[59775] in North American Network Operators' Group


RE: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)

daemon@ATHENA.MIT.EDU (Barry Raveendran Greene)
Fri Jul 18 21:54:21 2003

Reply-To: <bgreene@cisco.com>
From: "Barry Raveendran Greene" <bgreene@cisco.com>
To: "'Charles Sprickman'" <spork@inch.com>, <nanog@merit.edu>
Date: Fri, 18 Jul 2003 18:53:41 -0700
In-Reply-To: <20030718161714.E20962@shell.inch.com>
Errors-To: owner-nanog-outgoing@merit.edu



As mentioned before, Receive Path ACL (rACL) is already in 12.0(21)S2 (and
forward) for the GSR and 12.0(24)S for the 7500. This is one way of doing
infrastructure filtering without packet filtering the data plane (customer
traffic). The second phase of Receive Path ACL (rACL) is going everywhere.
The marketing name is Control Plane Protocol (CPP) ... but it also takes
care of any packet punted to the receive path (i.e. a packet whose
destination address is the router). It is MQC based (ACL + rate-limiting).
Think of it as a "TCP wrapper" for the receive path - but with the
rate-limiting. The rate limiting part is important.

It will first show up in 12.2S (and forward) and then cross-port/back-port
through customer pressure (talk to your Cisco Account Teams). You'll see it
on everything from the small boxes (26XX) to switches (CAT6Ks) to the high
end (GSRs).

Personally, I see this "TCP Wrapper with Rate-Limit" around a router as
something that is going to be a requirement for all vendors on the Net.

> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
> Charles Sprickman
> Sent: Friday, July 18, 2003 1:21 PM
> To: nanog@merit.edu
> Subject: Infrastructure Filtering (was Re: Patching for Cisco
> vulnerability)
>
>
> This has me wondering if there are any BCPs that touch on the whole idea
> of filtering traffic destined to your router, or what the advisory called
> "infrastructure filtering".  All in all, it seems like a good idea to
> block any direct access to router interfaces.  But as some have probably
> found already, it's a big pain in the arse.
>
> If I recall correctly, Rob's Secure IOS Template touches on filtering
> known services (the BGP listener, snmp), but what are people's feelings on
> maintaining filters on all interfaces *after* loading a fixed IOS?
>
> Thanks,
>
> Charles
>
> --
> Charles Sprickman
> spork@inch.com
>
>
> On Fri, 18 Jul 2003, Irwin Lazar wrote:
>
> >
> > Just out of curiosity, are folks just applying the Cisco patch or do you
> > go through some sort of testing/validation process to ensure that the
> > patch doesn't cause any other problems?  Given typical change management
> > procedures how long is it taking you to get clearance to apply the patch?
> >
> > I'm trying here to gauge the length of time before this vulnerability is
> > closed out.
> >
> > irwin
> >
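The two mechanisms Barry describes, a receive-path ACL on the GSR and the MQC-based "ACL + rate-limit" policy applied to the control plane (the feature that shipped as Control Plane Policing, CoPP), look like the following on IOS. This is an added illustration written for this archive page, not configuration from Barry's message, from Cisco, or from Rob's template. The ACL numbers and names, the addresses (192.0.2.1 as the router's loopback, 192.0.2.2 as its BGP peer, 192.0.2.0/24 as the infrastructure block, 198.51.100.0/24 as the NOC management subnet), the choice of OSPF as the IGP, and every rate and burst value are assumptions chosen for the example and must be replaced with your own.

```cisco
! ===== Part 1: rACL on a GSR (12.0(21)S2 and later) =====
! A receive ACL is applied globally and only sees packets punted to the
! route processor, so customer transit traffic is never filtered by it.
! rACL takes a numbered ACL; 110 is an assumed number.
access-list 110 remark --- routing protocols (assumed: iBGP peer, OSPF in 192.0.2.0/24)
access-list 110 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
access-list 110 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
access-list 110 permit ospf 192.0.2.0 0.0.0.255 any
access-list 110 remark --- management only from the NOC block (assumed)
access-list 110 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq 22
access-list 110 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq snmp
access-list 110 remark --- keep ping and traceroute working
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any ttl-exceeded
access-list 110 permit icmp any any unreachable
access-list 110 remark --- everything else aimed at the router is dropped
access-list 110 deny ip any any
!
ip receive access-list 110

! ===== Part 2: MQC control-plane policy (12.2S and later) =====
! Same idea, but each class is also rate-limited: even permitted
! traffic (a BGP peer, the NOC) cannot starve the route processor.
ip access-list extended COPP-CRITICAL
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 permit ospf 192.0.2.0 0.0.0.255 any
ip access-list extended COPP-MANAGEMENT
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq 22
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq snmp
ip access-list extended COPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
class-map match-all COPP-CRITICAL
 match access-group name COPP-CRITICAL
class-map match-all COPP-MANAGEMENT
 match access-group name COPP-MANAGEMENT
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
! police <bps> <burst-bytes>; all values here are assumed and sized
! for the example, not recommendations for any particular platform.
policy-map COPP
 class COPP-CRITICAL
  police 512000 8000 conform-action transmit exceed-action transmit
 class COPP-MANAGEMENT
  police 128000 8000 conform-action transmit exceed-action drop
 class COPP-ICMP
  police 32000 4000 conform-action transmit exceed-action drop
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Two points a practitioner would check before trusting either policy. First, the "TCP wrapper" comparison only holds if the default is deny: in the rACL that is the explicit `deny ip any any`, and in the MQC policy it is `class-default`, which here is left open but tightly rate-limited rather than dropped outright, so that anything the classes forgot (a new peer, a forgotten IGP neighbour) degrades instead of breaking the router. Second, the rate-limiting cuts both ways: a policer that is too tight on `COPP-CRITICAL` drops BGP keepalives under load, which is why that class is shown with `exceed-action transmit`. After applying the policy, `show policy-map control-plane` shows per-class conform and exceed counters; a rising exceed count in a class you expected to be quiet is exactly the signal the filtering is meant to give you.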

