[59751] in North American Network Operators' Group


Re: Patching for Cisco vulnerability

daemon@ATHENA.MIT.EDU (Jared Mauch)
Fri Jul 18 15:29:59 2003

Date: Fri, 18 Jul 2003 15:31:25 -0400
From: Jared Mauch <jared@puck.Nether.net>
To: nanog@merit.edu
In-Reply-To: <20030718212128.A2877@homebase.cluenet.de>
Errors-To: owner-nanog-outgoing@merit.edu


On Fri, Jul 18, 2003 at 09:21:28PM +0200, Daniel Roesen wrote:
> 
> On Fri, Jul 18, 2003 at 03:04:45PM -0400, Jared Mauch wrote:
> > 	most providers can easily go from (for example)
> > 12.0(21)S3 to 12.0(21)S7 with less testing than from 12.0(21)S to 12.0(25)S
> 
> 12.0(21)S* (at least S5 and above) have broken SNMP interface counters
> and Cisco refuses to fix the bug in 12.0(21)S*, so people who don't

	Do you have a DDTS I can reference?

> want to lose money (accounting) are forced to upgrade to 12.0(25)S*.
> I guess they want to force all "conservative" ISPs to jump over
> the 12.0(22)S "barrier".

	I agree that Cisco should actually take more serious ownership
of these issues within a customer's network.  They're selling us
this software/hw and claiming that we can obtain a particular SLA
level.  Yet they can't seem to add in some code that says

	if  (ifc->in_bps > ifc->phy_speed || ifc->out_bps > ifc->phy_speed)
	{
		crash_router();
	}

	If they added this code, they'd find these bugs in their
labs instead of in our networks.

	- jared


-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
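The sanity check Jared sketches above (a counter rate that exceeds the physical line rate is impossible, so it is a bug in the counters) is one an operator can also run on the polling side, so that broken SNMP interface counters show up as an alert rather than as silently wrong accounting data. The example below is added here and is not part of the original post or of any Cisco code; it assumes a 60-second poller that stores ifInOctets/ifOutOctets and ifSpeed per interface, and all sample values are constructed for the example.

```python
# Added example, not from the NANOG post: flag SNMP interface counter rates
# that exceed the interface's physical speed. A rate above line rate cannot
# be real traffic, so it points at broken counters (or a broken poller),
# which is exactly the kind of accounting error the thread is about.
from dataclasses import dataclass
from typing import List, Tuple

COUNTER32_MAX = 2 ** 32  # ifInOctets / ifOutOctets are Counter32 objects
COUNTER64_MAX = 2 ** 64  # ifHCInOctets / ifHCOutOctets are Counter64 objects


@dataclass
class Sample:
    ts: float        # poll time, seconds since epoch
    in_octets: int   # ifInOctets (or ifHCInOctets) reading
    out_octets: int  # ifOutOctets (or ifHCOutOctets) reading


def counter_delta(prev: int, cur: int, modulus: int = COUNTER32_MAX) -> int:
    """Octets between two counter readings, allowing for a single wrap."""
    return (cur - prev) % modulus


def rates_bps(prev: Sample, cur: Sample,
              modulus: int = COUNTER32_MAX) -> Tuple[float, float]:
    """Average (in_bps, out_bps) over the interval between two samples."""
    dt = cur.ts - prev.ts
    if dt <= 0:
        raise ValueError("samples must be in increasing time order")
    in_bps = counter_delta(prev.in_octets, cur.in_octets, modulus) * 8 / dt
    out_bps = counter_delta(prev.out_octets, cur.out_octets, modulus) * 8 / dt
    return in_bps, out_bps


def check_counters(samples: List[Sample], if_speed_bps: int,
                   modulus: int = COUNTER32_MAX,
                   tolerance: float = 1.02) -> List[Tuple[float, str, float]]:
    """Return (ts, direction, bps) for every interval whose rate exceeds
    line rate (with a small tolerance for poll-timing jitter)."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        in_bps, out_bps = rates_bps(prev, cur, modulus)
        for direction, bps in (("in", in_bps), ("out", out_bps)):
            if bps > if_speed_bps * tolerance:
                alerts.append((cur.ts, direction, bps))
    return alerts


# Constructed samples for a 100 Mbit/s interface (ifSpeed = 100000000),
# polled every 60 s. The first interval wraps the Counter32 legitimately
# and stays well under line rate; the second jumps by 2e9 octets in 60 s,
# which is ~267 Mbit/s on a 100 Mbit/s port and therefore impossible.
FAST_ETHERNET_BPS = 100_000_000
CONSTRUCTED_SAMPLES = [
    Sample(ts=0.0,   in_octets=4_294_000_000, out_octets=100_000),
    Sample(ts=60.0,  in_octets=299_032_704,   out_octets=60_100_000),
    Sample(ts=120.0, in_octets=2_299_032_704, out_octets=160_100_000),
]


def demo() -> List[Tuple[float, str, float]]:
    """Run the check over the constructed samples; expect one 'in' alert."""
    return check_counters(CONSTRUCTED_SAMPLES, FAST_ETHERNET_BPS)


if __name__ == "__main__":
    for ts, direction, bps in demo():
        print(f"t={ts:.0f}s {direction}: {bps / 1e6:.1f} Mbit/s exceeds "
              f"{FAST_ETHERNET_BPS / 1e6:.0f} Mbit/s line rate")
```

One caveat worth keeping in mind when deploying something like this: at gigabit and faster rates a Counter32 wraps more than once per 60-second poll, so the modulo arithmetic above is only valid with the 64-bit ifHCInOctets/ifHCOutOctets counters (pass modulus=COUNTER64_MAX) or with a poll interval short enough that at most one wrap can occur.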
