[c-nsp] Cisco Security Advisory: Cisco IOS Software Tunnels Vulnerability
Gert Doering
gert at greenie.muc.de
Thu Sep 24 03:24:48 EDT 2009
Hi,
On Wed, Sep 23, 2009 at 05:13:12PM -0400, ML wrote:
> The malicious packet *must* contain the actual tunnel source and
> destination address. Anything else and the attack is ineffective.
This is how I understood Wendy - and this makes this attack quite easy
to mitigate for us. Actually, we don't need to mitigate anything on
all-but-two routers, as those have only a single tunnel with a destination
address that's inside our network, and a source address coming from a
well-known block.
Infrastructure ACLs at the edge prevent packets to that destination
address, and anti-spoofing iACLs prevent packets with a source address
that would match the "tunnel destination".
Customer interfaces ALL have uRPF configured, so there is no way a packet
with a matching source address can enter our network. Case closed.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
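The three controls Gert lists (edge infrastructure ACL, anti-spoofing entries, strict uRPF on customer ports) written out as an added Cisco IOS configuration fragment; it is not from the post or from the advisory, and the interface names and all addresses are placeholders taken from the RFC 5737 documentation ranges.

```cisco
! Added example, not from the original post. Placeholder addressing:
!   192.0.2.0/24  = "our" well-known address block
!   192.0.2.1     = local tunnel endpoint (tunnel source)
!   192.0.2.129   = remote tunnel endpoint, inside our network (tunnel destination)
!
interface Tunnel0
 description Single GRE tunnel; both endpoints live inside our own block
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.129
!
ip access-list extended EDGE-IACL-IN
 remark Anti-spoofing: nothing arriving from outside may claim a source in our block,
 remark so an external packet cannot carry the tunnel destination as its source
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark Infrastructure protection: no external packet may be addressed to the tunnel endpoint
 deny   ip any host 192.0.2.1 log
 remark Remaining transit traffic falls through to the rest of the edge policy
 permit ip any any
!
interface GigabitEthernet0/0
 description Upstream / peering edge: apply the iACL inbound
 ip access-group EDGE-IACL-IN in
!
interface GigabitEthernet0/1
 description Customer-facing interface: strict uRPF drops packets whose source
 description is not reachable back through this same interface
 ip verify unicast source reachable-via rx
```

The `log` keyword on the two deny entries gives a detection signal for packets that would otherwise have matched the tunnel endpoints, so hits on those lines are worth alerting on.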