nanog mailing list archives

RE: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)

From: "Barry Raveendran Greene" <bgreene () cisco com>
Date: Fri, 18 Jul 2003 18:53:41 -0700



As mentioned before, Receive Path ACL (rACL) is already in 12.0(21)S2 (and
forward) for the GSR and 12.0(24)S for the 7500. This is one way of doing
infrastructure filtering without packet filtering the data plane (customer
traffic). The second phase of Receive Path ACL (rACL) is going everywhere.
The marketing name is Control Plane Protocol (CPP) ... but it also takes
care of any packet punted to the receive path (i.e. packet with destination
address = to the router). It is MQC based (ACL + rate-limiting). Think of it
as a "TCP wrapper" for the receive path - but with the rate-limiting. The
rate limiting part is important. 

It will first show up in 12.2S (and forward) and then cross-port/back-port
through customer pressure (talk to your Cisco Account Teams). You'll see it
on everything for the small boxes (26XX) to switches (CAT6Ks) to the high
end (GSRs).

Personally, I see this "TCP Wrapper with Rate-Limit" around a router as
something that is going to be a requirement for all vendors on the Net.

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
Charles Sprickman
Sent: Friday, July 18, 2003 1:21 PM
To: nanog () merit edu
Subject: Infrastructure Filtering (was Re: Patching for Cisco
vulnerability)

This has me wondering if there are any BCPs that touch on the whole idea
of filtering traffic destined to your router, or what the advisory called
"infrastructure filtering".  All in all, it seems like a good idea to
block any direct access to router interfaces.  But as some have probably
found already, it's a big pain in the arse.

If I recall correctly, Rob's Secure IOS Template touches on filtering
known services (the BGP listener, snmp), but what are people's feelings on
maintaining filters on all interfaces *after* loading a fixed IOS?

Thanks,

Charles

--
Charles Sprickman
spork () inch com

On Fri, 18 Jul 2003, Irwin Lazar wrote:


Just out of curiosity, are folks just applying the Cisco patch or do you

go through some sort of testing/validation process to ensure that the
patch doesn't cause any other problems?  Given typical change management
procedures how long is taking you to get clearance to apply the patch?


I'm trying here to gauge the length of time before this vulnerability is

closed out.


irwin

Current thread:

Re: Patching for Cisco vulnerability, (continued)
- - - Re: Patching for Cisco vulnerability Jason Frisvold (Jul 18)
- Infrastructure Filtering (was Re: Patching for Cisco vulnerability) Charles Sprickman (Jul 18)
  - Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability) Petri Helenius (Jul 18)
  - Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability) Niels Bakker (Jul 18)
    - Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability) Curtis Maurand (Jul 18)
  - Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability) Jared Mauch (Jul 18)
    - Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability) Niels Bakker (Jul 18)
    - Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability) Christopher L. Morrow (Jul 18)
    - Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability) Niels Bakker (Jul 18)
    - Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability) Christopher L. Morrow (Jul 18)
  - RE: Infrastructure Filtering (was Re: Patching for Cisco vulnerability) Barry Raveendran Greene (Jul 18)
- Re: Patching for Cisco vulnerability Måns Nilsson (Jul 20)
- RE: Patching for Cisco vulnerability Dan Lockwood (Jul 18)