SMB2 Signing and WAN Accelerator problems ...
Christopher R. Hertel
crh at samba.org
Wed Jul 31 09:00:41 MDT 2013
Some of the WAN accelerator companies have, in the past, required that
customers disable signing on both ends. I don't know if that works with
SMB2, but the correct solution is for the WAN accelerators to become
replica-only DCs and do "real" proxying.
On 07/31/2013 08:49 AM, Richard Sharpe wrote:
> Hi folks,
> I have evidence that at least one code revision in one of the WAN
> Accelerator products out there (I don't know which one) modifies SMB2
> Headers, and thus breaks SMB2 signing. The evidence takes the form of
> captures on both sides of the WAN and the packets have been modified
> on the server side of the WAN compared with the client side.
> They did not understand, it seems, that Command IDs can appear out of
> order in SMB2 PDUs on a TCP connection and they reorder them. This
> changes the SMB2 signature and breaks SMB2 signing.
> This might have been caused by the fact that the Wireshark SMB2
> dissector mislabels this field as the Command Sequence Number which
> has certain connotations.
> A patch to fix this has been applied to the Wireshark repository and
> should turn up with the next release.
> (I have also checked the SMB2 Signing code and it looks pretty solid.)
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
More information about the samba-technical