[c-nsp] Cisco Security Advisory: Cisco Catalyst 6000, 6500 and Cisco 7600 Series MPLS Packet Vulnerability
Jared Mauch
jared at puck.nether.net
Wed Feb 28 12:23:07 EST 2007
On Wed, Feb 28, 2007 at 11:17:39AM -0600, Dale W. Carder wrote:
> Thus spake Jared Mauch (jared at puck.nether.net) on Wed, Feb 28, 2007 at 12:08:28PM -0500:
> > On Wed, Feb 28, 2007 at 06:59:36PM +0200, Saku Ytti wrote:
> > > On (2007-02-28 17:00 +0100), Cisco Systems Product Security Incident Response Team wrote:
> > >
> > > > Cisco Security Advisory: Cisco Catalyst 6000, 6500 and Cisco 7600
> > > > Series MPLS Packet Vulnerability
> > >
> > > > * Cisco Catalyst 6500 systems that run 12.2(18)SXF4 with Cisco IOS
> > > > Software Modularity are affected.
> > >
> > > Silly me, I thought that modularity is far from having MPLS or IPv6
> > > implemented.
> >
> > My guess is that's why it caused it to die. Likely some poor
> > error checking :(
>
> I was thinking that one packet crashing the whole router didn't sound very
> modular to me. Shouldn't 'IP Input' just restart? ;-)

If you take a look at the "modular" software, there's some stuff
that is in a process called ios-base. If this crashes, you've got an issue,
much the same way if your kernel does a panic() on some other platform.

This does leave open the interesting question of will MPLS
stuff be inside ios-base once the "Whitney" release that has been
discussed here comes out. It may be worthwhile to have that discussion
with Cisco.

- Jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.