[c-nsp] IP Options Drop
Saku Ytti
saku at ytti.fi
Sun Apr 20 12:41:07 EDT 2014
On (2014-04-18 16:40 +0000), Robert Williams wrote:
> I’ve got a 6500/720 which needs to have IP Options enabled; I need to secure it as best as possible as it will be globally reachable on some of its interfaces. It has a very comprehensive CoPP on it which protects it just fine at the moment, but IP Options opens up a new attack vector.
I believe you need to use 'mls rate-limit unicast ip options'. Of course, it
will break your IP-options-dependent service earlier, but at least your whole
network won't be dead.
--
++ytti