Tag: IOS

Cisco Security Advisory: Cisco IOS XR Software Border Gateway Protocol Vulnerabilities

Official document on Cisco Security Advisory website

Summary

Cisco IOS XR Software contains multiple vulnerabilities in the Border Gateway Protocol (BGP) feature. These vulnerabilities include:

Cisco IOS XR Software will reset a BGP peering session when receiving a specific invalid BGP update.

The vulnerability manifests when a BGP peer announces a prefix with a specific invalid attribute. On receipt of this prefix, the Cisco IOS XR device will restart the peering session by sending a notification. The peering session will flap until the sender stops sending the invalid/corrupt update. This vulnerability was disclosed in revision 1.0 of this advisory.

Cisco IOS XR BGP process will crash when sending a long length BGP update message.

When Cisco IOS XR sends a long length BGP update message, the BGP process may crash. The number of AS numbers required to exceed the total/maximum length of update message and cause the crash are well above normal limits seen within production environments.

Cisco IOS XR BGP process will crash when constructing a BGP update with a large number of AS prepends.

If the Cisco IOS XR BGP process is configured to prepend a very large number of Autonomous System (AS) Numbers to the AS path, the BGP process will crash. The number of AS numbers required to be prepended and cause the crash are well above normal limits seen within production environments.All three vulnerabilities are different vulnerabilities from what was disclosed in the Cisco Security Advisory “Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities” on the 2009 July 29 1600 UTC.

Affected Products

The “Cisco IOS XR Software will reset a BGP peering session when receiving a specific invalid BGP update” vulnerability affects all Cisco IOS XR Software devices after and including software release 3.4.0 configured with BGP routing.

The other two vulnerabilities affect all Cisco IOS XR Software devices configured with BGP routing.

Workarounds

Cisco IOS XR Software will reset a BGP peering session when receiving a specific invalid BGP update.
There are no workarounds on the affected device itself. Co-ordination is required with the peering neighbor support staff to filter the invalid update on their outbound path. The following procedure explains how to help mitigate this vulnerability:

Using the peer IP address in the log message that was generated when the Cisco IOS XR Software device received the invalid update; capture the notification message hex dump from the CLI command show bgp neighbor and contact the Cisco TAC, who can assist with a decode. Details on how to contact Cisco TAC are contained within the “Obtaining Fixed Software” section of this advisory.

For illustrative purposes, the following example shows a log message generated by an affected device when it receives an invalid/corrupt update message:

RP/0/RP0/CPU0:Aug 17 13:47:05.896 GMT: bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 192.168.0.1 Down - BGP Notification sent: invalid or corrupt AS path

These details can be captured and provided to Cisco TAC to decode the update message. show bgp neighbors [ip address of neighbor from above log message]:

RP/0/RP0/CPU0:CRS#show bgp neighbors 192.168.0.1        

<capture output and provide to Cisco TAC>

Working with Cisco TAC, the decode of the above will display the AS path in a manner illustrated below.

ATTRIBUTE NAME:  AS_PATH

 AS_PATH: Type 2 is AS_SEQUENCE
 AS_PATH: Segment Length is 4 (0x04) segments long
 AS_PATH: 65533  65532 65531 65531

Working cooperatively with your peering partner, request that they filter outbound prefix advertisements from the identified source AS (in this example 65531) for your peering session. The filters configuration methods will vary depending on the routing device operating system used. For Cisco IOS XR Software the filters will be applied using Routing Policy Language (RPL) policies or with Cisco IOS Software via applying route-maps that deny advertisements matching that AS in their AS-PATH. Once these policies are applied, the peering session will be re-established.

For further information on Cisco IOS XR RPL consult the document “Implementing Routing Policy on Cisco IOS XR Software” at the following link: http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/routing/configuration/guide/rc3rpl.html#wp1118699.

For further information on Cisco IOS route maps with BGP, consult the document “Cisco IOS BGP Configuration Guide, Release 12.4T” at the following link: http://www.cisco.com/en/US/docs/ios/12_2sr/12_2srb/feature/guide/tbgp_c.html.

Cisco IOS XR BGP process will crash when sending a long length BGP update message
While the long length BGP update message can be caused by any number of attributes, then most common would be the AS Path. Limiting the number of AS numbers in the AS Path Attribute should mitigate this vulnerability. The following shows an example of filtering on AS paths within Cisco IOS XR Software:

route-policy maxas-limit
# Check number of AS Numbers in AS Path attribute.
# If greater than 100 drop the update.
# If less than 100 pass the update.
  if as-path length ge 100 then
        drop
  else
        pass
  endif
end-policy

router bgp 65533
 neighbor 192.168.0.1
  remote-as 65534
   address-family ipv4 unicast
     policy maxas-limit in
     policy maxas-limit out

For further information on Cisco IOS XR RPL consult the document “Implementing Routing Policy on Cisco IOS XR Software” at the following link: http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/routing/configuration/guide/rc3rpl.html#wp1118699.

Cisco IOS XR BGP process will crash when constructing a BGP update with a large number of AS prepends
There is no workaround for this vulnerability, other than reducing the number of AS path prepends configured within Cisco IOS XR.

I must admit that after reading the document above, a big question sign appeared in my head about the BGP functionality on IOS XR and if we can rely on this in a working environment. I’m sure that Cisco will mitigate this issues as the currently workarounds are just a temporary solution.

Cisco: How to configure privileges for local users

I believe that all of you are familiar with privilege levels (0-15) on Cisco IOS. The most useful for network engineers is level 15 and the highest one as it will allow you full access to all IOS features, but in most networks only a few persons have this privilege level. In my opinion is normal to be like this, as with this limitation in, the risk that somebody will login and configure something that will lead to a system failure is minimized. Also true is that this will limit the troubleshooting on the network in case of an issue.

Let’s take the following scenario:
– you are the network engineer and you have privilege level 15 access;
– somewhere in your remote network there is a device that has a failure and you need somebody on site to tell you some informations about the device;|
– the local administrator does not have access (e.g to read running-config) on that Cisco device as you don’t want him to break something by some misconfiguration that she / he applies;


In this scenario you are either stuck with the problem and you have to travel to remote location to fix the problem or to give user access. I will chose from this a middle path. Give a user limited access just to read information that might be useful for you like IP address assigned on interfaces, access-lists or routing table (of course you have to do this before you have a problem on some remote device and possible a connection lost).

In the example below I will show you how you can configure an user with limited access just to read the running-config and in this file just the following information: hostname, interfaces (and here only IP addresses assigned to the interfaces) and routing protocols (with networks advertised into specific network protocol). This is just a basic example, but the privilege levels can be customized as you need.

Please check the presentation below:

Cisco: privilege levels

Cisco: Quick IOS check in 4 simple steps

This post is rather for the beginners in Cisco’s world than for advance professionals, but still I encounter situation when IOS image was corrupted even if it was uploaded to the device by a network guru. Why? It’s quite simple! Because you can be the master of the Cisco networking,  but still sometime you cannot control the device behavior or the transport of the packets to destination.

The problems is that in case of a corrupted IOS image being uploaded on a Cisco device, and having that device reloaded you can run into situation when it will not boot up anymore. When the device is in front of you, or on your desk, there is not a problem, because you can troubleshoot, find the issue (e.g wrong or corrupted IOS image) and solve it! But, what if your device is at 5000 km distance, it is 3:00 AM and you have no professional help on that location?! That’s one ugly situation and the reason for which I always insist to verify the IOS image after it is uploaded and ready to go into production.

For those of you who are dealing with this stuff everyday, this post may seem like a joke, but I bet that there are out there IT’s which never check this stuff or they are beginners and don’t know how to do it. It’s more simple that you may think it is, make you spend about 4-5 minutes for a full check, but can spare you for bigger problems in the future.

So, what are the 4 steps:
1. Check what Cisco device you have (to know what IOS image you need)
2. Check what IOS image Cisco device has (to know what IOS release to download)
3. Verify the IOS image
4. Check the results of your verification
As simplest as it can get.

Please check the tutorial by clicking the image below:

IOS check

For those who cannot see a Flash movie, please read this text file, that consist of the command you should perform for IOS checking.

Cisco: How-to get notifications for IP SLA monitor using EEM

In some previous post, I explained how to configure a basic IP SLA monitor for checking the round-trip time between two Cisco routers. Because in the comments of that post I have been asked how you can get e-mail notification for IP SLA monitor, I have decided to write another post to extend a little bit this topic.

To accomplish e-mail notification for IP SLA monitors we will use Embedded Event Manager (EEM) and some SNMP knowledge.Cisco IOS EEM is a powerful device and system management technology integrated into specific Cisco switches and routers. EEM gives us the ability to customize Cisco IOS behavior based on network events as they happen.

EEM will use a SNMP event to report anomalies in regarding the RTT threshold value. For SNMP to work we need to know and Object name and the OID associated with it. In my example I will use the SNMP Object name: rttMonCtrlOperOverThresholdOccurred (OID: 1.3.6.1.4.1.9.9.42.1.2.9.1.7). On Cisco website you can find more about this SNMP Object and I advice you to read it before going on with this tutorial.

Below you have a basic example about how to get e-mail notification when the threshold of the RTT IP SLA monitor is reached. More examples you can find on Ivan Pepelnjak’s blog: blog.ioshints.info . It’s a good idea to check them also.

The topology remains the same like in the previous post about IP SLA. You can check it here. Please click below to check the tutorial:

IP SLA EEM

If you cannot check the tutorial above, please read this text file, as it contains all the information from the video presentation.