Thanks Paul, wonderful job. Side-note (taken from the exploit write-up http://www.linx.net/tunnel-advisory.txt):
// Adding "log-input" to the end of each access-list line will log
// the hardware address of the sender for good measure. IOS 11.1
// and upwards only (from memory)
We find log-input to be very unreliable and often producing wrong information. It indeed operates differently across the 11.1 train (no comment on 11.2 offered); I think 11.1.15 breaks it badly. Albeit improperly worded and not well defined in print on CCO, please reference Cisco BUGid CSCdj40503 prior to trusting log-input for any valid info.

Best regards,
David Van Allen - FASTNET(tm) / You Tools Corporation
dave@fast.net (888)321-FAST(3278) http://www.fast.net
FASTNET - Business and Personal Internet Solutions
-----Original Message-----
From: Paul Thornton [SMTP:prt@linx.net]
Sent: Tuesday, November 25, 1997 9:47 AM
To: nanog@merit.edu
Cc: eof@ripe.net; se-gix@sunet.se; mae-east-tech@uu.net; membership@linx.net; ops@linx.net
Subject: Advisory - tunneling of IP at exchange points.
-- PLEASE NOTE: If you are replying to this, consider pruning the list
-- of cc's rather than crossposting replies wildly! Thanks.
[snip]
The LINX and several of its members have recently had to take action against an ISP that was using GRE tunneling between exchange points to appropriate the capacity of other ISPs.
Keith Mitchell
Chairman London InterNet Exchange keith@linx.org Geneva House, 3 Park Road Peterborough PE1 2UX United Kingdom Phone: +44 1733 705000 (fax 353929)
Paul
-- Paul Thornton, Network Engineer, London Internet Exchange Ltd. Tel: 07000 783797 Mobile: +44 467 372205