mentions, though I wouldn't recommend the method I restored the SNMP access for myself as a general rule.

Stuart
07-04-2009, 16:39
For what it's worth no cloning uses SNMP, hence my comments to Mr Ford earlier that it's a pointless 'security' measure.


I do have some experience with SNMP.. We use it for monitoring and reconfiguring network hardware at work. If you need to reconfigure a rack of switches, much easier to send the same SNMP command to all of them than configure each one individually.

I have to admit, I don't really understand the point of VM disabling client side SNMP. I am not really familiar with how the modems implement SNMP, but if they allowed users to alter something that caused a loss of broadband, then I can understand that VM would want to stop this, but could they not allow the users read access without giving them write access?

Unless they really don't want people to be able to monitor how much they are down/uploading accurately using VM's hardware.

AbyssUnderground
07-04-2009, 16:46
Unless they really don't want people to be able to monitor how much they are down/uploading accurately using VM's hardware.

It doesn't stop people using a compatible router to do it though as most can monitor traffic on just the WAN port, so it would report just the same data that the modem would really, except any data that doesn't pass through the router, which would only be any data virgin send to it (configs etc).

Zhadnost
07-04-2009, 19:23
They are SNMP 2 compliant which should include MIB 2. Don't go taking this incredibly dangerous piece of knowledge and doing bad things with it now! :rolleyes:


The SoC that the Ambit 256 is based on supports MIB out of the box, mind you it also sports a USB 1.1 network interface onboard, that doesn't mean it's necessarily usable in the final product.

Ignitionnet
07-04-2009, 19:49
The SoC that the Ambit 256 is based on supports MIB out of the box, mind you it also sports a USB 1.1 network interface onboard, that doesn't mean it's necessarily usable in the final product.

MIB what?

The modem itself claims to be compatible with the DOCSIS 2 OSS standards which is where my comment came from:

System OR description.1 = An agent which supports all MIBs required by the DOCSIS 2.0 OSS specification.

Zhadnost
07-04-2009, 19:56
MIB what?

The modem itself claims to be compatible with the DOCSIS 2 OSS standards which is where my comment came from:

Sadly the datasheet doesn't say, just says it supports MIB.

It looks reasonably impressive though. Can support 1024QAM DS modulation and 256QAM US modulation with S-CDMA.

Ignitionnet
07-04-2009, 20:16
Sadly the datasheet doesn't say, just says it supports MIB.

It looks reasonably impressive though. Can support 1024QAM DS modulation and 256QAM US modulation with S-CDMA.

OK. Just means that it has standard OIDs which is a required part of the standards.

1024QAM DS modulation isn't used anywhere and isn't likely to be any time soon it increases network performance requirements considerably for very little return back and no CMTS or transmission kit that I know of can do it - it only gives another 25% bandwidth and has unpleasant signal requirements to work properly - 37dB SNR including coding gain, etc. It's actually been on the silicon for years in modems.

Same kind of story with 256QAM S-CDMA too.

Good to be built in for future use and abuse though.

Ignitionnet
01-09-2009, 23:24
Resurrection

Virgin it appears aren't any more interested in talking about this stuff, obviously they are yet to come up with any security implications to justify removal beyond that it's because ex-ntl engineering said so:

http://community.virginmedia.com/t5/Up-to-50Mb-broadband/SNMP-DOCSDIAG-Access-To-Modems/td-p/2517

EDIT: Blimey I was in a bad mood when I posted some of the stuff in this thread - sorry!

token
01-09-2009, 23:54
Did anyone (and by anyone, I mean anyone) actually realise community.virginmedia.com existed before this thread mentioned it ;-) You might just find that nobody with any answers, or inclination to provide any, realised that an alternative venue for spleen ventage had been invented.

xocemp
02-09-2009, 00:29
Did anyone (and by anyone, I mean anyone) actually realise community.virginmedia.com existed before this thread mentioned it ;-) You might just find that nobody with any answers, or inclination to provide any, realised that an alternative venue for spleen ventage had been invented.

Yep ;)

http://www.cableforum.co.uk/board/10/33653937-virgin-launch-customer-forum.html :p:

token
02-09-2009, 00:33
Must have missed that astonishingly loud level of fanfarage when I took my hearing aid out. Oh wait...

Ignitionnet
02-09-2009, 09:44
Must have missed that astonishingly loud level of fanfarage when I took my hearing aid out. Oh wait...

A number of the posters on here have long memories and are very used to VM's line of BS so no point getting too excited.

Given the lack of response on this or most other remotely controversial matters from the VM staff who would be using the website, it matches the total silence from the 'feedback' newsgroup, along with the wonderful collection of pseudo-tech from wannabe-tech support people who don't know a node from a commode you aren't missing much.

Stuart
02-09-2009, 10:52
I think I have said this before, but I never really understood why they disabled SNMP. Security would not (as far as I can see) be any more of an issue with it switched on than it is with it switched off.

The only reason I can think of is that it would give customers (those who are technical enough to be able to use it) some evidence when they complain to staff about being STMed again despite going nowhere near their download limit.

Ignitionnet
02-09-2009, 10:55
I think I have said this before, but I never really understood why they disabled SNMP. Security would not (as far as I can see) be any more of an issue with it switched on than it is with it switched off.

The only reason I can think of is that it would give customers (those who are technical enough to be able to use it) some evidence when they complain to staff about being STMed again despite going nowhere near their download limit.

It was switched off well before that on ex-ntl and for no real reason beyond that a couple of people in operations decided it would be that way. Vague concerns about 'security' but no specific threats mentioned.

Ex-TW was done because ex-ntl said so and they were the ones whose configurations were being deployed to ex-TW during the platform merge.

I know this, they know this, yet tried treating us as morons and coming up with a Rolodex of excuses. These days seems like silence is the way forward.