Re: [nsp] enquiry on MLS with access list

Date: Sun Feb 18 2001 - 10:41:49 EST

> I am studying the MLS feature, and found that when it is used with
> access-lists (applied on the route processor), there is a security hole for
> the network.

What platform, Cat6K ? I'll assume Cat6K (with Supervisor 1),
although MLS is available on Cat5K but is a very different beast.

> I know it is due to frames entering the switch only comparing the
> destination address with entries in the MLS cache.

The MLS cache on Cat6K/PFC is used only to determine where
the packet will go if it has decided to forward it; the forward yes/no
decision is made by the PFC itself, so all L4 information (src/dst
IP, src/dst port, TCP flags) is evaluated no matter whether a previous packet
has created a destination shortcut or not.

> However, do you know of any proven solution to this security hole for inbound
> and outbound access-lists?

Current versions of Cat6K software have been correctly enforcing
access-lists (this was really flawed on 5.4(1)/12.1(2)E, for instance)
even with dest-only flows, but one way to be more strict is setting
MLS to full-flow. But for most nsp networks full-flow may be a full-
blow... even dest-flows can quickly load up a box, and Cisco's
answer is the replacement of MLS with CEF on Supervisor 2.

Rubens Kuhl Jr.
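
[Editor's note, not part of the post above: the "set MLS to full-flow" suggestion refers to the PFC flow mask on a Cat6K running CatOS. The fragment below is an added illustration of the weaker destination-only setting beside the stricter full-flow setting; the `set mls flow` / `show mls` syntax is quoted from memory of the CatOS command reference and should be checked against the release actually in use. With full-flow, a shortcut entry is keyed on source/destination IP, protocol and L4 ports, so one host's cached flow cannot be matched by another host's packets to the same destination; the cost is many more cache entries, which is the "full-blow" caveat the post makes.]

```text
! Added example (not from the original post). CatOS on a Cat6K Supervisor 1/PFC.
! Assumed syntax: set mls flow {destination | destination-source | full}

! Weaker setting: shortcut entries keyed on destination IP only.
! (Default on the platform discussed; ACLs are still enforced by the PFC
!  per packet on current software, per the post above.)
Console> (enable) set mls flow destination

! Stricter setting: shortcut entries keyed on src/dst IP, protocol and
! src/dst L4 port. More entries in the cache, so watch cache utilisation
! on busy boxes.
Console> (enable) set mls flow full

! Verify which flow mask is in effect and how many entries are in use.
Console> (enable) show mls
```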

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:29 EDT