[c-nsp] Followup: ARP on ASR9k 4.3.2

Florian Lohoff f at zz.de
Wed Feb 12 05:36:26 EST 2014

> Andrew Koch wrote:
> > PS: I made some sysctl tweaks on the linux machine to behave a little
> > more nice but still i see a bug here.
> We did the same while waiting for the SMU.  The SMU should not be needed
> for 4.3.2 - the "arp learning local" interface command should be built-in,
> so hopefully you are good to go.
> Our biggest concern over this incident was receiving malicious ARPs on
> transit and peering links that have routes to large swaths of the network.
> If the route goes away, the ARP will be retained for long periods and the
> router will black-hole traffic until that clears.  Cisco PSIRT evaluated
> the concern but evaluated it as a fairly concern.

After insisting that learning out of subnet ARP entries was a sever Bug
we today got this reponse:

	"[...] as I explained before the default (intended) behaviour for IOS-XR
	(till this moment ) is to accept out-of-subnet ARP requests."

So okay - IOS-XR is "Broken by Design" and its intendet to be like this. Just
to continue:

	"Please be informed that, IOS-XR behaviour will be changed starting
	with 5.1.2 and 5.2.0 to have "arp learning local" as a default behaviour."

Okay - So we "Broke it by Design" and you may be a happy customer that 
we fix it for you 2 years later. Huh?

3.x was okay - 4.1 was okay - 4.3 broke it and now 5.1/5.2 fixes it.

Florian Lohoff                                                 f at zz.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: Digital signature
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20140212/464165f6/attachment.sig>

More information about the cisco-nsp mailing list