All things related to multicast

[Bill Owens <>]

As you all know there is a very serious problem with IOS that has led 
to mass upgrades all across the network in the last week. But someone 
just posted a note to the NANOG list pointing out that a new aspect 
of the bug was apparently discovered in the last couple of days. 
There are four protocol types that trigger the bug, 53, 55, 77 and 
our favorite, 103 (PIM). Previously it was thought that the packets 
had to reach the router with a TTL of 0 or 1 to affect it, but 
apparently PIM is a special case. Cisco's update has this to say:

"Cisco routers are configured to process and accept Internet Protocol 
version 4 (IPv4) packets by default. IPv4 packets handled by the 
processor on a Cisco IOS device with protocol types of 53 (SWIPE), 55 
(IP Mobility, or 77 (Sun ND), all with Time-to-Live (TTL) values of 1 
or 0, and 103 (Protocol Independent Multicast - PIM) with any TTL 
value, may force the device to incorrectly flag the input queue on an 
interface as full."

So a PIM-based attack is easier to mount. But there's an easy answer 
- enable PIM:

"Routers that have the PIM process running are not affected by 
traffic with protocol type 103. This process will be created when PIM 
is configured on any interface of the router. An interface with PIM 
enabled will have one of the following three commands in the 
interface configuration: ip pim dense-mode, ip pim sparse-mode, or ip 
pim sparse-dense-mode. "

Sounds like a great reason to enable native multicast ;)

Bill.