SRDB ID   Synopsis   Date
47741   Sun Fire[TM] 12K/15K: Incomplete removal of dynamic reconfiguration (DR) capability may lead to network hangs   21 Oct 2002

Status Issued

Description

There are potential problems when removing the 'sun-dr' entries from /etc/inet/inetd.conf. These removals are usually the result of hardening (securing) a system, or of rolling out one "general" /etc/inet/inetd.conf file to many systems. The goal of such modifications is to remove or disable unused/unwanted services from inetd.

Special care needs to be taken when removing the 'sun-dr' entries from /etc/inet/inetd.conf.

The sun-dr entries:

  sun-dr stream tcp wait root /usr/lib/dcs dcs 
  sun-dr stream tcp6 wait root /usr/lib/dcs dcs                  

make inetd listen on TCP port 665 (service name 'sun-dr' in /etc/inet/services) for remote dynamic reconfiguration requests. inetd starts the dcs daemon on demand.

The dcs(1M) daemon handles remote requests from the system controller (SC) to allow dynamic reconfiguration of a domain. The sun-dr entries are added when the package SUNWdcsr is installed; SUNWdcsr is part of the "Entire Distribution" installation on Sun Fire 15K.

From the dcs(1M) manpage:

[...]
  server using the TCP transport. The entries for the DCS in the /etc/inet/inetd.conf
  file are as follows:
    sun-dr stream tcp wait root /usr/lib/dcs dcs
    sun-dr stream tcp6 wait root /usr/lib/dcs dcs
  These entries enable remote DR operations. Removing them does not negatively impact
  the server; however, all DR operations initiated from a remote host would fail.
[...]

However, removing these entries has consequences. The dcs(1M) man page does not point to the related package SUNWsckmr, which includes the Sun Fire 15K key management daemon sckmd(1M). SUNWsckmr is also part of the "Entire Distribution" installation and provides the IPsec (AH) protection for the cvcd(1M) and dcs(1M) services.

From the sckmd(1M) manpage:

[...]
     Package SUNWsckmr configures  default  system-wide  policies
     for  cvcd(1M) and dcs(1M) by adding the following entries in
     /etc/inet/ipsecinit.conf:
       { dport sun-dr ulp tcp } permit { auth_algs md5 }
       { sport sun-dr ulp tcp } apply { auth_algs md5 sa unique }
       { dport cvc_hostd ulp tcp } permit { auth_algs md5 }
       { sport cvc_hostd ulp tcp } apply { auth_algs md5 sa unique }
[...]

Removal of the dcs(1M) entries from inetd.conf therefore also requires removal of the corresponding entries from the IPsec configuration. The policy is keyed on the port, not on the daemon: while it is active, every inbound TCP segment to local port 665 must carry a valid AH (MD5) header or it is dropped, and every outbound segment from local port 665 must be protected with a unique SA. The only SAs ever installed are the ones sckmd(1M) sets up with the system controller, so no SA exists for any other peer. Port 665 lies in the reserved range below 1024 from which RPC-based clients such as NFS and NIS pick their source ports, so sooner or later an unrelated connection lands on it and silently stalls.

If the IPsec configuration is not updated after the dcs service has been removed, seemingly arbitrary network problems or hangs can result.

SOLUTION SUMMARY:

To disable dynamic reconfiguration the following steps are necessary:

  1. Comment out or remove the 'sun-dr' entries in /etc/inet/inetd.conf:
      sun-dr stream tcp  wait root /usr/lib/dcs dcs
      sun-dr stream tcp6 wait root /usr/lib/dcs dcs
  2. Signal inetd to reread the configuration file:
      # kill -HUP <pid-inetd>
  3. Comment out or remove the 'sun-dr' entries in /etc/inet/ipsecinit.conf
     (this keeps the policy from being reinstalled at the next boot):
      { dport sun-dr ulp tcp } permit { auth_algs md5 }
      { sport sun-dr ulp tcp } apply { auth_algs md5 sa unique }
  4. Remove the active IPsec policy from the running system:
      # ipsecconf
      to list the active policy entries with their index numbers; note the
      indexes of the two sun-dr entries

      # ipsecconf -d <index>
      to delete each sun-dr policy entry, then confirm with "ipsecconf" that
      none is left. Alternatively, flush the whole active policy and reload it
      from the edited file (this briefly removes the cvc_hostd entries as
      well; the reload restores them):
      # ipsecconf -f
      # ipsecconf -a /etc/inet/ipsecinit.conf

Removing the packages SUNWsckmr and SUNWdcsr with pkgrm(1M) is another option. Afterwards check /etc/inet/inetd.conf, /etc/inet/ipsecinit.conf and the output of ipsecconf in the same way, because a policy already loaded into the running kernel is not removed by deleting the file it came from.

INTERNAL SUMMARY:

Incomplete removal of the sun-dr service can lead to apparently arbitrary hangs in other network services (e.g., NFS hangs or NIS hangs) whenever one of them happens to use port 665. Analysing the traffic with snoop only shows that no outgoing traffic from the affected port ever leaves the host and that incoming traffic to the port is never delivered to the corresponding service: snoop captures inbound packets before the IPsec policy drops them, and outbound packets blocked by the policy never reach the interface at all.

See bug 4288028 for details on such hangs.

The dynamic reconfiguration documentation has been changed in document 816-7723-10 to address this issue (see footnote on page 6).

SUBMITTER: Joerg Kuper BUG REPORT ID: 4288028 APPLIES TO: Operating Systems/Solaris, Network - OS, Network - OS/Network Config, Hardware/Sun Fire /15000, Hardware/Sun Fire /12000 ATTACHMENTS:


Copyright (c) 1997-2003 Sun Microsystems, Inc.