[c-nsp] Followup: ARP on ASR9k 4.3.2
Florian Lohoff
f at zz.de
Wed Feb 12 05:36:26 EST 2014
> Andrew Koch wrote:
> > PS: I made some sysctl tweaks on the linux machine to behave a little
> > more nice but still i see a bug here.
>
> We did the same while waiting for the SMU. The SMU should not be needed
> for 4.3.2 - the "arp learning local" interface command should be built-in,
> so hopefully you are good to go.
>
> Our biggest concern over this incident was receiving malicious ARPs on
> transit and peering links that have routes to large swaths of the network.
> If the route goes away, the ARP will be retained for long periods and the
> router will black-hole traffic until that clears. Cisco PSIRT evaluated
> the concern but evaluated it as a fairly concern.
After insisting that learning out-of-subnet ARP entries was a severe bug,
today we got this response:
"[...] as I explained before the default (intended) behaviour for IOS-XR
(till this moment ) is to accept out-of-subnet ARP requests."
So okay - IOS-XR is "Broken by Design" and it's intended to be like this. Just
to continue:
"Please be informed that, IOS-XR behaviour will be changed starting
with 5.1.2 and 5.2.0 to have "arp learning local" as a default behaviour."
Okay - So we "Broke it by Design" and you may be a happy customer that
we fix it for you 2 years later. Huh?
3.x was okay - 4.1 was okay - 4.3 broke it and now 5.1/5.2 fixes it.
Flo
--
Florian Lohoff f at zz.de
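The thread's concern is an ARP table that holds entries for addresses outside the interface's connected subnet, which can black-hole traffic once the covering route disappears. The following check, added here as an illustration and not taken from the list post or from any Cisco tooling, flags such entries by comparing each ARP entry's IP against the interface's configured prefix. The interface prefixes and ARP entries are constructed sample data in a simplified tuple form, not the literal output of any IOS-XR show command.

```python
import ipaddress

# Constructed sample: interface name -> configured IPv4 address/prefix.
# Names and addresses are illustrative only (RFC 5737 documentation ranges).
INTERFACE_PREFIXES = {
    "GigabitEthernet0/0/0/0": "192.0.2.1/30",
    "TenGigE0/1/0/0": "198.51.100.9/29",
}

# Constructed sample ARP entries as (interface, ip, mac). This tuple layout is
# an assumption for the example, not the format of any real device's ARP table.
SAMPLE_ARP_ENTRIES = [
    ("GigabitEthernet0/0/0/0", "192.0.2.2", "00:11:22:33:44:55"),
    ("GigabitEthernet0/0/0/0", "203.0.113.7", "00:11:22:33:44:66"),  # outside /30
    ("TenGigE0/1/0/0", "198.51.100.10", "aa:bb:cc:dd:ee:01"),
    ("TenGigE0/1/0/0", "10.0.0.5", "aa:bb:cc:dd:ee:02"),  # outside /29
]


def is_local(entry_ip, interface_prefix):
    """True if entry_ip lies within the connected subnet of interface_prefix."""
    net = ipaddress.ip_interface(interface_prefix).network
    return ipaddress.ip_address(entry_ip) in net


def find_out_of_subnet(entries, prefixes):
    """Return the ARP entries whose IP is not in their interface's subnet.

    These are exactly the entries that 'arp learning local' would refuse
    to learn; on a router without it they are worth alerting on.
    """
    flagged = []
    for ifname, ip, mac in entries:
        prefix = prefixes.get(ifname)
        if prefix is None:
            continue  # no configured prefix for this interface: nothing to compare
        if not is_local(ip, prefix):
            flagged.append((ifname, ip, mac))
    return flagged


if __name__ == "__main__":
    for ifname, ip, mac in find_out_of_subnet(SAMPLE_ARP_ENTRIES, INTERFACE_PREFIXES):
        print(f"out-of-subnet ARP entry on {ifname}: {ip} -> {mac}")
```

Running this over the sample data reports the two entries that fall outside their interface's subnet; fed with real interface prefixes and a parsed ARP table, the same comparison gives a simple periodic check for the condition the thread describes.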