Re: impact of recent cisco vulnerability
> because of recent cisco vulnerability, many ISPs installed filters
> that would drop mobile-ip4 (ip protocol type 55), both inbound and
> outbound at EBGP routers, as a countermeasure until they upgrade all
> of the cisco routers they have. it would seriously impact the
> deployment/use of mobile-ip4.
>
> also swipe (53), sun ND (77), PIM (103) are getting filtered. i don't
> think PIM operation will be affected by this as people wouldn't use
> PIM across AS borders. not sure about swipe and sun ND.

Actually people do use PIM across AS borders. Typical current
deployments use MSDP inter-domain for source discovery, and then
PIM-SM joins travel inter-domain to draw down the traffic. Future
SSM deployments would just start with source-specific joins which
would often travel inter-domain.

But anyone who has PIM-SM enabled on their outward-facing interfaces
would probably remember not to filter PIM joins, and it doesn't matter
for anyone else.

As a general point though, I fear we're moving closer and closer to
the deployment of inter-ISP firewalls. If this is going to happen
anyway, I wonder if we should be trying to architect a solution?

Cheers,
Mark
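
The filtering discussed in this thread, as an added example that is not part of the original messages: a Cisco IOS extended ACL sketch showing a blanket drop of the four protocols beside a variant that still accepts PIM from a known peer. The ACL numbers, the interface name and the 192.0.2.1 neighbor address are constructed placeholders.

```ios
! Constructed example: ACL numbers, interface and addresses are placeholders.
!
! Variant A: blanket drop of the four IP protocols named in the thread.
! On a link that runs PIM-SM this also discards the peer's hellos and joins.
access-list 101 deny   53 any any
access-list 101 deny   55 any any
access-list 101 deny   77 any any
access-list 101 deny   103 any any
access-list 101 permit ip any any
!
! Variant B: same drops for 53, 55 and 77, but PIM (protocol 103) from the
! directly connected peer to ALL-PIM-ROUTERS (224.0.0.13) is accepted first,
! so hop-by-hop joins across the AS border keep working.
! Any other PIM packet, including unicast PIM crossing this link, is dropped.
access-list 102 deny   53 any any
access-list 102 deny   55 any any
access-list 102 deny   77 any any
access-list 102 permit pim host 192.0.2.1 host 224.0.0.13
access-list 102 deny   pim any any
access-list 102 permit ip any any
!
interface Serial0/0
 description EBGP peering link with PIM-SM enabled (placeholder)
 ip access-group 102 in
```

Variant A matches the case where PIM is not run on the outward-facing interface; Variant B is the shape for an interface where it is.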