All things related to multicast

["Michael H. Lambert" <>]

[cc'ing the IPv6 Working Group]

IPv6 isn't affected by the vulnerability, either...

Michael

--On Wednesday, 23 July 2003 16:52 -0400 Bill Owens <> 
wrote:

> As you all know there is a very serious problem with IOS that has led to
> mass upgrades all across the network in the last week. But someone just
> posted a note to the NANOG list pointing out that a new aspect of the bug
> was apparently discovered in the last couple of days. There are four
> protocol types that trigger the bug, 53, 55, 77 and our favorite, 103
> (PIM). Previously it was thought that the packets had to reach the router
> with a TTL of 0 or 1 to affect it, but apparently PIM is a special case.
> Cisco's update has this to say:
>
> "Cisco routers are configured to process and accept Internet Protocol
> version 4 (IPv4) packets by default. IPv4 packets handled by the
> processor on a Cisco IOS device with protocol types of 53 (SWIPE), 55 (IP
> Mobility, or 77 (Sun ND), all with Time-to-Live (TTL) values of 1 or 0,
> and 103 (Protocol Independent Multicast - PIM) with any TTL value, may
> force the device to incorrectly flag the input queue on an interface as
> full."
>
> So a PIM-based attack is easier to mount. But there's an easy answer -
> enable PIM:
>
> "Routers that have the PIM process running are not affected by traffic
> with protocol type 103. This process will be created when PIM is
> configured on any interface of the router. An interface with PIM enabled
> will have one of the following three commands in the interface
> configuration: ip pim dense-mode, ip pim sparse-mode, or ip pim
> sparse-dense-mode. "
>
> Sounds like a great reason to enable native multicast ;)
>
> Bill.