[c-nsp] 6500 - Is it possible to sniff DSCP values over RSPAN?

Jared Mauch jared at puck.nether.net
Thu Jan 4 08:25:55 EST 2007


On Thu, Jan 04, 2007 at 07:45:01AM -0500, Dennis wrote:
> "  that is if you enable 'mls qos' it silently stomps all
> over the dscp values unless you disable this.  not obvious that enabling
> QoS would cause this issue.  When I saw this, I asked cisco to raise a
> bug on it, I don't have an ID handy though."
> 
> I'm not sure why this would qualify as a bug... this is good security
> behavior IMO... just because you enable QOS does not mean you want to trust
> all markings on all switch ports. Any host could configure QOS and mark
> their traffic to get priority on the network. The default behavior seems to
> follow the good security practice of implicitly deny unless it's explicitly
> allowed...

	I would generally agree if the default value (as they say)
nvgen'ed.  Otherwise you have a switch that does nothing
with dscp markings, you type 'mls qos' and now they're
magically gone.  No hint you've silently enabled an (essentially)
hidden command to rewrite the dscp.

	It's not really the stomping on the markings that bugs
me, it's the fact that you have this subtree of commands that are 
magically enabled that don't generate any associated configuration 
so you know they're on.

	This is just sloppy coding in the nvgen tree.

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
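The hidden-default problem discussed above can be audited from the running-config itself: once `mls qos` is present globally, any interface without an explicit `mls qos trust` line is untrusted and has its ingress DSCP rewritten, yet nothing in that interface's stanza says so. The script below is an added example (not from the thread or from Cisco); the config excerpt is constructed, and the per-trust-mode behaviour it encodes is an assumption based on the behaviour the thread describes for the Catalyst 6500.

```python
import re

# Constructed Catalyst 6500 running-config excerpt for illustration (not a real device).
SAMPLE_CONFIG = """\
mls qos
!
interface GigabitEthernet1/1
 description uplink to core
 mls qos trust dscp
!
interface GigabitEthernet1/2
 description voice VLAN access port
 mls qos trust cos
!
interface GigabitEthernet1/3
 description user access port
!
"""

TRUST_RE = re.compile(r"^\s*mls qos trust (dscp|cos|ip-precedence)\b")
INTF_RE = re.compile(r"^interface (\S+)")


def audit_dscp_rewrite(config: str) -> dict:
    """Return {interface: verdict} describing what happens to ingress DSCP.

    Assumption (from the thread): with 'mls qos' enabled globally, ports lacking a
    'mls qos trust ...' line are untrusted and DSCP is rewritten (to 0, from the
    default port CoS), although the running-config shows nothing per interface.
    With 'mls qos' absent, markings pass through untouched.
    """
    lines = config.splitlines()
    qos_enabled = any(line.strip() == "mls qos" for line in lines)
    trust, current = {}, None
    for line in lines:
        m = INTF_RE.match(line)
        if m:
            current = m.group(1)
            trust[current] = None          # untrusted until a trust line is seen
            continue
        t = TRUST_RE.match(line)
        if t and current:
            trust[current] = t.group(1)
    verdicts = {}
    for intf, mode in trust.items():
        if not qos_enabled:
            verdicts[intf] = "preserved (mls qos disabled)"
        elif mode == "dscp":
            verdicts[intf] = "preserved (trust dscp)"
        elif mode in ("cos", "ip-precedence"):
            verdicts[intf] = f"rewritten from {mode} map (trust {mode})"
        else:
            verdicts[intf] = "REWRITTEN to 0: untrusted by hidden default"
    return verdicts


if __name__ == "__main__":
    for intf, verdict in audit_dscp_rewrite(SAMPLE_CONFIG).items():
        print(f"{intf:24} {verdict}")
```

Run it against a saved `show running-config`; interfaces flagged as rewritten by hidden default are the ones whose DSCP you will not see intact on an RSPAN capture.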

