[c-nsp] iBGP

Mark Tohill Mark at u.tv
Fri Jul 29 10:54:17 EDT 2005


Hi,

Another BGP Question!

Consider an ISP with 2 PoPs and one upstream provider peered at each
PoP.
Each PoP advertising out own parts of /16. Running iBGP with upstream
only.

A third PoP (CoLo) is required for DSL aggregation (with different
provider).

Intention is to change to eBGP and advertise own distinct blocks of that
/16 from own AS no.

Redundancy/resiliency can't be fully implemented as yet since
infrastructure being upgraded.

Questions:
1. eBGP IS my only option, right??

2. Is there a need to configure iBGP neighbors on our side across PoPs
since these can't be used yet? Any other implications to not using iBGP?

3. What is the best way of favouring inbound traffic on one of two
routers configured identically in same PoP in a HSRP (Active-standby
router scenario)? We had implemented this via local-pref, but this is
only intra-AS, which we are about to lose?


Thanks,
Mark.



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
cisco-nsp-request at puck.nether.net
Sent: 29 July 2005 09:54
To: cisco-nsp at puck.nether.net
Subject: cisco-nsp Digest, Vol 32, Issue 108


Today's Topics:

   1. Re: PA-MC-2T3+ and loopup codes (Mark Kent)
   2. Re: Power Redundancy in 3550 or 3750? (Andrew Fort)
   3. VPN3000 intermittent GUI login problem & hardening (Cis Ckp)
   4. Re: Power Redundancy in 3550 or 3750? (Adam Griffiths)
   5. Re: Netflow and Sup720 / 12.2(18)SXE (Adam Griffiths)
   6. Cisco Security Advisory: IPv6 Crafted Packet Vulnerability
      (Cisco Systems Product Security Incident Response Team)


----------------------------------------------------------------------

Message: 1
Date: Thu, 28 Jul 2005 22:14:20 -0700 (PDT)
From: Mark Kent <mark at noc.mainstreet.net>
Subject: Re: [c-nsp] PA-MC-2T3+ and loopup codes
To: cisco-nsp at puck.nether.net
Message-ID: <200507290514.j6T5EKt3075006 at noc.mainstreet.net>

>> I've heard that some of the NIU's (SBC units here, all
>> Westell AFAIK) are using a different loop up code now but have never
>> confirmed it. Has anyone else seen this?

Yes, we have a few stubborn NIU (CA SBC) that don't loop.
I haven't looked deeply to see if there is a pattern to this,
but we have more than Westell here.  I've seen Adtran and
I think at least one other make.

Like you, dropping loops is no problem.

-mark


------------------------------

Message: 2
Date: Fri, 29 Jul 2005 17:16:55 +1000
From: Andrew Fort <afort at choqolat.org>
Subject: Re: [c-nsp] Power Redundancy in 3550 or 3750?
Cc: cisco-nsp at puck.nether.net
Message-ID: <42E9D7E7.10207 at choqolat.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Jan Friedel wrote:
>   Check the RPS675 solution.

<friday afternoon rant>
'Solution' is a strong word for the RPS675. :-)

Unfortunately, it's a bit of a joke.  You waste an additional 1RU per
device you want redundant power for -- why?  Because the RPS is designed
to protect against power supply unit failure, not power supply failure;
i.e., if you plug in more than one device to the RPS, and lose mains
power, only one of the devices attached to the (usually 5 or 6) power
sockets will receive power.

So, although it's the only solution to Skeeve's problem, it's a space 
eater when you really just want another power supply that you attach to 
UPS as opposed to raw power.

Also, when you switch from RPS back to mains, the switch will power 
cycle; so power outages still require an outage, just that you get to 
choose when it'll be.  Rumor is that this is a design flaw.

</friday afternoon rant>

-andrew



------------------------------

Message: 3
Date: Fri, 29 Jul 2005 15:54:30 +0800 (CST)
From: Cis Ckp <cisckp8 at yahoo.com.sg>
Subject: [c-nsp] VPN3000 intermittent GUI login problem & hardening
To: cisco-nsp at puck.nether.net
Message-ID: <20050729075430.82045.qmail at web31413.mail.mud.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

Hi,
 
I recently took over the support of one VPN 3000 & was tasked to
harden it like:
- use TACACS for login authentication
- insert login banner
- recovery password with "service password-encryption"

I'm not sure if all these requests from our security can be
supported on VPN3000 - can someone give input & provide
a url to harden it?


Secondly, I kept getting an intermittent login problem (which
sometimes goes away by itself & I heard from my predecessor
that sometimes it needs a reboot).  The message is:

Invalid Login or Session Timeout
VPN 3000 Concentrator
   Login: admin
Password: xxxxxxxxxx

Copyright © 1998-2004 Cisco Systems, Inc.

I found that when this problem happens, the VPN clients
can still login while I can still login thru the console, only
the http/https web interface (via public interface) gave the
above login error.  We thought it's a bug with the VPN
software so we upgraded using the vpn3000-4.1.7.F-k9.bin
image (was 4.0.1x-k9 previously) but this problem
still persists; can't remember what's "x".

If you need the savelog, I can email it to you but I can't
seem to find anything.  As I'm new to this, I still haven't
tracked down which syslog server this box logs to.
 
 
Thanks for any help
 
 
 


------------------------------

Message: 4
Date: Fri, 29 Jul 2005 18:03:52 +1000
From: Adam Griffiths <adam.griffiths at gmail.com>
Subject: Re: [c-nsp] Power Redundancy in 3550 or 3750?
To: cisco-nsp at puck.nether.net
Message-ID: <ec0762a605072901038d136fe at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

<rant>
 
I'd like to add that the RPS675 "solution" requires somebody
onsite to actually press the button on the front of the RPS to swap
from RPS to internal supply.

This is not an ideal solution if you are using these switches in
remote locations, for instance in the basement of a building, or in a
mobile hut 100km out of a capital city.

</rant>


> On 7/29/05, Andrew Fort <afort at choqolat.org> wrote:
> > Jan Friedel wrote:
> > >   Check the RPS675 solution.
> >
> > <friday afternoon rant>
> > 'Solution' is a strong word for the RPS675. :-)
> >
> > Unfortunately, it's a bit of a joke.  You waste an additional 1RU per
> > device you want redundant power for -- why?  Because the RPS is designed
> > to protect against power supply unit failure, not power supply failure;
> > i.e., if you plug in more than one device to the RPS, and lose mains
> > power, only one of the devices attached to the (usually 5 or 6) power
> > sockets will receive power.
> >
> > So, although it's the only solution to Skeeve's problem, it's a space
> > eater when you really just want another power supply that you attach to
> > UPS as opposed to raw power.
> >
> > Also, when you switch from RPS back to mains, the switch will power
> > cycle; so power outages still require an outage, just that you get to
> > choose when it'll be.  Rumor is that this is a design flaw.
> >
> > </friday afternoon rant>
> >
> > -andrew
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>



------------------------------

Message: 5
Date: Fri, 29 Jul 2005 18:04:47 +1000
From: Adam Griffiths <adam.griffiths at gmail.com>
Subject: Re: [c-nsp] Netflow and Sup720 / 12.2(18)SXE
To: Tim Stevenson <tstevens at cisco.com>
Cc: Gert Doering <gert at greenie.muc.de>, cisco-nsp at puck.nether.net
Message-ID: <ec0762a60507290104fbf0335 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Tim,
 
We've heard "It's on the roadmap" for quite a while now....since just
after the Sup720 was released.

Has a timeframe been determined for the release of this feature?

Cheers,

Adam

> On 7/29/05, Gert Doering <gert at greenie.muc.de> wrote:
> > Hi,
> >
> > On Thu, Jul 28, 2005 at 09:44:27AM -0700, Tim Stevenson wrote:
> > > >As far as I can see right now, the Sup720 still has the habit of
> > > >exporting flow records for *all* interfaces on the box, not only for
> > > >interfaces that carry "ip flow ingress" or "ip route-cache flow".
> > >
> > > Per-interface netflow export is not supported today.
> >
> > I was afraid you'd say that...
> >
> > > It is on the roadmap.
> >
> > ... but this is good news, thanks.  *Waiting for it* :-)
> >
> > (If it helps, I can open a TAC case and ask for it.  Haven't registered
> > the Smartnet yet, but it's lying on my desk...)
> >
> > > ><snip>
> > > >the ifindex "2" and "15" that are given as output interfaces are fine -
> > > >but the "input = 0" value is no good.
> > >
> > > can you please try mls flow ip interface-full flow mask?
> >
> > Yes, that works.  Overlooked that part of mls configuration.
> >
> > thanks again,
> >
> > gert
> >
> > --
> > USENET is *not* the non-clickable part of WWW!
> >                                                            //www.muc.de/~gert/
> > Gert Doering - Munich, Germany                             gert at greenie.muc.de
> > fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>



------------------------------

Message: 6
Date: Fri, 29 Jul 2005 10:00:00 +0200
From: Cisco Systems Product Security Incident Response Team
	<psirt at cisco.com>
Subject: [c-nsp] Cisco Security Advisory: IPv6 Crafted Packet
	Vulnerability
To: cisco-nsp at puck.nether.net
Cc: psirt at cisco.com
Message-ID: <200507291000.ipv6 at psirt.cisco.com>
Content-Type: Text/Plain; charset="us-ascii"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: IPv6 Crafted Packet Vulnerability

Revision 1.0

For Public Release 2005 July 29 0800 UTC

--------------------------------------------------------------------------------

Contents
========

    Summary
    Affected Products
    Details
    Impact
    Software Versions and Fixes
    Obtaining Fixed Software
    Workarounds
    Exploitation and Public Announcements
    Status of This Notice: INTERIM
    Distribution
    Revision History
    Cisco Security Procedures

--------------------------------------------------------------------------------

Summary
=======

Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial
of Service (DoS) and potentially an arbitrary code execution attack from a
specifically crafted IPv6 packet. The packet must be sent from a local network
segment. Only devices that have been explicitly configured to process IPv6
traffic are affected. Upon successful exploitation, the device may reload or be
open to further exploitation.

Cisco has made free software available to address this vulnerability for all
affected customers.

This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.

Affected Products
=================

Vulnerable Products

This issue affects all Cisco devices running any unfixed version of Cisco IOS
code that supports, and is configured for, IPv6. A device which supports IPv6
must have the interfaces specifically disabled to not be affected. IPv6 must be
completely disabled using both the command no ipv6 address and no ipv6 enable
on each interface.

Sample output of the show ipv6 interface command is shown below for two
systems, one not configured for IPv6 and one configured for IPv6.

An empty output or an error message will be displayed if IPv6 is disabled or
unsupported on the system.

    Router#show ipv6 int fa 0/0

    -here you see blank output


In the example below the system is vulnerable.

    Router#show ipv6 interface
    Serial1/0 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
      Global unicast address(es):
        2001:1:33::3, subnet is 2001:1:33::/64
      Joined group address(es):
        FF02::1
        FF02::1:FF00:3
        FF02::1:FF00:D200
      MTU is 1500 bytes
      ICMP error messages limited to one every 100 milliseconds
      ICMP redirects are enabled
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds
    Router#


A router that has IPv6 enabled on a physical or logical interface is vulnerable
to this issue even if ipv6 unicast-routing is globally disabled. The show ipv6
interface command can be used to determine whether IPv6 is enabled on any
interface.

To determine the software running on a Cisco product, log in to the device and
issue the show version command to display the system banner. Cisco IOS Software
will identify itself as "Internetwork Operating System Software" or simply
"IOS." On the next line of output, the image name will be displayed between
parentheses, followed by "Version" and the IOS release name. Other Cisco
devices will not have the show version command or will give different output.

The following example shows a product running IOS release 12.3(6) with an image
name of C2600-JS-MZ:

    Cisco Internetwork Operating System Software IOS (tm)

    C2600 Software (C2600-JS-MZ), Version 12.3(6), RELEASE SOFTWARE (fc1)


Additional information about Cisco IOS release naming can be found at
http://www.cisco.com/warp/public/620/1.html.

Products Confirmed Not Vulnerable

Products that are not running Cisco IOS are not affected.

Products running any version of Cisco IOS that do not have IPv6 configured
interfaces are not vulnerable.

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

IPv6 is the "Internet Protocol Version 6", designed by the Internet Engineering
Task Force (IETF) to replace the current version of the Internet Protocol, IP
Version 4 (IPv4).

A vulnerability exists in the processing of IPv6 packets. Crafted packets from
the local segment received on logical interfaces (that is, tunnels, including
6to4 tunnels) as well as physical interfaces can trigger this vulnerability.
Crafted packets can not traverse a 6to4 tunnel and attack a box across the
tunnel.

The crafted packet must be sent from a local network segment to trigger the
attack. This vulnerability can not be exploited one or more hops from the IOS
device.

This issue is documented in Cisco bug ID CSCef68324.

Impact
======

Successful exploitation of the vulnerability may result in a reload of the
device or execution of arbitrary code. Repeated exploitation could result in a
sustained DoS attack or execution of arbitrary code.

Software Versions and Fixes
===========================

Each row of the Cisco IOS software table below describes a release train and
the platforms or products for which it is intended. If a given release train is
vulnerable, then the earliest possible releases that contain the fix (the First
Fixed Release) and the anticipated date of availability for each are listed in
the Rebuild and Maintenance columns. A device running a release in the given
train that is earlier than the release in a specific column (less than the
First Fixed Release) is known to be vulnerable. The release should be upgraded
at least to the indicated release or a later version (greater than or equal to
the First Fixed Release label).
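The two checks the Affected Products section describes (is IPv6 enabled on any interface, and which release does the show version banner report) together with the reading rule for the table above are mechanical enough to script for a fleet. The Python below is an added example, not Cisco tooling and not part of the advisory: it parses saved CLI output, lists IPv6-enabled interfaces, extracts the image name and release, and compares the release against a hand-transcribed subset of the table (12.0S, 12.2S, 12.2SXB/SXD/SXE, 12.2T, 12.3 and 12.3T). The sample CLI output is constructed for the example. The comparison rule (same train and maintenance number needs the listed rebuild or later; otherwise only a maintenance number beyond the latest listed release counts as fixed) is this example's interpretation of the "earlier than the First Fixed Release" wording, not text from the advisory, and trains the subset does not carry, including the "migrate to" and "contact TAC" rows, are reported as unknown rather than guessed.

```python
"""Triage helper for the IPv6 crafted packet advisory (added example,
not Cisco tooling).  Applies the advisory's two checks to saved CLI
output and compares the release against a subset of the fix table."""
import re
from typing import Dict, List, Optional, Tuple

# Hand-transcribed subset of the advisory's "Software Versions and Fixes"
# table: train name as the advisory writes it -> First Fixed Releases
# (rebuild and maintenance columns).  Any other train reports "unknown".
FIRST_FIXED: Dict[str, List[str]] = {
    "12.0S": ["12.0(26)S6", "12.0(27)S5", "12.0(28)S3", "12.0(30)S2", "12.0(31)S"],
    "12.2S": ["12.2(14)S14", "12.2(18)S9", "12.2(20)S8", "12.2(25)S4"],
    "12.2SXB": ["12.2(17d)SXB8"],
    "12.2SXD": ["12.2(18)SXD4"],
    "12.2SXE": ["12.2(18)SXE1"],
    "12.2T": ["12.2(13)T16", "12.2(15)T16"],
    "12.3": ["12.3(3h)", "12.3(5e)", "12.3(6e)", "12.3(9d)", "12.3(10d)",
             "12.3(12b)", "12.3(13a)", "12.3(15)"],
    "12.3T": ["12.3(7)T9", "12.3(8)T8", "12.3(11)T5", "12.3(14)T2"],
}

# Constructed sample CLI output (not captured from a real device), shaped
# like the examples in the advisory text.
SHOW_IPV6_INTERFACE = """\
Serial1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
  Global unicast address(es):
    2001:1:33::3, subnet is 2001:1:33::/64
  MTU is 1500 bytes
"""
SHOW_VERSION = """\
Cisco Internetwork Operating System Software IOS (tm)
C2600 Software (C2600-JS-MZ), Version 12.3(6), RELEASE SOFTWARE (fc1)
"""

# major.minor(maint[letter])[TRAIN][rebuild], e.g. 12.2(17d)SXB8
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)$")


def parse_release(release: str) -> Tuple[str, Tuple[int, str, int]]:
    """'12.2(17d)SXB8' -> ('12.2SXB', (17, 'd', 8)): the train plus an
    orderable key of maintenance number, rebuild letter, rebuild number."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised IOS release string: {release!r}")
    major, minor, maint, letter, train, rebuild = m.groups()
    return f"{major}.{minor}{train}", (int(maint), letter, int(rebuild or 0))


def ipv6_enabled_interfaces(output: str) -> List[str]:
    """Interfaces whose 'show ipv6 interface' block says IPv6 is enabled.
    Blank output (the advisory's not-configured case) gives an empty list."""
    enabled, current = [], None
    for line in output.splitlines():
        header = re.match(r"^(\S+) is .*line protocol is", line)
        if header:
            current = header.group(1)
        elif current and line.strip().startswith("IPv6 is enabled"):
            enabled.append(current)
    return enabled


def parse_show_version(output: str) -> Optional[Tuple[str, str]]:
    """(image name, release) from the IOS banner, e.g. ('C2600-JS-MZ',
    '12.3(6)'); None when the banner is not shaped like the IOS one."""
    m = re.search(r"\(([^)]+)\), Version (\S+),", output)
    return (m.group(1), m.group(2)) if m else None


def release_status(release: str) -> str:
    """'fixed', 'vulnerable' or 'unknown' (train not in FIRST_FIXED), using
    this example's reading of the table (see the lead-in above)."""
    train, key = parse_release(release)
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return "unknown"
    fixed_keys = [parse_release(f)[1] for f in fixed]
    for fk in fixed_keys:  # same maintenance number: need that rebuild or later
        if fk[0] == key[0]:
            return "fixed" if key >= fk else "vulnerable"
    latest = max(fk[0] for fk in fixed_keys)
    return "fixed" if key[0] > latest else "vulnerable"


def triage(show_ipv6_interface: str, show_version: str) -> Tuple[str, str]:
    """Verdict and reason combining both checks the advisory describes."""
    ifaces = ipv6_enabled_interfaces(show_ipv6_interface)
    if not ifaces:
        return "not vulnerable", "no interface has IPv6 enabled"
    parsed = parse_show_version(show_version)
    if parsed is None:
        return "unknown", "banner is not Cisco IOS; advisory covers IOS only"
    image, release = parsed
    reason = f"IPv6 enabled on {', '.join(ifaces)}; {image} runs {release}"
    return release_status(release), reason


if __name__ == "__main__":
    print(triage(SHOW_IPV6_INTERFACE, SHOW_VERSION))
```

Run against the constructed sample it reports the device as vulnerable, since 12.3(6) is below the listed 12.3(6e) rebuild; feeding it blank show ipv6 interface output gives "not vulnerable", matching the advisory's statement that a device with no IPv6-configured interface is not affected. Extend FIRST_FIXED from the table rather than guessing at trains it does not cover.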

+---------------------------------------------+
| Major Release  |  Availability of Repaired  |
|                |          Releases          |
|----------------+----------------------------|
|    Affected    |              |             |
|   12.0-Based   |   Rebuild    | Maintenance |
|    Release     |              |             |
|----------------+--------------+-------------|
| 12.0S          | 12.0(26)S6   |             |
|----------------+--------------+-------------|
|                | 12.0(27)S5   |             |
|----------------+--------------+-------------|
|                | 12.0(28)S3   |             |
|----------------+--------------+-------------|
|                | 12.0(30)S2   | 12.0(31)S   |
|----------------+----------------------------|
| 12.0SX         | Vulnerable; contact TAC    |
|----------------+----------------------------|
|                | Vulnerable; migrate to     |
|                | 12.0(31)S or later         |
|----------------+----------------------------|
| 12.0SL         | Vulnerable; migrate to     |
|                | 12.0(31)S or later         |
|----------------+----------------------------|
| 12.0ST         | Vulnerable; migrate to     |
|                | 12.0(31)S or later         |
|----------------+----------------------------|
| 12.0SY         | Vulnerable; migrate to     |
|                | 12.0(31)S or later         |
|----------------+----------------------------|
|    Affected    |              |             |
|   12.1-Based   |   Rebuild    | Maintenance |
|    Release     |              |             |
|----------------+----------------------------|
| 12.1XU         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.1XV         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.1YB         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.1YC         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.1YD         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.1YE         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.1YF         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.1YH         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.1YI         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
|    Affected    |              |             |
|   12.2-Based   |   Rebuild    | Maintenance |
|    Release     |              |             |
|----------------+----------------------------|
| 12.2B          | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.2BC         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.2BW         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2BY         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.2BX         | Vulnerable; migrate to     |
|                | 12.3(7)XI4 or later        |
|----------------+----------------------------|
| 12.2BZ         | Vulnerable; migrate to     |
|                | 12.3(7)XI4 or later        |
|----------------+----------------------------|
| 12.2CX         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.2CY         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.2CZ         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.2DD         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.2DX         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.2EU         | 12.2(20)EU1  |             |
|----------------+----------------------------|
| 12.2EW         | Vulnerable; migrate to     |
|                | 12.2(25)EWA                |
|----------------+----------------------------|
| 12.2EWA        | 12.2(25)EWA1 |             |
|----------------+----------------------------|
| 12.2EX         | Vulnerable; migrate to     |
|                | 12.2(25)SEA or later       |
|----------------+----------------------------|
| 12.2EY         | 12.2(25)EY1  |             |
|----------------+--------------+-------------|
| 12.2EZ         |              | 12.2(25)EZ  |
|----------------+----------------------------|
| 12.2JA         | Vulnerable; migrate to     |
|                | 12.3(4)JA or later         |
|----------------+----------------------------|
| 12.2JK         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.2MB         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.2MC         | Vulnerable; migrate to     |
|                | 12.4(2)MR                  |
|----------------+----------------------------|
| 12.2MX         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
|                | 12.2(14)S14  |             |
|                |--------------+-------------|
|                | 12.2(18)S9   |             |
|12.2S           |--------------+-------------|
|                | 12.2(20)S8   |             |
|                |--------------+-------------|
|                | 12.2(25)S4   |             |
|----------------+----------------------------|
| 12.2SE         | Vulnerable; migrate to     |
|                | 12.2(25)SEB or later       |
|----------------+----------------------------|
| 12.2SEA        | Vulnerable; migrate to     |
|                | 12.2(25)SEB or later       |
|----------------+----------------------------|
| 12.2SEB        |              | 12.2(25)SEB |
|----------------+--------------+-------------|
| 12.2SEC        |              | 12.2(25)SEC |
|----------------+----------------------------|
| 12.2SO         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.2SU         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.2SV         |              | 12.2(26)SV  |
|----------------+----------------------------|
| 12.2SW         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.2SX         | Vulnerable; migrate to     |
|                | 12.2(17d)SXB8 or later     |
|----------------+----------------------------|
| 12.2SXA        | Vulnerable; migrate to     |
|                | 12.2(17d)SXB8 or later     |
|----------------+----------------------------|
| 12.2SXB        | 12.2(17d)    |             |
|                | SXB8         |             |
|----------------+--------------+-------------|
| 12.2SXD        | 12.2(18)SXD4 |             |
|----------------+--------------+-------------|
| 12.2SXE        | 12.2(18)SXE1 |             |
|----------------+----------------------------|
| 12.2SY         | Vulnerable; migrate to     |
|                | 12.2(17d)SXB8 or later     |
|----------------+----------------------------|
| 12.2SZ         | Vulnerable; migrate to     |
|                | 12.2(20)S8 or later        |
|----------------+----------------------------|
|                | 12.2(13)T16  |             |
|12.2T           |--------------+-------------|
|                | 12.2(15)T16  |             |
|----------------+----------------------------|
| 12.2XA         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XB         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XC         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.2XD         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XE         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XF         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.2XG         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XH         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XI         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XJ         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XK         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XL         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XM         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XN         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XQ         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XR         | Vulnerable; migrate to     |
|                | 12.3(4)JA or later         |
|----------------+----------------------------|
| 12.2XT         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XU         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XW         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2XZ         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2YT         | Vulnerable; migrate to     |
|                | 12.2(15)T16 or later       |
|----------------+----------------------------|
| 12.2YU         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.2YV         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.2YZ         | Vulnerable; migrate to     |
|                | 12.2(20)S8 or later        |
|----------------+----------------------------|
| 12.2ZA         | Vulnerable; migrate to     |
|                | 12.2(17d)SXB8 or later     |
|----------------+----------------------------|
| 12.2ZC         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.2ZD         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.2ZE         | Vulnerable; migrate to     |
|                | 12.3(15) or later          |
|----------------+----------------------------|
| 12.2ZF         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.2ZG         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.2ZH         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.2ZJ         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.2ZL         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.2ZN         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.2ZO         | Vulnerable; migrate to     |
|                | 12.2(15)T16 or later       |
|----------------+----------------------------|
| 12.2ZP         | Vulnerable; contact TAC    |
|----------------+----------------------------|
|    Affected    |              |             |
|   12.3-Based   |   Rebuild    | Maintenance |
|    Release     |              |             |
|----------------+--------------+-------------|
|                | 12.3(3h)     |             |
|                |--------------+-------------|
|                | 12.3(5e)     |             |
|                |--------------+-------------|
|                | 12.3(6e)     |             |
|                |--------------+-------------|
| 12.3           | 12.3(9d)     |             |
|                |--------------+-------------|
|                | 12.3(10d)    |             |
|                |--------------+-------------|
|                | 12.3(12b)    |             |
|                |--------------+-------------|
|                | 12.3(13a)    | 12.3(15)    |
|----------------+--------------+-------------|
| 12.3B          | 12.3(5a)B5   |             |
|----------------+--------------+-------------|
| 12.3BC         |              | 12.3(13a)BC |
|----------------+----------------------------|
| 12.3BW         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.3JA         |              | 12.3(4)JA   |
|----------------+--------------+-------------|
| 12.3JK         |              | 12.3(2)JK   |
|----------------+--------------+-------------|
|                | 12.3(7)T9    |             |
|                |--------------+-------------|
|                | 12.3(8)T8    |             |
|12.3T           |--------------+-------------|
|                | 12.3(11)T5   |             |
|                |--------------+-------------|
|                | 12.3(14)T2   |             |
|----------------+----------------------------|
| 12.3XA         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.3XB         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.3XC         | 12.3(2)XC3   |             |
|----------------+----------------------------|
| 12.3XD         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.3XE         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.3XF         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.3XG         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.3XH         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.3XI         | 12.3(7)XI4   |             |
|----------------+----------------------------|
| 12.3XJ         | Vulnerable; migrate to     |
|                | 12.3(11)YF3 or later       |
|----------------+----------------------------|
| 12.3XK         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.3XL         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.3XM         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.3XQ         | 12.3(4)XQ1   |             |
|----------------+--------------+-------------|
| 12.3XR         | 12.3(7)XR4   |             |
|----------------+----------------------------|
| 12.3XS         | Vulnerable; migrate to     |
|                | 12.4(1) or later           |
|----------------+----------------------------|
| 12.3XT         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.3XU         | Vulnerable; migrate to     |
|                | 12.4(2)T or later          |
|----------------+----------------------------|
| 12.3XW         | Vulnerable; migrate to     |
|                | 12.3(11)YF3 or later       |
|----------------+----------------------------|
| 12.3XX         | Vulnerable; migrate to     |
|                | 12.4(1) or later           |
|----------------+----------------------------|
| 12.3XY         | Vulnerable; migrate to     |
|                | fixed 12.3(14)T2 or later  |
|----------------+----------------------------|
| 12.3YA         | 12.3(8)YA1   |             |
|----------------+----------------------------|
| 12.3YD         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.3YF         | 12.3(11)YF3  |             |
|----------------+--------------+-------------|
| 12.3YG         | 12.3(8)YG2   |             |
|----------------+----------------------------|
| 12.3YH         | Vulnerable; migrate to     |
|                | 12.3(8)YI1 or later        |
|----------------+----------------------------|
| 12.3YI         | 12.3(8)YI1   |             |
|----------------+--------------+-------------|
| 12.3YJ         | 12.3(11)YJ   |             |
|----------------+----------------------------|
| 12.3YK         | Vulnerable; contact TAC    |
|----------------+----------------------------|
| 12.3YQ         | 12.3(14)YQ1  |             |
|----------------+--------------+-------------|
| 12.3YS         |              | 12.3(11)YS  |
|----------------+--------------+-------------|
| 12.3YT         |              | 12.3(14)YT  |
|----------------+--------------+-------------|
| 12.3YU         |              | 12.3(14)YU  |
|----------------+--------------+-------------|
|    Affected    |              |             |
|   12.4-Based   |   Rebuild    | Maintenance |
|    Release     |              |             |
|----------------+--------------+-------------|
| 12.4           |              | 12.4(1)     |
|----------------+--------------+-------------|
| 12.4MR         |              | 12.4(2)MR   |
|----------------+--------------+-------------|
| 12.4T          |              | 12.4(2)T    |
+---------------------------------------------+

For further information on the terms "Rebuild" and "Maintenance," please
consult the following URL: http://www.cisco.com/warp/public/620/1.html

When considering software upgrades, please also consult
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
and any subsequent advisories to determine exposure and a complete upgrade
solution.

In all cases, customers should exercise caution to be certain the devices to
be upgraded contain sufficient memory and that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, contact the Cisco Technical Assistance Center
("TAC") for assistance.

Obtaining Fixed Software
========================

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular
update channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com.

Customers using Third-party Support Organizations

Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free of
charge.

Customers without Service Contracts

Customers who purchase direct from Cisco but who do not hold a Cisco service
contract and customers who purchase through third-party vendors but are
unsuccessful at obtaining fixed software through their point of sale should get
their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC
contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades for
non-contract customers must be requested through the TAC.

Please do not contact either "psirt at cisco.com" or "security-alert at cisco.com"
for software upgrades.

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including special localized telephone numbers and
instructions and e-mail addresses for use in various languages.

Customers may only install and expect support for the feature sets they have
purchased. By installing, downloading, accessing or otherwise using such
software upgrades, customers agree to be bound by the terms of Cisco's software
license terms found at http://www.cisco.com/public/sw-license-agreement.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Workarounds
===========

The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and releases,
customers should consult with their service provider or support organization to
ensure any applied workaround is the most appropriate for use in the intended
network before it is deployed.

In networks where IPv6 is not needed, disabling IPv6 processing on an IOS
device will eliminate exposure to this vulnerability. On a router which
supports IPv6, this must be done by issuing the commands "no ipv6 enable" and
"no ipv6 address" on each interface.

Exploitation and Public Announcements
=====================================

This vulnerability was disclosed on July 27, 2005 at the Black Hat security
conference.

Status of This Notice: INTERIM
==============================

THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF
THE INFORMATION ON THE ADVISORY OR MATERIALS LINKED FROM THE ADVISORY IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY
TIME.

A stand-alone copy or paraphrase of the text of this security advisory that
omits the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

Distribution
============

This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail
and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-teams at first.org (includes CERT/CC)
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.

Revision History
================

+---------------------------------------------+
| Revision  | 2005-July-29 | Initial public   |
| 1.0       |              | release.         |
+---------------------------------------------+

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

- --------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC6ecEezGozzK2tZARAtVdAKCkpjbIOl/eHLEvg/zh9v7+qjB9RgCfX1mH
PTBk+H6SNwsGUPdKBNpEbMg=
=fNt5
-----END PGP SIGNATURE-----
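The advisory's workaround is per interface ("no ipv6 enable" and "no ipv6 address" on each one), so the practical question on a box with dozens of interfaces is which ones still process IPv6 after the change. The following is an added example, not part of the advisory or any Cisco tooling: a Python audit that parses a constructed "show running-config" capture (the sample config, hostname, addresses and AS numbers are made up for illustration), lists every interface that still carries "ipv6 enable" or an "ipv6 address" line, and prints the remediation stanza the advisory describes for each. The config parsing is a simple stanza splitter written for this example, not an official IOS parser.

```python
import re
from typing import Dict, List

# Constructed sample "show running-config" output (assumption: illustrative
# text only, not from the advisory or any real device). Two interfaces still
# process IPv6; one has already had the workaround applied.
SAMPLE_CONFIG = """\
!
hostname pop1-edge
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 description upstream peering
 ip address 192.0.2.9 255.255.255.252
 ipv6 address 2001:db8:0:1::1/64
!
interface GigabitEthernet0/1
 description customer aggregation
 ip address 192.0.2.13 255.255.255.252
 ipv6 enable
!
interface GigabitEthernet0/2
 description workaround already applied
 ip address 192.0.2.17 255.255.255.252
!
router bgp 64496
 neighbor 192.0.2.10 remote-as 64497
!
end
"""

# Either form leaves the interface processing IPv6: an explicit "ipv6 enable"
# or any "ipv6 address ..." line (a configured address implies IPv6 processing).
IPV6_LINE = re.compile(r"^ipv6 (enable|address\b.*)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split IOS running-config text into {interface name: [its config lines]}.

    A stanza starts at a non-indented "interface X" line and consists of the
    indented lines that follow; "!" or any other non-indented line ends it.
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def ipv6_exposed_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface: [offending ipv6 lines]} for interfaces still running IPv6."""
    exposed: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        hits = [line for line in lines if IPV6_LINE.match(line)]
        if hits:
            exposed[name] = hits
    return exposed


def remediation_commands(config: str) -> List[str]:
    """Emit the advisory's workaround stanza for every exposed interface.

    Both commands are issued without arguments on each interface, exactly as
    the advisory words them, so one pair per interface is enough.
    """
    cmds: List[str] = []
    for name in ipv6_exposed_interfaces(config):
        cmds.extend([f"interface {name}", " no ipv6 enable", " no ipv6 address"])
    return cmds


if __name__ == "__main__":
    exposed = ipv6_exposed_interfaces(SAMPLE_CONFIG)
    for name, hits in exposed.items():
        print(f"{name}: still processing IPv6 ({'; '.join(hits)})")
    if exposed:
        print("\nConfiguration to apply:")
        print("\n".join(remediation_commands(SAMPLE_CONFIG)))
    else:
        print("No interface has IPv6 processing enabled.")
```

Run it against a saved "show running-config" capture from each router rather than the constructed sample; the script only reads text, so it is safe to run from a jump host without device access. The caveat the advisory itself states still applies: this check is only useful where IPv6 is not needed. An interface that must keep IPv6 (a dual-stack upstream peering, for instance) cannot take the workaround and the router needs the fixed release from the table above.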


------------------------------

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp


End of cisco-nsp Digest, Vol 32, Issue 108
******************************************


