January 2007
- 247 participants
- 157 discussions
> > But to start with, just solving the data storage problem is a good
> > place to start.
> How about something like:
> http://www.hdfgroup.org/whatishdf5.html
That certainly has a lot of support in the scientific community
in similar applications such as astronomy and high-energy
physics. However, if people don't understand the quirks of
dealing with large amounts of time-series data they will
probably look at HDF and consider it to be a poor out-of-date
cousin of the relational database. In fact, it is simply a
different approach to data storage which solves different
problems than relational databases do. A good network management
application would still use relational databases for some data
and only use HDF for the big time-series (SNMP poll data).
But HDF is still a general purpose format and it might be
possible to do better with a specialized time-series database
that has concepts such as deltas, missing values, or even
wavelets.
--Michael Dillon
>Upon leaving a router at telx and asking one of their techs to plug
>in the equipment for me, I came back to find all my cat5 cables neatly
>tied with some sort of waxed twine, using an interesting looping knot
>pattern that repeated every six inches or so using a single piece of
>string. For some reason, I found this trick really cool.
It's called 'wax lacing' and it was originally a CO standard.
It was adapted to collocation, FWIW, first by MCI, IIRC, then
Level(3). Level(3) mastered the art of building converged central office
and colo (T Colo + Colo) by taking Bellcore standards and CO experience
and creating hybrid standards of design and installation. Internap used this
standard as well.
The beauty of using this technique is service delivery and aesthetics.
You don't just do and un-do wax lacing. It's meant to be permanent
so in order to use it extensively, you need to have a superior cross
connect system and plant engineering in place and a detailed service
delivery methodology. This doesn't work in most places because they
don't have or do enough detail planning.
The knot you are seeing is likely "chicago knot". It should be
easily undone by tugging on one of the two short ends. Wax is also
used in conjunction with "fish paper", green wax paper that is used
as a coating between metal and cable so that wear is offset from
vibrations et al.
There are multiple reasons to use wax over zip ties. Some are
safety related, some are service delivery related, and some are wear
related.
It is definitely not cheap. It is also a highly technical
undertaking to do correctly. You have to make all your decisions on
cabling up front, i.e. split at center, left to right, split at rack,
mid to upper, mid to lower, etc.
http://www.dairiki.org/hammond/cable-lacing-howto/
and digg it:
http://www.digg.com/mods/The_lost_art_of_cable-lacing...
(I'm well under 50. See digg article :) )
-M<
Cisco Security Advisory: Crafted IP Option Vulnerability
by Cisco Systems Product Security Incident Response Team 25 Jan '07
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Crafted IP Option Vulnerability
Advisory ID: cisco-sa-20070124-crafted-ip-option
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.sh…
Revision 1.0
For Public Release 2007 January 24 1600 UTC (GMT)
+--------------------------------------------------------------------
Contents
========
Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Version and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures
---------------------------------------------------------------------
Summary
=======
Cisco routers and switches running Cisco IOS® or Cisco IOS XR
software may be vulnerable to a remotely exploitable crafted IP
option Denial of Service (DoS) attack. Exploitation of the
vulnerability may potentially allow for arbitrary code execution. The
vulnerability may be exploited after processing an Internet Control
Message Protocol (ICMP) packet, Protocol Independent Multicast
version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet,
or URL Rendezvous Directory (URD) packet containing a specific
crafted IP option in the packet's IP header. No other IP protocols
are affected by this issue.
Cisco has made free software available to address this vulnerability
for affected customers.
There are workarounds available to mitigate the effects of the
vulnerability.
This vulnerability was discovered during internal testing.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.sh…
Affected Products
=================
Vulnerable Products
+------------------
This issue affects all Cisco devices running Cisco IOS or Cisco IOS
XR software and configured to process Internet Protocol version 4
(IPv4) packets. Devices which run only Internet Protocol version 6
(IPv6) are not affected.
This vulnerability is present in all unfixed versions of Cisco IOS
software, including versions 9.x, 10.x, 11.x and 12.x.
This vulnerability is present in all unfixed versions of Cisco IOS XR
software, including versions 2.0.X, 3.0.X, and 3.2.X.
All versions of Cisco IOS or Cisco IOS XR prior to the versions
listed in the Fixed Software table below may be susceptible to this
vulnerability.
To determine the software running on a Cisco product, log in to the
device and issue the "show version" command to display the system
banner. Cisco IOS software will identify itself as "Internetwork
Operating System Software" or simply "IOS". On the next line of
output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Cisco IOS XR software
will identify itself as "Cisco IOS XR Software" followed by "Version"
and the version number. Other Cisco devices will not have the show
version command or will give different output.
The following example identifies a Cisco product running Cisco IOS
release 12.2(14)S16 with an installed image name of C7200-IS-M:
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(14)S16,
RELEASE SOFTWARE (fc1)
The release train label is "12.2".
The next example shows a product running IOS release 12.3(7)T12 with
an image name of C7200-IK9S-M:
Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(7)T12,
RELEASE SOFTWARE (fc1)
Additional information about Cisco IOS Banners is available at
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper…
Cisco IOS XR Software is a member of the Cisco IOS software family
that uses a microkernel-based distributed operating system
infrastructure. Cisco IOS XR runs only on Cisco Carrier Routing
System 1 (CRS-1) and Cisco XR 12000 series routers.
Additional information about Cisco IOS XR is available at
http://www.cisco.com/en/US/products/ps5845/index.html
The following example shows partial output from the show version
command which identifies a Cisco product running Cisco IOS XR release
3.3.0:
RP/0/RP0/CPU0:router#show version
Cisco IOS XR Software, Version 3.3.0
Copyright (c) 2006 by cisco Systems, Inc.
ROM: System Bootstrap, Version 1.32(20050525:193559) [CRS-1 ROMMON]
Products Confirmed Not Vulnerable
+--------------------------------
Cisco devices that do not run Cisco IOS or Cisco IOS XR software are
not affected. CatOS software is not affected by this issue.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
This vulnerability may be exploited when an affected device processes
a packet that meets all three of the following conditions:
+---------------------------------------+
| 1. The packet contains a specific |
| crafted IP option. |
|---------------------------------------|
| AND |
|---------------------------------------|
| 2. The packet is one of the following |
| protocols: |
|---------------------------------------|
| * ICMP - Echo (Type 8) - 'ping' |
|---------------------------------------|
| * ICMP - Timestamp (Type 13) |
|---------------------------------------|
| * ICMP - Information Request (Type |
| 15) |
|---------------------------------------|
| * ICMP - Address Mask Request (Type |
| 17) |
|---------------------------------------|
| * PIMv2 - IP protocol 103 |
|---------------------------------------|
| * PGM - IP protocol 113 |
|---------------------------------------|
| * URD - TCP Port 465 |
|---------------------------------------|
| AND |
|---------------------------------------|
| 3. The packet is sent to a physical |
| or virtual IPv4 address configured on |
| the affected device. |
+---------------------------------------+
No other ICMP message types are affected by this issue.
No other IP protocols are affected by this issue.
No other TCP services are affected by this issue.
The packet can be sent from a local network or from a remote network.
The source IP address of the packet can be spoofed or non-spoofed.
Packets which transit the device (packets not sent to one of the
device's IP addresses) do not trigger the vulnerability and the
device is not affected.
This vulnerability is documented in these Bug IDs:
* Cisco Bug ID CSCec71950 for Cisco IOS
* Cisco Bug ID CSCeh52410 for Cisco IOS XR
Cisco IOS
+--------
A crafted packet addressed directly to a vulnerable device running
Cisco IOS software may result in the device reloading or may allow
execution of arbitrary code.
Cisco IOS XR
+-----------
A crafted packet addressed directly to a vulnerable device running
Cisco IOS XR software may result in the ipv4_io process restarting or
may allow execution of arbitrary code. CRS-1 Nodes that run the
ipv4_io process include Route Processors (RP), Distributed Route
Processors (DRP), Modular Services Cards (MSC), and XR 12000 Line
Cards. While the ipv4_io process is restarting, all ICMP traffic
destined for the device itself and exception punts will be dropped.
Examples of exception punts include packets having IP header
information that requires further processing such as IP options,
Time-to-Live equal to 0 or 1, and layer-2 keepalives. CLNS traffic to
the Node or Line Card is not affected. If the ipv4_io process is
restarted several times consecutively, the CRS-1 Node or XR 12000
Line Card may reload, causing a Denial of Service (DoS) condition for
the transit traffic switched on that Node or Line card.
Devices Configured for ICMP Message Types
+----------------------------------------
ICMP Type 8
+----------
By default, devices running all Cisco IOS and Cisco IOS XR versions
will process ICMP echo-request (Type 8) packets. This behavior cannot
be modified.
ICMP Type 13
+-----------
By default, devices running all Cisco IOS versions will process ICMP
timestamp (Type 13) packets. This behavior cannot be modified.
By default, devices running all Cisco IOS XR versions will NOT
process ICMP timestamp (Type 13) packets. This behavior cannot be
modified.
ICMP Type 15
+-----------
With the introduction of CSCdz50424, by default routers will NOT
process ICMP information request (Type 15) packets. Releases of Cisco
IOS that contain CSCdz50424 include 12.3, 12.3T, 12.4, 12.4T, later
12.0S and later 12.2S. See CSCdz50424 for complete release
information.
A router running a Cisco IOS release containing CSCdz50424 that has
been modified to process ICMP information request packets will have
the interface configuration statement "ip information-reply", which
can be seen by issuing the command "show running-config" as shown
in the following examples:
router#show running-config | include information-reply
ip information-reply
or
router#show running-config
interface FastEthernet0/0
ip address 192.0.2.1 255.255.255.0
ip information-reply
By default, devices running all other Cisco IOS versions will process
ICMP information request (Type 15) packets. This behavior cannot be
modified. Since this is the default behavior, "ip information-reply"
will not be visible in the device's configuration.
By default, devices running all Cisco IOS XR versions will NOT
process ICMP information request (Type 15) packets. This behavior
cannot be modified.
ICMP Type 17
+-----------
Beginning in Cisco IOS version 10.0, by default devices will NOT
process ICMP address mask request (Type 17) packets. A router that
has been modified to process ICMP address mask request packets will
have the interface configuration statement "ip mask-reply", which
can be seen by issuing the command "show running-config" as shown
in the following examples:
router#show running-config | include mask-reply
ip mask-reply
or
router#show running-config
interface FastEthernet0/0
ip address 192.0.2.1 255.255.255.0
ip mask-reply
By default, devices running all Cisco IOS XR versions will NOT
process ICMP address mask request (Type 17) packets. A router that
has been modified to process ICMP address mask request packets will
have the interface configuration statement "ipv4 mask-reply", which
can be seen by issuing the command "show running-config" as shown in
the following examples:
RP/0/RP0/CPU0:router#show running-config | include mask-reply
Building configuration...
ipv4 mask-reply
or
RP/0/RP0/CPU0:router#show running-config
interface POS0/1/3/0
ipv4 address 192.0.2.1 255.255.255.252
ipv4 mask-reply
Devices Configured for Protocol Independent Multicast Version 2
(PIMv2)
+--------------------------------------------------------------
Cisco IOS
+--------
A router running Cisco IOS that is configured to process PIMv2
packets will have an interface configuration statement that begins
with "ip pim", which can be seen by issuing the command "show
running-config" as shown in the following examples:
router#show running-config | include ip pim
ip pim sparse-mode
or
router#show running-config
interface FastEthernet0/0
ip address 192.0.2.1 255.255.255.0
ip pim sparse-dense-mode
The command "show ip pim interface" can also be used to determine
if a router is configured to process PIMv2 packets, as shown in
the following example:
router#show ip pim interface
Address          Interface          Ver/   Nbr    Query  DR     DR
                                    Mode   Count  Intvl  Prior
192.0.2.1        FastEthernet0/0    v1/S   0      30     1      0.0.0.0
192.168.1.1      FastEthernet1/0    v2/SD  0      30     1      0.0.0.0
Interfaces running PIMv2 will show "v2/" under the Ver/Mode column.
Interfaces without PIM configured will not be shown in the command
output.
PIMv2 is the default PIM version. Routers configured to process only
PIMv1 messages are not vulnerable to the PIMv2 exploit. Routers that
do not have PIM configured are not vulnerable to the PIMv2 exploit.
PIM is not enabled by default.
Additional information about PIM is available at
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configurati…
Cisco IOS XR
+-----------
The command "show pim interface" can be used to determine if a router
running Cisco IOS XR is configured to process PIMv2 packets, as shown
in the following example:
RP/0/0/CPU0:router#show pim interface
Address          Interface            PIM  Nbr    Hello  DR     DR
                                           Count  Intvl  Prior
192.168.1.1      Loopback0            on   1      30     1      this system
192.168.2.1      MgmtEth0/0/CPU0/0    off  0      30     1      not elected
192.168.3.1      Loopback1            on   1      30     1      this system
192.168.4.1      Loopback3            on   1      30     1      this system
192.168.5.1      POS0/4/0/0           on   1      30     1      this system
192.0.2.1        POS0/4/0/1           on   1      30     1      this system
Interfaces running PIMv2 will show "on" under the PIM column.
Interfaces without PIM configured will show "off" under the PIM
column.
Cisco IOS XR does not support PIMv1. PIM is not enabled by default on
Cisco IOS XR.
Additional information about PIM on Cisco IOS XR is available at
http://www.cisco.com/en/US/products/ps5845/products_configuration_guide_cha…
Devices Configured for Pragmatic General Multicast (PGM)
+-------------------------------------------------------
A router that is configured to process PGM packets will have the
interface configuration statement "ip pgm router", which can be
seen by issuing the command "show running-config" as shown in
the following examples:
router#show running-config | include ip pgm
ip pgm router
or
router#show running-config
interface FastEthernet1/0
ip address 192.0.2.1 255.255.255.0
ip pim sparse-dense-mode
ip pgm router
or
router#show running-config
interface FastEthernet1/0
ip address 192.0.2.1 255.255.255.0
ip pgm router
Routers that do not have PGM configured are not vulnerable to the PGM
exploit. PGM is not enabled by default.
Additional information about PGM is available at
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configurati…
Cisco IOS XR does not support PGM and is not affected by PGM packets
that exploit this vulnerability.
Devices Configured for URL Rendezvous Directory (URD)
+----------------------------------------------------
A router that is configured to process URD packets will have the
interface configuration statement "ip urd" or "ip urd proxy",
which can be seen by issuing the command "show running-config"
as shown in the following examples:
router#show running-config | include ip urd
ip urd
or
router#show running-config | include ip urd
ip urd proxy
or
router#show running-config
interface FastEthernet1/0
ip address 192.0.2.1 255.255.255.0
ip pim sparse-mode
ip urd
or
router#show running-config
interface FastEthernet1/0
ip address 192.0.2.1 255.255.255.0
ip pim sparse-dense-mode
ip urd proxy
or
router#show running-config
interface FastEthernet1/0
ip address 192.0.2.1 255.255.255.0
ip urd
Routers that do not have URD configured are not vulnerable to the URD
exploit. URD is not enabled by default.
Additional information about URD is available at
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configurati…
Cisco IOS XR does not support URD and is not affected by URD packets
that exploit this vulnerability.
Vulnerability Scoring Details
=============================
Cisco is providing scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). Cisco will
provide a base and temporal score. Customers can then compute
environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco PSIRT will set the bias in all cases to normal. Customers are
encouraged to apply the bias parameter when determining the
environmental impact of a particular vulnerability.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCec71950 - Crafted IP Option may cause DoS or code execution
CVSS Base Score: 10
- Access Vector: Remote
- Access Complexity: Low
- Authentication: Not Required
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
- Impact Bias: Normal
CVSS Temporal Score: 8.3
- Exploitability: Functional
- Remediation Level: Official Fix
- Report Confidence: Confirmed
CSCeh52410 - Crafted IP Option may cause ipv4-io DoS or code
execution
CVSS Base Score: 10
- Access Vector: Remote
- Access Complexity: Low
- Authentication: Not Required
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
- Impact Bias: Normal
CVSS Temporal Score: 8.3
- Exploitability: Functional
- Remediation Level: Official Fix
- Report Confidence: Confirmed
Impact
======
Cisco IOS
+--------
Successful exploitation of the vulnerability on Cisco IOS may result
in a reload of the device or execution of arbitrary code. Repeated
exploitation could result in a sustained DoS attack.
Cisco IOS XR
+-----------
Successful exploitation of the vulnerability on Cisco IOS XR may
result in the ipv4_io process restarting or execution of arbitrary
code. Repeated exploitation could result in a CRS-1 Node or XR 12000
Line Card reload and sustained DoS attack.
Software Version and Fixes
==========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) describes a release
train and the platforms or products for which it is intended. If a
given release train is vulnerable, then the earliest possible
releases that contain the fix (the "First Fixed Release") and the
anticipated date of availability for each are listed in the "Rebuild"
and "Maintenance" columns. A device running a release in the given
train that is earlier than the release in a specific column (less
than the First Fixed Release) is known to be vulnerable. The release
should be upgraded at least to the indicated release or a later
version (greater than or equal to the First Fixed Release label).
For more information on the terms "Rebuild" and "Maintenance,"
consult the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper…
Note: There are three IOS security advisories and one field notice
being published on January 24, 2007. Each advisory lists only the
releases which fix the issue described in the advisory. A combined
software table is available at
http://www.cisco.com/warp/public/707/cisco-sa-20070124-bundle.shtml
and can be used to choose a software release which fixes all
security vulnerabilities published as of January 24, 2007. Links
for the advisories and field notice are listed here.
* http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.sh…
* http://www.cisco.com/warp/customer/770/fn62613.shtml
Requests for software rebuilds to include the change for Daylight
Savings Time (DST) that will be implemented in March 2007 should be
directed through the Technical Assistance Center (TAC), and this
advisory should be used as reference.
+---------------------------------------+
| Major | Availability of Repaired |
| Release | Releases |
|------------+--------------------------|
| Affected | | |
| 12.0-Based | Rebuild | Maintenance |
| Release | | |
|------------+--------------------------|
| 12.0 | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0DA | Vulnerable; migrate to |
| | 12.2(10)DA5 or later |
|------------+--------------------------|
| 12.0DB | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| 12.0DC | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| 12.0S | 12.0(27)S3 | 12.0(28)S |
|------------+--------------------------|
| 12.0SC | Vulnerable; migrate to |
| | 12.3(9a)BC or later |
|------------+--------------------------|
| 12.0SL | Vulnerable; migrate to |
| | 12.0(28)S or later |
|------------+--------------------------|
| 12.0SP | Vulnerable; migrate to |
| | 12.0(28)S or later |
|------------+--------------------------|
| 12.0ST | Vulnerable; migrate to |
| | 12.0(28)S or later |
|------------+--------------------------|
| 12.0SX | 12.0(25) | 12.0(30)SX |
| | SX11 | |
|------------+------------+-------------|
| 12.0SY | | 12.0(27)SY |
|------------+------------+-------------|
| 12.0SZ | | 12.0(30)SZ |
|------------+--------------------------|
| 12.0T | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| | 12.0(28)W5 | |
| 12.0W | (32c); | |
| | available | |
| | 31-Jan-07 | |
|------------+------------+-------------|
| 12.0WC | 12.0(5) | |
| | WC15 | |
|------------+--------------------------|
| 12.0WT | Vulnerable; contact TAC |
|------------+--------------------------|
| 12.0XA | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XB | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XC | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XD | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XE | Vulnerable; migrate to |
| | 12.1(23)E or later |
|------------+--------------------------|
| 12.0XF | Not vulnerable |
|------------+--------------------------|
| 12.0XG | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XH | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XI | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XJ | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XK | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XL | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XM | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XN | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XQ | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XR | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XS | Vulnerable; migrate to |
| | 12.1(23)E or later |
|------------+--------------------------|
| 12.0XV | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.0XW | Vulnerable; migrate to |
| | 12.0(5)WC15 or later |
|------------+--------------------------|
| Affected | | |
| 12.1-Based | Rebuild | Maintenance |
| Release | | |
|------------+--------------------------|
| 12.1 | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.1AA | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| | Vulnerable; for |
| | c3750-ME, migrate to |
| 12.1AX | 12.2(25)EY or later. For |
| | c2970 and 3750, migrate |
| | to 12.2(25)SE or later. |
|------------+--------------------------|
| 12.1AY | Vulnerable; migrate to |
| | 12.1(22)EA8 |
|------------+--------------------------|
| 12.1AZ | Vulnerable; migrate to |
| | 12.1(22)EA8 |
|------------+--------------------------|
| 12.1CX | Vulnerable; migrate to |
| | 12.2(37)or later |
|------------+--------------------------|
| 12.1DA | Vulnerable; migrate to |
| | 12.2(10)DA5 or later |
|------------+--------------------------|
| 12.1DB | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| 12.1DC | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| 12.1E | | 12.1(23)E |
|------------+------------+-------------|
| 12.1EA | 12.1(22) | |
| | EA8 | |
|------------+------------+-------------|
| 12.1EB | | 12.1(23)EB |
|------------+--------------------------|
| 12.1EC | Vulnerable; migrate to |
| | 12.3(9a)BC or later |
|------------+--------------------------|
| | 12.1(19) | |
| | EO6, | |
| | available | |
| 12.1EO | 31-Jan-07 | |
| |------------+-------------|
| | 12.1(20) | |
| | EO3 | |
|------------+--------------------------|
| 12.1EU | Vulnerable; migrate to |
| | 12.2(25)EWA or later |
|------------+--------------------------|
| 12.1EV | Vulnerable; migrate to |
| | 12.2(26)SV1 or later |
|------------+--------------------------|
| 12.1EW | Vulnerable; migrate to |
| | 12.2(18)EW3 or later |
|------------+--------------------------|
| 12.1EX | Vulnerable; migrate to |
| | 12.1(23)E or later |
|------------+--------------------------|
| 12.1EY | Vulnerable; migrate to |
| | 12.1(23)E or later |
|------------+--------------------------|
| 12.1EZ | Vulnerable; migrate to |
| | 12.1(23)E or later |
|------------+--------------------------|
| 12.1T | Vulnerable; migrate to |
| | 12.2(37) or later |
|------------+--------------------------|
| 12.1XA | Vulnerable; migrate to |
| | 12.2(37) or later |
|------------+--------------------------|
| 12.1XB | Vulnerable; migrate to |
| | 12.2(37) or later |
|------------+--------------------------|
| 12.1XC | Vulnerable; migrate to |
| | 12.2(37) or later |
|------------+--------------------------|
| 12.1XD | Vulnerable; migrate to |
| | 12.2(37) or later |
|------------+--------------------------|
| 12.1XE | Vulnerable; migrate to |
| | 12.1(23)E or later |
|------------+--------------------------|
| 12.1XF | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1XG | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1XH | Vulnerable; migrate to |
| | 12.2(37) or later |
|------------+--------------------------|
| 12.1XI | Vulnerable; migrate to |
| | 12.2(37) or later |
|------------+--------------------------|
| 12.1XJ | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1XL | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1XM | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1XP | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1XQ | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1XR | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1XS | Vulnerable; migrate to |
| | 12.2(37) or later |
|------------+--------------------------|
| 12.1XT | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1XU | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1XV | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1XW | Vulnerable; migrate to |
| | 12.2(37) or later |
|------------+--------------------------|
| 12.1XX | Vulnerable; migrate to |
| | 12.2(37) or later |
|------------+--------------------------|
| 12.1XY | Vulnerable; migrate to |
| | 12.2(37) or later |
|------------+--------------------------|
| 12.1XZ | Vulnerable; migrate to |
| | 12.2(37) or later |
|------------+--------------------------|
| 12.1YA | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1YB | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1YC | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1YD | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1YE | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1YF | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1YH | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1YI | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.1YJ | Vulnerable; migrate to |
| | 12.1(22)EA8 |
|------------+--------------------------|
| Affected | | |
| 12.2-Based | Rebuild | Maintenance |
| Release | | |
|------------+------------+-------------|
| 12.2 | 12.2(34a) | 12.2(37) |
|------------+--------------------------|
| 12.2B | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| 12.2BC | Vulnerable; migrate to |
| | 12.3(9a)BC or later |
|------------+--------------------------|
| 12.2BW | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2BY | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| 12.2BZ | Vulnerable; migrate to |
| | 12.3(7)XI8 or later |
|------------+--------------------------|
| 12.2CX | Vulnerable; migrate to |
| | 12.3(9a)BC or later |
|------------+--------------------------|
| 12.2CY | Vulnerable; migrate to |
| | 12.3(9a)BC or later |
|------------+--------------------------|
| 12.2CZ | Vulnerable; contact TAC |
|------------+--------------------------|
| | 12.2(10) | |
| | DA5 | |
|12.2DA |------------+-------------|
| | 12.2(12) | |
| | DA10 | |
|------------+--------------------------|
| 12.2DD | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| 12.2DX | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| 12.2EU | Vulnerable; migrate to |
| | 12.2(25)EWA5 or later |
|------------+--------------------------|
| | 12.2(18) | |
| | EW3 | |
|12.2EW |------------+-------------|
| | 12.2(20) | 12.2(25)EW |
| | EW4 | |
|------------+------------+-------------|
| 12.2EWA | 12.2(20) | 12.2(25)EWA |
| | EWA4 | |
|------------+------------+-------------|
| 12.2EX | | 12.2(25)EX |
|------------+--------------------------|
| 12.2EY | All 12.2EY releases are |
| | fixed |
|------------+--------------------------|
| 12.2EZ | All 12.2EZ releases are |
| | fixed |
|------------+--------------------------|
| 12.2FX | All 12.2FX releases are |
| | fixed |
|------------+--------------------------|
| 12.2FY | All 12.2FY releases are |
| | fixed |
|------------+--------------------------|
| 12.2FZ | All 12.2FZ releases are |
| | fixed |
|------------+--------------------------|
| 12.2IXA | All 12.2IXA releases are |
| | fixed |
|------------+--------------------------|
| 12.2IXB | All 12.2IXB releases are |
| | fixed |
|------------+--------------------------|
| 12.2IXC | All 12.2IXC releases are |
| | fixed |
|------------+--------------------------|
| 12.2JA | Vulnerable; migrate to |
| | 12.3(8)JA or later |
|------------+--------------------------|
| 12.2JK | Vulnerable; migrate to |
| | 12.4(4)T or later |
|------------+--------------------------|
| 12.2MB | Vulnerable; migrate to |
| | 12.2(25)SW1 or later |
|------------+--------------------------|
| 12.2MC | 12.2(15)MC2h |
|------------+--------------------------|
| 12.2S | | 12.2(25)S |
|------------+------------+-------------|
| 12.2SB | | 12.2(28)SB |
|------------+--------------------------|
| 12.2SBC | All 12.2SBC releases are |
| | fixed |
|------------+--------------------------|
| 12.2SE | | 12.2(25)SE |
|------------+--------------------------|
| 12.2SEA | All 12.2SEA releases are |
| | fixed |
|------------+--------------------------|
| 12.2SEB | All 12.2SEB releases are |
| | fixed |
|------------+--------------------------|
| 12.2SEC | All 12.2SEC releases are |
| | fixed |
|------------+--------------------------|
| 12.2SED | All 12.2SED releases are |
| | fixed |
|------------+--------------------------|
| 12.2SEE | All 12.2SEE releases are |
| | fixed |
|------------+--------------------------|
| 12.2SEF | All 12.2SEF releases are |
| | fixed |
|------------+--------------------------|
| 12.2SEG | All 12.2SEG releases are |
| | fixed |
|------------+--------------------------|
| 12.2SG | All 12.2SG releases are |
| | fixed |
|------------+--------------------------|
| 12.2SGA | All 12.2SGA releases are |
| | fixed |
|------------+--------------------------|
| 12.2SO | 12.2(18) | |
| | SO7 | |
|------------+--------------------------|
| 12.2SRA | All 12.2SRA releases are |
| | fixed |
|------------+--------------------------|
| 12.2SRB | All 12.2SRB releases are |
| | fixed |
|------------+--------------------------|
| 12.2SU | Vulnerable; migrate to |
| | 12.3(14)T or later |
|------------+--------------------------|
| 12.2SV | | 12.2(23)SV |
|------------+------------+-------------|
| 12.2SW | 12.2(25) | |
| | SW1 | |
|------------+--------------------------|
| 12.2SX | Vulnerable; migrate to |
| | 12.2(17d)SXB11a or later |
|------------+--------------------------|
| 12.2SXA | Vulnerable; migrate to |
| | 12.2(17d)SXB11a or later |
|------------+--------------------------|
| 12.2SXB | 12.2(17d) | |
| | SXB11a | |
|------------+------------+-------------|
| 12.2SXD | 12.2(18) | |
| | SXD7a | |
|------------+--------------------------|
| 12.2SXE | All 12.2SXE releases are |
| | fixed |
|------------+--------------------------|
| 12.2SXF | All 12.2SXF releases are |
| | fixed |
|------------+--------------------------|
| 12.2SY | Vulnerable; migrate to |
| | 12.2(17d)SXB11a or later |
|------------+--------------------------|
| 12.2SZ | Vulnerable; migrate to |
| | 12.2(25)S or later |
|------------+--------------------------|
| 12.2T | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2TPC | Vulnerable; contact TAC |
|------------+--------------------------|
| 12.2XA | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XB | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XC | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.2XD | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XE | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XF | Vulnerable; migrate to |
| | 12.3(9a)BC or later |
|------------+--------------------------|
| 12.2XG | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XH | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XI | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XJ | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XK | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XL | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XM | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XN | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XQ | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XR | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XS | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XT | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XU | Vulnerable; migrate to |
| | 12.3(12) or later |
|------------+--------------------------|
| 12.2XV | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2XW | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2YA | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2YB | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2YC | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2YD | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.2YE | Vulnerable; migrate to |
| | 12.2(25)S or later |
|------------+--------------------------|
| 12.2YF | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2YG | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2YH | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2YJ | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2YK | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.2YL | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.2YM | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.2YN | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.2YO | Not vulnerable |
|------------+--------------------------|
| 12.2YP | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2YQ | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| 12.2YR | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| 12.2YS | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.2YT | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2YU | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.2YV | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| 12.2YW | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.2YX | Vulnerable; migrate to |
| | 12.3(14)T or later |
|------------+--------------------------|
| 12.2YY | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| 12.2YZ | Vulnerable; migrate to |
| | 12.2(25)S or later |
|------------+--------------------------|
| 12.2ZA | Vulnerable; migrate to |
| | 12.2(17d)SXBa or later |
|------------+--------------------------|
| 12.2ZB | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.2ZC | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.2ZD | Vulnerable; contact TAC |
|------------+--------------------------|
| 12.2ZE | Vulnerable; migrate to |
| | 12.3(8) or later |
|------------+--------------------------|
| 12.2ZF | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| | Vulnerable; for SOHO9x, |
| 12.2ZG | migrate to 12.3(8)YG2 or |
| | later. For c83x, migrate |
| | to 12.3(2)XA3 or later |
|------------+--------------------------|
| 12.2ZH | Vulnerable; contact TAC |
|------------+--------------------------|
| 12.2ZJ | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.2ZL | Vulnerable; contact TAC |
|------------+--------------------------|
| 12.2ZN | Vulnerable; migrate to |
| | 12.3(4)T13 or later |
|------------+--------------------------|
| 12.2ZP | Vulnerable; migrate to |
| | 12.3(8)XY or later |
|------------+--------------------------|
| Affected | | |
| 12.3-Based | Rebuild | Maintenance |
| Release | | |
|------------+------------+-------------|
| 12.3 | | 12.3(8) |
|------------+--------------------------|
| 12.3B | Vulnerable; migrate to |
| | 12.3(8)T7 or later |
|------------+--------------------------|
| 12.3BC | | 12.3(9a)BC |
|------------+--------------------------|
| 12.3BW | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.3JA | | 12.3(8)JA |
|------------+--------------------------|
| 12.3JEA | All 12.3JEA releases are |
| | fixed |
|------------+--------------------------|
| 12.3JEB | All 12.3JEA releases are |
| | fixed |
|------------+--------------------------|
| 12.3JK | 12.3(2)JK2 | 12.3(8)JK |
|------------+------------+-------------|
| 12.3JX | 12.3(7)JX6 | 12.3(11)JX |
|------------+------------+-------------|
| 12.3T | 12.3(4)T13 | 12.3(8)T |
|------------+------------+-------------|
| 12.3TPC | 12.3(4) | |
| | TPC11b | |
|------------+------------+-------------|
| 12.3XA | 12.3(2)XA6 | |
|------------+--------------------------|
| 12.3XB | Vulnerable; migrate to |
| | 12.3(8)T or later |
|------------+--------------------------|
| 12.3XC | Vulnerable; contact TAC |
|------------+--------------------------|
| 12.3XD | Vulnerable; migrate to |
| | 12.3(8)T7 or later |
|------------+--------------------------|
| 12.3XE | Vulnerable; contact TAC |
|------------+--------------------------|
| 12.3XF | Vulnerable; migrate to |
| | 12.3(11)T or later |
|------------+--------------------------|
| 12.3XG | Vulnerable; contact TAC |
|------------+--------------------------|
| 12.3XH | Vulnerable; migrate to |
| | 12.3(11)T or later |
|------------+--------------------------|
| 12.3XI | 12.3(7)XI8 | |
|------------+--------------------------|
| 12.3XJ | Vulnerable; migrate to |
| | 12.3(8)XW or later |
|------------+--------------------------|
| 12.3XK | Vulnerable; migrate to |
| | 12.3(14)T or later |
|------------+--------------------------|
| 12.3XQ | Vulnerable; migrate to |
| | 12.4(1) or later |
|------------+--------------------------|
| 12.3XR | All 12.3XR releases are |
| | fixed |
|------------+--------------------------|
| 12.3XS | All 12.3XS releases are |
| | fixed |
|------------+--------------------------|
| 12.3XU | All 12.3XU releases are |
| | fixed |
|------------+--------------------------|
| 12.3XW | All 12.3XW releases are |
| | fixed |
|------------+--------------------------|
| 12.3XX | All 12.3XX releases are |
| | fixed |
|------------+--------------------------|
| 12.3XY | All 12.3XR releases are |
| | fixed |
|------------+--------------------------|
| 12.3YA | All 12.3YA releases are |
| | fixed |
|------------+--------------------------|
| 12.3YD | All 12.3YD releases are |
| | fixed |
|------------+--------------------------|
| 12.3YF | All 12.3YF releases are |
| | fixed |
|------------+--------------------------|
| 12.3YG | All 12.3YG releases are |
| | fixed |
|------------+--------------------------|
| 12.3YH | All 12.3YH releases are |
| | fixed |
|------------+--------------------------|
| 12.3YI | All 12.3YI releases are |
| | fixed |
|------------+--------------------------|
| 12.3YJ | All 12.3YJ releases are |
| | fixed |
|------------+--------------------------|
| 12.3YK | All 12.3YK releases are |
| | fixed |
|------------+--------------------------|
| 12.3YM | All 12.3YM releases are |
| | fixed |
|------------+--------------------------|
| 12.3YQ | All 12.3YQ releases are |
| | fixed |
|------------+--------------------------|
| 12.3YS | All 12.3YS releases are |
| | fixed |
|------------+--------------------------|
| 12.3YT | All 12.3YT releases are |
| | fixed |
|------------+--------------------------|
| 12.3YU | All 12.3YU releases are |
| | fixed |
|------------+--------------------------|
| 12.3YX | All 12.3YX releases are |
| | fixed |
|------------+--------------------------|
| 12.3YZ | All 12.3YZ releases are |
| | fixed |
|------------+--------------------------|
| Affected | | |
| 12.4-Based | Rebuild | Maintenance |
| Release | | |
|---------------------------------------|
| All 12.4 releases are fixed |
+---------------------------------------+
+---------------------------------------+
| Cisco IOS XR Version | SMU ID |
|-----------------------------+---------|
| 3.2.2 for CRS-1 | AA01482 |
|-----------------------------+---------|
| 3.2.3 for CRS-1 | AA01483 |
|-----------------------------+---------|
| 3.2.4 for CRS-1 | AA01484 |
|-----------------------------+---------|
| 3.2.6 for CRS-1 | AA01727 |
|-----------------------------+---------|
| 3.3.x for CRS-1 and XR12000 | Fixed |
|-----------------------------+---------|
| 3.4.x for CRS-1 and XR12000 | Fixed |
+---------------------------------------+
Workarounds
===========
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this advisory:
http://www.cisco.com/warp/public/707/cisco-air-20070124-crafted-ip-option.s…
IP Options Selective Drop
+------------------------
The IP Options Selective Drop feature allows Cisco routers to
mitigate the effects of IP options by dropping packets containing
them or by not processing (ignoring) IP options in a packet.
The most effective workaround is the "drop" option of the global
configuration command "ip options drop". This command drops all IP
packets that contain IP options, whether they are destined to the
router itself or transiting through the router, before they are
processed, preventing exploitation locally and downstream.
The IP Options Selective Drop feature is available beginning in Cisco
IOS software version 12.0(23)S for 12000, 12.0(32)S for 10720, and
12.3(4)T, 12.2(25)S, and 12.2(27)SBC for other hardware platforms.
Please note that deploying this command will drop legitimate packets
containing IP options as well. Protocols this may impact include RSVP
(used by Microsoft NetMeeting), MPLS TE, MPLS OAM, DVMRP, IGMPv3,
IGMPv2, and legitimate PGM.
Note: The "ignore" option of the global command "ip options ignore",
available only on the Cisco 12000 router beginning in 12.0(23)S, is
NOT a workaround for this issue.
Additional information about IP Options Selective Drop feature is
available at
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_gui…
Transit Access Control Lists (ACLs)
+----------------------------------
Configure an interface ACL that blocks traffic of these types:
* Echo (Ping) ICMP type 8
* Timestamp ICMP type 13
* Information Request ICMP type 15
* Address Mask Request ICMP Type 17
* Protocol Independent Multicast (PIM) IP protocol 103
* Pragmatic General Multicast (PGM) IP protocol 113
* URL Rendezvous Directory (URD) TCP port 465
The Internet Control Message Protocol is an integral part of the
Transmission Control Protocol/Internet Protocol (TCP/IP) protocol
suite that is used to report error conditions and provide diagnostic
information. Filtering ICMP messages may impact this error condition
and diagnostic reporting, including "ping" and Windows traceroute,
which uses ICMP ping.
If the device is configured to process PIM, PGM, or URD, blocking
those packets will prevent legitimate operation of the protocols.
Since the source IP address of these packets can be easily spoofed,
the affected traffic should be blocked on all of the device's IPv4
interfaces.
The following ACL is specifically designed to block attack traffic
and should be applied to all IPv4 interfaces of the device and should
include topology-specific filters:
    access-list 150 deny icmp any any echo
    access-list 150 deny icmp any any information-request
    access-list 150 deny icmp any any timestamp-request
    access-list 150 deny icmp any any mask-request
    access-list 150 deny tcp any any eq 465
    access-list 150 deny 103 any any
    access-list 150 deny 113 any any
    access-list 150 permit ip any any
    interface serial 2/0
     ip access-group 150 in
These ACL statements should be deployed at the network edge as part
of a transit access list which will protect the router where the ACL
is configured as well as other devices behind it. Further information
about transit ACLs is available in the white paper "Transit Access
Control Lists: Filtering at Your Edge", available at
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0…
The following Cisco IOS XR ACL is specifically designed to block
attack traffic and should be applied to all IPv4 interfaces of the
device and should include topology-specific filters:
    ipv4 access-list ios-xr-transit-acl
     10 deny icmp any any echo
     20 deny icmp any any information-request
     30 deny icmp any any timestamp-request
     40 deny icmp any any mask-request
     50 deny tcp any any eq 465
     60 deny 103 any any
     70 deny 113 any any
     80 permit ip any any
    interface POS 0/2/0/
     ipv4 access-group ios-xr-transit-acl ingress
Information about configuring access lists on Cisco IOS XR is
available at
http://www.cisco.com/en/US/products/ps5763/products_command_reference_chapt…
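The transit ACL only helps if every listed traffic type is denied before the catch-all permit and the ACL is bound inbound on every IPv4 interface. The following audit script is an added example, not part of the Cisco advisory; it covers IOS numbered-ACL syntax only, and its function names and the embedded running-config are constructed for illustration.

```python
import re

# Tail of each IOS extended-ACL entry the advisory's transit ACL denies,
# mapped to the traffic type named in the advisory's bullet list.
REQUIRED_DENIES = {
    "icmp any any echo": "Echo (ICMP type 8)",
    "icmp any any timestamp-request": "Timestamp (ICMP type 13)",
    "icmp any any information-request": "Information Request (ICMP type 15)",
    "icmp any any mask-request": "Address Mask Request (ICMP type 17)",
    "103 any any": "PIM (IP protocol 103)",
    "113 any any": "PGM (IP protocol 113)",
    "tcp any any eq 465": "URD (TCP port 465)",
}
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")
GROUP_RE = re.compile(r"^ip access-group\s+(\S+)\s+in$")

# Constructed sample: mask-request sits after the catch-all permit and
# Serial2/1 has an IPv4 address but no inbound ACL.
SAMPLE_CONFIG = """\
hostname edge-rtr-example
!
interface Serial2/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 150 in
!
interface Serial2/1
 ip address 192.0.2.5 255.255.255.252
!
interface Serial2/2
 no ip address
 shutdown
!
access-list 150 deny icmp any any echo
access-list 150 deny icmp any any information-request
access-list 150 deny icmp any any timestamp-request
access-list 150 deny tcp any any eq 465
access-list 150 deny pim any any
access-list 150 deny 113 any any
access-list 150 permit ip any any
access-list 150 deny icmp any any mask-request
"""


def normalise(rule):
    """Lower-case, collapse whitespace, and map the 'pim' keyword to 103."""
    rule = " ".join(rule.lower().split())
    return "103" + rule[3:] if rule.startswith("pim ") else rule


def parse_config(text):
    """Return (acls, interfaces, options_drop) from IOS-style config text."""
    acls, interfaces, options_drop, current = {}, {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0].isspace() and current is not None:
            # Indented line: a sub-command of the current interface block.
            iface = interfaces[current]
            group = GROUP_RE.match(line)
            if line.startswith("ip address "):
                iface["ipv4"] = True
            elif line == "shutdown":
                iface["shutdown"] = True
            elif group:
                iface["acl_in"] = group.group(1)
            continue
        current = None  # any non-indented line closes the interface block
        entry = ACL_RE.match(line)
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"ipv4": False, "shutdown": False,
                                   "acl_in": None}
        elif line == "ip options drop":
            options_drop = True
        elif entry:
            acls.setdefault(entry.group(1), []).append(
                (entry.group(2), normalise(entry.group(3))))
    return acls, interfaces, options_drop


def audit(text, acl_id):
    """Report gaps between the config and the advisory's transit-ACL advice."""
    acls, interfaces, options_drop = parse_config(text)
    effective = set()
    for action, rule in acls.get(acl_id, []):
        if action == "permit" and rule == "ip any any":
            break  # entries after the catch-all permit are never evaluated
        if action == "deny":
            effective.add(rule)
    missing = [label for rule, label in REQUIRED_DENIES.items()
               if rule not in effective]
    unprotected = sorted(name for name, iface in interfaces.items()
                         if iface["ipv4"] and not iface["shutdown"]
                         and iface["acl_in"] != acl_id)
    return {"options_drop": options_drop, "missing_denies": missing,
            "unprotected_interfaces": unprotected}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "150"))
```

Topology-specific permit entries placed ahead of the denies are not modelled; the script treats only "permit ip any any" as the point after which entries are unreachable.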
Infrastructure ACLs
+------------------
Although it is often difficult to block traffic transiting your
network, it is possible to identify traffic which should never be
allowed to target your infrastructure devices and block that traffic
at the border of your network. Infrastructure ACLs are considered a
network security best practice and should be considered as a
long-term addition to good network security as well as a workaround
for this specific vulnerability. The ACL example shown below should
be included as part of the deployed infrastructure access list which
will protect all devices with IP addresses in the infrastructure IP
address range.
Cisco IOS
+--------
    access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES echo
    access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES information-request
    access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES timestamp-request
    access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES mask-request
    access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES eq 465
    access-list 150 deny 103 any INFRASTRUCTURE_ADDRESSES
    access-list 150 deny 113 any INFRASTRUCTURE_ADDRESSES
    access-list 150 permit ip any any
    interface serial 2/0
     ip access-group 150 in
Cisco IOS XR
+-----------
    ipv4 access-list ios-xr-infrastructure-acl
     10 deny icmp any INFRASTRUCTURE_ADDRESSES echo
     20 deny icmp any INFRASTRUCTURE_ADDRESSES information-request
     30 deny icmp any INFRASTRUCTURE_ADDRESSES timestamp-request
     40 deny icmp any INFRASTRUCTURE_ADDRESSES mask-request
     50 deny tcp any INFRASTRUCTURE_ADDRESSES eq 465
     60 deny 103 any INFRASTRUCTURE_ADDRESSES
     70 deny 113 any INFRASTRUCTURE_ADDRESSES
     80 permit ip any any
    interface POS 0/2/0/2
     ipv4 access-group ios-xr-infrastructure-acl ingress
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists and
is available at
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0…
Information about configuring access lists on Cisco IOS XR is
available at
http://www.cisco.com/en/US/products/ps5763/products_command_reference_chapt…
Receive ACLs
+-----------
For distributed platforms, receive ACLs may be an option starting in
Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S
for the 7500, and 12.0(31)S for the 10720. The receive ACL protects
the device from harmful traffic before the traffic can impact the
route processor. A receive ACL is designed to protect only the device
on which it is configured. On the 12000, transit traffic is never
affected by a receive ACL. Because of this, the destination IP
address "any" used in the example ACL entries below refers only to the
router's own physical or virtual IP addresses. On the 7500 and 10720,
transit traffic with IP options set will be subject to the receive
ACL and permitted or denied accordingly. Receive ACLs are considered
a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround
for this specific vulnerability.
The white paper entitled "GSR: Receive Access Control Lists" will
help you identify and allow legitimate traffic to your device and
deny all unwanted packets and is available at
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0…
The following receive path ACL is designed specifically to block this
attack traffic:
    access-list 101 deny icmp any any echo
    access-list 101 deny icmp any any information-request
    access-list 101 deny icmp any any timestamp-request
    access-list 101 deny icmp any any mask-request
    access-list 101 deny tcp any any eq 465
    access-list 101 deny 103 any any
    access-list 101 deny 113 any any
    access-list 101 permit ip any any
    !
    ip receive access-list 101
Control Plane Policing
+---------------------
The Control Plane Policing (CoPP) feature may be used to mitigate
this vulnerability. In the following example, any packets that can
exploit the vulnerability are denied while all other IP traffic is
permitted. Because of the way routers process packets with IP
options, CoPP will be applied to attack packets destined for the
router itself and packets transiting through the router to other
destination IP addresses. This applies to all platforms except the
12000 where only attack packets destined for the router itself will
be dropped.
    access-list 100 permit icmp any any echo
    access-list 100 permit icmp any any information-request
    access-list 100 permit icmp any any timestamp-request
    access-list 100 permit icmp any any mask-request
    access-list 100 permit tcp any any eq 465
    access-list 100 permit 103 any any
    access-list 100 permit 113 any any
    access-list 100 deny ip any any
    !
    class-map match-all drop-options-class
     match access-group 100
    !
    !
    policy-map drop-options-policy
     class drop-options-class
      drop
    !
    control-plane
     service-policy input drop-options-policy
Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains,
the policy-map syntax is different:
    policy-map drop-options-policy
     class drop-options-class
      police 32000 1500 1500 conform-action drop exceed-action drop
Because of the way routers process packets with IP options, CoPP will
be applied to attack packets destined for the router itself and
packets transiting through the router to other destination IP
addresses. In the following example, only packets with IP options
that can exploit the vulnerability and that are destined for the
router or that transit through the router are denied while all other
IP traffic is permitted.
    ip access-list extended drop-affected-options
     permit icmp any any echo option any-options
     permit icmp any any information-request option any-options
     permit icmp any any timestamp-request option any-options
     permit icmp any any mask-request option any-options
     permit pim any any option any-options
     permit 113 any any option any-options
     permit tcp any any eq 465 option any-options
     deny ip any any
    !
    class-map match-all drop-options-class
     match access-group name drop-affected-options
    !
    !
    policy-map drop-opt-policy
     class drop-options-class
      drop
    !
    control-plane
     service-policy input drop-opt-policy
Please note that in the 12.2S Cisco IOS train, the policy-map syntax
is different:
    policy-map drop-opt-policy
     class drop-options-class
      police 32000 1500 1500 conform-action drop exceed-action drop
CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S,
12.3T, 12.4, and 12.4T.
ACL support for filtering IP options requires named ACLs. ACL support
for filtering IP options is not available in 12.0S or 12.2SX.
Please note that PGM packets typically use the "Router Alert" Option,
and dropping PGM packets with IP options will affect legitimate PGM
packets.
In the above CoPP examples, the ACL entries that match the exploit
packets with the "permit" action result in these packets being
discarded by the policy-map drop function, while packets that match
the "deny" action are not affected by the policy-map drop function.
Additional information on the configuration and use of the CoPP
feature can be found at
http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804f…
and
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_gui…
Additional information for filtering IP Options with access lists can
be found at
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_gui…
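The two CoPP policies above differ in blast radius: access-list 100 matches the listed traffic types whether or not IP options are present, while drop-affected-options matches them only when options are present. The following model of that match logic is an added example, not Cisco code; the function names and sample packets are constructed, and reporting non-initial fragments as "unknown" is this example's simplification, not a statement about router behaviour.

```python
import struct

PROTO_ICMP, PROTO_TCP, PROTO_PIM, PROTO_PGM = 1, 6, 103, 113
URD_PORT = 465
ICMP_NAMES = {8: "echo", 13: "timestamp-request",
              15: "information-request", 17: "mask-request"}
ROUTER_ALERT = bytes([0x94, 0x04, 0x00, 0x00])  # RFC 2113 Router Alert option
NOP_OPTIONS = b"\x01\x01\x01\x01"               # four No-Operation options
ICMP_ECHO = bytes([8, 0, 0, 0, 0, 1, 0, 1])     # type 8, code 0 (constructed)


def build_ipv4(proto, payload, options=b"", frag_offset=0):
    """Build a constructed IPv4 packet; the checksum is left at 0 (unused)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad to a 32-bit word
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                         ihl * 4 + len(payload), 0, frag_offset & 0x1FFF,
                         64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return header + options + payload


def tcp_segment(dport):
    """Minimal constructed TCP SYN header to the given destination port."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02,
                       8192, 0, 0)


def copp_verdict(packet, require_options):
    """Return (action, matched entry) for one raw IPv4 packet.

    require_options=False models access-list 100; True models the named ACL
    drop-affected-options. A "permit" match means the policy-map drops it.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = packet[0] & 0x0F
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("invalid IPv4 header length")
    if require_options and ihl == 5:
        return ("pass", "deny ip any any")  # 20-byte header: no IP options
    suffix = " option any-options" if require_options else ""
    proto = packet[9]
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    payload = packet[ihl * 4:]
    if proto == PROTO_PIM:
        name = "pim" if require_options else "103"
        return ("drop", f"permit {name} any any{suffix}")
    if proto == PROTO_PGM:
        return ("drop", f"permit 113 any any{suffix}")
    if proto in (PROTO_ICMP, PROTO_TCP):
        if frag_offset:
            return ("unknown", "non-initial fragment, no layer-4 header")
        if proto == PROTO_ICMP:
            if not payload:
                return ("unknown", "truncated ICMP header")
            if payload[0] in ICMP_NAMES:
                return ("drop", f"permit icmp any any "
                                f"{ICMP_NAMES[payload[0]]}{suffix}")
        else:
            if len(payload) < 4:
                return ("unknown", "truncated TCP header")
            if struct.unpack("!H", payload[2:4])[0] == URD_PORT:
                return ("drop", f"permit tcp any any eq 465{suffix}")
    return ("pass", "deny ip any any")


# Constructed sample packets, never sent anywhere.
SAMPLES = {
    "ping, no options": build_ipv4(PROTO_ICMP, ICMP_ECHO),
    "ping, with options": build_ipv4(PROTO_ICMP, ICMP_ECHO, NOP_OPTIONS),
    "PGM, Router Alert": build_ipv4(PROTO_PGM, b"\x00" * 16, ROUTER_ALERT),
    "TCP/443, with options": build_ipv4(PROTO_TCP, tcp_segment(443),
                                        NOP_OPTIONS),
    "ICMP fragment, with options": build_ipv4(PROTO_ICMP, b"\x00" * 8,
                                              NOP_OPTIONS, frag_offset=185),
}


def verdicts():
    """Map sample name -> (action under ACL 100, action under named ACL)."""
    return {name: (copp_verdict(pkt, False)[0], copp_verdict(pkt, True)[0])
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in verdicts().items():
        print(f"{name:30} acl100={result[0]:8} named={result[1]}")
```

The "PGM, Router Alert" sample is dropped under both policies, which is the legitimate-PGM impact the advisory warns about.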
Obtaining Fixed Software
========================
Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed
software becomes available. Prior to deploying software, customers
should consult their maintenance provider or check the software for
feature set compatibility and known issues specific to their
environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as
otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact either "psirt(a)cisco.com" or "security-alert(a)cisco.com"
for software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreement with third-party support organizations
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party
vendors but are unsuccessful at obtaining fixed software through
their point of sale should get their upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the
TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory. This
vulnerability was discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.sh…
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-teams(a)first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision |             | Initial      |
| 1.0      | 2007-Jan-24 | public       |
|          |             | release.     |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
3
3
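Added example (not part of the Cisco advisory and not Cisco's code): a small Python model of the drop-affected-options ACL and the CoPP class from the advisory above, showing why the entries marked "permit" are the ones whose packets are dropped while the final "deny ip any any" leaves all other traffic alone. The Packet and Ace classes, the function names and the sample packets are constructed for illustration; the model covers only ACL matching, not how IOS hands traffic to the control plane.

```python
from dataclasses import dataclass
from typing import List, Optional

# IANA protocol numbers; 113 is PGM, written numerically in the advisory's ACL.
ICMP, TCP, PIM, PGM = 1, 6, 103, 113
# ICMP type numbers behind the IOS keywords used in the ACL.
ECHO, TIMESTAMP_REQ, INFO_REQ, MASK_REQ = 8, 13, 15, 17


@dataclass(frozen=True)
class Packet:
    """Constructed test packet: only the fields the ACL looks at."""
    proto: int
    has_ip_options: bool
    icmp_type: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One ACL entry. proto=None stands for the 'ip' keyword (any protocol)."""
    action: str                       # "permit" or "deny"
    proto: Optional[int] = None
    icmp_type: Optional[int] = None
    dst_port: Optional[int] = None
    any_options: bool = False         # 'option any-options'

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        # 'option any-options' only matches packets that carry an IP option.
        return p.has_ip_options or not self.any_options


# The advisory's 'drop-affected-options' ACL, entry for entry.
DROP_AFFECTED_OPTIONS: List[Ace] = [
    Ace("permit", ICMP, icmp_type=ECHO, any_options=True),
    Ace("permit", ICMP, icmp_type=INFO_REQ, any_options=True),
    Ace("permit", ICMP, icmp_type=TIMESTAMP_REQ, any_options=True),
    Ace("permit", ICMP, icmp_type=MASK_REQ, any_options=True),
    Ace("permit", PIM, any_options=True),
    Ace("permit", PGM, any_options=True),
    Ace("permit", TCP, dst_port=465, any_options=True),
    Ace("deny"),                      # deny ip any any
]


def acl_action(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; falling off the end is an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def copp_verdict(p: Packet) -> str:
    """ACL 'permit' puts the packet in drop-options-class, whose action is drop."""
    in_class = acl_action(DROP_AFFECTED_OPTIONS, p) == "permit"
    return "drop" if in_class else "forward"
```

A PGM packet that carries the Router Alert option comes back as "drop" in this model, which is the side effect on legitimate PGM traffic that the advisory warns about.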
25 Jan '07
I would say that this would work:
http://addxorrol.blogspot.com/2007/01/one-of-most-amusing-new-features-of.h…
It requires expensive software, BinNavi and IDA Pro Advanced, but
anyone equipped with those tools could do it.
I heard that parts of PaiMei work under BSD/Linux, and certainly GPF
and Autodafé could be used for fault injection during step-mode
debugging. PaiMei also uses IDA. The other tools are open-source
including PaiMei itself.
Using PyDBG in PaiMei could speed up the debugging faster than gdb by
way of scripting, which could allow things like process stalking. If
that's the case, I could envision anyone with a symbol table could get
PoC remote code execution (ala Mike Lynn and Hacking Exposed: Cisco
Networks) within 3 hours and have a reliable exploit within 10 hours.
Worm at 11.
But PaiMei doesn't do that (yet), and nobody has the rest of the
resources to accomplish this task. Right?
But, you don't really even need a symbol table if you have lots of
time to debug and design the exploit. This is more advanced and would
require somebody like Halvar Flake, FX, or Pedram Amini. All three of
which I credit for this vulnerability information feasibility
fact-finding.
So it's too late. Don't bother upgrading now; you're already owned.
Unless they are blocking it at the ISP borders in the same way they
blocked out the Cisco IPv4 Crafted DoS vulnerability in 2003. ISPs
probably got the patch (or at least Cisco's ISPs did) a week ago.
Had rolling reboots lately? Don't know why? Lots of "miscellaneous"
ISP maintenance. I wonder...
Hey Cisco - listen up. Hire some vulnerability assessors before the
future probable Month-of-Cisco-Bugs becomes Year-of-Cisco-Bugs aka
loss of 10B US dollars in revenue. Or whatever John Chambers makes,
whichever is lower.
-dre
On 1/24/07, Kevin Graham <mahargk(a)gmail.com> wrote:
> On Wed, 24 Jan 2007, Cisco Systems Product Security Incident Response
> Team wrote:
>
> > Cisco Security Advisory: Crafted IP Option Vulnerability
>
> If I recall correctly, this is the first (PSIRT acknowledged)
> stack/heap vulnerability since Michael Lynn's much-publicized BlackHat
> presentation. While there was plenty of brief speculation at the time
> of what Chinese/Russian/American-xenophobic-target hax0rs had already
> implemented, not much bubbled up to the operational world...
>
> Does anyone more active in the security community have pointers as to
> how generic (and common) are tools targeting IOS exist?
>
> On 1/24/07, Paul Stewart <paul(a)paulstewart.org> wrote:
>
> > I have read over this and am "fearful" of what I read.. my first thought is
> > to drop everything, get emergency maintenance window releases and spend a
> > couple of nights upgrading like crazy...
>
> "20070124-crafted-tcp" seems obvious enough (though it would've been
> good for PSIRT to indicate how "small" the leakage per packet is to
> gauge CoPP values), but "20070124-crafted-ip-option" likely should
> tingle your spine.
1
0
Confession time - I'm over 50
At 09:41 p.m. 24/01/2007 -0700, you wrote:
>As for plastic ties (TyRap is the brand name for the Thomas & Betts version)
>they may be easy to use, but they do have several functional drawbacks,
>including:
>
>1) difficulty in maintaining consistent tension from tie to tie, and as
> a corollary it is comparatively easy to overtighten one, risking
> compression-related damage to the underlying cabling, or as mentioned above,
> increasing crosstalk when using twisted-pair cables
You can buy a cable-tie gun from Panduit, along with ties on a bandolier.
They are used in appliance manufacture for making up wiring looms, instead
of lacing them. The tension is programmable. You may also remember that in
cars, the wiring harness was in a cloth jacket......
>2) can harden and/or become brittle over time, eventually failing under stress
H'mm - you buy various grades of cable-tie. I have a lot of personal
experience with a black Ty-Rap. It's black with a stainless-steel tag. The
black makes it UV-stable and I get nervous if we don't have a few thousand
in stock. I carry a few hundred in my van... White ties aren't UV stable
and so are indoor rated only.
Of course I live in a country where the weather report gives a UV rating
each day, due to the Ozone depletion making a hole right above us - due to
CFCs in aerosol cans. Thanks guys....and girls.
Get Joe Abley to tell you about CityLink over a few beers. But basically,
it's a 20Km metro fiber network suspended off the trolley bus wires. I built
the first 200 odd buildings, before we got "staff". The fiber is attached to
a synthetic rope (kevlar) which is the catenary wire, by a TyRap ty25 (from
memory), every 300 mm. The way we work was my van pulled the trailer with
the fiber drum, Ryan and Glenn were in the cherry-picker, moving from pole
to pole. I was on the ground cable tying like mad. Ryan then pulled the
cable up, tensioned it, made it fast, and we moved on. Been doing it since 1996.
These days we use self supporting fiber, so run much faster, no cable ties
until we overlay....
>3) typical background vibration causes them to tend to chafe the sheaths of the
> wiring that the ties are in direct contact with, over a period of years.
Buy the ones with stainless tags - they last for years. The cheap plastic
ones are toys.
>Lacing is a lot slower than using plastic ties, and doing it is rough on your
>fingers. If you're lucky you know a data tech who can show you how to do it
>properly, it's really not something that you can just describe in writing.
>
>Depending upon the specific need, contact points may also have pieces of fish
>paper laced to them before the wiring is laid out and laced into place.
>Not unusual to see this when DC power cables are being secured.
H'mmm - the DC cables I'm used to are the size of your arm - per
polarity.....we don't lace them, just bury them. But sorry - I'm old and
been around. I worked in a power utility for 14 years. BTW Broadband over
Power - we call ripple control. It turns on the street lights, load control
etc. Been doing it for years and it's not hard to go both ways. Zellweger in
Uster Switzerland used to make the cool stuff. I have photos somewhere.....
We also inject DC into the AC network, but that's another beer or two. First
you have to work out why the utilities use AC......
Rich
1
0
The agenda for the plenary sessions at NANOG 39 has been posted at
http://nanog.org/mtg-0702/topics.html
Times for the tutorial and BOF sessions, which will be held Monday
and Tuesday afternoons, will be updated soon.
See you in Toronto!
(U.S. residents: don't forget your passports...)
Steve Feldman
PC Chair
1
0
Forwarding on for APNIC...
-------- Original Message --------
Subject: [Apnic-announce] New APNIC IPv4 address ranges
Date: Thu, 18 Jan 2007 16:00:03 +1000
From: helpdesk(a)apnic.net
Reply-To: apnic-talk(a)apnic.net
To: apnic-announce(a)apnic.net
Dear colleagues
APNIC received the following IPv4 address blocks from IANA in Jan
2007 and will be making allocations from these ranges in the near
future:
116/8 APNIC
117/8 APNIC
118/8 APNIC
119/8 APNIC
120/8 APNIC
APNIC has made this announcement to enable the Internet community to update
network configurations, such as routing filters, where required.
Routability testing of new prefixes will commence on Friday January 19 2007.
The daily report will be published at the usual
URL:
http://www.ris.ripe.net/debogon/debogon.html
For more information on the resources administered by APNIC, please see:
http://www.apnic.net/db/ranges.html
For information on the minimum allocation sizes within address ranges
administered by APNIC, please see:
http://www.apnic.net/db/min-alloc.html
Kind regards
Guangliang
________________________________________________________________
Guangliang Pan email: helpdesk(a)apnic.net
Resources Services Manager sip: helpdesk(a)voip.apnic.net
APNIC phone: +61 7 3858 3188
http://www.apnic.net/ fax: +61 7 3858 3199
________________________________________________________________
1
0
The current high watt cooling technologies are definitely more expensive
(much more). Also, a facility would still need traditional forced to
maintain the building climate.
tv
----- Original Message -----
From: "Todd Glassey" <tglassey(a)earthlink.net>
To: "Tony Varriale" <tvarriale(a)comcast.net>; <nanog(a)merit.edu>
Sent: Wednesday, January 24, 2007 2:09 PM
Subject: Re: Colocation in the US.
> If the cooling is cheaper than the cost of the A/C or provides a backup,
> its a no brainer.
>
> Todd Glassey
>
>
> -----Original Message-----
>>From: Tony Varriale <tvarriale(a)comcast.net>
>>Sent: Jan 24, 2007 11:20 AM
>>To: nanog(a)merit.edu
>>Subject: Re: Colocation in the US.
>>
>>
>>I think the better questions are: when will customers be willing to pay
>>for it? and how much? :)
>>
>>tv
>>----- Original Message -----
>>From: "Mike Lyon" <mike.lyon(a)gmail.com>
>>To: "Paul Vixie" <vixie(a)vix.com>
>>Cc: <nanog(a)merit.edu>
>>Sent: Wednesday, January 24, 2007 11:54 AM
>>Subject: Re: Colocation in the US.
>>
>>
>>>
>>> Paul brings up a good point. How long before we call a colo provider
>>> to provision a rack, power, bandwidth and a to/from connection in each
>>> rack to their water cooler on the roof?
>>>
>>> -Mike
>>>
>>> On 24 Jan 2007 17:37:27 +0000, Paul Vixie <vixie(a)vix.com> wrote:
>>>>
>>>> drais(a)atlasta.net (david raistrick) writes:
>>>>
>>>> > > I had a data center tour on Sunday where they said that the way they
>>>> > > provide space is by power requirements. You state your power
>>>> > > requirements, they give you enough rack/cabinet space to *properly*
>>>> > > house gear that consumers that
>>>> >
>>>> > "properly" is open for debate here. ... It's possible to have a
>>>> > facility built to properly power and cool 10kW+ per rack. Just that most
>>>> > colo facilities aren't built to that level.
>>>>
>>>> i'm spec'ing datacenter space at the moment, so this is topical. at 10kW/R
>>>> you'd either cool ~333W/SF at ~30sf/R, or you'd dramatically increase sf/R
>>>> by requiring a lot of aisleway around every set of racks (~200sf per 4R
>>>> cage) to get it down to 200W/SF, or you'd compromise on W/R. i suspect
>>>> that the folks offering 10kW/R are making it up elsewhere, like 50sf/R
>>>> averaged over their facility. (this makes for a nice-sounding W/R number.)
>>>> i know how to cool 200W/SF but i do not know how to cool 333W/SF unless
>>>> everything in the rack is liquid cooled or unless the forced air is
>>>> bottom->top and the cabinet is completely enclosed and the doors are never
>>>> opened while the power is on.
>>>>
>>>> you can pay over here, or you can pay over there, but TANSTAAFL. for my
>>>> own purposes, this means averaging ~6kW/R with some hotter and some
>>>> colder, and cooling at ~200W/SF (which is ~30SF/R). the thing that's
>>>> burning me right now is that for every watt i deliver, i've got to burn a
>>>> watt in the mechanical to cool it all. i still want the rackmount
>>>> server/router/switch industry to move to liquid which is about 70% more
>>>> efficient (in the mechanical) than air as a cooling medium.
>>>>
>>>> > > It's a good way of looking at the problem, since the flipside of power
>>>> > > consumption is the cooling problem. Too many servers packed in a small
>>>> > > space (rack or cabinet) becomes a big cooling problem.
>>>> >
>>>> > Problem yes, but one that is capable of being engineered around (who'd
>>>> > have ever thought we could get 1000Mb/s through cat5, after all!)
>>>>
>>>> i think we're going to see a more Feynman-like circuit design where we're
>>>> not dumping electrons every time we change states, and before that we'll
>>>> see a standardized gozinta/gozoutta liquid cooling hookup for rackmount
>>>> equipment, and before that we're already seeing Intel and AMD in a
>>>> watts-per-computron race. all of that would happen before we'd air-cool
>>>> more than 200W/SF in the average datacenter, unless Eneco's chip works out
>>>> in which case all bets are off in a whole lotta ways.
>>>> --
>>>> Paul Vixie
>>>>
>>
>
1
0
IAB Workshop on Routing and Addressing [Was: Re: Google wants to be your Internet]
by Fergie 24 Jan '07
-- Jason LeBlanc <jml(a)packetpimp.org> wrote:
>...Some days it kills me that v6
>is still not really viable, I keep asking providers where they're
>at with it. Their most common complaint is that the operating
>systems don't support it yet. They mention primarily Windows since
>that is what is most implemented, not in the colo world but what the
>users have. I suggested they offer a service that somehow translates
>(heh, shifting the pain to them) v4 to v6 for their customers to move
>it along.
>
If you *really* want to know where things with IPv6, then you need
to read this:
Report from the IAB Workshop on Routing and Addressing
http://www.ietf.org/internet-drafts/draft-iab-raws-report-00.txt
- ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
1
0
Is there anything organized for the Super Bowl on Sunday Night? The last
time Super Bowl fell on a NANOG (NANOG 15) Sunday several of the sponsors
got together and had a Super Bowl party at the hotel. Does anyone know of
anything this time?
Ron Muir
2
1