[c-nsp] Cisco 6500/Sup720 ARP CoPP

Saku Ytti saku at ytti.fi
Tue Feb 9 16:28:29 EST 2010


On (2010-02-09 20:13 +0000), Nick Hilliard wrote:
 
> so, this looks like an effective attack vector for trashing sup720 RPs then
> - if you have l2 access to the device.  Makes a good argument for
> implementing arp sponges on core paths and edges so that this cannot be
> exploited remotely.

I personally choose to police all ARP, so the attack vector is to congest ARP
so that no new hosts can come up, but nothing that used to work would
break. If this were JNPR then all hosts would break after ARP timeouts,
as JNPR does not refresh ARP cache on traffic.
But there are plenty of attack vectors in L2, like IXP or IS-IS packets; no
special rate-limiter, so they will go to 'class-default'.

> I assume that ipv6 nd is sufficiently high up the protocol stack that it
> can be managed by copp?

There is mls rate-limiter for ND, but that will also affect transit
traffic.

-- 
  ++ytti
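The "police all ARP" approach from the message above, as an added configuration example that is not from the original post or from Cisco's documentation for this thread; the rate and burst values are constructed placeholders to be sized for the box's own ARP load, and the policer is the Sup720 special-case protocol policer rather than an MQC CoPP class, since ARP is not matched by the hardware CoPP policy:

```cisco
! Constructed example, not the poster's config. Values are placeholders.
! Hardware policer for ARP punted to the RP (bps, burst in bytes).
! Excess ARP is dropped, so under flood only new/expired entries suffer;
! established entries keep working as long as they are refreshed in time.
mls qos
mls qos protocol arp police 32000 1000
!
! Glean rate-limiter: caps packets punted to resolve unknown next hops,
! which is the other path an ARP-exhaustion attempt would use (pps, burst).
mls rate-limit unicast cef glean 50 10
!
! Verify the limiters are programmed in hardware.
do show mls rate-limit
```

Size the ARP policer from `show mls rate-limit` and observed peak ARP rates before enforcing it, since a value below normal load reproduces the very outage it is meant to contain.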

