I remember a Cisco device with an ACL that was leaking. It was a 20 lines ACL with few lines to drop some packets based on UDP ports. When under heavy stress, nearly line rate, we would see some of these packets going through the ACL. I said to my peers that the ACL was leaking. They didn't believe me so I showed them the netflows. We were very surprised to see that. We thought that drop means drop. On 2020-02-10 08:40, Saku Ytti wrote:
On Mon, 10 Feb 2020 at 13:52, Jean | ddostest.me via NANOG <nanog@nanog.org> wrote:
I really thought that more Cisco devices were deployed among NANOG.
I guess that these devices are not used anymore or maybe that I understood wrong the severity of this CVE. Network devices are incredibly fragile and mostly work because no one is motivated to bring the infrastructure down. Getting any arbitrary vendor down if you have access to it on L2 is usually so easy you accidentally find ways to do it. There are various L3 packet of deaths where existing infra can be crashed with single packet, almost everyone has no or ridiculously broken iACL and control-plane protection, yet business does not seem to suffer from it.
Probably lower availability if you do upgrade your devices just because there is a known issue, due to new production affecting issues.