You're all here to see what... why I even called... they're putting a title like this on the screen. There we go. Now, I have this bad habit of wandering around and pointing at things, so remind me to talk into this. Okay, my name is Matthew Marsh, chief scientist and boss, sir, president, Paktronix, all sorts of weird shit like that. Basically, what I'm going to tell you about today is SNMPv3 and why I've been playing with SNMP itself since the late 80s.

Basically, we're going to go through what SNMP is, if my PowerPoint on Linux works. Oh great, this will be fun. There we go. Go over a very quick overview and history of SNMP: what it is, why do you care. Give you a couple of quick definitions and terminology, so when I start tossing them out you won't get too lost. The presentation that is on the CD is actually all full of information, references, RFC pointers, things like that. In the interest of showing you actual code running and how we play with it, I scrapped most of that and left it on the CD; this version of the presentation will also be available on the websites. I'm probably the best a search.org at least. And the source code is available. I use Net-SNMP for most of my stuff anymore, because I can. Some of the highlights of v3, some of the Net-SNMP extensions that we're talking about, some of the source code, and then why did I even pick Tripwire? Why did I pick Tripwire to pick on? Do you have an NMS? Don't you have an NMS? What do you want to do with this? And then give you a demo of how this works in a lot of different details.

The real summary of the whole thing is that SNMP is a message passing protocol. That's pure and simple what it's designed for: designed for data transfers between managed devices. It's defined by a whole bunch of features.
I'm sure you can read as well as I can; this slide is actually on the one on the CD as well. The thing you really want to understand is that SNMPv1 has been bashed a while and come under a lot of attack. Given when it was invented, in the late 80s, it's amazing that it lasted until the late 90s in any format whatsoever, and that it's even still in use. Contrary to popular belief, SNMPv1 did allow for authentication, authorization and privacy. Those were never installed into it, and nothing was ever really done about that because, after all, you have a simple community; it's kind of like a password. It's safe and secure, you're fine, not a problem.

The basic modes for SNMPv1, and including all the way through v3, are read, write and trap. A trap is a way for a managed agent to send a message back; read and write are something that a manager does to an agent. So there's really two forces at work here: there's a manager piece, which is the piece that's doing the asking and the telling, and then there's the agent, which is the piece that's doing the "Yeah, I got an answer here, go ahead and let me deal with it." It was first designed for UDP; there were a lot of protocol transports around back then. v3 allows you to do TCP, and the extensions that will be in it include just about any protocol you would like to run it over, including one of my personal favorites, IPX. SNMPv2 came in a bunch of different flavors, but there was a massive battle over whose was best and who had the extensions that worked, and so on, and the ones that actually...

Definitions. Abstract Syntax Notation One, which a lot of you have probably run into as ASN.1. It's an ISO standard. It's a real cute way of using dotted numbers to say a bunch of things. The real thing you need to care about is that it actually specifies the location of a data point that you're interested in. In other words, I give you a number like 1.3.6.1.4.1.9240.1.1.1; it actually specifies a data point that I have defined within the MIB structure that belongs to me. You can get your own MIB structure. In fact, I strongly suggest that if you want to make sure you're at least on some list at IANA, you go sign up for your own private MIB group.

Realistically speaking, you don't need to know what a lot of these are. MIB-2 takes care of nine tenths of everything you're going to want to do if you really want to manage a system. If you want to do private extensions, if you want to do some of the Cisco stuff they're talking about, if you want to do anything with a Wellfleet or whatever they call those routers now, or some of the other devices, you have to go with their private MIBs, if they've defined any. Private MIBs allow you to do things like change processor clock speeds on certain switches, and yes, those functions are embedded in there. In fact, you can do really weird things like go out to network servers and change file times, if you know which MIBs to do that with. There's a lot of that functionality built into these structures; you just have to go read the data and find out.

The part that's kind of interesting: a MIB is a Management Information Base. If you know what it is already, then I'm going to bore tears out of you by stating that it's a way to manage the data structure of what you're looking for. In other words, I tell you all of it, then you read it, and you know what the data looks like, or should look like. Now, recently, extensions to the MIBs do allow you to do what's usually called a bulk, or a BLOB in database circles, where you have just a bunch of stuff, you don't know what it is, and you want to ram it down the pipe.
You can now specify that. Historically, traditionally, and in the interest of portability, you want to limit your MIBs to integers, strings, things that are kind of normal. We're going to stay within that, and I'm actually going to show you at the end of this the MIB definition file that you can import into your own Tivoli or your Unicenter or any network management system you want. It'll actually let you get the hash of any file in the system that you specify you want the hash of, at the point that you specify it. You click go, it gives you the hash.

Authorization and authentication: obviously, most people confuse them a lot. For our purposes, we're going to confuse them even further; we're going to treat them as the same thing. Basically, you're authorized if you authenticate. Now, there are things in SNMPv3 that will extend that and split the functions out; for right now, just bear in mind that they actually have a way to do it using MD5 or SHA or your favorite hash. The actual authentication structure and the traps have changed between v1 and v3. I actually blasted the CD that they have here, and the Network Management Best Practices PDF on there explains a lot of this in really good detail. Yes, it's Cisco-centric, so there's a few things you've got to take with a nice marketing dribble flick, but most of it is good data. It'll tell you a lot about how this stuff works.

Version 3, the important parts: there's actual real authentication built into the structure now. You can have passphrases; they can include spaces; they must be longer than eight characters, yada, yada, yada. There's a buttload of MIBs to read, there's a buttload of RFCs to read, if you really want to know how this works. There's also privacy. Privacy equals encryption in this case. Basically, you can say, okay, I want to make sure that even though I'm writing data, I don't want you to read it if you're sniffing the wire; I can use a key to encrypt it. Right now it's DES by default, but in the future you can use any encryption you want. In fact, the spec itself currently states that all different types of privacy encryption can be used by telling the system what to use and what key structure. It's all in there; you just tell the system, hey, I want to use AES-128, I want to use whatever. You name it, you can use it.

The old-style traps: most traps in the original systems were thrown and prayed. Basically, we were using UDP. If we weren't reading and writing data, we said, okay, agent, you can tell me that there's a big problem right now. Wow, almost a stereo, at least one different side. Cool. All right, now the other people don't have to feel sure it changed. Okay, inform traps. Old-style traps, as I was starting to say, basically we threw them and prayed. If I was an agent and I needed to tell my manager that something's really badly wrong, I threw this trap out over UDP and I prayed that it got there. Most of the time, eh, it didn't get there.

New-style traps: first of all, we can now do TCP. So I can send out a trap and I can do it over TCP, and I can basically say, okay, I'm going to open the connection before I do the trap. Yes, there's overhead. Realistically, if you can get away with UDP, do it. You can actually specify per trap what you want to send. Even better, there's a trap style now called inform, which means I'm going to send you this trap over TCP and I'm going to block. I'm going to wait until I receive a response from you, and I'm going to keep bugging you until you tell me you got it. Granted, if there's a network failure, that's a well... But in a lot of those cases you can guarantee, most of the time, in the absence of a network failure, that the trap will get through. And when you're told about a trap that says, you know, I just lost all of my connectivity to the rest of the world and the users are going to be screaming, I'd say that's kind of important.

Security structures: all users, scope and ACL structures may have independent authentication and privilege structures. In other words, I can use a
bunch of different users for a bunch of different purposes.

General usage notes, if you're going to play with this stuff. And by the way, Cisco's had it for quite a while now; I think in 1999 they actually had an almost usable version, and by 2001 it worked really well. It does require that you use the American version of the software if you want to do the real encryption, but you can, apparently, on the export version, at least use the authentication structures. And by the way, the side note to that is, if you have a version of IOS that supports SNMPv3, it also supports SSH as well, because it's the same encryption engine.

You always want to use one user, because this is based on a program per user, for each action: a get user, a set user, a trap user. You also want to use different authentication passphrases for all of those people. Don't use the same one. You know, public and private, those died a long time ago. Well, it depends; if you're trying to get into something, you hope they didn't die. Okay, always use privacy; authPriv is the way you specify it. One of the things that's interesting about this is you can't use privacy without using authentication. And it sounds like, well, you know, I'd like to be able to use either one, but then when you think about it, it kind of makes a little more sense. Why are you going to bother encrypting it if you can't verify that you're the one asking the question? So usually, when you use privacy, you use authPriv. Now, privacy defaults to using the same passphrase that the authentication uses. It doesn't have to be so; in fact, in the spec it even says you really should not do that. But it will default that way in case you don't want to use more than one passphrase.

All custom applications... if you're using custom applications, as I was saying earlier, the actual structure for SNMPv3 allows you to use anything you want. You can say, hey, I want to use this kind of encryption, I want to use this kind of authentication. You don't have to use MD5 or SHA or DES; you just have to make sure the manager and the agent both understand that. Recently, and I'll get into this when I get into Net-SNMP a bit, Wes Hardaker, the lead programmer of that project, sent out this really cryptic message to net-snmp-coders that basically showed an AES-128, I think it was, encryption structure working flawlessly under the Net-SNMP thing. Which is kind of nice, because if you're using just DES, which is what everybody defaults to now, you know how much that matters.

The extensions, the extensions I play with here: actually, I use the mhash libraries to do the hashing. Why?
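The usage notes above (one user per action, a different passphrase for each, always authPriv, and separate authentication and privacy passphrases) translate into a short Net-SNMP agent configuration. The fragment below is an added editor's example, not the speaker's configuration or anything from the CD; the user names, the placeholder passphrases, the NMS host name and the view OID are assumptions (the enterprise arc .1.3.6.1.4.1.9240 is the one the speaker's MIB uses). It assumes an agent version that understands `createUser`, `rouser`/`rwuser` and `trapsess`.

```conf
# snmpd.conf (added example; placeholder passphrases, each at least 8 characters)
#
# createUser: USMuser  AUTHPROTO "auth passphrase"  PRIVPROTO "priv passphrase"
# The privacy passphrase is given explicitly so it does NOT default to the
# authentication passphrase. One user per action, no shared passphrases.
createUser getuser  SHA "get-auth-passphrase-CHANGE"  AES "get-priv-passphrase-CHANGE"
createUser setuser  SHA "set-auth-passphrase-CHANGE"  AES "set-priv-passphrase-CHANGE"
createUser trapuser SHA "trap-auth-passphrase-CHANGE" AES "trap-priv-passphrase-CHANGE"

# Access control: "priv" requires authPriv, and the trailing OID limits each
# user to the file-hash subtree instead of the whole MIB (VACM behind the scenes).
rouser getuser priv .1.3.6.1.4.1.9240
rwuser setuser priv .1.3.6.1.4.1.9240

# Notifications go out authPriv as well, using the dedicated trap user.
# nms.example.com is an assumed manager host name.
trapsess -v 3 -u trapuser -l authPriv -a SHA -A "trap-auth-passphrase-CHANGE" \
         -x AES -X "trap-priv-passphrase-CHANGE" nms.example.com
```

Two practitioner checks: the `createUser` lines hold the passphrases in clear text, so the file they live in must be readable only by the agent (Net-SNMP converts them to localized `usmUser` entries in its persistent store on first run), and the manager side must use the matching user for the matching operation, for example `snmpget -v3 -u getuser -l authPriv -a SHA -A ... -x AES -X ... host OID`. For the key rotation question raised later in the talk, Net-SNMP ships `snmpusm`, whose `passwd OLD NEW` subcommand changes a user's keys in place, so the passphrases in a deployment like this can be rotated without touching the agent's config file.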
Because I could cut and paste that code easily, and then I could write my own. Realistically, what it does also allow me to do is use any other hashing function in the library, simply by changing the way I define the function that's calling it. In fact, you could, and I haven't yet, set up a MIB that says, here's the function I want to use; now I will switch to it and use it. Bear in mind, it's not just for authentication but for the hashing structure of the files themselves that we're going to look at. And you can easily extend that to use mcrypt, any library you want. You can even put in a static function: if you have your own super cool encryption algorithm that no one else uses, you know, XOR 13 or something, hey, go for it, you can put it in there. The nice part about that is that if you define both sides of it, it makes it that much harder to figure out what's going on. Realistically, you always want to set up your initial security for all of this in a secure environment. You don't want to go put all of these things out there and then configure them. Well, you could, but you probably don't want to.

The reason I harp on SNMP as a message passing protocol is that's actually what I'm going to use it as in the rest of this talk. I'm going to use it in all of these demonstrations and all of the stuff following as a way to get a secure statement out to an agent and as a way to get the hash securely back to me. And as you'll see when I go into the source code a bit, I can get anything I want. You want the listing of the disk, you want the processor utilization, what would you like? We can put it in there.

Net-SNMP, this is what I actually use. It's had v3 since 1998. It used to be the UC Davis, the UCD-SNMP platform. There was a CMU and a UCD; UCD was continuously developed, CMU kind of fell by the wayside. Wes Hardaker actually came from UCD and continued it, and recently they renamed the project Net-SNMP. You know, sadly to say, I don't really know the licensing. I think it's BSD; I know it's not GPL. I GPL my stuff and I know that's a different license than they use. I think it's BSD because I'm fairly certain parts of it are in W2K. It's originally based on those implementations; it's actually gone a lot further than that. It includes all the tools you could possibly want. You can have the agent, which is the part that actually runs and serves up data; it has all the tools to query and get information. The only thing it doesn't really have is a full NMS, which is basically a nice, cute query tool or something similar that says, oh, let me click here and find out the data. Although they supposedly have a couple of projects that are related to them that can do that.

The neat thing about Net-SNMP, one of the things that made me start really playing with the new 5.x, which was released about a year ago: it now divorced the transport, in other words the protocol, from the actual data structures themselves. In other words, if you've ever played with Novell stuff way back when, you realize they could do SNMP over IPX. And when you think about it, it makes perfect sense, because SNMP does not say anything really, truly, in any of the RFCs about IP. It just says, hey, here's the way I form a packet, here's what I do, here's how I talk to stuff. The nicest thing about this is that you can use all sorts of things, including IPX on Linux. Being as my entire network is Linux, well, except for my network server, which is still running, and I don't want to turn it off because it has my data on it, and it backs itself up, so I don't care. The IPX is very nice, because now I can
run a management structure across my entire network, including my internet-connected parts, and you can't see it if you're coming in from the internet. It just ain't there. There's one for AAL5, which is kind of funky. Somebody apparently did go to work over DECnet. Why? I don't know, but hey, if that's your thing, cool. The interesting part is, if you go and look in the Net-SNMP code, all the transports are working out now: IPv6 TCP, IPv6 UDP, regular TCP, regular UDP, IPX, AAL5, blah, blah, blah. They even have one that's called SAMP there, that protocol. Guess what that is? You want an H1 protocol? You want to use a protocol that they don't have? Go for it, do it. I haven't bothered because I've got bigger things to try, but it's there, and if someone wants to write it for some of those more obscure protocols, that would be a really good contribution.

Okay, the real reason you're kind of sitting here and wondering why I'm doing some of this: I'll go to the MIB and stuff, and then I'll discuss why I'm picking on poor Tripwire. This is the MIB. This is actually pretty much, with the exception of some white space and some additional padding that you have to put in there, the entire MIB that we're going to use for all these definitions. First, we define our enterprise. Now, realistically, 9240 belongs to Paktronix Systems, but hey, I can make it belong to anything that I want if I define it in the MIB. As long as the agent loads it, what do I care? So for the purposes of this, and for the purposes of the software on the CD, I've defined it to Paktronix. The pactDC is an OID that says this is an object identifier underneath that global reference, and under that I'm going to have setfiles. This is where we're going to play games. There's two things under setfiles: the test file string, which is an actual string, size 0 to 1024. You can make it whatever you want; you can also change the types, but this makes it easy and we'll load it into any MIB compiler out there. And it's a publicly settable string. Basically, you set the string and then you call pactTestFileHash, and what that does, it goes out, takes your string, says, give me an MD5 sum of this file on an agent system. I'm going to demo it on one box. The reality is this is running manager and agent; the agent part could be running on anything I want, anywhere in my enterprise that I can get to over the protocol that I'm using. In other words, when I set this string on a remote machine, I'm actually telling it, go look at this file. Bomb that machine over there and give me that hash.

The source code, there's source code in there. It's provided as a patch against Net-SNMP. We'll take a quick look at the C file, because I want to show you the main functions. It's tested on all versions up to 5.0.2 as of a couple of days ago. The 5.0.2-pre1 source code for Net-SNMP I included on the CD. I also included mhash 0.8.10, which is what I actually wrote the hash routine against, to make a lot of use of it. So everything's there if you want to play with it. It will compile on all major Unixes. Oh, and by the way, Net-SNMP apparently will compile on Windows platforms. Don't ask me, I don't want them, I have no clue. If someone wants to tell me, I'll be more than happy to put the information out there. I don't do it myself. If you do apply the patch against 5.0.2, there's two rejects, because we changed the way some of the protections are done in the TCP and UDP files, but you can ignore them. And then there's a
configure file put in there on purpose, because there's a whole bunch of options which wouldn't be real familiar. This configure file at least gets you up and running and lets you compile it so that you can run this code and see this code in operation. You know, edit it, look at it, figure out how everything works. If all else fails, you can email me, at whatever address you find for me that works. And then make install, or you can run it from there if you set the LD_LIBRARY_PATH appropriately. You can make it statically; it's not a big deal. And there are people out there who have made static binaries for this for the purpose of embedded systems that are really tiny and work really well. Didn't happen with me, but they're all out there. And then, of course, the most fun part is, once it's installed, go ahead and play.

Why did I pick on Tripwire? Made you look. The reality is it was very simple, and it was one of those things. I've had this hashing thing for about a year now, been kind of playing with it. Someone was talking to me one day and I was telling them, that's just the list of the hashes of the important files on one of my servers over at the ISP, and they went, oh really? Are you running Tripwire over SSH? No, I never followed it that way. No, I'm running it over SNMPv3. Basically, when you look at something like Tripwire, or any kind of integrity program like that, you need to ensure the file integrity. What does that really mean? It means that the file changed, and if it changed, do you have an idea of when, or how, or where, or why? Most common file integrity programs, to do this, use a hash and a database. It is the file name, it is the hash.

Network management systems, on the other hand, are these incredibly expensive, huge things, although OpenNMS is getting pretty good and Scotty is still a strong contender, and they're free. But basically, big databases with correlation engines attached to them. They do all sorts of neat things in graphical mode; they have extensive automation capabilities. They're working in large enterprises, where you see network management people with big displays of all of these routers and hubs and switches and servers and crap all over the place. They can click on it and tell you exactly what's going on, with pretty graphs that really impress management. That's an NMS system. Those things are designed to be extensible, automated, and to let you plug stuff into them.

And what are we trying to do here? We're going to want to tell one of those things, hey, go check that server over there, read the hash of the following files and store it, and do that every five minutes, or ten minutes, or what time frame works for you. And they can all be independent queries. The point is that you can then have a literal tracking record of the hash structure of those files. It's as though you're continuously running Tripwire, or something similar, on that system, remotely, all the time. And the best part about that is most NMSs have these really neat automation capabilities that allow you to do alert structures and, oh hey, something changed. You know, the tech on duty, beeper time, or you send out an email, or do this. Or even better, one of the tricks I use with my own personal systems is I say: if that hash ever changes, and you check it every five minutes, if that hash ever changes, you immediately do a diff, using a different MIB, of that file, and give me the difference. Because I have a MIB that actually knows what the file should be as of the last hash read. You can do a diff for me and send me the diff, all over SNMPv3,
all secure, over IPX if I want to. The point is that with that kind of automation you can serve all of these structures, and then you can import the MIB, you can make it extensible, serve your escalation, serve your alarms. Basically, you can integrate a Tripwire-type capability into the systems you already have managing the networks you have.

Okay, so you don't have an NMS, because you don't have, what, 35 grand or so to toss around for kits. I mean, I wouldn't buy an NMS with that, which is why I usually end up consulting for companies that have that kind of money and go about wasting it that way. You can do all sorts of things. You can script it, you can use Tcl, and you can use a bunch of other applications out there. My personal favorite, although I'll be the first to tell you I'm not a very good coder; in fact, my favorite form of coding is "mangle to fit," using a debugger massively. So, okay, you understand the way I go. What Net-SNMP gives you is a full library API. It also has binaries that come with it that'll do all sorts of ridiculous stuff: snmpset, blah, blah, the whole line of words.

Here's a little simple shell script, and this is actually one I have installed here, and I'll show you how this all works. What we do is we first go ahead and we have a file; we cat file.list, and in that file list we have a whole bunch of paths, and I'll show you all of this running. We then do an snmpset of the line that we're talking about. So it could be, say, /etc/passwd. So I'm going to set /etc/passwd into 1.3.6.1.4.1.9248.1.1.1.0, which is the pact file locator. Then I'm going to echo that, without a line feed, to an output file, and I'm going to go get the 1.1.2.0 location, which is actually the hash of that file. And then I'm going to loop through this file and end up with a list of file names and their hashes. And it's going to take a really long time; it takes almost like 10 seconds or so to run. And this assumes, of course, that you have the appropriate entries in your file.list, and we look at that.

Additional scripting: one of the nice things they did recently, in the 5.0.2 series, is they actually incorporated Perl into the Net-SNMP agent itself, which is kind of wild. Before, they always had a Perl interface that you could query the libraries with, which is what you would do if you were writing a script for this. What's nice is that now you can actually write Perl code in the configuration file, or in additional included files, for the agent itself to execute. Any data you like, have the agent execute it. C programs are obviously the fastest, so if you want to do a head start with a lot of multiple hosts, write a C program that goes against the same library. They both use the library calls, and if you take a look at the source, which we're going to see, then you'll see that extending the code is ridiculously simple. Most of this is fairly simple: I'm going to call the library with the hash function, hand it a file name and say, go hash this. Okay, and then hand it back the result. The code runs on the system, on the managed system, so this is the actual machine you're playing with. It's basically a wonderful messaging... what do you want to do, really?

So we'll go through this part in a second, because what we really want to do is go play, if I can figure out what I'm having... a mouse, actually. Oh, thank you. This is so much fun. You can tell I use X a lot, can't you? In fact, let's do this and see if it still displays. It doesn't... lots of fun. Is there anything up there at all that's readable? Okay, we'll do it for next then. You know how it is with these highfalutin systems. Okay, now let's see. Open up one of these, and I think this is the command. Yep. And you can tell I have real informative names for my computers. Okay, is that displaying? Good. Now, if you take a look in here, and ignore all of the foo-bar and other things from while I was playing with my PowerPoint trying to get it to work, you'll notice that there's a C file and an H file, which defines it for you. There's also a C file
that does just a quick get using the API, just to show you how things work, and then two script files. All of this stuff I'll really upload to where I put the final presentation, so you can go play with it. Let's take a look real quick first at this script file. This is the same one I just had in that particular example on the slide. If you want to see what exactly the file list looks like, basically I'm giving it full paths. Now, this file resides on the manager. It's not on the agent or the managed system; this is on the manager. It's going to tell the agent what to go look for. So if someone were actually on the agent system, they wouldn't know what files you're looking at or asking for, because they can't see that. In fact, there is a way to lock down the agent so that the agent machine itself cannot talk to the agent daemon that's running; in other words, you can't find that information about the machine you're on.

This particular one, what it's going to do is it's telling me which file is on it. For instance, what the heck, where did I lose this time? Is this still up there? Okay, good. I lost this one. I can't see what the heck I'm doing. Let's try that. Now we can go see. That's good. Oh, good idea, thank you. Okay, that'll make it a heck of a lot easier, because then I can type with both hands. Now we'll just take a look at the output file. There's all our options. Pretty simple, pretty easy. Now, if you take a look at the top one, what we'll do is we'll just quickly copy this one to that. And then I put in this "change me" file on purpose. Gee, I wonder why. What we'll do is we'll just do something really, really interesting to it. We'll add a period to the end of it. I'm really modifying this file happily right now, as you can tell. And then we'll just go ahead and re-run that script. Basically, what it'll do is it'll go out, and when I run this script, each one of these files is written into the MIB and then the hash is read. Now, one thing you do have to bear in mind is I've made it so easy that essentially, if you took a look at the MIB right now, what it is set to right now is /sbin/fdisk, because that's the last thing that was written to it. You can set it up to write to a config file, read from a config file, do whatever you would like. If you take a look at output, now the hash has changed. Real simple, real easy.

So how do we really do this? Let's take a look at the C file, because that's the important one. The H file just has the definitions for Net-SNMP's purposes, to make it easier to compile: a whole bunch of includes, all sorts of wonderful stuff. We define where we're actually putting all of our variables, and then we go ahead and we actually initialize this; we basically tell it, hey look, I've got a MIB, here's what I am, here's what I'm doing, go read it in. If you're interested, now we get to the front part, we get to the actual routine to generate the sum, and it's fairly simple. If you actually went and checked in mhash, you'd find this example C program, and you'd be really surprised how closely it resembles this function. But the reality is, basically, I'm taking this, I carry this file, which I've set into my MIB now, I'm reading it back and saying, okay, this is the file I'm interested in, and then I'm going to turn on hashing it. There's debug messages that are there; if you actually want to, you can launch the agent with -D on the pact file token and watch the looping function build, literally, to read the hash function. It does slow it down a bit, but if you're actually trying to figure out why it doesn't work, it's a real good way to do it. And essentially we take that, we send it back, and we send it into the actual structure that Net-SNMP uses to read and write all of these things. So you have this unsigned char * var pact file hash; this is a standard Net-SNMP set/get variable structure, and essentially all it does is it says, okay, I'm first going to do my headers, make sure that the packet coming in is tolerable. This is all in the Net-SNMP docs. And then I'm going to actually go down and
do the value assignments. So in the case where we get the pact file name in, which is that 1.1.1.0, first I have a write method that I've defined, which basically says, oh, I got a value, copy it. And then I do a var on it, because I must return a length as part of the specification, and return pact file name. Which is that hash function you saw earlier: I basically call that, do the hash, and return the whole structure. If we want to just get the hash, we can call pact hash directly. And then, of course, if we have an error, we spit out an error, and there we go.

Here's the write, the actual part that does the writing. Takes the value, writes it in. It's really complicated: if it comes in and it's not the type you expected, throw it out; if it's too big, throw it out; otherwise, it's just a write. And all we do is we say, okay, cool, we copy it into pact file name, stuff it into memory, we're done. This is all in memory. If you actually want to write it out, you have to do more things with the MIB.

We'll take a quick look at the Perl file, just to show you. Essentially you just use SNMP, which comes with Net-SNMP; you compile it, it's part of the package, install it. It allows you to define a session. If you notice, I've defined this session to localhost, version 3. Now, I do have the passwords and the privacy passwords in here. That is one of the current few drawbacks to using v3: the manager must know the passwords to everything; it has to know the authentication passphrases. There is talk about trying to do some kind of escrow structure or certificate structure to extend these; I'm sure it'll be done at some point in time. Realistically, if your manager has been hacked, you're toast, because that thing usually has set rights to some serious equipment. Of course, it's a very nice thing to attack, too, so you can figure out which one's the manager. A lot of times, especially if they're running something like NetView or Tivoli or Unicenter, they're fairly easy-to-crack Unix boxes, because last time I looked, for example, if you're running NetView on AIX, you had to have telnet available for certain things. Last time I looked at Unicenter, for one function they needed Arch opened up. Not fun. Hopefully they'll get wiser and they'll start locking those suckers down. Because, as I've just showed you with this, if you are the manager, you basically run that network, and you can do anything you want to at any point in time. Anyway, questions, commentary?

Problem with... since every five minutes or so this thing is going to return with a full sheet's worth of hashes, the key rotate... can I just take a whole bunch of these messages, push them into a little stack and pop out your passwords there?

That actually is something that is built in. The reason that the specification for v3 originally built in the mechanisms for not only defining alternate encryption and authentication mechanisms, they also built in methods of stating when one had changed, and the ability, using a VACM construction, to change that on agents. So you can actually change it every so often, if you want to. Realistically, you would depend on other methods to determine whether someone was doing that kind of construct against you. Yes, it is open to gathering a whole bunch of them and beating on it like crazy. Yes, and that is one of the reasons they put in the extensions; there's a lot of work on trying to do the certificate structures, because right now, today, that's a very valid attack against it. One of the things that they did put in from the get-go is the concept of an engine ID. So I can actually use additional functionality based on unique engine IDs for each of my agents and managers. That would give me some protection against that kind of attack, because it will use the engine ID to slightly change the way it does the encryption each time, as a salt, basically. To turn all that stuff on, you have to have some good CPU horsepower about.
So there are the drawbacks there. Additionally, the engine ID does prevent replay attacks, as long as you do have the structure in full authPriv mode. A lot of that is covered in some of the late draft RFCs that are now starting to be specified for v3, because those are similar problems no matter which message passing protocol you're looking at. Any other questions? I'll be wandering around, so feel free to ask me. Like I said, most of the source code is available, and probably more extensive stuff as well, as I start playing with it a little more. Check out the Net-SNMP project, because they have a lot of interesting information and source that you can play with yourself today. Otherwise, have a good one.