[c-nsp] Upgrade issue for Cisco Security Advisory: IPv6 Crafted Packet Vulnerability

David Freedman david.freedman at uk.clara.net
Thu Aug 18 12:43:15 EDT 2005


I'd be careful about this; I had this happen to a vpnv4 PE router when 
performing a security upgrade in the 12.3 train.

What I found appeared to be a bug which forced a per-neighbor activation 
in each AFI. I tried to re-apply the configuration from a TFTP server, 
but it didn't change it, so I instantly re-downgraded the box.

In the lab I put the image on a box and attempted to write a simple 
multi-AFI BGP config (IPv4 unicast / VPNv4). With this particular IOS 
that I was running, the neighbors would not inherit the AFI activation 
from the peer group; instead they were each force-activated in the 
address-family.

After moving to the next release of the code in the lab, the problem 
appeared to have been fixed, so we ended up rolling that code out instead.

From memory, the affected code was somewhere in 12.3(10); our target 
hardware was 75xx RSP4.

Dave.


Zacchello Marco wrote:
> Hi all,
> 
> After Cisco mailed this advisory, we upgraded some c7206VXR (NPE400) to this release: c7200-jk9o3s-mz.123-15a.bin
> (ENTERPRISE/FW/IDS IPSEC 3DES), but after the reload the BGP peer-group configuration changed slightly:
> some neighbor statements were deleted (the 'neighbor XXX activate' and the 'neighbor A.B.C.D peer-group XXX')
> in the address-family configuration, and other new ones were configured ('neighbor A.B.C.D activate').
> The BGP peer-group configuration in the global BGP configuration didn't change.
> This happened for all the AFs configured: IPv4, IPv4 multicast, VPNv4, IPv6.
> Now, is this a bug? Or is it an old-style CLI to new-style CLI change, like the changes in the CLI when MPLS 
> was introduced? Any suggestions or experiences?
> We are afraid to do any upgrade or downgrade.
> To be more accurate, after the reload the startup-config was obviously different from the running-config, and after a write, the startup-config
> used this new-style CLI. Moreover, at the moment the BGP peer-group configuration is working, and the show command output is right.
> Thanks
> Bye 
> 
> Marco
> 
> p.s.: this is how the configuration changed:
> 
> 
>     address-family ipv4
>     redistribute connected
>     redistribute static
>  -  neighbor PGROUP_A activate
>     neighbor PGROUP_A next-hop-self
>     neighbor PGROUP_A send-community
>  -  neighbor vpnv4-internal activate
>  -  neighbor 117.12.225.223 peer-group PGROUP_A 
>  +  neighbor 117.12.225.223 activate
>     exit-address-family
>     !
>     address-family ipv4 multicast
>  -  neighbor PGROUP_A activate
>  -  neighbor 117.12.225.223 peer-group PGROUP_A 
>  +  neighbor 117.12.225.223 activate
>     no auto-summary
>     no synchronization
>     exit-address-family
>     !
>     address-family vpnv4
>  -  neighbor vpnv4-internal activate
>     neighbor vpnv4-internal send-community extended
>  -  neighbor 117.12.225.63 peer-group vpnv4-internal
>  +  neighbor 117.12.225.63 activate
>     exit-address-family
>     !
>     address-family ipv6
>  -  neighbor PGROUP_A-IPV6 activate
>  -  neighbor 5001:6F9:D00::E2E0 peer-group PGROUP_A-IPV6
>  +  neighbor 5001:6F9:D00::E2E0 activate
>     exit-address-family
> 
> 
> 
> 
> 
> marco.zacchello at netengineering.it 
> Net Engineering S.p.A. 
> Tel. +3902241254.1 
> Fax.+3902241254323 
> cell. +393482302981
> Web site: www.netengineering.it
> 
> 
> ******************* DISCLAIMER *******************************
> This e-mail message and any files transmitted with it contain confidential information intended only for the person(s) to whom it is addressed. If you are not the intended recipient, you are hereby notified that any use or distribution of this e-mail is strictly prohibited: please notify the sender and delete the original message. Thank you.
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
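One way to check the kind of rewrite both posts describe before committing it with a write, as an added example that is not from either poster and not Cisco code: a small Python script that parses the neighbor and peer-group lines of a 'router bgp' section, works out which neighbors are actually activated in each address family (directly, or through a peer group that carries 'activate' in that AF), and diffs the result for two configs. The sample configs are constructed from the diff quoted above, with an assumed AS number, assumed global peer-group definitions and the ipv4 multicast family left out; the peer-group model is a simplification (membership declared at the router bgp level is taken to apply to every AF, and implicit ipv4 unicast activation under 'bgp default ipv4-unicast' is not modelled).

```python
# Added example (not Cisco's code, not from either poster): resolve which
# neighbors are really activated per BGP address family and diff two configs.
import re
from typing import Dict, Set, Tuple

# "neighbor <name> <keyword> [arg] ..."; name is an address or a peer-group name
_NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(\S+)(?:\s+(\S+))?")
_AF_RE = re.compile(r"^\s*address-family\s+(\S+)(?:\s+(\S+))?")


class BgpConfig:
    def __init__(self) -> None:
        self.peer_groups: Set[str] = set()               # 'neighbor PG peer-group'
        self.global_members: Dict[str, str] = {}         # neighbor -> PG, router bgp level
        self.af_members: Dict[str, Dict[str, str]] = {}  # afi -> {neighbor: PG}
        self.activated: Dict[str, Set[str]] = {}         # afi -> names carrying 'activate'

    def effective(self, afi: str) -> Set[str]:
        """Neighbors active in `afi`: activated directly, or bound (globally or in this
        AF) to a peer group activated here.  'bgp default ipv4-unicast' is not modelled."""
        bound = dict(self.global_members)
        bound.update(self.af_members.get(afi, {}))
        active: Set[str] = set()
        for name in self.activated.get(afi, set()):
            if name in self.peer_groups:
                active.update(n for n, pg in bound.items() if pg == name)
            else:
                active.add(name)
        return active


def parse_bgp(config: str) -> BgpConfig:
    """Parse the neighbor and peer-group lines of a 'router bgp' section."""
    cfg = BgpConfig()
    afi = None  # None while in the global router bgp section
    for line in config.splitlines():
        m = _AF_RE.match(line)
        if m:  # 'address-family ipv4' is ipv4 unicast
            afi = f"{m.group(1)} {m.group(2) or 'unicast'}"
            cfg.activated.setdefault(afi, set())
            continue
        if line.strip() == "exit-address-family":
            afi = None
            continue
        m = _NEIGHBOR_RE.match(line)
        if not m:
            continue
        name, keyword, arg = m.groups()
        if keyword == "peer-group" and arg is None:
            cfg.peer_groups.add(name)
        elif keyword == "peer-group":
            (cfg.global_members if afi is None else cfg.af_members.setdefault(afi, {}))[name] = arg
        elif keyword == "activate":  # a global 'activate' (old syntax) means ipv4 unicast
            cfg.activated.setdefault(afi or "ipv4 unicast", set()).add(name)
    return cfg


def compare(before: str, after: str) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """{afi: (neighbors lost, neighbors gained)} for every AF whose effective
    activation differs; an empty dict means the CLI rewrite changed nothing."""
    a, b = parse_bgp(before), parse_bgp(after)
    diffs: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for afi in sorted(set(a.activated) | set(b.activated)):
        x, y = a.effective(afi), b.effective(afi)
        if x != y:
            diffs[afi] = (x - y, y - x)
    return diffs


# Constructed samples: address-family sections follow the diff quoted in the thread
# (ipv4 multicast omitted); the AS number and peer-group definitions are assumed.
HEADER = ("router bgp 65000\n neighbor PGROUP_A peer-group\n"
          " neighbor PGROUP_A-IPV6 peer-group\n neighbor vpnv4-internal peer-group\n")
PRE = HEADER + """ address-family ipv4
 neighbor PGROUP_A activate
 neighbor vpnv4-internal activate
 neighbor 117.12.225.223 peer-group PGROUP_A
 exit-address-family
 address-family vpnv4
 neighbor vpnv4-internal activate
 neighbor 117.12.225.63 peer-group vpnv4-internal
 exit-address-family
 address-family ipv6
 neighbor PGROUP_A-IPV6 activate
 neighbor 5001:6F9:D00::E2E0 peer-group PGROUP_A-IPV6
 exit-address-family
"""
POST = HEADER + """ address-family ipv4
 neighbor 117.12.225.223 activate
 exit-address-family
 address-family vpnv4
 neighbor 117.12.225.63 activate
 exit-address-family
 address-family ipv6
 neighbor 5001:6F9:D00::E2E0 activate
 exit-address-family
"""
```

Run compare() on the pre- and post-upgrade copies of the configuration (for instance the saved startup-config and the running-config after the reload): an empty result means the rewritten CLI activates the same neighbors in every AF, while a non-empty result names the neighbors an AF lost or gained and is what to reconcile against the per-AF show ip bgp summary output before writing the new config. A peer-group 'activate' with no member bound in that AF, such as the vpnv4-internal line under address-family ipv4 in the sample, contributes no neighbors, which is why its disappearance shows up as no change; if that membership were declared globally instead, the script would report the neighbor as lost in ipv4 unicast.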


