[c-nsp] CSCuy29638 - MPLS (for IPv4) Brokenness Fixed - ASR920

Gert Doering gert at greenie.muc.de
Fri Aug 5 09:01:04 EDT 2016


Hi,

On Fri, Aug 05, 2016 at 11:02:01AM +0300, Saku Ytti wrote:
> I'm disappointed Cisco does not mention CoPP at all.
> 
> Anyone running reasonable CoPP would have been completely unaffected
> by this issue. CoPP is not just about protecting from DoS, it's also
> protecting from 0days.

Sure about that?

I'm not sure about *this* interface wedge bug, but if it's similar to the
original one, if your CoPP policer lets even 1% of the packets through,
you're still toast - just slower.  With NTP, of course you have permit
rules in your CoPP config, so depending on which NTP servers you talk
to, nastygrams can still arrive...

(OTOH if you have a CoPP rule that says "drop all that might be harmful",
I'm all ears)

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de