Test
As an aside, I like John Murrell's headline in "Good Morning,
Silicon Valley" best of all --
"Cisco patches security researcher vulnerability"
http://blogs.siliconvalley.com/gmsv/2005/07/cisco_patches_s.html
;-)
- ferg
-- Saku Ytti <saku+nanog(a)ytti.fi> wrote:
I guess someone has to yell wolf every now and then to interest people
in maintaining their systems.
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(a)netzero.net or fergdawg(a)sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
I just happened to see this:
Last month, a company called Internet Security Systems (ISS) issued an alert
to warn users that Cisco's VoIP offering had a security flaw that would allow
just that. According to the company, this implementation flaw in Cisco's Call
Manager, which handles call signaling and routing, could allow a buffer
overflow that would grant an intruder access to the system to listen in on
all calls routed through it.
This is one scenario described by ISS and other vendors focused on selling
technology to plug the security holes in VoIP, a method for sending voice
traffic over IP that many say was not designed with security in mind. ISS and
its competitors, which come to this new field largely from the VoIP
management and IP security markets, forecast big risks for companies that
don't take VoIP security seriously, and undoubtedly look forward to
formidable revenue streams generated by those that do.
Guru
-----Original Message-----
From: owner-nanog(a)merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Janet
Sullivan
Sent: Friday, July 29, 2005 12:44 PM
To: swm(a)emanon.com; nanog(a)merit.edu
Subject: Re: Cisco IOS Exploit Cover Up
Scott Morris wrote:
> And quite honestly, we can probably be pretty safe in assuming they
> will not be running IPv6 (current exploit) or SNMP (older exploits) or
> BGP (other exploits) or SSH (even other exploits) on that box. :)
> (the 1601 or the 2500's)
If a worm writer wanted to cause chaos, they wouldn't target 2500s, but
7200s, 7600s, GSRs, etc.
The way I see it, all that's needed is two major exploits, one known by
Cisco, one not.
Exploit #1 will be made public. Cisco will release fixed code. Good
service providers will upgrade.
The upgraded code version will be the one targeted by the second, unknown,
exploit.
A two-part worm can infect Windows boxen via any common method, and then
use them to try the exploit against routers. A Windows box can find
routers to attack easily enough by doing traceroutes to various sites.
Then, the Windows boxen can try a limited set of exploit variants on each
router. Not all routers will be affected, but some will.
As for what the worm could do - well, it could report home to the worm
creators that "Hey, you 0wn X number of routers", or it could do something
fun like erasing configs and locking out console ports. ;-)
Honestly, I've been expecting something like that to happen for years now.
<shrug>
RE: Boing Boing: Michael Lynn's controversial Cisco security presentation
by Fergie (Paul Ferguson) 29 Jul '05
Now the FBI is investigating Lynn for criminal wrongdoing?
Kim Zetter writes in Wired News this morning that:
[snip]
The FBI is investigating a computer security researcher for criminal conduct after he revealed that critical systems supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of the routers.
[and]
The FBI declined to discuss the case.
[snip]
http://www.wired.com/news/politics/0,1283,68356,00.html
- ferg
>
> Over on Boing Boing:
>
> [snip]
>
> Here's a PDF that purports to be Michael Lynn's presentation
> on Cisco's critical vulnerabilities ("The Holy Grail: Cisco
> IOS Shellcode And Exploitation Techniques"), delivered at
> last week's Black Hat conference. Lynn's employer, ISS,
> wouldn't let him deliver the talk (they'd been leant on by
> Cisco), so Lynn quit his job, walked onstage and delivered it
> anyway. (See yesterday's post and Schneier's take for more).
> 1.9MB PDF Link
>
> [snip]
>
> http://www.boingboing.net/2005/07/29/michael_lynns_contro.html
>
http://www.eweek.com/article2/0,1759,1841669,00.asp
- ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(a)netzero.net or fergdawg(a)sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
Daily listings are sent to bgp-stats(a)lists.apnic.net
If you have any comments please contact Philip Smith <pfs(a)cisco.com>.
Routing Table Report 04:00 +10GMT Sat 30 Jul, 2005
Analysis Summary
----------------
BGP routing table entries examined: 167568
Prefixes after maximum aggregation: 96522
Unique aggregates announced to Internet: 81002
Total ASes present in the Internet Routing Table: 20174
Origin-only ASes present in the Internet Routing Table: 17598
Origin ASes announcing only one prefix: 8279
Transit ASes present in the Internet Routing Table: 2576
Transit-only ASes present in the Internet Routing Table: 71
Average AS path length visible in the Internet Routing Table: 4.5
Max AS path length visible: 26
Prefixes from unregistered ASNs in the Routing Table: 9
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 15
Number of addresses announced to Internet: 1399249941
Equivalent to 83 /8s, 102 /16s and 220 /24s
Percentage of available address space announced: 37.8
Percentage of allocated address space announced: 56.8
Percentage of available address space allocated: 66.4
Total number of prefixes smaller than registry allocations: 79457
APNIC Region Analysis Summary
-----------------------------
Prefixes being announced by APNIC Region ASes: 34690
Total APNIC prefixes after maximum aggregation: 15868
Prefixes being announced from the APNIC address blocks: 32540
Unique aggregates announced from the APNIC address blocks: 16299
APNIC Region origin ASes present in the Internet Routing Table: 2317
APNIC Region origin ASes announcing only one prefix: 679
APNIC Region transit ASes present in the Internet Routing Table: 346
Average APNIC Region AS path length visible: 4.5
Max APNIC Region AS path length visible: 18
Number of APNIC addresses announced to Internet: 192265344
Equivalent to 11 /8s, 117 /16s and 188 /24s
Percentage of available APNIC address space announced: 71.3
APNIC AS Blocks 4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations) 23552-24575, 37888-38911
APNIC Address Blocks 58/7, 60/7, 124/7, 126/8, 202/7, 210/7, 218/7,
220/7 and 222/8
ARIN Region Analysis Summary
----------------------------
Prefixes being announced by ARIN Region ASes: 89792
Total ARIN prefixes after maximum aggregation: 54675
Prefixes being announced from the ARIN address blocks: 70232
Unique aggregates announced from the ARIN address blocks: 25888
ARIN Region origin ASes present in the Internet Routing Table: 10109
ARIN Region origin ASes announcing only one prefix: 3720
ARIN Region transit ASes present in the Internet Routing Table: 940
Average ARIN Region AS path length visible: 4.3
Max ARIN Region AS path length visible: 20
Number of ARIN addresses announced to Internet: 254978581
Equivalent to 15 /8s, 50 /16s and 170 /24s
Percentage of available ARIN address space announced: 63.3
ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations) 2138-2584, 2615-2772, 2823-2829, 2880-3153
3354-4607, 4865-5119, 5632-6655, 6912-7466
7723-8191, 10240-12287, 13312-15359, 16384-17407
18432-20479, 21504-23551, 25600-26591,
26624-27647, 29696-30719, 31744-33791
35840-36863
ARIN Address Blocks 24/8, 63/8, 64/6, 68/7, 70/6, 74/7, 76/8,
198/7, 204/6, 208/7 and 216/8
RIPE Region Analysis Summary
----------------------------
Prefixes being announced by RIPE Region ASes: 32277
Total RIPE prefixes after maximum aggregation: 22045
Prefixes being announced from the RIPE address blocks: 29251
Unique aggregates announced from the RIPE address blocks: 19668
RIPE Region origin ASes present in the Internet Routing Table: 6925
RIPE Region origin ASes announcing only one prefix: 3652
RIPE Region transit ASes present in the Internet Routing Table: 1128
Average RIPE Region AS path length visible: 5.2
Max RIPE Region AS path length visible: 26
Number of RIPE addresses announced to Internet: 212855424
Equivalent to 12 /8s, 175 /16s and 234 /24s
Percentage of available RIPE address space announced: 63.4
RIPE AS Blocks 1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations) 2773-2822, 2830-2879, 3154-3353, 5377-5631
6656-6911, 8192-9215, 12288-13311, 15360-16383
20480-21503, 24576-25599, 28672-29695
30720-31743, 33792-35839
RIPE Address Blocks 62/8, 80/5, 88/6, 188/8, 193/8, 194/7, 212/7
and 217/8
LACNIC Region Analysis Summary
------------------------------
Prefixes being announced by LACNIC Region ASes: 9153
Total LACNIC prefixes after maximum aggregation: 3150
Prefixes being announced from the LACNIC address blocks: 7531
Unique aggregates announced from the LACNIC address blocks: 4392
LACNIC Region origin ASes present in the Internet Routing Table: 626
LACNIC Region origin ASes announcing only one prefix: 192
LACNIC Region transit ASes present in the Internet Routing Table: 115
Average LACNIC Region AS path length visible: 5.2
Max LACNIC Region AS path length visible: 23
Number of LACNIC addresses announced to Internet: 20630016
Equivalent to 1 /8s, 58 /16s and 202 /24s
Percentage of available LACNIC address space announced: 30.7
LACNIC AS Blocks 26592-26623, 27648-28671, plus ERX transfers
LACNIC Address Blocks 189/8, 190/8, 200/7
AfriNIC Region Analysis Summary
-------------------------------
Prefixes being announced by AfriNIC Region ASes: 1641
Total AfriNIC prefixes after maximum aggregation: 784
Prefixes being announced from the AfriNIC address blocks: 1011
Unique aggregates announced from the AfriNIC address blocks: 779
AfriNIC Region origin ASes present in the Internet Routing Table: 131
AfriNIC Region origin ASes announcing only one prefix: 36
AfriNIC Region transit ASes present in the Internet Routing Table: 16
Average AfriNIC Region AS path length visible: 4.6
Max AfriNIC Region AS path length visible: 12
Number of AfriNIC addresses announced to Internet: 2340096
Equivalent to 0 /8s, 35 /16s and 181 /24s
Percentage of available AfriNIC address space announced: 7.0
AfriNIC AS Blocks 36864-37887 & ERX transfers
AfriNIC Address Blocks 41/8, 196/8
APNIC Region per AS prefix count summary
----------------------------------------
ASN No of nets /20 equiv MaxAgg Description
4134 954 5523 193 CHINANET-BACKBONE
1221 769 1457 534 Telstra Pty Ltd
9583 769 77 14 Sify Limited
4755 662 248 144 Videsh Sanchar Nigam Ltd. Aut
4766 590 3412 278 Korea Telecom (KIX)
7545 513 108 73 TPG Internet Pty Ltd
17676 463 6707 98 Softbank BB Corp.
9443 382 82 77 Primus Telecommunications
9929 343 224 46 China Netcom Corp.
2907 337 1789 314 SINET Japan
9498 333 83 61 BHARTI BT INTERNET LTD.
7474 317 273 219 SingTel Optus Pty Ltd
4802 297 53 164 Wantree Development
17557 296 23 153 Pakistan Telecom
18302 292 109 158 SK Global co., Ltd
4808 290 245 168 CNCGROUP IP network: China169
9837 278 79 181 Powertel Ltd
17974 270 65 14 PT TELEKOMUNIKASI INDONESIA
17488 267 16 8 Hathway IP Over Cable Interne
703 250 262 206 UUNET - Commercial IP service
ARIN Region per AS prefix count summary
---------------------------------------
ASN No of nets /20 equiv MaxAgg Description
7018 1492 6417 964 AT&T WorldNet Services
4323 1138 688 222 Time Warner Telecom
174 1125 5823 1042 Cogent Communications
721 1085 21779 311 DLA Systems Automation Center
701 1021 8172 864 UUNET Technologies, Inc.
6197 939 522 433 BellSouth Network Solutions,
2386 895 529 658 AT&T Data Communications Serv
1239 872 2879 630 Sprint
18566 833 224 7 Covad Communications
20115 651 499 321 Charter Communications
209 623 3471 492 Qwest
3356 563 10765 431 Level 3 Communications, LLC
27364 554 44 18 Armstrong Cable Services
3602 538 123 104 Sprint Canada, Inc.
3561 535 2384 421 Savvis
7725 510 64 16 MediaOne
22773 502 1188 23 Cox Communications, Inc.
5668 499 115 23 CenturyTel Internet Holdings,
6198 468 396 225 BellSouth Network Solutions,
852 466 1093 385 Telus Advanced Communications
RIPE Region per AS prefix count summary
---------------------------------------
ASN No of nets /20 equiv MaxAgg Description
702 592 1995 483 UUNET - Commercial IP service
3301 300 1081 286 TeliaNet Sweden
3320 292 3232 241 Deutsche Telekom AG
8220 266 473 262 COLT Telecommunications
680 245 2041 241 DFN-IP service G-WiN
3246 230 469 223 Song Networks
8708 225 253 211 Romania Data Systems S.A.
1257 196 712 174 SWIPnet Swedish IP Network
5515 181 778 127 Sonera Solution Autonomous Sy
786 175 1794 175 The JANET IP Service
6746 175 49 153 Dynamic Network Technologies,
5400 174 287 147 BT Ignite European Backbone
3269 169 1520 72 TELECOM ITALIA
719 168 340 100 LANLINK autonomous system
8866 167 21 11 Bulgarian Telecommunication C
3300 156 184 89 AUCS Communications Services
9121 154 273 34 TTnet Autonomous System
6830 148 537 31 UPC Distribution Services
25186 142 145 99 France Telecom Transpac's Tra
1273 136 174 96 Cable & Wireless Deutschland
LACNIC Region per AS prefix count summary
-----------------------------------------
ASN No of nets /20 equiv MaxAgg Description
8151 380 599 160 UniNet S.A. de C.V.
16814 265 16 7 NSS, S.A.
11172 236 99 60 Servicios Alestra S.A de C.V
6147 192 110 21 Telefonica Del Peru
11664 181 20 23 Keytech SA
14117 152 9 5 Telefonica del Sur S.A.
7303 144 69 18 Telecom Argentina Stet-France
22047 143 112 7 VTR PUNTO NET S.A.
19632 142 14 5 Metropolis Intercom S.A.
11556 131 64 3 Cable-Wireless Panama
6505 130 90 87 Global One Communicaoes Ltda
19169 116 7 22 Telconet
6503 114 148 75 AVANTEL, S.A.
13999 110 52 9 Mega Cable S.A. de C.V.
18822 110 7 14 TELEFONICA MANQUEHUE
10481 101 40 7 Prima S.A.
21826 101 13 18 INTERCABLE
5639 96 12 9 Telecommunications Services o
22927 96 73 25 TELEFONICA DE ARGENTINA
23216 89 24 16 RAMtelecom Telecomunicaciones
AfriNIC Region per AS prefix count summary
------------------------------------------
ASN No of nets /20 equiv MaxAgg Description
3741 264 621 221 The Internet Solution
5536 120 15 17 Internet Egypt Network
2018 98 295 89 Tertiary Education Network
8452 96 28 6 TEDATA
2905 76 266 68 The Internetworking Company o
24835 57 34 6 RAYA Telecom - Egypt
20928 56 16 2 Noor Advanced Technologies AS
6713 51 54 8 Itissalat Al-MAGHRIB
15475 49 84 4 Nile Online
9129 42 3 3 UUNET Kenya
5713 36 142 29 Telkom SA Ltd
12455 36 6 3 Jambonet Autonomous system
15706 31 8 3 Sudatel Internet Exchange Aut
8524 23 1 4 AUCEGYPT Autonomous System
16637 22 10 19 Johnnic e-Ventures
23889 20 5 9 MAURITIUS TELECOM
10798 19 1 11 Standard Bank of South Africa
12258 17 3 11 Vodacom Internet Company
15808 17 2 2 Communication Solutions Ltd i
21491 17 1 1 UTL On-line is RF broadband I
Global Per AS Maximum Aggr summary
----------------------------------
ASN No of nets Net Savings Description
4323 1138 916 Time Warner Telecom
18566 833 826 Covad Communications
721 1085 774 DLA Systems Automation Center
4134 954 761 CHINANET-BACKBONE
9583 769 755 Sify Limited
27364 554 536 Armstrong Cable Services
4755 662 518 Videsh Sanchar Nigam Ltd. Aut
6197 939 506 BellSouth Network Solutions,
7725 510 494 MediaOne
22773 502 479 Cox Communications, Inc.
5668 499 476 CenturyTel Internet Holdings,
7545 513 440 TPG Internet Pty Ltd
3602 538 434 Sprint Canada, Inc.
17676 463 365 Softbank BB Corp.
6467 431 358 E.Spire Communications, Inc.
20115 651 330 Charter Communications
19262 433 319 Verizon Global Networks
4766 590 312 Korea Telecom (KIX)
9443 382 305 Primus Telecommunications
6140 401 299 ImpSat
List of Unregistered ASNs (Global)
----------------------------------
Bad AS Designation Network Transit AS Description
64826 PRIVATE 64.200.250.0/23 7911 Williams Communicati
65050 PRIVATE 168.96.148.0/24 6140 ImpSat
65507 PRIVATE 200.0.64.0/24 27750 Cooperación Latino A
65142 PRIVATE 200.32.76.0/24 6140 ImpSat
65142 PRIVATE 200.32.77.0/24 6140 ImpSat
64512 PRIVATE 200.61.48.0/20 11664 Keytech SA
64512 PRIVATE 200.61.58.0/23 11664 Keytech SA
64512 PRIVATE 200.80.148.0/23 11664 Keytech SA
65005 PRIVATE 203.200.197.0/24 4755 Videsh Sanchar Nigam
Advertised Unallocated Addresses
--------------------------------
Network Origin AS Description
50.160.0.0/13 1221 Telstra Pty Ltd
132.0.0.0/10 721 DLA Systems Automation Center
137.0.0.0/13 721 DLA Systems Automation Center
158.0.0.0/13 721 DLA Systems Automation Center
172.32.0.0/24 7011 Citizens Utilities
192.43.230.0/24 7575 Australian Academic and Rease
192.44.0.0/24 5501 Fraunhofer Gesellschaft
192.44.0.0/19 702 UUNET - Commercial IP service
192.70.164.0/24 25689 National Research Council of
192.84.205.0/24 719 LANLINK autonomous system
192.119.135.0/24 270 NASA
192.135.50.0/24 7018 AT&T WorldNet Services
192.169.0.0/23 3970 RGnet, Inc.
192.172.0.0/19 721 DLA Systems Automation Center
192.200.100.0/24 7018 AT&T WorldNet Services
Number of prefixes announced per prefix length (Global)
-------------------------------------------------------
/1:0 /2:0 /3:0 /4:0 /5:0 /6:0
/7:0 /8:17 /9:3 /10:8 /11:15 /12:75
/13:167 /14:317 /15:607 /16:8474 /17:2665 /18:4538
/19:10539 /20:11515 /21:9531 /22:13041 /23:13913 /24:91131
/25:351 /26:297 /27:178 /28:50 /29:26 /30:75
/31:0 /32:35
Advertised prefixes smaller than registry allocations
-----------------------------------------------------
ASN No of nets Total ann. Description
18566 817 833 Covad Communications
6197 765 939 BellSouth Network Solutions,
7018 703 1492 AT&T WorldNet Services
2386 606 895 AT&T Data Communications Serv
9583 586 769 Sify Limited
27364 545 554 Armstrong Cable Services
4323 539 1138 Time Warner Telecom
7725 480 510 MediaOne
4766 408 590 Korea Telecom (KIX)
5668 403 499 CenturyTel Internet Holdings,
702 365 592 UUNET - Commercial IP service
1239 360 872 Sprint
19916 354 361 OLM LLC
6198 343 468 BellSouth Network Solutions,
7011 327 378 Citizens Utilities
6517 295 317 Yipes Communications, Inc.
15270 292 316 PaeTec.net -a division of Pae
6467 287 431 E.Spire Communications, Inc.
20115 283 651 Charter Communications
18302 277 292 SK Global co., Ltd
Number of /24s announced per /8 block (Global)
----------------------------------------------
4:6 8:22 9:1 12:1560 13:1 15:9
16:2 17:3 18:3 20:4 24:1178 30:2
32:70 33:2 38:140 40:55 44:4 47:2
52:4 55:2 56:3 57:23 58:140 59:59
60:67 61:746 62:634 63:1882 64:2802 65:2066
66:2929 67:645 68:557 69:1115 70:151 71:10
72:276 80:579 81:572 82:437 83:299 84:225
85:304 86:67 87:18 128:161 129:168 130:88
131:293 132:38 133:1 134:146 135:42 136:138
137:73 138:163 139:61 140:306 141:105 142:147
143:141 144:203 145:34 146:291 147:109 148:288
149:175 150:107 151:65 152:108 153:88 154:5
155:140 156:79 157:99 158:165 159:167 160:81
161:70 162:218 163:94 164:192 165:189 166:156
167:241 168:438 169:143 170:324 171:8 172:1
190:1 192:5736 193:3231 194:2429 195:1606 196:660
198:3883 199:3295 200:4106 201:226 202:5934 203:6372
204:3802 205:2026 206:2452 207:2811 208:2046 209:3344
210:1628 211:742 212:1243 213:1330 214:275 215:31
216:3619 217:1126 218:213 219:160 220:403 221:252
222:124
End of report
RE: Boing Boing: Michael Lynn's controversial Cisco security presentation
by Buhrmaster, Gary 29 Jul '05
Would this not be a great way to infect thousands of
network operations systems due to a PDF exploit? It
is like "free beer" to many network operators, they
just *have* to consume it. One could take control
of the "network" by taking control of the systems
of the people operating it and silently watch
for the passwords, names, ip addresses that will
enable one to take control later.
I know, I am just being paranoid. There has never
been an exploitable PDF exploit. Oh, wait, there
has been :-)
One has to admit it would be one hell of a
combined social engineering and technical
exploit if it could be pulled off.
Gary
> -----Original Message-----
> From: owner-nanog(a)merit.edu [mailto:owner-nanog@merit.edu] On
> Behalf Of Fergie (Paul Ferguson)
> Sent: Friday, July 29, 2005 7:19 AM
> To: nanog(a)merit.edu
> Subject: Boing Boing: Michael Lynn's controversial Cisco
> security presentation
>
>
>
> Over on Boing Boing:
>
> [snip]
>
> Here's a PDF that purports to be Michael Lynn's presentation
> on Cisco's critical vulnerabilities ("The Holy Grail: Cisco
> IOS Shellcode And Exploitation Techniques"), delivered at
> last week's Black Hat conference. Lynn's employer, ISS,
> wouldn't let him deliver the talk (they'd been leant on by
> Cisco), so Lynn quit his job, walked onstage and delivered it
> anyway. (See yesterday's post and Schneier's take for more).
> 1.9MB PDF Link
>
> [snip]
>
> http://www.boingboing.net/2005/07/29/michael_lynns_contro.html
>
> I think these guys better prepare for the "slashdot effect"...
>
> :-)
>
> - ferg
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(a)netzero.net or fergdawg(a)sbcglobal.net
> ferg's tech blog: http://fergdawg.blogspot.com/
>
29 Jul '05
Got v6?
- ferg
[snip]
Summary
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
This advisory will be posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml
[snip]
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(a)netzero.net or fergdawg(a)sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
This report has been generated at Fri Jul 29 21:45:47 2005 AEST.
The report analyses the BGP Routing Table of an AS4637 (Reach) router
and generates a report on aggregation potential within the table.
Check http://www.cidr-report.org/as4637 for a current version of this report.
Recent Table History
Date Prefixes CIDR Agg
22-07-05 162992 110841
23-07-05 163109 110868
24-07-05 163221 110850
25-07-05 163286 110966
26-07-05 163299 110935
27-07-05 163364 110848
28-07-05 163152 111002
29-07-05 163523 110961
AS Summary
20064 Number of ASes in routing system
8288 Number of ASes announcing only one prefix
1477 Largest number of prefixes announced by an AS
AS7018 : ATT-INTERNET4 - AT&T WorldNet Services
90506240 Largest address span announced by an AS (/32s)
AS721 : DLA-ASNBLOCK-AS - DoD Network Information Center
Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').
--- 29Jul05 ---
ASnum    NetsNow NetsAggr  NetGain  % Gain  Description
Table     163645   110967    52678   32.2%  All ASes
AS4323      1136      227      909   80.0%  TWTC - Time Warner Telecom
AS18566      833        8      825   99.0%  COVAD - Covad Communications
AS4134       950      230      720   75.8%  CHINANET-BACKBONE No.31,Jin-rong Street
AS27364      554       22      532   96.0%  ACS-INTERNET - Armstrong Cable Services
AS721       1086      558      528   48.6%  DLA-ASNBLOCK-AS - DoD Network Information Center
AS7018      1477      956      521   35.3%  ATT-INTERNET4 - AT&T WorldNet Services
AS7725       511       17      494   96.7%  CCH-AS7 - Comcast Cable Communications Holdings, Inc
AS22773      502       25      477   95.0%  CCINET-2 - Cox Communications Inc.
AS6197       933      512      421   45.1%  BATI-ATL - BellSouth Network Solutions, Inc
AS3602       547      150      397   72.6%  SPRINT-CA-AS - Sprint Canada Inc.
AS17676      463      103      360   77.8%  JPNIC-JP-ASN-BLOCK Japan Network Information Center
AS6467       435       78      357   82.1%  ESPIRECOMM - e.spire Communications, Inc.
AS9583       773      459      314   40.6%  SIFY-AS-IN Sify Limited
AS4766       576      280      296   51.4%  KIXS-AS-KR Korea Telecom
AS9929       332       46      286   86.1%  CNCNET-CN China Netcom Corp.
AS14654      285        9      276   96.8%  WAYPORT - Wayport
AS15270      316       48      268   84.8%  AS-PAETEC-NET - PaeTec.net -a division of PaeTecCommunications, Inc.
AS5668       499      234      265   53.1%  AS-5668 - CenturyTel Internet Holdings, Inc.
AS6167       327       65      262   80.1%  CELLCO-PART - Cellco Partnership
AS6140       399      139      260   65.2%  IMPSAT-USA - ImpSat
AS812        263       20      243   92.4%  ROGERS-CABLE - Rogers Cable Inc.
AS23126      266       25      241   90.6%  KMCTELCOM-DIA - KMC Telecom, Inc.
AS11456      314       74      240   76.4%  NUVOX - NuVox Communications, Inc.
AS1239       866      629      237   27.4%  SPRINTLINK - Sprint
AS2386       894      659      235   26.3%  INS-AS - AT&T Data Communications Services
AS6198       466      242      224   48.1%  BATI-MIA - BellSouth Network Solutions, Inc
AS9498       336      113      223   66.4%  BBIL-AP BHARTI BT INTERNET LTD.
AS7545       514      292      222   43.2%  TPG-INTERNET-AP TPG Internet Pty Ltd
AS6478       385      171      214   55.6%  ATT-INTERNET3 - AT&T WorldNet Services
AS19916      362      149      213   58.8%  ASTRUM-0001 - OLM LLC
Total      17600     6540    11060   62.8%  Top 30 total
Possible Bogus Routes
24.246.0.0/17 AS7018 ATT-INTERNET4 - AT&T WorldNet Services
24.246.78.0/24 AS25994 NPG-001 - NPG Cable, INC
24.246.128.0/18 AS7018 ATT-INTERNET4 - AT&T WorldNet Services
64.17.32.0/24 AS13488 CBWU-13488 - Continental Broadband Florida, Inc DBA WebUnited
64.17.33.0/24 AS13488 CBWU-13488 - Continental Broadband Florida, Inc DBA WebUnited
Please see http://www.cidr-report.org for the full report
------------------------------------
Copies of this report are mailed to:
nanog(a)merit.edu
eof-list(a)ripe.net
apops(a)apops.net
routing-wg(a)ripe.net
afnog(a)afnog.org
Hey, Dan...
What's that they say about 800 lb. Gorillas...
:-)
- ferg
-- Daniel Golding <dgolding(a)burtongroup.com> wrote:
Cisco's conduct in this case may or may not be improper - we'll have to wait
for a little more information. From a PR point of view, they probably should
have let things ride and allowed the Blackhat talk to occur. They look like
bullies now, which is never good. Hindsight is 20/20, though.
That being said, their policy of offering free updates for certain bug fixes
to those who don't pay them for support is generous. See that hand feeding
you? Don't bite it.
--
Daniel Golding
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(a)netzero.net or fergdawg(a)sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
Cisco Security Advisory: IPv6 Crafted Packet Vulnerability
by Cisco Systems Product Security Incident Response Team 29 Jul '05
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: IPv6 Crafted Packet Vulnerability
Revision 1.0
For Public Release 2005 July 29 0800 UTC
- -------------------------------------------------------------------------------
Contents
========
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: INTERIM
Distribution
Revision History
Cisco Security Procedures
- --------------------------------------------------------------------------
Summary
=======
Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial
of Service (DoS) and potentially an arbitrary code execution attack from a
specifically crafted IPv6 packet. The packet must be sent from a local network
segment. Only devices that have been explicitly configured to process IPv6
traffic are affected. Upon successful exploitation, the device may reload or be
open to further exploitation.
Cisco has made free software available to address this vulnerability for all
affected customers.
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.
Affected Products
=================
Vulnerable Products
This issue affects all Cisco devices running any unfixed version of Cisco IOS
code that supports, and is configured for, IPv6. A device which supports IPv6
must have the interfaces specifically disabled to not be affected. IPv6 must be
completely disabled using both the command no ipv6 address and no ipv6 enable
on each interface.
Sample output of the show ipv6 interface command is shown below for two
systems, one not configured for IPv6 and one configured for IPv6.
An empty output or an error message will be displayed if IPv6 is disabled or
unsupported on the system.
Router#show ipv6 int fa 0/0
-here you see blank output
In the example below the system is vulnerable.
Router#show ipv6 interface
Serial1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
  Global unicast address(es):
    2001:1:33::3, subnet is 2001:1:33::/64
  Joined group address(es):
    FF02::1
    FF02::1:FF00:3
    FF02::1:FF00:D200
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
Router#
A router that has IPv6 enabled on a physical or logical interface is vulnerable
to this issue even if ipv6 unicast-routing is globally disabled. The show ipv6
interface command can be used to determine whether IPv6 is enabled on any
interface.
To determine the software running on a Cisco product, log in to the device and
issue the show version command to display the system banner. Cisco IOS Software
will identify itself as "Internetwork Operating System Software" or simply
"IOS." On the next line of output, the image name will be displayed between
parentheses, followed by "Version" and the IOS release name. Other Cisco
devices will not have the show version command or will give different output.
The following example shows a product running IOS release 12.3(6) with an image
name of C2600-JS-MZ:
Cisco Internetwork Operating System Software IOS (tm)
C2600 Software (C2600-JS-MZ), Version 12.3(6), RELEASE SOFTWARE (fc1)
Additional information about Cisco IOS release naming can be found at
http://www.cisco.com/warp/public/620/1.html.
Products Confirmed Not Vulnerable
Products that are not running Cisco IOS are not affected.
Products running any version of Cisco IOS that do not have IPv6 configured
interfaces are not vulnerable.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
IPv6 is the "Internet Protocol Version 6", designed by the Internet Engineering
Task Force (IETF) to replace the current version Internet Protocol, IP Version
4 (IPv4).
A vulnerability exists in the processing of IPv6 packets. Crafted packets from
the local segment received on logical interfaces (that is, tunnels including
6to4 tunnels) as well as physical interfaces can trigger this vulnerability.
Crafted packets can not traverse a 6to4 tunnel and attack a box across the
tunnel.
The crafted packet must be sent from a local network segment to trigger the
attack. This vulnerability can not be exploited one or more hops from the IOS
device.
This issue is documented in Cisco bug ID CSCef68324.
Impact
======
Successful exploitation of the vulnerability may result in a reload of the
device or execution of arbitrary code. Repeated exploitation could result in a
sustained DoS attack or execution of arbitrary code.
Software Versions and Fixes
===========================
Each row of the Cisco IOS software table below describes a release train and
the platforms or products for which it is intended. If a given release train is
vulnerable, then the earliest possible releases that contain the fix (the First
Fixed Release) and the anticipated date of availability for each are listed in
the Rebuild and Maintenance columns. A device running a release in the given
train that is earlier than the release in a specific column (less than the
First Fixed Release) is known to be vulnerable. The release should be upgraded
at least to the indicated release or a later version (greater than or equal to
the First Fixed Release label).
+---------------------------------------------+
| Major Release | Availability of Repaired |
| | Releases |
|----------------+----------------------------|
| Affected | | |
| 12.0-Based | Rebuild | Maintenance |
| Release | | |
|----------------+--------------+-------------|
| 12.0S | 12.0(26)S6 | |
|----------------+--------------+-------------|
| | 12.0(27)S5 | |
|----------------+--------------+-------------|
| | 12.0(28)S3 | |
|----------------+--------------+-------------|
| | 12.0(30)S2 | 12.0(31)S |
|----------------+----------------------------|
| 12.0SX | Vulnerable; contact TAC |
|----------------+----------------------------|
| | Vulnerable; migrate to |
| | 12.0(31)S or later |
|----------------+----------------------------|
| 12.0SL | Vulnerable; migrate to |
| | 12.0(31)S or later |
|----------------+----------------------------|
| 12.0ST | Vulnerable; migrate to |
| | 12.0(31)S or later |
|----------------+----------------------------|
| 12.0SY | Vulnerable; migrate to |
| | 12.0(31)S or later |
|----------------+----------------------------|
| Affected | | |
| 12.1-Based | Rebuild | Maintenance |
| Release | | |
|----------------+----------------------------|
| 12.1XU | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.1XV | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.1YB | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.1YC | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.1YD | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.1YE | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.1YF | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.1YH | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.1YI | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| Affected | | |
| 12.2-Based | Rebuild | Maintenance |
| Release | | |
|----------------+----------------------------|
| 12.2B | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.2BC | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.2BW | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2BY | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.2BX | Vulnerable; migrate to |
| | 12.3(7)XI4 or later |
|----------------+----------------------------|
| 12.2BZ | Vulnerable; migrate to |
| | 12.3(7)XI4 or later |
|----------------+----------------------------|
| 12.2CX | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.2CY | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.2CZ | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.2DD | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.2DX | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.2EU | 12.2(20)EU1 | |
|----------------+----------------------------|
| 12.2EW | Vulnerable; migrate to |
| | 12.2(25)EWA |
|----------------+----------------------------|
| 12.2EWA | 12.2(25)EWA1 | |
|----------------+----------------------------|
| 12.2EX | Vulnerable; migrate to |
| | 12.2(25)SEA or later |
|----------------+----------------------------|
| 12.2EY | 12.2(25)EY1 | |
|----------------+--------------+-------------|
| 12.2EZ | | 12.2(25)EZ |
|----------------+----------------------------|
| 12.2JA | Vulnerable; migrate to |
| | 12.3(4)JA or later |
|----------------+----------------------------|
| 12.2JK | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.2MB | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.2MC | Vulnerable; migrate to |
| | 12.4(2)MR |
|----------------+----------------------------|
| 12.2MX | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| | 12.2(14)S14 | |
| |--------------+-------------|
| | 12.2(18)S9 | |
|12.2S |--------------+-------------|
| | 12.2(20)S8 | |
| |--------------+-------------|
| | 12.2(25)S4 | |
|----------------+----------------------------|
| 12.2SE | Vulnerable; migrate to |
| | 12.2(25)SEB or later |
|----------------+----------------------------|
| 12.2SEA | Vulnerable; migrate to |
| | 12.2(25)SEB or later |
|----------------+----------------------------|
| 12.2SEB | | 12.2(25)SEB |
|----------------+--------------+-------------|
| 12.2SEC | | 12.2(25)SEC |
|----------------+----------------------------|
| 12.2SO | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.2SU | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.2SV | | 12.2(26)SV |
|----------------+----------------------------|
| 12.2SW | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.2SX | Vulnerable; migrate to |
| | 12.2(17d)SXB8 or later |
|----------------+----------------------------|
| 12.2SXA | Vulnerable; migrate to |
| | 12.2(17d)SXB8 or later |
|----------------+----------------------------|
| 12.2SXB | 12.2(17d) | |
| | SXB8 | |
|----------------+--------------+-------------|
| 12.2SXD | 12.2(18)SXD4 | |
|----------------+--------------+-------------|
| 12.2SXE | 12.2(18)SXE1 | |
|----------------+----------------------------|
| 12.2SY | Vulnerable; migrate to |
| | 12.2(17d)SXB8 or later |
|----------------+----------------------------|
| 12.2SZ | Vulnerable; migrate to |
| | 12.2(20)S8 or later |
|----------------+----------------------------|
| | 12.2(13)T16 | |
|12.2T |--------------+-------------|
| | 12.2(15)T16 | |
|----------------+----------------------------|
| 12.2XA | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XB | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XC | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.2XD | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XE | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XF | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.2XG | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XH | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XI | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XJ | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XK | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XL | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XM | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XN | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XQ | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XR | Vulnerable; migrate to |
| | 12.3(4)JA or later |
|----------------+----------------------------|
| 12.2XT | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XU | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XW | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2XZ | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2YT | Vulnerable; migrate to |
| | 12.2(15)T16 or later |
|----------------+----------------------------|
| 12.2YU | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.2YV | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.2YZ | Vulnerable; migrate to |
| | 12.2(20)S8 or later |
|----------------+----------------------------|
| 12.2ZA | Vulnerable; migrate to |
| | 12.2(17d)SXB8 or later |
|----------------+----------------------------|
| 12.2ZC | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.2ZD | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.2ZE | Vulnerable; migrate to |
| | 12.3(15) or later |
|----------------+----------------------------|
| 12.2ZF | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.2ZG | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.2ZH | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.2ZJ | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.2ZL | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.2ZN | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.2ZO | Vulnerable; migrate to |
| | 12.2(15)T16 or later |
|----------------+----------------------------|
| 12.2ZP | Vulnerable; contact TAC |
|----------------+----------------------------|
| Affected | | |
| 12.3-Based | Rebuild | Maintenance |
| Release | | |
|----------------+--------------+-------------|
| | 12.3(3h) | |
| |--------------+-------------|
| | 12.3(5e) | |
| |--------------+-------------|
| | 12.3(6e) | |
| |--------------+-------------|
| 12.3 | 12.3(9d) | |
| |--------------+-------------|
| | 12.3(10d) | |
| |--------------+-------------|
| | 12.3(12b) | |
| |--------------+-------------|
| | 12.3(13a) | 12.3(15) |
|----------------+--------------+-------------|
| 12.3B | 12.3(5a)B5 | |
|----------------+--------------+-------------|
| 12.3BC | | 12.3(13a)BC |
|----------------+----------------------------|
| 12.3BW | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.3JA | | 12.3(4)JA |
|----------------+--------------+-------------|
| 12.3JK | | 12.3(2)JK |
|----------------+--------------+-------------|
| | 12.3(7)T9 | |
| |--------------+-------------|
| | 12.3(8)T8 | |
|12.3T |--------------+-------------|
| | 12.3(11)T5 | |
| |--------------+-------------|
| | 12.3(14)T2 | |
|----------------+----------------------------|
| 12.3XA | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.3XB | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.3XC | 12.3(2)XC3 | |
|----------------+----------------------------|
| 12.3XD | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.3XE | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.3XF | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.3XG | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.3XH | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.3XI | 12.3(7)XI4 | |
|----------------+----------------------------|
| 12.3XJ | Vulnerable; migrate to |
| | 12.3(11)YF3 or later |
|----------------+----------------------------|
| 12.3XK | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.3XL | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.3XM | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.3XQ | 12.3(4)XQ1 | |
|----------------+--------------+-------------|
| 12.3XR | 12.3(7)XR4 | |
|----------------+----------------------------|
| 12.3XS | Vulnerable; migrate to |
| | 12.4(1) or later |
|----------------+----------------------------|
| 12.3XT | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.3XU | Vulnerable; migrate to |
| | 12.4(2)T or later |
|----------------+----------------------------|
| 12.3XW | Vulnerable; migrate to |
| | 12.3(11)YF3 or later |
|----------------+----------------------------|
| 12.3XX | Vulnerable; migrate to |
| | 12.4(1) or later |
|----------------+----------------------------|
| 12.3XY | Vulnerable; migrate to |
| | fixed 12.3(14)T2 or later |
|----------------+----------------------------|
| 12.3YA | 12.3(8)YA1 | |
|----------------+----------------------------|
| 12.3YD | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.3YF | 12.3(11)YF3 | |
|----------------+--------------+-------------|
| 12.3YG | 12.3(8)YG2 | |
|----------------+----------------------------|
| 12.3YH | Vulnerable; migrate to |
| | 12.3(8)YI1 or later |
|----------------+----------------------------|
| 12.3YI | 12.3(8)YI1 | |
|----------------+--------------+-------------|
| 12.3YJ | 12.3(11)YJ | |
|----------------+----------------------------|
| 12.3YK | Vulnerable; contact TAC |
|----------------+----------------------------|
| 12.3YQ | 12.3(14)YQ1 | |
|----------------+--------------+-------------|
| 12.3YS | | 12.3(11)YS |
|----------------+--------------+-------------|
| 12.3YT | | 12.3(14)YT |
|----------------+--------------+-------------|
| 12.3YU | | 12.3(14)YU |
|----------------+--------------+-------------|
| Affected | | |
| 12.4-Based | Rebuild | Maintenance |
| Release | | |
|----------------+--------------+-------------|
| 12.4 | | 12.4(1) |
|----------------+--------------+-------------|
| 12.4MR | | 12.4(2)MR |
|----------------+--------------+-------------|
| 12.4T | | 12.4(2)T |
+---------------------------------------------+
For further information on the terms "Rebuild" and "Maintenance," please
consult the following URL: http://www.cisco.com/warp/public/620/1.html
When considering software upgrades, please also consult
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
and any subsequent advisories to determine exposure and a complete upgrade
solution.
In all cases, customers should exercise caution to be certain the devices to be
upgraded contain sufficient memory and that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, contact the Cisco Technical Assistance Center
("TAC") for assistance.
Obtaining Fixed Software
========================
Customers with Service Contracts
Customers with contracts should obtain upgraded software through their regular
update channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com.
Customers using Third-party Support Organizations
Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free of
charge.
Customers without Service Contracts
Customers who purchase direct from Cisco but who do not hold a Cisco service
contract and customers who purchase through third-party vendors but are
unsuccessful at obtaining fixed software through their point of sale should get
their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC
contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades for
non-contract customers must be requested through the TAC.
Please do not contact either "psirt(a)cisco.com" or "security-alert(a)cisco.com"
for software upgrades.
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including special localized telephone numbers and
instructions and e-mail addresses for use in various languages.
Customers may only install and expect support for the feature sets they have
purchased. By installing, downloading, accessing or otherwise using such
software upgrades, customers agree to be bound by the terms of Cisco's software
license terms found at http://www.cisco.com/public/sw-license-agreement.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Workarounds
===========
The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and releases,
customers should consult with their service provider or support organization to
ensure any applied workaround is the most appropriate for use in the intended
network before it is deployed.
In networks where IPv6 is not needed, disabling IPv6 processing on an IOS
device will eliminate exposure to this vulnerability. On a router which
supports IPv6, this must be done by issuing the command "no ipv6 enable" and
"no ipv6 address" on each interface.
Exploitation and Public Announcements
=====================================
This vulnerability was disclosed on July 27, 2005 at the Black Hat security
conference.
Status of This Notice: INTERIM
==============================
THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF
THE INFORMATION ON THE ADVISORY OR MATERIALS LINKED FROM THE ADVISORY IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY
TIME.
A stand-alone copy or paraphrase of the text of this security advisory that
omits the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail
and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-teams(a)first.org (includes CERT/CC)
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
Revision History
================
+-------------------------------------------------------+
| Revision 1.0 | 2005-July-29 | Initial public release. |
+-------------------------------------------------------+
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
. This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
- --------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFC6ecEezGozzK2tZARAtVdAKCkpjbIOl/eHLEvg/zh9v7+qjB9RgCfX1mH
PTBk+H6SNwsGUPdKBNpEbMg=
=fNt5
-----END PGP SIGNATURE-----
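The Workarounds section of the advisory above calls for "no ipv6 enable" and "no ipv6 address" on each interface. The following is an added example, not part of the Cisco advisory: a Python sketch that finds the interfaces in a saved running-config that still have IPv6 processing turned on and lists the workaround commands for them. The sample configuration, interface names and function names are constructed for illustration.

```python
"""Audit a saved IOS running-config for interfaces that still process IPv6."""

# Constructed sample config (not from the advisory); interface names are illustrative.
SAMPLE_CONFIG = """\
hostname lab-rtr
!
ipv6 unicast-routing
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:DB8:1::1/64
 ipv6 enable
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ipv6 enable
!
interface Serial0/0
 description link-local only
 ipv6 enable
 shutdown
!
"""

# Interface sub-commands that turn IPv6 processing on.
IPV6_ON = ("ipv6 enable", "ipv6 address")

def ipv6_interfaces(config: str) -> dict[str, list[str]]:
    """Map each interface name to the sub-commands that enable IPv6 on it."""
    found: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
        elif not raw.startswith(" "):
            current = None              # "!" or a global command closes the block
        elif current:
            cmd = raw.strip()
            if cmd.startswith(IPV6_ON):  # "no ipv6 ..." lines do not match
                found.setdefault(current, []).append(cmd)
    return found

def workaround_commands(config: str) -> list[str]:
    """Build the advisory's per-interface workaround for each flagged interface."""
    lines: list[str] = []
    for name in ipv6_interfaces(config):
        lines += [f"interface {name}", " no ipv6 enable", " no ipv6 address"]
    return lines
```

Interfaces that are administratively shut down are still reported, since the advisory asks for the commands on each interface.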