[c-nsp] RE: cisco-nsp Digest, Vol 26, Issue 120

Said, Ronald Ronald.Said at wiltel.com
Wed Jan 26 17:47:11 EST 2005



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of
cisco-nsp-request at puck.nether.net
Sent: Wednesday, January 26, 2005 4:31 PM
To: cisco-nsp at puck.nether.net
Subject: cisco-nsp Digest, Vol 26, Issue 120



Today's Topics:

   1. RE: 6500/7600 10GB XENPAK modules shortage
      (Hudson Delbert J Contr 61 CS/SCBN)
   2. RE: 6500/7600 10GB XENPAK modules shortage (Sean Granger)
   3. Re: 6500/7600 10GB XENPAK modules shortage (Joshua Brady)
   4. Re: Excluding MAC address from DHCP (james edwards)
   5. Re: Excluding MAC address from DHCP (MADMAN)
   6. Re: Cisco Security Advisory: Multiple Crafted IPv6 Packets
      Cause Reload (Siva Valliappan)
   7. Re: Cisco Security Advisory: Multiple Crafted IPv6 Packets
      Cause Reload (Gert Doering)
   8. Re: Cisco Security Advisory: Multiple Crafted IPv6 Packets
      Cause Reload (Gert Doering)
   9. Re: Cisco Security Advisory: Multiple Crafted IPv6 Packets
      Cause Reload (Elmar K. Bins)
  10. Re: Cisco Security Advisory: Multiple Crafted IPv6 Packets
      Cause Reload (Gert Doering)


----------------------------------------------------------------------

Message: 1
Date: Wed, 26 Jan 2005 12:49:08 -0800
From: "Hudson Delbert J Contr 61 CS/SCBN"
	<Delbert.Hudson at LOSANGELES.AF.MIL>
Subject: RE: [c-nsp] 6500/7600 10GB XENPAK modules shortage
To: "Simon Hamilton-Wilkes" <simon at jettis.com>,
	<cisco-nsp at puck.nether.net>
Message-ID:
	<186AC876521E0F46BDE77079A6567FD06F5FA1 at la-ncc-ms1nsabb.losangeles.afspc.ds.af.mil>
	
Content-Type: text/plain;	charset="iso-8859-1"

simon,

good one..
fscking moron..gotta remember that one.
classic...

i love when someone says what i want to say in just the way i would have said it..

they just beat me to it.

later....keep on 'em..

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Simon
Hamilton-Wilkes
Sent: Wednesday, January 26, 2005 9:51 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 6500/7600 10GB XENPAK modules shortage


Cisco have completely lost the plot on this one.  I've had problems
getting SPF's from stock in the past too, but found that I could get
them by buying a couple of their storage routers in a bundle with SPFs.
If they're going to rip us all off by locking the code they absolutely
HAVE to have stock.  
Whatever high up made that profit related decision is a fscking moron,
for every extra dollar they make they lose one in customer goodwill.  

Simon

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



------------------------------

Message: 2
Date: Wed, 26 Jan 2005 14:53:57 -0600
From: "Sean Granger" <sgranger at randfinancial.com>
Subject: RE: [c-nsp] 6500/7600 10GB XENPAK modules shortage
To: <cisco-nsp at puck.nether.net>
Message-ID: <s1f7af08.023 at mail.randfinancial.com>
Content-Type: text/plain; charset=US-ASCII

Every time Delbert posts, I think, "Tax dollars, hard at work."

Though, maybe that's just me.

>>> "Hudson Delbert J Contr 61 CS/SCBN" <Delbert.Hudson at LOSANGELES.AF.MIL> 01/26/05 02:49PM >>>
simon,

good one..
fscking moron..gotta remember that one.
classic...

i love when someone says what i want to say in just the way i would have said it..

they just beat me to it.

later....keep on 'em..

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net 
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Simon
Hamilton-Wilkes
Sent: Wednesday, January 26, 2005 9:51 AM
To: cisco-nsp at puck.nether.net 
Subject: [c-nsp] 6500/7600 10GB XENPAK modules shortage


Cisco have completely lost the plot on this one.  I've had problems
getting SPF's from stock in the past too, but found that I could get
them by buying a couple of their storage routers in a bundle with SPFs.
If they're going to rip us all off by locking the code they absolutely
HAVE to have stock.  
Whatever high up made that profit related decision is a fscking moron,
for every extra dollar they make they lose one in customer goodwill.  

Simon





------------------------------

Message: 3
Date: Wed, 26 Jan 2005 16:18:07 -0500
From: Joshua Brady <somitho at comcast.net>
Subject: Re: [c-nsp] 6500/7600 10GB XENPAK modules shortage
To: cisco-nsp at puck.nether.net
Message-ID: <200501261618.07528.somitho at comcast.net>
Content-Type: text/plain;  charset="iso-8859-1"

On Wednesday 26 January 2005 15:53, Sean Granger wrote:
> Every time Delbert posts, I think, "Tax dollars, hard at work."
>
> Though, maybe that's just me.

That's just you. Dilbert is just a contractor out there in LA. He does not
represent the LA AFB, nor the US Air Force, I would appreciate if we just kept
politics on the NOG and not on a cisco list. If you want to complain to his 
CO, because you think tax money isn't being spent well then call his CO. 
Leave it off list.

--
Josh


------------------------------

Message: 4
Date: Wed, 26 Jan 2005 15:06:28 -0700
From: "james edwards" <hackerwacker at cybermesa.com>
Subject: Re: [c-nsp] Excluding MAC address from DHCP
To: "MADMAN" <david.madland at qwest.com>
Cc: cisco-nsp at puck.nether.net
Message-ID: <007a01c503f3$48cd2f70$0200020a at jamesnew>
Content-Type: text/plain;	charset="iso-8859-1"

Cool, thanks. A few questions, though. I have a nasty multipoint interface
for DSL and a DHCP pool is attached to the BVI. All pvc's will be moved to
individual if's doing "atm routed-bridge" shortly but for now I need a
better way to take down infected users. We do not auth here as the LEC does
not supply routers that support PPPoX.

Here is the present config:

ip dhcp pool foobar
   network a.b.c.0 255.255.255.0
   domain-name cybermesa.com
   default-router a.b.c.d
   lease 0 2

!
interface ATM4/ima0.1 multipoint
 description Espanola DSL Bridged IMA group
 no ip redirects
 no ip unreachables
 no ip mroute-cache
 pvc 0/36
 !
 pvc 0/37
 !
 pvc 0/38
 !
 pvc 0/39
/////////
 !
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address a.b.c.d 255.255.255.0
 ip verify unicast source reachable-via rx allow-self-ping
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 arp timeout 3600
 clns mtu 1514
 hold-queue 150 in

So if I add:

ip dhcp pool infected
host 1.1.1.1
hardware-address 02c7.f800.0422 ieee802

Will the pvc (on ATM4/ima0.1) which has hardware-address 02c7.f800.0422
ieee802 (client side) get address 1.1.1.1, while the others get assigned
addresses out of dhcp pool foobar?

Reading at CCO, it seems I need to do a "ip dhcp pool <whatever>" for each
MAC address, correct?

Thanks so much for the help !

James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
jamesh at cybermesa.com  noc at cybermesa.com
http://www.cybermesa.com/ContactCM
(505) 795-7101





------------------------------

Message: 5
Date: Wed, 26 Jan 2005 16:19:33 -0600
From: MADMAN <david.madland at qwest.com>
Subject: Re: [c-nsp] Excluding MAC address from DHCP
To: james edwards <hackerwacker at cybermesa.com>
Cc: cisco-nsp at puck.nether.net
Message-ID: <41F81775.7080206 at qwest.com>
Content-Type: text/plain; charset=us-ascii; format=flowed


   I think you are correct.  To be honest I have not used the feature
but simply recalled there was some MAC address-related command for
DHCP and looked it up.

   Dave

james edwards wrote:

> Cool, thanks. A few questions, though. I have a nasty multipoint interface
> for DSL and a DHCP pool
> is attached to the BVI. All pvc's will be moved to individual if's doing
> "atm routed-bridge" shortly
> but for now I need a better way to take down infected users. We do not auth
> here as the LEC does
> not supply routers that support PPPoX.
> 
> Here is the present config:
> 
> ip dhcp pool foobar
>    network a.b.c.0 255.255.255.0
>    domain-name cybermesa.com
>    default-router a.b.c.d
>    lease 0 2
> 
> !
> interface ATM4/ima0.1 multipoint
>  description Espanola DSL Bridged IMA group
>  no ip redirects
>  no ip unreachables
>  no ip mroute-cache
>  pvc 0/36
>  !
>  pvc 0/37
>  !
>  pvc 0/38
>  !
>  pvc 0/39
> /////////
>  !
>  bridge-group 1
>  bridge-group 1 spanning-disabled
> !
> interface BVI1
>  ip address a.b.c.d 255.255.255.0
>  ip verify unicast source reachable-via rx allow-self-ping
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  arp timeout 3600
>  clns mtu 1514
>  hold-queue 150 in
> 
> So if I add:
> 
> ip dhcp pool infected
> host 1.1.1.1
> hardware-address 02c7.f800.0422 ieee802
> 
> Will the pvc (on  ATM4/ima0.1) which has hardware-address 02c7.f800.0422
> ieee802 (client side)
> get address 1.1.1.1, while the others get assigned addresses out of  dhcp
> pool foobar ?
> 
> Reading at CCO, it seems I need to do a  "ip dhcp pool <whatever>" for each
> MAC address, correct ?
> 
> Thanks so much for the help !
> 
> James H. Edwards
> Routing and Security Administrator
> At the Santa Fe Office: Internet at Cyber Mesa
> jamesh at cybermesa.com  noc at cybermesa.com
> http://www.cybermesa.com/ContactCM
> (505) 795-7101
> 
> 
> 
> 

-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"Emotion should reflect reason not guide it"
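
Added example (not part of the original posts, and not the posters' or Cisco's code): a small Python generator for the approach discussed in messages 4 and 5, one manual-binding "ip dhcp pool" per infected MAC address. It goes slightly beyond the thread by also emitting the client-identifier form for clients that send DHCP option 61; the pool-name prefix, the consecutive quarantine addresses and the second sample MAC are assumptions made for the example.

```python
import ipaddress
import re


def normalize_mac(mac: str) -> str:
    """Return 12 lowercase hex digits; accepts aa:bb.., aa-bb.. and aabb.ccdd.eeff."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def dotted(hexdigits: str) -> str:
    """Group hex digits in fours, IOS style (02c7.f800.0422)."""
    return ".".join(hexdigits[i:i + 4] for i in range(0, len(hexdigits), 4))


def quarantine_pools(macs, first_host, prefix="infected", client_id=False):
    """Build one manual-binding pool per MAC, handing out consecutive addresses.

    prefix and the consecutive-address scheme are assumptions of this example.
    """
    addr = ipaddress.IPv4Address(first_host)
    seen, lines = set(), []
    for mac in macs:
        digits = normalize_mac(mac)
        if digits in seen:  # skip repeats so each client gets exactly one pool
            continue
        seen.add(digits)
        lines.append(f"ip dhcp pool {prefix}-{digits}")
        lines.append(f" host {addr}")
        if client_id:
            # Option 61 form: hardware type 01 (Ethernet) followed by the MAC.
            lines.append(f" client-identifier {dotted('01' + digits)}")
        else:
            lines.append(f" hardware-address {dotted(digits)} ieee802")
        lines.append("!")
        addr += 1
    return "\n".join(lines)


if __name__ == "__main__":
    # First MAC is the one from the post; the second is constructed, and the
    # third is the first again in another notation (deduplicated).
    sample = ["02c7.f800.0422", "00:0D:56:AA:BB:CC", "02-C7-F8-00-04-22"]
    print(quarantine_pools(sample, "1.1.1.1"))
```
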


------------------------------

Message: 6
Date: Wed, 26 Jan 2005 14:20:03 -0800 (PST)
From: Siva Valliappan <svalliap at cisco.com>
Subject: Re: [c-nsp] Cisco Security Advisory: Multiple Crafted IPv6
	Packets	Cause Reload
To: "Ryan O'Connell" <ryan at complicity.co.uk>
Cc: cisco-nsp at puck.nether.net
Message-ID: <Pine.GSO.4.58.0501261415230.1488 at sj-cse-717.cisco.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII

clarification below -

On Wed, 26 Jan 2005, Ryan O'Connell wrote:

> On 26/01/2005 16:21, Kim Onnel wrote:
> | Was that why all tier-1 providers were upgrading ?
>
> They generally get such notices a week before the rest of us, so quite
> probably.
>

the mentioned Cisco PSIRT on this thread was released simultaneously (not a
staggered release).  so it only went out today.  based on threads on
NANOG and other public aliases, i do not believe it was Cisco equipment
that was undergoing the upgrades earlier this week.

cheers
siva



------------------------------

Message: 7
Date: Wed, 26 Jan 2005 23:22:34 +0100
From: Gert Doering <gert at greenie.muc.de>
Subject: Re: [c-nsp] Cisco Security Advisory: Multiple Crafted IPv6
	Packets	Cause Reload
To: Kim Onnel <karim.adel at gmail.com>
Cc: Ryan O'Connell <ryan at complicity.co.uk>, cisco-nsp at puck.nether.net
Message-ID: <20050126222234.GQ26144 at greenie.muc.de>
Content-Type: text/plain; charset=us-ascii

Hi,

On Wed, Jan 26, 2005 at 06:21:09PM +0200, Kim Onnel wrote:
> Was that why all tier-1 providers were upgrading ?

No, *they* upgrade because of the Juniper security advisory... :-o

It's a tough week...

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de


------------------------------

Message: 8
Date: Wed, 26 Jan 2005 23:23:28 +0100
From: Gert Doering <gert at greenie.muc.de>
Subject: Re: [c-nsp] Cisco Security Advisory: Multiple Crafted IPv6
	Packets	Cause Reload
To: Pekka Savola <pekkas at netcore.fi>
Cc: Ryan O'Connell <ryan at complicity.co.uk>, cisco-nsp at puck.nether.net
Message-ID: <20050126222328.GR26144 at greenie.muc.de>
Content-Type: text/plain; charset=us-ascii

Hi,

On Wed, Jan 26, 2005 at 06:31:38PM +0200, Pekka Savola wrote:
> For example, we've run a 12.2S version which has fixed this problem 
> for 219 days now... :-)

*This* bug (IPv6), yes.  But you missed "the other" advisory that tells you
you need to go to 12.2(25)S if you want to keep "bgp log-neighbour-changes"
functionality...

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de


------------------------------

Message: 9
Date: Wed, 26 Jan 2005 23:27:50 +0100
From: "Elmar K. Bins" <elmi at 4ever.de>
Subject: Re: [c-nsp] Cisco Security Advisory: Multiple Crafted IPv6
	Packets	Cause Reload
To: Gert Doering <gert at greenie.muc.de>
Cc: cisco-nsp at puck.nether.net
Message-ID: <20050126222749.GE59881 at new.detebe.org>
Content-Type: text/plain; charset=us-ascii

gert at greenie.muc.de (Gert Doering) wrote:

> *This* bug (IPv6), yes.  But you missed "the other" advisory that tells you
> you need to go to 12.2(25)S if you want to keep "bgp log-neighbour-changes"
> functionality...

12.2(25)S...tough on a 7400 since obviously nobody bothered to compile it
for that platform. Looks like Cisco doesn't cater for this box in the
12.2S train anymore. I'll have to step to 12.3...

Elmar.

--

"Just don't make the mistake of substituting expertise for opinion."
                          (PLemken, <bu6o7e$e6v0p$2 at ID-31.news.uni-berlin.de>)

--------------------------------------------------------------[ ELMI-RIPE ]---



------------------------------

Message: 10
Date: Wed, 26 Jan 2005 23:30:20 +0100
From: Gert Doering <gert at greenie.muc.de>
Subject: Re: [c-nsp] Cisco Security Advisory: Multiple Crafted IPv6
	Packets	Cause Reload
To: "Elmar K. Bins" <elmi at 4ever.de>
Cc: Gert Doering <gert at greenie.muc.de>, cisco-nsp at puck.nether.net
Message-ID: <20050126223020.GS26144 at greenie.muc.de>
Content-Type: text/plain; charset=us-ascii

Hi,

On Wed, Jan 26, 2005 at 11:27:50PM +0100, Elmar K. Bins wrote:
> gert at greenie.muc.de (Gert Doering) wrote:
> 
> > *This* bug (IPv6), yes.  But you missed "the other" advisory that tells you
> > you need to go to 12.2(25)S if you want to keep "bgp log-neighbour-changes"
> > functionality...
> 
> 12.2(25)S...tough on a 7400 since obviously nobody bothered to compile it
> for that platform. Looks like Cisco doesn't cater for this box in the
> 12.2S train anymore. I'll have to step to 12.3...

Just set "no bgp log-neighbour-changes" and be happy with 12.2(18)S5+ :-)

<minirant>12.2S release cycles and stability could be improved.</minirant>

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de


------------------------------



End of cisco-nsp Digest, Vol 26, Issue 120
******************************************


