[nsp-sec] IPv6 packet causing LC to reload on GSR/XR
Nicolas Fischbach
nicolist at securite.org
Wed Sep 3 05:23:42 EDT 2014
Hi all,
Just a heads up in case you have seen something similar:
An IPv6 packet with the following SRC/DST addresses causes an LC reload
on a GSR running XR 4.3.2 (PRP-2, and I believe it's an STM-16):
Source: 2001:b7a1:a001:16::93
Destination: 2a02:2078:100:dead:d00d::25
We have a P1 open w/Cisco TAC and our Ops people are still trying to get
a full packet dump. The attack was short-lived yesterday and we saw
it again earlier today. First analysis by C/TAC based on memory dump:
<< An IPv6 prefix being advertised from 6PE XXX.YYY was received in PE
XXX.YYY router. When the IPv6 traffic enters the network we will impose a 6PE
label and an LDP label to reach the CE connected to the XXX.YYY router.
This labelled traffic is going via the P routers (all of them GSR/XR
4.2.3). In the P router XXX.YYY the traffic can enter the box via
linecard 1 or linecard 3 and leave via linecard 5 or 6. The ingress
traffic is wrongly sent to linecard 4 and the ASIC in linecard 4 is dumping
the traffic & getting reloaded.
We identified the destination of the IPv6 prefix consistently as
2a02:2078:100:dead:d00d::25. We are waiting for a debug SMU to
understand why the traffic is being sent to the wrong egress linecard
in XXX.YYY >>.
It's our first IPv6 DoS event!
Nico. (Colt/AS8220)