[c-nsp] SUP720 - 12.2(18)SXF17

Phil Mayers p.mayers at imperial.ac.uk
Fri Oct 9 10:10:58 EDT 2009


Jared Mauch wrote:
> I think it's important to note that there are similar limiters in  
> other devices, eg: Juniper m20/m40 that we've encountered over the  
> years.
> 
> This has caused customer confusion as they hit these, even in a fully  
> distributed linecard environment.  The reality is unless it's done in  
> a low-level ASIC, it can easily turn into a security vulnerability.
> 
> Drop 5 gigs of ttl=1 traffic at a device and it will fall over unless  
> there is some protection.  It may not even need to be as high as 5g.
> 
> There are a lot of rate-limiters available, check out 'show mls rate- 
> limit' on your Earl7 (76k, ie: (65|76)00) based device. Set them low  
> to avoid problems.  I find 100/10 works well.

One point worth adding - some of the rate-limiters can do more harm than 
good, in some cases a *lot* more harm than good.

The main examples cited tend to be the "CEF RECEIVE" and "CEF GLEAN" 
ones. Both just serve to drop traffic earlier than it would otherwise, 
but with no granularity, so an attacker can DoS the CPU for legitimate 
services. CoPP is far superior to the former, and the latter is hard to 
fix without per-layer3-interface rate-limiters.

I also vaguely recall TAC telling me there are underlying problems with 
the CEF GLEAN one, but they never forwarded the bug ID to me.

But I agree, we set 100/10 for RPF/TTL/UNREACH-no-route/MTU failure, and 
I'm glad of it, because it's saved us from a couple of nasties.
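The combination described in this thread, as an added IOS configuration example that is not from the original post or its author: the hardware rate-limiters for RPF, TTL, ICMP unreachable (no-route) and MTU failures set to 100 pps with a burst of 10 (the 100/10 value both posters mention), the coarse CEF RECEIVE limiter left disabled, and a CoPP policy doing the per-class policing of receive-path traffic instead. The CoPP class names, the ACL numbers and contents, the policer rates, and the management prefix 192.0.2.0/24 are constructed for the example and must be adapted to the local control plane; the `mls rate-limit` and `control-plane` commands themselves are Earl7/12.2SX syntax.

```ios
! --- Hardware rate-limiters on the SUP720 (Earl7) ---
! Each takes <pps> [burst]; 100/10 is the value recommended in the thread.
mls rate-limit unicast ip rpf-failure 100 10
mls rate-limit all ttl-failure 100 10
mls rate-limit unicast ip icmp unreachable no-route 100 10
mls rate-limit all mtu-failure 100 10
!
! The CEF RECEIVE limiter has no per-protocol granularity, so a flood of
! one kind of receive-path traffic starves all others once it engages.
! Leave it off and let CoPP do the classification below.
no mls rate-limit unicast cef receive
!
! --- CoPP: police receive-path traffic per class instead ---
! ACL 120 (constructed): routing-protocol peers that must never be starved.
access-list 120 permit ospf any any
access-list 120 permit tcp any any eq bgp
access-list 120 permit tcp any eq bgp any
!
! ACL 121 (constructed): management from an assumed trusted prefix.
access-list 121 permit tcp 192.0.2.0 0.0.0.255 any eq 22
access-list 121 permit udp 192.0.2.0 0.0.0.255 any eq snmp
!
class-map match-any COPP-ROUTING
 match access-group 120
class-map match-any COPP-MGMT
 match access-group 121
!
! Rates (bps) and burst sizes are example values, not measurements.
policy-map COPP
 class COPP-ROUTING
  police 512000 8000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 256000 8000 conform-action transmit exceed-action drop
 class class-default
  police 64000 4000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

After applying, `show mls rate-limit` confirms which limiters are on and their pps/burst values, and `show policy-map control-plane` shows per-class conform and exceed counters; a climbing exceed counter in a specific class, rather than a silent hardware drop, is what makes the CoPP approach diagnosable when something does hit the CPU.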


More information about the cisco-nsp mailing list