
Re: impact of recent cisco vulnerability



>	because of recent cisco vulnerability, many ISPs installed filters
>	that would drop mobile-ip4 (ip protocol type 55), both inbound and
>	outbound at EBGP routers, as a countermeasure until they upgrade all
>	of the cisco routers they have.  it would seriously impact the
>	deployment/use of mobile-ip4.
>
>	also swipe (53), sun ND (77), PIM (103) are getting filtered.  i don't
>	think PIM operation will be affected by this as people wouldn't use
>	PIM across AS borders.  not sure about swipe and sun ND.

Actually people do use PIM across AS borders.  Typical current
deployments use MSDP inter-domain for source discovery, and then
PIM-SM joins travel inter-domain to draw down the traffic.  Future
SSM deployments would just start with source-specific joins which
would often travel inter-domain.

But anyone who has PIM-SM enabled on their outward-facing interfaces
would probably remember not to filter PIM joins, and it doesn't matter
for anyone else.

As a general point though, I fear we're moving closer and closer to
the deployment of inter-ISP firewalls.  If this is going to happen
anyway, I wonder if we should be trying to architect a solution?

Cheers,
	Mark