[nsp-sec] mpls MFI dos
Smith, Donald
Donald.Smith at qwest.com
Wed Sep 24 15:36:28 EDT 2008
Ok I will try it then. NSP security team-mates this is NOT limited to
nsp-sec members only.
Replies to this will also go to the cisco psirt team. Since my qwestion
is for them but the answer is likely to affect you I will reply to Wendy
(whom I trust and who has been vetted) and the rest of the cisco psirt
team:)
"In newer versions of Cisco IOS software, a new packet forwarding
infrastructure was introduced to improve scalability and performance.
This forwarding infrastructure, called MFI, is transparent to the user.
MFI manages MPLS data structures used for forwarding and replaces the
older implementation, Label Forwarding Information Base (LFIB). Cisco
IOS MFI implementation is vulnerable to a DoS attack from specially
crafted packets that are handled in the software path, including transit
packets that are handled in the software path. Such packets can be sent
from the local segment to the interfaces that are configured for MPLS or
via tunnel interfaces that are configured for MPLS. To target a remote
system in an MPLS network, an attacker needs to have access to the MPLS
network through an MPLS-enabled interface. MPLS packets are dropped on
interfaces that are not configured for MPLS."
What is the nature of "the specially crafted packets that are handled in
the software path"?
It sounds like they have to be mpls packets. Clearly they can be transit
packets. Software path implies they are not normally handled on the line
card. I assume it isn't EVERY mpls packet that travels via the software
path.
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: Wendy Garvin [mailto:wgarvin at cisco.com]
> Sent: Wednesday, September 24, 2008 11:39 AM
> To: Smith, Donald
> Cc: psirt at cisco.com; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Cisco Security Advisory: Cisco 10000,
> uBR10012,uBR7200 Series Devices IPC Vulnerability
>
>
> Don,
>
> Appreciate the feedback.
>
> We've worked to rotate our team members through nsp-sec, so although not
> all of us are on the list, most of us have been vetted. We can continue
> that process with a new batch of members, but we really, really don't
> want a single point of failure for responses to our advisories.
>
> I think in this case we're going to trust the nsp-sec membership to be
> careful about their conversations with us, because to us that's less of
> a risk than missing an important question and leaving one of our
> customers without support.
>
> Thanks,
>
> -Wendy
>
> > Smith, Donald <Donald.Smith at qwest.com> [2008-09-24 10:21] wrote:
> > While I appreciate seeing these hit our list I am not sure it is
> > appropriate for the response address to be the psirt team since the
> > cisco psirt team isn't signed up to the nsp list.
> >
> > Anyone responding to this message MIGHT accidentally violate our sharing
> > framework.
> >
> > In the future I recommend you send this with a reply to address of psirt
> > members that have been vetted onto the nsp sec list.
> >
> >
> > Security through obscurity WORKS against some worms and ssh attacks:)
> > Donald.Smith at qwest.com giac
> >
> >
> > [ ----- End of Included Message ----- ]
>
> --
> Wendy Garvin - Cisco PSIRT - 408 525-1888 . : | : .
> ----------------------------------------------------
> http://www.cisco.com/go/psirt
>