apops January 2007

apops@apops.net

6 participants
19 discussions

Cisco Security Advisory: SIP Packet Reloads IOS Devices Not Configured for SIP

by Cisco Systems Product Security Incident Response Team

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: SIP Packet Reloads IOS Devices Not Configured for SIP Advisory ID: cisco-sa-20070131-sip http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml Revision 1.0 For Public Release 2007 Jan 31 0900 UTC (GMT) - --------------------------------------------------------------------- Summary ======= Cisco devices running IOS which support voice and are not configured for Session Initiated Protocol (SIP) are vulnerable to a crash under yet to be determined conditions, but isolated to traffic destined to Port 5060. SIP is enabled by default on all Advanced images which support voice and do not contain the fix for CSCsb25337. There are no reports of this vulnerability on the devices which are properly configured for SIP processing. Workarounds exist to mitigate the effects of this problem. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml Affected Products ================= IOS releases that include voice support after 12.3(14)T, 12.3(8)YC1, 12.3(8)YG and all of 12.4 are affected. Please see the fixed software table for a complete list of fixed and vulnerable trains. To determine if your device has SIP enabled, enter the commands 'show ip sockets' and 'show tcp brief all'. Below is an example of a router running code without the fix, and without the workaround enabled. The router in this example is vulnerable to this issue. IOS image in example: 7200-p-mz.124-3.bin Router#show ip sockets Proto Remote Port Local Port In Out Stat TTY OutputIF 17 0.0.0.0 0 --any-- 5060 0 0 211 0 17 0.0.0.0 0 192.168.100.2 67 0 0 2211 0 17 0.0.0.0 0 192.168.100.2 2517 0 0 11 0 The first line with UDP Port 5060 shows that UDP SIP is enabled. Router#show tcp brief all TCB Local Address Foreign Address (state) 2051E680 *.5060 *.* LISTEN 2051E680 *.5060 *.* LISTEN The above lines with *.5060 show that TCP SIP is enabled. Vulnerable Products +------------------ The following is a list of products that support voice and could be affected by this vulnerability. * 815 * 871 * 876 * 877 * 878 * 1701 * 1711 * 1712 * 1721 * 1751 * 1751-V * 1760 * 1801 * 1802 * 1803 * 1811 * 1812 * 1841 * 2610XM-2611XM * 2620XM-2621XM * 2650XM-2651XM * 2691 * 2801 * 2811 * 2821 * 2851 * 3220 * 3250 * 3270 * 3725 * 3745 * 3825 * 3845 * 7200 * 7200-NPE-G2 * 7301 Products Confirmed Not Vulnerable +-------------------------------- Devices which do not support voice are not affected by this issue. Devices which are properly configured for SIP processing are not affected by this issue. We have no reports of this vunerability on devices that are configured for SIP processing. We also have no reports of affected IOS-XR devices, CatOS devices, or any device which does not run IOS, but can not conclusively rule them out without further testing. This advisory will be updated with more information as it becomes available. Below is an example of a router not vulnerable to this issue. The router in this example is running the fixed release c7200-js-mz.124-5b.bin. Router#show tcp brief all Router#show ip sockets Proto Remote Port Local Port In Out Stat TTY OutputIF 17 0.0.0.0 0 192.168.100.2 67 0 0 2211 0 No lines with UDP Port 5060 are shown and UDP SIP is not enabled. In this example UDP port 67 is used by DHCP is not related to this vulnerability. Details ======= SIP is a protocol designed for use in IP phone networks, and is widely used for Voice over Internet Protocol (VOIP) communications worldwide. Cisco devices running an affected image which supports voice services automatically enable SIP, which opens a listening port on UDP port 5060. TCP port 5060 is also opened, but does not appear to be related to the IOS crash detailed in this advisory. CSCsb25337 turns off the listening ports TCP and UDP 5060, and there have been no reports of this vulnerability in any images with this fix integrated. Impact ====== Successful exploitation of the vulnerability may result in a reload of the device. The issue may be repeatedly exploited, leading to an extended Denial Of Service (DOS) condition. Software Version and Fixes ========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label. For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/warp/public/620/1.html +---------------------------------------+ | Major | Availability of Repaired | | Release | Releases | |------------+--------------------------| | Affected | | | | 12.0-Based | Rebuild | Maintenance | | Release | | | |------------+--------------------------| | 12.0 | All 12.0 releases are | | | not vulnerable | |------------+--------------------------| | Affected | | | | 12.1-Based | Rebuild | Maintenance | | Release | | | |------------+--------------------------| | 12.1 | All 12.1 releases are | | | not vulnerable | |------------+--------------------------| | Affected | | | | 12.2-Based | Rebuild | Maintenance | | Release | | | |------------+--------------------------| | 12.2 | All 12.2 releases are | | | not vulnerable | |------------+--------------------------| | Affected | | | | 12.3-Based | Rebuild | Maintenance | | Release | | | |------------+--------------------------| | 12.3 | Not vulnerable | |------------+--------------------------| | 12.3B | Not vulnerable | |------------+--------------------------| | 12.3BC | Not vulnerable | |------------+--------------------------| | 12.3BW | Not vulnerable | |------------+--------------------------| | 12.3JA | Not vulnerable | |------------+--------------------------| | 12.3JEA | Not vulnerable | |------------+--------------------------| | 12.3JEB | Not vulnerable | |------------+--------------------------| | 12.3JK | Not vulnerable | |------------+--------------------------| | 12.3JX | Not vulnerable | |------------+--------------------------| | | Only 12.3(14)T releases | | | are vulnerable; migrate | | 12.3T | to 12.4(8) or later. All | | | other 12.3T releases are | | | not vulnerable. | |------------+--------------------------| | 12.3TPC | Not vulnerable | |------------+--------------------------| | 12.3XA | Not vulnerable | |------------+--------------------------| | 12.3XB | Not vulnerable | |------------+--------------------------| | 12.3XC | Not vulnerable | |------------+--------------------------| | 12.3XD | Not vulnerable | |------------+--------------------------| | 12.3XE | Not vulnerable | |------------+--------------------------| | 12.3XF | Not vulnerable | |------------+--------------------------| | 12.3XG | Not vulnerable | |------------+--------------------------| | 12.3XH | Not vulnerable | |------------+--------------------------| | 12.3XI | Not vulnerable | |------------+--------------------------| | 12.3XJ | Not vulnerable | |------------+--------------------------| | 12.3XK | Not vulnerable | |------------+--------------------------| | 12.3XQ | Not vulnerable | |------------+--------------------------| | 12.3XR | Not vulnerable | |------------+--------------------------| | 12.3XS | Not vulnerable | |------------+--------------------------| | 12.3XU | Not vulnerable | |------------+--------------------------| | 12.3XW | Not vulnerable | |------------+--------------------------| | 12.3XX | Not vulnerable | |------------+--------------------------| | 12.3XY | Not vulnerable | |------------+--------------------------| | 12.3YA | Not vulnerable | |------------+--------------------------| | 12.3YD | Not vulnerable | |------------+--------------------------| | 12.3YF | Not vulnerable | |------------+--------------------------| | 12.3YG | 12.3(8)YG5 | | |------------+--------------------------| | 12.3YH | Not vulnerable | |------------+--------------------------| | 12.3YI | Not vulnerable | |------------+--------------------------| | 12.3YJ | Not vulnerable | |------------+--------------------------| | 12.3YK | Vulnerable; migrate to | | | 12.4(4)T3 or later | |------------+--------------------------| | 12.3YM | 12.3(14) | | | | YM8 | | |------------+--------------------------| | 12.3YQ | Vulnerable; migrate to | | | 12.4(6)T1 or later | |------------+--------------------------| | 12.3YS | Not vulnerable | |------------+--------------------------| | 12.3YT | Vulnerable; migrate to | | | 12.4(4)T3 or later | |------------+--------------------------| | 12.3YU | Vulnerable; migrate to | | | 12.4(2)XB2 or later | |------------+--------------------------| | 12.3YX | 12.3(14) | | | | YX2 | | |------------+--------------------------| | 12.3YZ | Not vulnerable | |------------+--------------------------| | Affected | | | | 12.4-Based | Rebuild | Maintenance | | Release | | | |------------+------------+-------------| | | 12.4(3d) | | | |------------+-------------| | 12.4 | 12.4(5b) | | | |------------+-------------| | | 12.4(7a) | 12.4(8) | |------------+------------+-------------| | 12.4MR | | 12.4(6)MR | |------------+--------------------------| | 12.4SW | All 12.4SW releases are | | | fixed | |------------+--------------------------| | | 12.4(2)T5 | | | |------------+-------------| | 12.4T | 12.4(4)T3 | | | |------------+-------------| | | 12.4(6)T1 | 12.4(9)T | |------------+--------------------------| | 12.4XA | Vulnerable; migrate to | | | 12.4(6)T1 or later | |------------+--------------------------| | 12.4XB | 12.4(4)XB2 | | |------------+--------------------------| | 12.4XC | Vulnerable; contact TAC | |------------+--------------------------| | 12.4XD | 12.4(4)XD2 | | |------------+--------------------------| | 12.4XE | All 12.4XE releases are | | | fixed | |------------+--------------------------| | 12.4XG | All 12.4XG releases are | | | fixed | |------------+--------------------------| | 12.4XJ | All 12.4XJ releases are | | | fixed | |------------+--------------------------| | 12.4XP | All 12.4XP releases are | | | fixed | |------------+--------------------------| | 12.4XT | All 12.4XT releases are | | | fixed | +---------------------------------------+ Workarounds =========== Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-air-20070131-sip.shtml Turn off SIP processing +----------------------- Since this vulnerability is reported only in routers not configured for SIP, the simplest and most effective workaround is to turn SIP processing off. Enter configuration commands, one per line. End with CNTL/Z. Router(config)#sip-ua Router(config-sip-ua)#no transport udp Router(config-sip-ua)#no transport tcp Router(config-sip-ua)#end Control Plane Policing +--------------------- Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the Control Plane Policing (CoPP) feature. CoPP may be configured on a device to protect the management and control planes to minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent to infrastructure device in accordance with existing security policies and configurations. The following example can be adapted to your network. !-- Permit all TCP and UDP SIP traffic sent to all IP addresses !-- configured on all interfaces of the affected device so that it !-- will be policed and dropped by the CoPP feature access-list 100 permit tcp any any eq 5060 access-list 100 permit udp any any eq 5060 !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !-- traffic in accordance with existing security policies and !-- configurations for traffic that is authorized to be sent !-- to infrastructure devices ! !-- Create a Class-Map for traffic to be policed by !-- the CoPP feature class-map match-all drop-sip-class match access-group 100 !-- Create a Policy-Map that will be applied to the !-- Control-Plane of the device policy-map drop-sip-traffic class drop-sip-class drop !-- Apply the Policy-Map to the Control-Plane of the !-- device control-plane service-policy input drop-sip-traffic Note: In the above CoPP example, the access control list entries (ACEs) which match the potential exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action (not shown) are not affected by the policy-map drop function. Additional information on the configuration and use of the CoPP feature can be found at http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804f… and http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_gui…. Obtaining Fixed Software ======================== Cisco will make free software available to address this vulnerability for affected customers. This advisory will be updated as fixed software becomes available. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact either "psirt(a)cisco.com" or "security-alert(a)cisco.com" for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac(a)cisco.com Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== This issue was first reported to Cisco by a customer. Cisco PSIRT is seeing randomly generated traffic which may be unintentionally causing this issue to manifest. Status of this Notice: INTERIM ============================== THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce(a)cisco.com * first-teams(a)first.org * bugtraq(a)securityfocus.com * vulnwatch(a)vulnwatch.org * cisco(a)spot.colorado.edu * cisco-nsp(a)puck.nether.net * full-disclosure(a)lists.grok.org.uk * comp.dcom.sys.cisco(a)newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================= +---------------------------------------+ | Revision | | Initial | | 1.0 | 2007-January-31 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. - --------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFFwGMG8NUAbBmDaxQRAlTmAKCRiz8v9q0ooRzpmx89W6HhITrUVwCZARsf mIdw8K1qQSI6UXkaxlUsXS8= =pSPg -----END PGP SIGNATURE-----

15 years, 5 months

Weekly Routing Table Report

by Routing Analysis Role Account

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. Daily listings are sent to bgp-stats(a)lists.apnic.net For historical data, please see http://thyme.apnic.net. If you have any comments please contact Philip Smith <pfs(a)cisco.com>. Routing Table Report 04:00 +10GMT Sat 27 Jan, 2007 Analysis Summary ---------------- BGP routing table entries examined: 209098 Prefixes after maximum aggregation: 112768 Deaggregation factor: 1.85 Unique aggregates announced to Internet: 101751 Total ASes present in the Internet Routing Table: 24204 Origin-only ASes present in the Internet Routing Table: 21078 Origin ASes announcing only one prefix: 10191 Transit ASes present in the Internet Routing Table: 3126 Transit-only ASes present in the Internet Routing Table: 77 Average AS path length visible in the Internet Routing Table: 3.6 Max AS path length visible: 32 Max AS path prepend of ASN (20858) 18 Prefixes from unregistered ASNs in the Routing Table: 3 Unregistered ASNs in the Routing Table: 4 Special use prefixes present in the Routing Table: 0 Prefixes being announced from unallocated address space: 12 Number of addresses announced to Internet: 1667168908 Equivalent to 99 /8s, 94 /16s and 250 /24s Percentage of available address space announced: 45.0 Percentage of allocated address space announced: 61.8 Percentage of available address space allocated: 72.8 Total number of prefixes smaller than registry allocations: 107085 APNIC Region Analysis Summary ----------------------------- Prefixes being announced by APNIC Region ASes: 46704 Total APNIC prefixes after maximum aggregation: 18720 APNIC Deaggregation factor: 2.49 Prefixes being announced from the APNIC address blocks: 44152 Unique aggregates announced from the APNIC address blocks: 19260 APNIC Region origin ASes present in the Internet Routing Table: 2827 APNIC Region origin ASes announcing only one prefix: 787 APNIC Region transit ASes present in the Internet Routing Table: 420 Average APNIC Region AS path length visible: 3.7 Max APNIC Region AS path length visible: 16 Number of APNIC addresses announced to Internet: 281267552 Equivalent to 16 /8s, 195 /16s and 205 /24s Percentage of available APNIC address space announced: 69.7 APNIC AS Blocks 4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations) 23552-24575, 37888-38911 APNIC Address Blocks 58/7, 60/7, 116/6, 120/6, 124/7, 126/8, 202/7 210/7, 218/7, 220/7 and 222/8 ARIN Region Analysis Summary ---------------------------- Prefixes being announced by ARIN Region ASes: 102763 Total ARIN prefixes after maximum aggregation: 60807 ARIN Deaggregation factor: 1.69 Prefixes being announced from the ARIN address blocks: 75685 Unique aggregates announced from the ARIN address blocks: 29044 ARIN Region origin ASes present in the Internet Routing Table: 11294 ARIN Region origin ASes announcing only one prefix: 4324 ARIN Region transit ASes present in the Internet Routing Table: 1041 Average ARIN Region AS path length visible: 3.4 Max ARIN Region AS path length visible: 21 Number of ARIN addresses announced to Internet: 314814208 Equivalent to 18 /8s, 195 /16s and 175 /24s Percentage of available ARIN address space announced: 69.5 ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106 (pre-ERX allocations) 2138-2584, 2615-2772, 2823-2829, 2880-3153 3354-4607, 4865-5119, 5632-6655, 6912-7466 7723-8191, 10240-12287, 13312-15359, 16384-17407 18432-20479, 21504-23551, 25600-26591, 26624-27647, 29696-30719, 31744-33791 35840-36863, 39936-40959 ARIN Address Blocks 24/8, 63/8, 64/5, 72/6, 76/8, 96/6, 199/8, 204/6, 208/7 and 216/8 RIPE Region Analysis Summary ---------------------------- Prefixes being announced by RIPE Region ASes: 43318 Total RIPE prefixes after maximum aggregation: 28259 RIPE Deaggregation factor: 1.53 Prefixes being announced from the RIPE address blocks: 40007 Unique aggregates announced from the RIPE address blocks: 26608 RIPE Region origin ASes present in the Internet Routing Table: 9073 RIPE Region origin ASes announcing only one prefix: 4781 RIPE Region transit ASes present in the Internet Routing Table: 1467 Average RIPE Region AS path length visible: 4.0 Max RIPE Region AS path length visible: 32 Number of RIPE addresses announced to Internet: 287181220 Equivalent to 17 /8s, 30 /16s and 9 /24s Percentage of available RIPE address space announced: 77.8 RIPE AS Blocks 1877-1901, 2043, 2047, 2107-2136, 2585-2614 (pre-ERX allocations) 2773-2822, 2830-2879, 3154-3353, 5377-5631 6656-6911, 8192-9215, 12288-13311, 15360-16383 20480-21503, 24576-25599, 28672-29695 30720-31743, 33792-35839, 38912-39935 40960-43007 RIPE Address Blocks 62/8, 77/8, 78/7, 80/5, 88/6, 193/8, 194/7, 212/7 and 217/8 LACNIC Region Analysis Summary ------------------------------ Prefixes being announced by LACNIC Region ASes: 13810 Total LACNIC prefixes after maximum aggregation: 4028 LACNIC Deaggregation factor: 3.43 Prefixes being announced from the LACNIC address blocks: 11834 Unique aggregates announced from the LACNIC address blocks: 7250 LACNIC Region origin ASes present in the Internet Routing Table: 758 LACNIC Region origin ASes announcing only one prefix: 248 LACNIC Region transit ASes present in the Internet Routing Table: 133 Average LACNIC Region AS path length visible: 4.2 Max LACNIC Region AS path length visible: 20 Number of LACNIC addresses announced to Internet: 36468224 Equivalent to 2 /8s, 44 /16s and 118 /24s Percentage of available LACNIC address space announced: 54.3 LACNIC AS Blocks 26592-26623, 27648-28671, plus ERX transfers LACNIC Address Blocks 189/8, 190/8, 200/7 AfriNIC Region Analysis Summary ------------------------------- Prefixes being announced by AfriNIC Region ASes: 2501 Total AfriNIC prefixes after maximum aggregation: 953 AfriNIC Deaggregation factor: 2.62 Prefixes being announced from the AfriNIC address blocks: 1769 Unique aggregates announced from the AfriNIC address blocks: 1142 AfriNIC Region origin ASes present in the Internet Routing Table: 174 AfriNIC Region origin ASes announcing only one prefix: 51 AfriNIC Region transit ASes present in the Internet Routing Table: 32 Average AfriNIC Region AS path length visible: 3.6 Max AfriNIC Region AS path length visible: 15 Number of AfriNIC addresses announced to Internet: 5367552 Equivalent to 0 /8s, 81 /16s and 231 /24s Percentage of available AfriNIC address space announced: 16.0 AfriNIC AS Blocks 36864-37887 & ERX transfers AfriNIC Address Blocks 41/8, 196/8 APNIC Region per AS prefix count summary ---------------------------------------- ASN No of nets /20 equiv MaxAgg Description 4134 1279 8663 273 CHINANET-BACKBONE 4755 1090 383 75 Videsh Sanchar Nigam Ltd. Aut 9583 1030 109 16 Sify Limited 9498 933 467 64 BHARTI BT INTERNET LTD. 23577 771 34 699 Korea Telecom (ATM-MPLS) 4766 763 4944 313 Korea Telecom (KIX) 17488 588 37 20 Hathway IP Over Cable Interne 1221 569 1697 440 Telstra Pty Ltd 7545 558 126 72 TPG Internet Pty Ltd 18101 514 103 27 Reliance Infocom Ltd Internet 17676 503 10935 66 Softbank BB Corp. 9443 442 111 74 Primus Telecommunications 4812 435 763 69 China Telecom (Shanghai) 17974 364 129 14 PT TELEKOMUNIKASI INDONESIA 4802 360 86 149 Wantree Development 17849 353 33 93 Telecommunications Technology 17557 349 34 168 Pakistan Telecom 2907 335 1733 309 SINET Japan 4837 334 4071 146 chinanet IDC center beijing n 7474 315 212 244 SingTel Optus Pty Ltd ARIN Region per AS prefix count summary --------------------------------------- ASN No of nets /20 equiv MaxAgg Description 7018 1550 6127 996 AT&T WorldNet Services 2386 1105 585 730 AT&T Data Communications Serv 4323 1062 818 297 Time Warner Telecom 6197 1023 647 501 BellSouth Network Solutions, 18566 989 288 9 Covad Communications 701 938 6695 746 UUNET Technologies, Inc. 174 934 6789 864 Cogent Communications 11492 912 99 15 Cable One 1239 827 2729 577 Sprint 19262 808 2576 180 Verizon Global Networks 20115 795 689 412 Charter Communications 7011 731 218 454 Citizens Utilities 22773 723 1872 41 Cox Communications, Inc. 209 715 3750 563 Qwest 721 687 21836 280 DLA Systems Automation Center 852 607 1093 393 Telus Advanced Communications 5668 577 161 19 CenturyTel Internet Holdings, 19916 568 49 54 OLM LLC 855 565 250 73 Canadian Research Network 6198 552 521 258 BellSouth Network Solutions, RIPE Region per AS prefix count summary --------------------------------------- ASN No of nets /20 equiv MaxAgg Description 702 537 1898 425 UUNET - Commercial IP service 3301 305 1199 287 TeliaNet Sweden 3320 298 4993 249 Deutsche Telekom AG 24863 298 45 25 LINKdotNET AS number 8220 271 474 263 COLT Telecommunications 6746 270 95 247 Dynamic Network Technologies, 680 257 2044 251 DFN-IP service G-WiN 3215 237 2192 93 France Telecom Transpac 8708 234 283 221 Romania Data Systems S.A. 1257 224 1097 173 SWIPnet Swedish IP Network 3269 213 2391 71 TELECOM ITALIA 30890 212 18 91 SC Kappa Invexim SRL 3246 207 354 197 Song Networks 5416 206 13 9 BATELCO-BH 8551 192 193 28 Bezeq International 20858 189 34 3 This AS will be used to conne 3352 182 1767 31 Ibernet, Internet Access Netw 3300 178 171 89 AUCS Communications Services 12479 176 578 6 Uni2 Autonomous System 786 172 1779 172 The JANET IP Service LACNIC Region per AS prefix count summary ----------------------------------------- ASN No of nets /20 equiv MaxAgg Description 8151 910 2015 203 UniNet S.A. de C.V. 11830 482 299 19 Instituto Costarricense de El 11172 385 113 83 Servicios Alestra S.A de C.V 16814 329 20 8 NSS, S.A. 22047 307 206 11 VTR PUNTO NET S.A. 6471 254 74 30 ENTEL CHILE S.A. 14117 238 16 13 Telefonica del Sur S.A. 11556 235 116 6 Cable-Wireless Panama 7303 231 103 33 Telecom Argentina Stet-France 6147 225 180 24 Telefonica Del Peru 6503 216 168 91 AVANTEL, S.A. 10481 181 72 8 Prima S.A. 21826 159 22 38 INTERCABLE 7910 152 11 32 ANDINET ON LINE 23216 147 19 43 RAMtelecom Telecomunicaciones 20299 146 22 17 NEWCOM AMERICAS 18822 145 9 10 TELEFONICA MANQUEHUE 19169 141 9 24 Telconet 19429 138 84 33 E.T.B. 14522 136 21 8 SatNet S.A. AfriNIC Region per AS prefix count summary ------------------------------------------ ASN No of nets /20 equiv MaxAgg Description 3741 290 868 232 The Internet Solution 8452 226 60 6 TEDATA 15475 153 84 4 Nile Online 6713 144 135 11 Itissalat Al-MAGHRIB 2018 138 309 113 Tertiary Education Network 5536 123 8 15 Internet Egypt Network 33783 112 6 5 EEPAD TISP TELECOM & INTERNET 24835 86 48 6 RAYA Telecom - Egypt 2905 79 173 72 The Internetworking Company o 2561 62 6 2 Egyptian Universities Network 15706 54 12 4 Sudatel Internet Exchange Aut 23889 53 16 13 MAURITIUS TELECOM 5713 45 294 35 Telkom SA Ltd 12455 39 6 3 Jambonet Autonomous system 33774 38 12 22 AS Number for Telecom Algeria 16637 33 21 25 Johnnic e-Ventures 8524 30 2 6 AUCEGYPT Autonomous System 33776 27 2 5 Starcomms Nigeria Limited 10798 23 1 14 Standard Bank of South Africa 21280 23 4 4 Swift Global Kenya Ltd.Is an Global Per AS Maximum Aggr summary ---------------------------------- ASN No of nets Net Savings Description 4755 1090 1015 Videsh Sanchar Nigam Ltd. Aut 9583 1030 1014 Sify Limited 4134 1279 1006 CHINANET-BACKBONE 18566 989 980 Covad Communications 11492 912 897 Cable One 9498 933 869 BHARTI BT INTERNET LTD. 4323 1062 765 Time Warner Telecom 8151 910 707 UniNet S.A. de C.V. 22773 723 682 Cox Communications, Inc. 19262 808 628 Verizon Global Networks 17488 588 568 Hathway IP Over Cable Interne 5668 577 558 CenturyTel Internet Holdings, 6197 1023 522 BellSouth Network Solutions, 19916 568 514 OLM LLC 855 565 492 Canadian Research Network 18101 514 487 Reliance Infocom Ltd Internet 7545 558 486 TPG Internet Pty Ltd 15270 500 466 PaeTec.net -a division of Pae 11830 482 463 Instituto Costarricense de El 4766 763 450 Korea Telecom (KIX) List of Unregistered Origin ASNs (Global) ----------------------------------------- Bad AS Designation Network Transit AS Description 23456 UNALLOCATED 203.10.62.0/24 1221 Telstra Pty Ltd 24410 UNALLOCATED 203.119.28.0/24 4134 CHINANET-BACKBONE 24409 UNALLOCATED 203.119.29.0/24 9808 Guangdong Mobile Com Advertised Unallocated Addresses -------------------------------- Network Origin AS Description 7.1.1.0/24 1239 Sprint 132.0.0.0/10 721 DLA Systems Automation Center 137.0.0.0/13 721 DLA Systems Automation Center 158.0.0.0/13 721 DLA Systems Automation Center 172.33.1.0/24 7018 AT&T WorldNet Services 180.190.0.0/16 24003 JUBILANT ORGANOSYS LTD., INDI 192.0.10.0/24 9498 BHARTI BT INTERNET LTD. 192.44.0.0/24 5501 Fraunhofer Gesellschaft 192.44.0.0/19 702 UUNET - Commercial IP service 192.70.164.0/24 25689 National Research Council of 192.153.136.0/21 721 DLA Systems Automation Center 192.172.0.0/19 721 DLA Systems Automation Center Number of prefixes announced per prefix length (Global) ------------------------------------------------------- /1:0 /2:0 /3:0 /4:0 /5:0 /6:0 /7:0 /8:19 /9:10 /10:13 /11:33 /12:115 /13:226 /14:414 /15:811 /16:9197 /17:3680 /18:5961 /19:12943 /20:14559 /21:13000 /22:16650 /23:17873 /24:111872 /25:663 /26:459 /27:373 /28:65 /29:39 /30:90 /31:0 /32:33 Advertised prefixes smaller than registry allocations ----------------------------------------------------- ASN No of nets Total ann. Description 18566 971 989 Covad Communications 11492 898 912 Cable One 9583 859 1030 Sify Limited 7018 855 1550 AT&T WorldNet Services 2386 829 1105 AT&T Data Communications Serv 6197 795 1023 BellSouth Network Solutions, 23577 757 771 Korea Telecom (ATM-MPLS) 7011 634 731 Citizens Utilities 9498 591 933 BHARTI BT INTERNET LTD. 4766 571 763 Korea Telecom (KIX) 19916 563 568 OLM LLC 4755 499 1090 Videsh Sanchar Nigam Ltd. Aut 15270 468 500 PaeTec.net -a division of Pae 855 464 565 Canadian Research Network 18101 446 514 Reliance Infocom Ltd Internet 5668 444 577 CenturyTel Internet Holdings, 17488 411 588 Hathway IP Over Cable Interne 1239 408 827 Sprint 33588 403 425 Bresnan Communications, LLC. 6198 390 552 BellSouth Network Solutions, Number of /24s announced per /8 block (Global) ---------------------------------------------- 4:9 7:1 8:61 9:1 12:1658 13:1 15:15 16:3 17:3 18:5 20:36 24:873 25:1 32:54 38:278 40:57 41:66 44:2 47:10 52:4 55:1 56:3 57:25 58:292 59:376 60:203 61:953 62:1048 63:1901 64:3206 65:2300 66:3135 67:715 68:637 69:1715 70:426 71:133 72:1140 73:1 74:148 75:55 76:22 80:831 81:776 82:647 83:348 84:493 85:758 86:465 87:478 88:272 89:766 90:2 91:177 97:1 116:1 117:1 118:1 119:1 120:1 121:129 122:68 123:26 124:574 125:786 128:304 129:221 130:126 131:317 132:49 133:9 134:182 135:44 136:180 137:113 138:190 139:53 140:519 141:137 142:371 143:213 144:290 145:66 146:319 147:139 148:366 149:190 150:115 151:117 152:90 153:119 154:5 155:250 156:125 157:172 158:170 159:147 160:98 161:88 162:228 163:162 164:450 165:288 166:246 167:281 168:495 169:121 170:379 171:15 172:1 189:131 190:356 192:5741 193:3656 194:2916 195:2214 196:897 198:3772 199:3274 200:4641 201:963 202:7176 203:7288 204:3960 205:2087 206:2434 207:2893 208:2432 209:3573 210:2342 211:880 212:1303 213:1418 214:395 215:39 216:4060 217:1179 218:358 219:268 220:845 221:369 222:277 End of report Report Website: http://thyme.apnic.net

15 years, 5 months

APRICOT 2007 drawing near

by Philip Smith

(apologies for duplicates) Hi everyone, Just a reminder that APRICOT 2007 is drawing closer. This year APRICOT is hosted by APJII, the Indonesian Internet Service Provider Association, and is being held on the island of Bali, at the Bali International Convention Centre in Nusa Dua. If you are intending to attend APRICOT you are encourage to register as soon as possible at http://www.apricot2007.net/registration.html. Also, it is very important that you book your hotel as soon as possible. The conference rate room blocks *will* be released on 31st January. With the Chinese New Year holidays overlapping with the initial days of APRICOT, it is quite likely that you may not find anywhere to stay if you leave your booking until next month. Hotel accommodation can be arranged at http://www.apricot2007.net/accommodation.html. The provisional programme for APRICOT 2007 is now available: http://www.apricot2007.net/program.html - the final programme should be published in the next few days. I look forward to seeing you all in Bali next month. Best wishes! Philip Smith On behalf of the APRICOT organising committee --

15 years, 5 months

BGP Update Report

by cidr-report＠potaroo.net

BGP Update Report Interval: 12-Jan-07 -to- 25-Jan-07 (14 days) Observation Point: BGP Peering with AS4637 TOP 20 Unstable Origin AS Rank ASN Upds % Upds/Pfx AS-Name 1 - AS4788 26578 1.9% 14.5 -- TMNET-AS-AP TM Net, Internet Service Provider 2 - AS209 25393 1.8% 5.7 -- ASN-QWEST - Qwest 3 - AS9471 21545 1.5% 167.0 -- MANA-PF-AP MANA S.A. 4 - AS4795 17893 1.3% 72.7 -- INDOSAT2-ID INDOSATM2 ASN 5 - AS702 14961 1.1% 20.8 -- AS702 MCI EMEA - Commercial IP service provider in Europe 6 - AS28751 14891 1.1% 107.1 -- CAUCASUS-NET-AS Caucasus Network Tbilisi, Georgia 7 - AS24326 14249 1.0% 130.7 -- TTT-AS-AP TT&T Public Company Limited, Service Provider,Bangkok 8 - AS5800 13646 1.0% 158.7 -- DDN-ASNBLK - DoD Network Information Center 9 - AS17974 13442 0.9% 31.6 -- TELKOMNET-AS2-AP PT TELEKOMUNIKASI INDONESIA 10 - AS306 11820 0.8% 64.9 -- DNIC - DoD Network Information Center 11 - AS4618 11228 0.8% 170.1 -- INET-TH-AS Internet Thailand Company Limited 12 - AS4621 10389 0.7% 77.0 -- UNSPECIFIED UNINET-TH 13 - AS4775 9293 0.7% 41.7 -- GLOBE-TELECOM-AS Telecom Carrier / ISP Plus + 14 - AS24731 9207 0.7% 204.6 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA) 15 - AS701 8639 0.6% 9.2 -- UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 16 - AS30890 8469 0.6% 39.2 -- EVOLVA Evolva Telecom 17 - AS12654 8120 0.6% 208.2 -- RIPE-NCC-RIS-AS RIPE NCC RIS project 18 - AS33783 7890 0.6% 70.4 -- EEPAD 19 - AS8151 7177 0.5% 7.9 -- Uninet S.A. de C.V. 20 - AS9583 6385 0.5% 6.2 -- SIFY-AS-IN Sify Limited TOP 20 Unstable Origin AS (Updates per announced prefix) Rank ASN Upds % Upds/Pfx AS-Name 1 - AS31594 4121 0.3% 4121.0 -- FORTESS-AS Fortess LLC Network 2 - AS35489 3623 0.3% 3623.0 -- TOTO-TECH-AS Toto Ltd. 3 - AS27407 1854 0.1% 1854.0 -- FRISCHS-INC - Frisch's Restaurants, Inc. 4 - AS15774 1751 0.1% 1751.0 -- MEDIANAT LLC "MEDIANAT", ISP primarily for educational institution 5 - AS39250 1398 0.1% 1398.0 -- COLOPROVIDER-AS Colo Provider 6 - AS31480 1217 0.1% 1217.0 -- GLOBAL-TS-AS CJSC Global TeleSystems 7 - AS34378 948 0.1% 948.0 -- RUG-AS Razguliay-UKRROS Group 8 - AS3043 3339 0.2% 834.8 -- AMPHIB-AS - Amphibian Media Corporation 9 - AS38134 4014 0.3% 802.8 -- IMUB-AS-KR INCHEON MUSIC BROADCASTING.CO.,LTD 10 - AS39610 1460 0.1% 730.0 -- LCH-CLEARNET LCH Clearnet 11 - AS3727 691 0.1% 691.0 -- SHRUBB - Shrubbery Networks 12 - AS35966 680 0.1% 680.0 -- GUBA-NETWORK - GUBA LLC 13 - AS33188 1196 0.1% 598.0 -- SCS-NETWORK-1 - Sono Corporate Suites 14 - AS8349 517 0.0% 517.0 -- IPI-UA 15 - AS14548 473 0.0% 473.0 -- LISTEN-SF-1 - Listen.com 16 - AS30355 455 0.0% 455.0 -- PATRIOT-COMMUNICATIONS - PATRIOT COMMUNICATIONS 17 - AS28912 893 0.1% 446.5 -- OLMA-AS OLMA Investment Company 18 - AS38151 442 0.0% 442.0 -- ENUM-AS-ID APJII-RD 19 - AS21391 1302 0.1% 434.0 -- TDA-AS TDA AS Maintainer 20 - AS31527 429 0.0% 429.0 -- TELEPOL-AS Telepol Security TOP 20 Unstable Prefixes Rank Prefix Upds % Origin AS -- AS Name 1 - 222.127.32.0/19 4588 0.3% AS4775 -- GLOBE-TELECOM-AS Telecom Carrier / ISP Plus + 2 - 194.242.124.0/22 4121 0.2% AS31594 -- FORTESS-AS Fortess LLC Network 3 - 216.32.206.0/24 4070 0.2% AS20473 -- AS-CHOOPA - Choopa, LLC 4 - 61.0.0.0/8 3645 0.2% AS17607 -- ATT7192-AS-KR ATT GNS korea AS4678 -- FINE CANON NETWORK COMMUNICATIONS INC. 5 - 62.213.176.0/23 3623 0.2% AS35489 -- TOTO-TECH-AS Toto Ltd. 6 - 209.140.24.0/24 3336 0.2% AS3043 -- AMPHIB-AS - Amphibian Media Corporation 7 - 89.4.131.0/24 2706 0.2% AS24731 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA) 8 - 89.4.129.0/24 2136 0.1% AS24731 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA) 9 - 203.199.128.0/19 2089 0.1% AS4755 -- VSNL-AS Videsh Sanchar Nigam Ltd. Autonomous System 10 - 89.4.128.0/24 1948 0.1% AS24731 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA) 11 - 66.117.207.0/24 1854 0.1% AS27407 -- FRISCHS-INC - Frisch's Restaurants, Inc. 12 - 62.68.143.0/24 1751 0.1% AS15774 -- MEDIANAT LLC "MEDIANAT", ISP primarily for educational institution 13 - 203.212.120.0/21 1639 0.1% AS38134 -- IMUB-AS-KR INCHEON MUSIC BROADCASTING.CO.,LTD 14 - 203.212.116.0/22 1531 0.1% AS38134 -- IMUB-AS-KR INCHEON MUSIC BROADCASTING.CO.,LTD 15 - 138.187.128.0/18 1478 0.1% AS3303 -- SWISSCOM Swisscom Solutions Ltd 16 - 203.223.32.0/20 1470 0.1% AS17726 -- CAMNET-AS CAMNET is an ISP of Ministry of Posts 17 - 89.4.130.0/24 1437 0.1% AS24731 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA) 18 - 83.98.220.0/23 1398 0.1% AS39250 -- COLOPROVIDER-AS Colo Provider 19 - 203.177.144.0/23 1333 0.1% AS4775 -- GLOBE-TELECOM-AS Telecom Carrier / ISP Plus + 20 - 216.85.83.0/24 1331 0.1% AS6467 -- ESPIRECOMM - Xspedius Communications Co. Details at http://bgpupdates.potaroo.net ------------------------------------ Copies of this report are mailed to: nanog(a)merit.edu eof-list(a)ripe.net apops(a)apops.net routing-wg(a)ripe.net afnog(a)afnog.org ausnog(a)ausnog.net

15 years, 5 months

The Cidr Report

by cidr-report＠potaroo.net

This report has been generated at Fri Jan 26 21:47:04 2007 AEST. The report analyses the BGP Routing Table of an AS4637 (Reach) router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org/as4637 for a current version of this report. Recent Table History Date Prefixes CIDR Agg 19-01-07 205110 133829 20-01-07 205211 134172 21-01-07 205309 133999 22-01-07 205117 133862 23-01-07 205342 133990 24-01-07 205587 133947 25-01-07 205622 133802 26-01-07 205748 133854 AS Summary 24121 Number of ASes in routing system 10190 Number of ASes announcing only one prefix 1533 Largest number of prefixes announced by an AS AS7018 : ATT-INTERNET4 - AT&T WorldNet Services 90760448 Largest address span announced by an AS (/32s) AS721 : DISA-ASNBLK - DoD Network Information Center Aggregation Summary The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes'). --- 26Jan07 --- ASnum NetsNow NetsAggr NetGain % Gain Description Table 205887 133826 72061 35.0% All ASes AS4134 1246 305 941 75.5% CHINANET-BACKBONE No.31,Jin-rong Street AS18566 989 87 902 91.2% COVAD - Covad Communications Co. AS4755 1052 192 860 81.7% VSNL-AS Videsh Sanchar Nigam Ltd. Autonomous System AS4323 1057 301 756 71.5% TWTC - Time Warner Telecom, Inc. AS9498 934 190 744 79.7% BBIL-AP BHARTI BT INTERNET LTD. AS22773 720 47 673 93.5% CCINET-2 - Cox Communications Inc. AS11492 912 331 581 63.7% CABLEONE - CABLE ONE AS19262 762 181 581 76.2% VZGNI-TRANSIT - Verizon Internet Services Inc. AS7018 1533 988 545 35.6% ATT-INTERNET4 - AT&T WorldNet Services AS17488 588 50 538 91.5% HATHWAY-NET-AP Hathway IP Over Cable Internet AS6197 1023 509 514 50.2% BATI-ATL - BellSouth Network Solutions, Inc AS19916 568 71 497 87.5% ASTRUM-0001 - OLM LLC AS18101 514 32 482 93.8% RIL-IDC Reliance Infocom Ltd Internet Data Centre, AS8151 910 466 444 48.8% Uninet S.A. de C.V. AS17676 503 66 437 86.9% JPNIC-JP-ASN-BLOCK Japan Network Information Center AS15270 497 66 431 86.7% AS-PAETEC-NET - PaeTec.net -a division of PaeTecCommunications, Inc. AS4766 728 318 410 56.3% KIXS-AS-KR Korea Telecom AS721 687 283 404 58.8% DISA-ASNBLK - DoD Network Information Center AS2386 1107 735 372 33.6% INS-AS - AT&T Data Communications Services AS4812 428 69 359 83.9% CHINANET-SH-AP China Telecom (Group) AS6467 411 54 357 86.9% ESPIRECOMM - Xspedius Communications Co. AS3602 525 187 338 64.4% AS3602-RTI - Rogers Telecom Inc. AS16852 394 68 326 82.7% BROADWING-FOCAL - Broadwing Communications, Inc. AS33588 425 123 302 71.1% BRESNAN-AS - Bresnan Communications, LLC. AS5668 573 279 294 51.3% AS-5668 - CenturyTel Internet Holdings, Inc. AS6517 406 115 291 71.7% YIPESCOM - Yipes Communications, Inc. AS6198 554 265 289 52.2% BATI-MIA - BellSouth Network Solutions, Inc AS9583 1030 741 289 28.1% SIFY-AS-IN Sify Limited AS855 565 280 285 50.4% CANET-ASN-4 - Bell Aliant AS7011 731 455 276 37.8% FRONTIER-AND-CITIZENS - Frontier Communications, Inc. Total 22372 7854 14518 64.9% Top 30 total Possible Bogus Routes 24.246.0.0/17 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 24.246.128.0/18 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 61.4.64.0/20 AS9929 CNCNET-CN China Netcom Corp. 63.248.0.0/16 AS3356 LEVEL3 Level 3 Communications 63.248.0.0/17 AS3356 LEVEL3 Level 3 Communications 64.7.112.0/21 AS13511 ITXC - ITXC 64.7.120.0/21 AS13537 ITXC-2 - ITXC 64.7.240.0/20 AS3602 AS3602-RTI - Rogers Telecom Inc. 64.17.32.0/24 AS13488 CBWU-13488 - Continental Broadband Florida, Inc DBA WebUnited 64.17.33.0/24 AS13488 CBWU-13488 - Continental Broadband Florida, Inc DBA WebUnited 64.17.37.0/24 AS13488 CBWU-13488 - Continental Broadband Florida, Inc DBA WebUnited 64.46.96.0/20 AS13680 AS13680 Hostway Corporation Tampa, FL 64.46.112.0/20 AS13680 AS13680 Hostway Corporation Tampa, FL 64.79.64.0/19 AS10789 BIGNET-AS - The Bignet 64.79.86.0/24 AS10789 BIGNET-AS - The Bignet 64.79.87.0/24 AS10789 BIGNET-AS - The Bignet 64.79.88.0/24 AS10789 BIGNET-AS - The Bignet 64.79.89.0/24 AS10789 BIGNET-AS - The Bignet 64.79.90.0/24 AS10789 BIGNET-AS - The Bignet 64.79.96.0/20 AS10789 BIGNET-AS - The Bignet 64.89.224.0/24 AS15276 MAX-LV - Intuitive Logic 64.89.225.0/24 AS15276 MAX-LV - Intuitive Logic 64.89.226.0/24 AS15276 MAX-LV - Intuitive Logic 64.89.232.0/24 AS15276 MAX-LV - Intuitive Logic 64.89.239.0/24 AS15276 MAX-LV - Intuitive Logic 64.188.0.0/16 AS3356 LEVEL3 Level 3 Communications 64.250.128.0/18 AS10789 BIGNET-AS - The Bignet 65.60.45.0/24 AS32311 JKS-ASN - JKS Media, LLC 66.11.32.0/20 AS6261 VISINET - Visionary Systems, Inc. 66.37.96.0/20 AS3764 IA-HOU-AS - Internet America, Inc. 66.97.32.0/20 AS11305 INTERLAND-NET1 - Interland Incorporated 66.163.96.0/20 AS25767 WAVEFORM - Waveform Technology, LLC 66.180.239.0/24 AS35888 VIGNETTE - VIGNETTE CORPORATION 66.235.158.0/23 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 69.36.128.0/20 AS16527 GVTCINTERNET - Guadalupe Valley Telephone Co-op, Inc. 69.36.192.0/20 AS29804 INTEGRATIX - Integratix Inc. 69.55.108.0/24 AS4977 NET1 - Pecos Technologies 72.9.128.0/20 AS27572 THEBOE-27572 - The Boeing Company 72.9.130.0/24 AS29904 THEBOE-29904 - The Boeing Company 72.172.64.0/19 AS558 NET2EZ - Net2EZ 77.66.128.0/17 AS6767 RU-CTSRND-AS Rostov-on-Don CTS/ICOMM Node 77.109.192.0/18 AS21366 KYMPNET-AS KympNet ISP Services South-Eastern Finland 77.236.0.0/19 AS16366 AUTOCOM AUTOCOM Autonomous System 77.240.224.0/20 AS24749 ASIMANTOVA-AS TEANET Mantova - 46100 - MANTOVA - ITALY 78.192.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 78.255.248.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 79.192.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 79.255.248.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 91.189.88.0/21 AS6908 DATAHOP Datahop Autonomous System 128.209.0.0/16 AS4017 BELLST - Bell Atlantic Science & Technology 131.64.0.0/12 AS721 DISA-ASNBLK - DoD Network Information Center 132.0.0.0/10 AS721 DISA-ASNBLK - DoD Network Information Center 137.0.0.0/13 AS721 DISA-ASNBLK - DoD Network Information Center 138.136.0.0/13 AS721 DISA-ASNBLK - DoD Network Information Center 139.56.0.0/19 AS14956 BROADVISION-ASN - Broadvision Inc. 139.56.72.0/23 AS702 AS702 MCI EMEA - Commercial IP service provider in Europe 151.135.0.0/16 AS4763 TELSTRANZ-AS TelstraClear Ltd 158.0.0.0/13 AS721 DISA-ASNBLK - DoD Network Information Center 159.3.211.0/24 AS2687 ASATTCA AT&T Global Network Services - AP 159.220.0.0/22 AS16050 REUTERS-DOCKLANDS-RES-AS Reuters Docklands resiliancy 159.220.4.0/22 AS16050 REUTERS-DOCKLANDS-RES-AS Reuters Docklands resiliancy 159.220.4.0/24 AS16050 REUTERS-DOCKLANDS-RES-AS Reuters Docklands resiliancy 159.220.8.0/22 AS35528 REUTERS-UK2-AS Reuters-UK2 159.220.40.0/24 AS1787 REUTERS-AMERICA-ISP-CELL-AS - Reuters America Inc. 159.220.41.0/24 AS1787 REUTERS-AMERICA-ISP-CELL-AS - Reuters America Inc. 159.220.42.0/24 AS1787 REUTERS-AMERICA-ISP-CELL-AS - Reuters America Inc. 159.220.43.0/24 AS1787 REUTERS-AMERICA-ISP-CELL-AS - Reuters America Inc. 159.220.64.0/23 AS24977 MONEYLINE-UK Moneyline Telerate 162.54.122.0/24 AS5400 BT BT European Backbone 163.142.0.0/16 AS2500 JPNIC-ASBLOCK-AP JPNIC 180.190.0.0/16 AS24003 JUBL-MAIN-AS-IN JUBILANT ORGANOSYS LTD., INDIA, LEADING CHEMICAL MANUFACTURER 190.54.0.0/16 AS6429 Core Internet AT&T Chile 192.30.93.0/24 AS17757 HPAUS-AP HP Australia 192.30.94.0/24 AS17757 HPAUS-AP HP Australia 192.40.105.0/24 AS12582 TSF-DATANET-NGD-AS TSF MPLS VPN Services 192.69.107.0/24 AS5515 SONERA-GLOBAL-IP Sonera Solution Autonomous System 192.69.108.0/24 AS5515 SONERA-GLOBAL-IP Sonera Solution Autonomous System 192.69.177.0/24 AS5515 SONERA-GLOBAL-IP Sonera Solution Autonomous System 192.70.164.0/24 AS25689 NRCNET-AS - National Research Council of Canada 192.81.160.0/24 AS719 ELISA-AS Elisa Oyj 192.81.182.0/24 AS719 ELISA-AS Elisa Oyj 192.81.183.0/24 AS719 ELISA-AS Elisa Oyj 192.81.184.0/24 AS719 ELISA-AS Elisa Oyj 192.88.99.0/24 AS559 SWITCH SWITCH, Swiss Education and Research Network 192.96.36.0/24 AS5713 SAIX-NET 192.96.37.0/24 AS10474 NETACTIVE 192.96.135.0/24 AS2018 TENET-1 192.96.136.0/23 AS2018 TENET-1 192.96.140.0/24 AS2018 TENET-1 192.96.143.0/24 AS2018 TENET-1 192.96.145.0/24 AS2018 TENET-1 192.96.177.0/24 AS6083 POSIX-AFRICA 192.96.250.0/24 AS2018 TENET-1 192.107.104.0/24 AS7137 TELEMATIX/ ENITEL 192.124.252.0/22 AS680 DFN-IP service G-WiN 192.133.6.0/24 AS10282 EQUANT-CEEUR EQUANT AS for Central and Eastern Europe region 192.139.3.0/24 AS23184 PERSONA - PERSONA COMMUNICATIONS INC. 192.153.136.0/21 AS721 DISA-ASNBLK - DoD Network Information Center 192.153.144.0/21 AS721 DISA-ASNBLK - DoD Network Information Center 192.172.0.0/19 AS721 DISA-ASNBLK - DoD Network Information Center 192.188.208.0/20 AS721 DISA-ASNBLK - DoD Network Information Center 192.245.235.0/24 AS29748 CARPATHIA-HOSTING - Carpathia Hosting 193.33.30.0/23 AS31736 SENSELAN-AS senseLAN GmbH, Duedingen, Switzerland 193.43.228.0/22 AS8757 ACCESS11 Access 11 Ltd. (UK) 194.0.181.0/24 AS6778 BPTNET-AS EXATEL 194.0.183.0/24 AS25394 MK-NETZDIENSTE-AS AS for MK Netzdienste GmbH & Co. KG 194.31.227.0/24 AS21461 TRANSFAIRNET Transfair-net GmbH Krefeld 194.59.176.0/20 AS1273 CW Cable & Wireless 194.246.72.0/23 AS8893 ARTFILES-AS Artfiles New Media GmbH 195.35.104.0/24 AS12445 SPIDERNET-AS Selene s.p.a. 196.6.108.0/24 AS5713 SAIX-NET 196.6.175.0/24 AS3741 IS 196.6.176.0/23 AS3741 IS 196.6.183.0/24 AS3741 IS 196.6.196.0/24 AS3741 IS 196.6.199.0/24 AS3741 IS 196.6.204.0/22 AS3741 IS 196.6.208.0/24 AS3741 IS 196.6.211.0/24 AS3741 IS 196.6.212.0/23 AS3741 IS 196.6.212.0/24 AS3741 IS 196.6.222.0/23 AS3741 IS 196.6.237.0/24 AS3741 IS 196.10.119.0/24 AS2018 TENET-1 196.10.122.0/23 AS2018 TENET-1 196.10.136.0/22 AS3741 IS 196.10.140.0/22 AS3741 IS 196.10.231.0/24 AS3741 IS 196.10.251.0/24 AS2018 TENET-1 196.10.252.0/23 AS2018 TENET-1 196.10.254.0/24 AS2018 TENET-1 196.11.0.0/20 AS3741 IS 196.11.40.0/21 AS3741 IS 196.11.135.0/24 AS3741 IS 196.11.188.0/23 AS3741 IS 196.11.190.0/24 AS3741 IS 196.11.251.0/24 AS3741 IS 196.13.101.0/24 AS2018 TENET-1 196.13.102.0/23 AS2018 TENET-1 196.13.104.0/24 AS2018 TENET-1 196.13.108.0/24 AS3741 IS 196.13.116.0/22 AS2018 TENET-1 196.13.121.0/24 AS2018 TENET-1 196.13.125.0/24 AS2018 TENET-1 196.13.126.0/24 AS2018 TENET-1 196.13.128.0/22 AS3741 IS 196.13.144.0/22 AS2905 TICSA-ASN 196.13.152.0/21 AS2905 TICSA-ASN 196.13.160.0/24 AS2905 TICSA-ASN 196.13.169.0/24 AS2018 TENET-1 196.13.174.0/23 AS2018 TENET-1 196.13.176.0/21 AS2018 TENET-1 196.13.188.0/22 AS2018 TENET-1 196.13.192.0/22 AS2018 TENET-1 196.13.196.0/24 AS2018 TENET-1 196.13.214.0/23 AS3741 IS 196.13.216.0/23 AS3741 IS 198.23.26.0/24 AS4390 BELLATLANTIC-COM - Bell Atlantic, Inc. 198.54.82.0/24 AS2018 TENET-1 198.54.92.0/24 AS2018 TENET-1 198.54.222.0/24 AS2018 TENET-1 198.54.249.0/24 AS2018 TENET-1 198.54.250.0/24 AS2018 TENET-1 198.54.251.0/24 AS2018 TENET-1 198.97.72.0/21 AS721 DISA-ASNBLK - DoD Network Information Center 198.97.80.0/20 AS721 DISA-ASNBLK - DoD Network Information Center 198.97.96.0/19 AS721 DISA-ASNBLK - DoD Network Information Center 198.97.240.0/20 AS721 DISA-ASNBLK - DoD Network Information Center 198.161.87.0/24 AS6539 GT-BELL - Bell Canada 198.163.155.0/24 AS684 MTSAL-ASN - MTS Allstream Inc. 198.167.0.0/16 AS7456 INTERHOP - Interhop Network SERVICES Inc. 198.168.0.0/16 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 198.169.0.0/16 AS803 SASKTEL - SaskTel 199.9.128.0/17 AS668 ASN-ASNET-NET-AS - Defense Research and Engineering Network 199.10.0.0/16 AS721 DISA-ASNBLK - DoD Network Information Center 199.60.0.0/20 AS271 BCNET-AS - University of British Columbia 199.114.0.0/21 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.128.0/18 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.130.0/24 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.132.0/24 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.134.0/24 AS3541 ITSDN-U4 - DISA/UNRRA 199.114.136.0/24 AS27044 DDN-ASNBLK1 - DoD Network Information Center 199.114.138.0/24 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.140.0/24 AS3544 ITSDN-U7 - DISA/UNRRA 199.114.142.0/24 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.144.0/24 AS27064 DDN-ASNBLK1 - DoD Network Information Center 199.114.148.0/24 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.150.0/24 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.152.0/24 AS27033 DDN-ASNBLK1 - DoD Network Information Center 199.114.153.0/24 AS27034 DDN-ASNBLK1 - DoD Network Information Center 199.114.154.0/24 AS1733 CENTAF-SWA - AF DDN PMO 199.114.160.0/24 AS1733 CENTAF-SWA - AF DDN PMO 199.121.0.0/16 AS721 DISA-ASNBLK - DoD Network Information Center 199.123.0.0/18 AS721 DISA-ASNBLK - DoD Network Information Center 199.123.16.0/20 AS721 DISA-ASNBLK - DoD Network Information Center 199.123.80.0/21 AS721 DISA-ASNBLK - DoD Network Information Center 199.175.64.0/19 AS6539 GT-BELL - Bell Canada 199.189.32.0/19 AS7332 IQUEST-AS - IQuest Internet 199.202.0.0/16 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 199.246.116.0/24 AS813 UUNET-CANADA - MCI Communications Services, Inc. d/b/a Verizon Business 202.4.160.0/24 AS9498 BBIL-AP BHARTI BT INTERNET LTD. 202.4.161.0/24 AS9498 BBIL-AP BHARTI BT INTERNET LTD. 202.4.162.0/24 AS9498 BBIL-AP BHARTI BT INTERNET LTD. 202.9.64.0/19 AS9290 TPN-AS-AP Smart Global Network (M) Sdn Bhd 202.58.113.0/24 AS19161 INNOCOM-TELECOM - INNOCOM TELECOM 202.58.224.0/19 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.224.0/20 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.240.0/20 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.240.0/24 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.244.0/24 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.249.0/24 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.250.0/24 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.253.0/24 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.86.252.0/22 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.253.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.254.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.255.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.90.33.0/24 AS9830 SWIFTONLINE-AS-AP SWIFT ONLINE BORDER AS 202.90.40.0/24 AS9830 SWIFTONLINE-AS-AP SWIFT ONLINE BORDER AS 202.90.41.0/24 AS9830 SWIFTONLINE-AS-AP SWIFT ONLINE BORDER AS 202.90.42.0/24 AS9830 SWIFTONLINE-AS-AP SWIFT ONLINE BORDER AS 202.90.43.0/24 AS9830 SWIFTONLINE-AS-AP SWIFT ONLINE BORDER AS 202.90.44.0/24 AS9830 SWIFTONLINE-AS-AP SWIFT ONLINE BORDER AS 202.94.70.0/24 AS9837 POWERTEL-AP Powertel Ltd 202.124.192.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.193.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.194.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.195.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.196.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.197.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.198.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.199.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.200.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.201.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.202.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.203.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.204.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.205.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.206.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.207.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.125.96.0/20 AS7693 COMNET-TH KSC Commercial Internet Co. Ltd. 202.136.254.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.136.255.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.148.32.0/20 AS17495 GATEWAY-AP BROADBAND WIRELESSS INTERNET SERVICE PROVIDER 202.164.100.0/24 AS18101 RIL-IDC Reliance Infocom Ltd Internet Data Centre, 202.182.32.0/22 AS10223 UECOMM-AU Uecomm Ltd 203.13.171.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 203.62.0.0/17 AS7575 AARNET-AS-AP Australian Academic and Reasearch Network (AARNet) 203.78.48.0/20 AS9299 IPG-AS-AP Philippine Long Distance Telephone Company 203.80.32.0/20 AS4817 DESTRA-AU-AP Destra Corporation 203.89.139.0/24 AS17911 BRAINPK-AS-AP Brain Telecommunication Ltd. 203.111.192.0/20 AS7473 SINGTEL-AS-AP Singapore Telecom 203.128.128.0/19 AS4134 CHINANET-BACKBONE No.31,Jin-rong Street 203.152.136.0/23 AS23649 NEWSKIES-AS-AP New Skies Satellites, Hong Kong Teleport 203.152.138.0/23 AS23649 NEWSKIES-AS-AP New Skies Satellites, Hong Kong Teleport 203.152.142.0/24 AS23649 NEWSKIES-AS-AP New Skies Satellites, Hong Kong Teleport 203.152.143.0/24 AS23649 NEWSKIES-AS-AP New Skies Satellites, Hong Kong Teleport 203.160.104.0/22 AS23914 OCI-AS-VN One-Connection Internet Company 203.160.110.0/23 AS7643 VNN-AS-AP Vietnam Posts and Telecommunications (VNPT) 204.29.196.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 204.29.197.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 204.48.58.0/24 AS4323 TWTC - Time Warner Telecom, Inc. 204.48.60.0/24 AS4323 TWTC - Time Warner Telecom, Inc. 204.153.68.0/24 AS4017 BELLST - Bell Atlantic Science & Technology 204.153.71.0/24 AS4017 BELLST - Bell Atlantic Science & Technology 204.153.104.0/24 AS10913 INTERNAP-BLK - Internap Network Services 204.154.125.0/24 AS3952 TELLABS-ASN - TELLABS Operations, Inc. 204.154.126.0/24 AS3952 TELLABS-ASN - TELLABS Operations, Inc. 204.154.127.0/24 AS3952 TELLABS-ASN - TELLABS Operations, Inc. 205.143.144.0/21 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 205.150.0.0/15 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 206.128.104.0/21 AS11709 VIC - VIRTUAL INTERACTIVE CENTER 207.7.64.0/19 AS14093 ITRIBE - iTRiBE, Inc. 207.189.62.0/23 AS7132 SBIS-AS - SBC Internet Services 207.191.224.0/23 AS2828 XO-AS15 - XO Communications 207.191.232.0/21 AS2828 XO-AS15 - XO Communications 207.231.96.0/19 AS11194 NUNETPA - NuNet Inc 207.246.192.0/20 AS5656 ACCESSUS-DOM - accessU.S./BASENet 208.74.88.0/21 AS14230 COVAULT - CoVault Technology LLC 209.105.224.0/19 AS20074 KNOWLEDGENET - KNOWLEDGENET 209.159.128.0/19 AS209 ASN-QWEST - Qwest 209.177.64.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 209.177.65.0/24 AS8088 SRTNET - SRT ENTERPRISES 209.177.66.0/23 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 209.177.68.0/23 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 209.177.70.0/24 AS19159 STING - Sting Communications 209.177.89.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 209.177.93.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 209.177.94.0/24 AS6461 MFNX MFN - Metromedia Fiber Network 209.177.95.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 209.205.81.0/24 AS15066 SkyNet de Colombia S.A. 209.205.82.0/24 AS15066 SkyNet de Colombia S.A. 209.205.84.0/24 AS15066 SkyNet de Colombia S.A. 210.5.128.0/20 AS4837 CHINA169-BACKBONE CNCGROUP China169 Backbone 212.63.192.0/19 AS30880 SPACEDUMP-AS SpaceDump IT 216.21.1.0/24 AS11652 DATATONE - Datatone Communications Inc 216.21.6.0/24 AS11652 DATATONE - Datatone Communications Inc 216.21.7.0/24 AS11652 DATATONE - Datatone Communications Inc 216.21.15.0/24 AS11652 DATATONE - Datatone Communications Inc 216.21.17.0/24 AS11652 DATATONE - Datatone Communications Inc 216.59.0.0/17 AS3356 LEVEL3 Level 3 Communications 216.65.160.0/19 AS7770 TRITON - Triton Technologies, Inc. 216.71.224.0/20 AS23527 COTELLIGENCE - Cotelligence, Inc. 216.201.72.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.73.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.74.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.75.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.76.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.77.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.78.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.79.0/24 AS14709 Telefonica Moviles Panama S.A. 216.230.224.0/20 AS15270 AS-PAETEC-NET - PaeTec.net -a division of PaeTecCommunications, Inc. 216.235.224.0/20 AS22136 NYCT - New York Connect 216.240.240.0/20 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 216.240.242.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services Please see http://www.cidr-report.org for the full report ------------------------------------ Copies of this report are mailed to: nanog(a)merit.edu eof-list(a)ripe.net apops(a)apops.net routing-wg(a)ripe.net afnog(a)afnog.org ausnog(a)ausnog.net

15 years, 5 months

Cisco Security Advisory: Crafted IP Option Vulnerability

by Cisco Systems Product Security Incident Response Team

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Crafted IP Option Vulnerability Advisory ID: cisco-sa-20070124-crafted-ip-option http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.sh… Revision 1.0 For Public Release 2007 January 24 1600 UTC (GMT) +-------------------------------------------------------------------- Contents ======== Summary Affected Products Details Vulnerability Scoring Details Impact Software Version and Fixes Workarounds Obtaining Fixed Software Exploitation and Public Announcements Status of this Notice: FINAL Distribution Revision History Cisco Security Procedures - --------------------------------------------------------------------- Summary ======= Cisco routers and switches running Cisco IOS? or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue. Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability. This vulnerability was discovered during internal testing. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.sh… Affected Products ================= Vulnerable Products +------------------ This issue affects all Cisco devices running Cisco IOS or Cisco IOS XR software and configured to process Internet Protocol version 4 (IPv4) packets. Devices which run only Internet Protocol version 6 (IPv6) are not affected. This vulnerability is present in all unfixed versions of Cisco IOS software, including versions 9.x, 10.x, 11.x and 12.x. This vulnerability is present in all unfixed versions of Cisco IOS XR software, including versions 2.0.X, 3.0.X, and 3.2.X. All versions of Cisco IOS or Cisco IOS XR prior to the versions listed in the Fixed Software table below may be susceptible to this vulnerability. To determine the software running on a Cisco product, log in to the device and issue the "show version" command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Cisco IOS XR software will identify itself as "Cisco IOS XR Software" followed by "Version" and the version number. Other Cisco devices will not have the show version command or will give different output. The following example identifies a Cisco product running Cisco IOS release 12.2(14)S16 with an installed image name of C7200-IS-M: Cisco Internetwork Operating System Software IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(14)S16, RELEASE SOFTWARE (fc1) The release train label is "12.2". The next example shows a product running IOS release 12.3(7)T12 with an image name of C7200-IK9S-M: Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(7)T12, RELEASE SOFTWARE (fc1) Additional information about Cisco IOS Banners is available at http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper… Cisco IOS XR Software is a member of the Cisco IOS software family that uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR runs only on Cisco Carrier Routing System 1 (CRS-1) and Cisco XR 12000 series routers. Additional information about Cisco IOS XR is available at http://www.cisco.com/en/US/products/ps5845/index.html The following example shows partial output from the show version command which identifies a Cisco product running Cisco IOS XR release 3.3.0: RP/0/RP0/CPU0:router#show version Cisco IOS XR Software, Version 3.3.0 Copyright (c) 2006 by cisco Systems, Inc. ROM: System Bootstrap, Version 1.32(20050525:193559) [CRS-1 ROMMON] Products Confirmed Not Vulnerable +-------------------------------- Cisco devices that do not run Cisco IOS or Cisco IOS XR software are not affected. CatOS software is not affected by this issue. No other Cisco products are currently known to be affected by this vulnerability. Details ======= This vulnerability may be exploited when an affected device processes a packet that meets all three of the following conditions: +---------------------------------------+ | 1. The packet contains a specific | | crafted IP option. | |---------------------------------------| | AND | |---------------------------------------| | 2. The packet is one of the following | | protocols: | |---------------------------------------| | * ICMP - Echo (Type 8) - 'ping' | |---------------------------------------| | * ICMP - Timestamp (Type 13) | |---------------------------------------| | * ICMP - Information Request (Type | | 15) | |---------------------------------------| | * ICMP - Address Mask Request (Type | | 17) | |---------------------------------------| | * PIMv2 - IP protocol 103 | |---------------------------------------| | * PGM - IP protocol 113 | |---------------------------------------| | * URD - TCP Port 465 | |---------------------------------------| | AND | |---------------------------------------| | 3. The packet is sent to a physical | | or virtual IPv4 address configured on | | the affected device. | +---------------------------------------+ No other ICMP message types are affected by this issue. No other IP protocols are affected by this issue. No other TCP services are affected by this issue. The packet can be sent from a local network or from a remote network. The source IP address of the packet can be spoofed or non-spoofed. Packets which transit the device (packets not sent to one of the device's IP addresses) do not trigger the vulnerability and the device is not affected. This vulnerability is documented in these Bug IDs: * Cisco Bug ID CSCec71950 for Cisco IOS * Cisco Bug ID CSCeh52410 for Cisco IOS XR Cisco IOS +-------- A crafted packet addressed directly to a vulnerable device running Cisco IOS software may result in the device reloading or may allow execution of arbitrary code. Cisco IOS XR +----------- A crafted packet addressed directly to a vulnerable device running Cisco IOS XR software may result in the ipv4_io process restarting or may allow execution of arbitrary code. CRS-1 Nodes that run the ipv4_io process include Route Processors (RP), Distributed Route Processors (DRP), Modular Services Cards (MSC), and XR 12000 Line Cards. While the ipv4_io process is restarting, all ICMP traffic destined for the device itself and exception punts will be dropped. Examples of exception punts include packets having IP header information that requires further processing such as IP options, Time-to-Live equal to 0 or 1, and layer-2 keepalives. CLNS traffic to the Node or Line Card is not affected. If the ipv4_io process is restarted several times consecutively, the CRS-1 Node or XR 12000 Line Card may reload, causing a Denial of Service (DoS) condition for the transit traffic switched on that Node or Line card. Devices Configured for ICMP Message Types +---------------------------------------- ICMP Type 8 +---------- By default, devices running all Cisco IOS and Cisco IOS XR versions will process ICMP echo-request (Type 8) packets. This behavior cannot be modified. ICMP Type 13 +----------- By default, devices running all Cisco IOS versions will process ICMP timestamp (Type 13) packets. This behavior cannot be modified. By default, devices running all Cisco IOS XR versions will NOT process ICMP timestamp (Type 13) packets. This behavior cannot be modified. ICMP Type 15 +----------- With the introduction of CSCdz50424, by default routers will NOT process ICMP information request (Type 15) packets. Releases of Cisco IOS that contain CSCdz50424 include 12.3, 12.3T, 12.4, 12.4T, later 12.0S and later 12.2S. See CSCdz50424 for complete release information. A router running a Cisco IOS release containing CSCdz50424 that has been modified to process ICMP information request packets will have the interface configuration statement "ip information-reply", which can be seen by issuing the command "show running-config" as shown in the following examples: router#show running-config | include information-reply ip information-reply or router#show running-config interface FastEthernet0/0 ip address 192.0.2.1 255.255.255.0 ip information-reply By default, devices running all other Cisco IOS versions will process ICMP information request (Type 15) packets. This behavior cannot be modified. Since this is the default behavior, "ip information-reply" will not be visible in the device's configuration. By default, devices running all Cisco IOS XR versions will NOT process ICMP information request (Type 15) packets. This behavior cannot be modified. ICMP Type 17 +----------- Beginning in Cisco IOS version 10.0, by default devices will NOT process ICMP address mask request (Type 17) packets. A router that has been modified to process ICMP address mask request packets will have the interface configuration statement "ip mask-reply", which can be seen by issuing the command "show running-config" as shown in the following examples: router#show running-config | include mask-reply ip mask-reply or router#show running-config interface FastEthernet0/0 ip address 192.0.2.1 255.255.255.0 ip mask-reply By default, devices running all Cisco IOS XR versions will NOT process ICMP address mask request (Type 17) packets. A router that has been modified to process ICMP address mask request packets will have the interface configuration statement "ipv4 mask-reply", which can be seen by issuing the command show running-config as shown in the following examples: RP/0/RP0/CPU0:router#show running-config | include mask-reply Building configuration... ipv4 mask-reply or RP/0/RP0/CPU0:router#show running-config interface POS0/1/3/0 ipv4 address 192.0.2.1 255.255.255.252 ipv4 mask-reply Devices Configured for Protocol Independent Multicast Version 2 (PIMv2) +-------------------------------------------------------------- Cisco IOS +-------- A router running Cisco IOS that is configured to process PIMv2 packets will have an interface configuration statement that begins with "ip pim", which can be seen by issuing the command "show running-config" as shown in the following examples: router#show running-config | include ip pim ip pim sparse-mode or router#show running-config interface FastEthernet0/0 ip address 192.0.2.1 255.255.255.0 ip pim sparse-dense-mode The command "show ip pim interface" can also be used to determine if a router is configured to process PIMv2 packets, as shown in the following example: router#show ip pim interface Address Interface Ver/ Nbr Query DR DR Mode Count Intvl Prior 192.0.2.1 FastEthernet0/0 v1/S 0 30 1 0.0.0.0 192.168.1.1 FastEthernet1/0 v2/SD 0 30 1 0.0.0.0 Interfaces running PIMv2 will show "v2/" under the Ver/Mode column. Interfaces without PIM configured will not be shown in the command output. PIMv2 is the default PIM version. Routers configured to process only PIMv1 messages are not vulnerable to the PIMv2 exploit. Routers that do not have PIM configured are not vulnerable to the PIMv2 exploit. PIM is not enabled by default. Additional information about PIM is available at http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configurati… Cisco IOS XR +----------- The command show pim interface can be used to determine if a router running Cisco IOS XR is configured to process PIMv2 packets, as shown in the following example: RP/0/0/CPU0:router#show pim interface Address Interface PIM Nbr Hello DR DR Count Intvl Prior 192.168.1.1 Loopback0 on 1 30 1 this system 192.168.2.1 MgmtEth0/0/CPU0/0 off 0 30 1 not elected 192.168.3.1 Loopback1 on 1 30 1 this system 192.168.4.1 Loopback3 on 1 30 1 this system 192.168.5.1 POS0/4/0/0 on 1 30 1 this system 192.0.2.1 POS0/4/0/1 on 1 30 1 this system Interfaces running PIMv2 will show on under the PIM column. Interfaces without PIM configured will show "off" under the PIM column. Cisco IOS XR does not support PIMv1. PIM is not enabled by default on Cisco IOS XR. Additional information about PIM on Cisco IOS XR is available at http://www.cisco.com/en/US/products/ps5845/products_configuration_guide_cha… Devices Configured for Pragmatic General Multicast (PGM) +------------------------------------------------------- A router that is configured to process PGM packets will have the interface configuration statement "ip pgm router", which can be seen by issuing the command "show running-config" as shown in the following examples: router#show running-config | include ip pgm ip pgm router or router#show running-config interface FastEthernet1/0 ip address 192.0.2.1 255.255.255.0 ip pim sparse-dense-mode ip pgm router or router#show running-config interface FastEthernet1/0 ip address 192.0.2.1 255.255.255.0 ip pgm router Routers that do not have PGM configured are not vulnerable to the PGM exploit. PGM is not enabled by default. Additional information about PGM is available at http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configurati… Cisco IOS XR does not support PGM and is not affected by PGM packets that exploit this vulnerability. Devices Configured for URL Rendezvous Directory (URD) +---------------------------------------------------- A router that is configured to process URD packets will have the interface configuration statement "ip urd" or "ip urd proxy", which can be seen by issuing the command "show running-config" as shown in the following examples: router#show running-config | include ip urd ip urd or router#show running-config | include ip urd ip urd proxy or router#show running-config interface FastEthernet1/0 ip address 192.0.2.1 255.255.255.0 ip pim sparse-mode ip urd or router#show running-config interface FastEthernet1/0 ip address 192.0.2.1 255.255.255.0 ip pim sparse-dense-mode ip urd proxy or router#show running-config interface FastEthernet1/0 ip address 192.0.2.1 255.255.255.0 ip urd Routers that do not have URD configured are not vulnerable to the URD exploit. URD is not enabled by default. Additional information about URD is available at http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configurati… Cisco IOS XR does not support URD and is not affected by URD packets that exploit this vulnerability. Vulnerability Scoring Details ============================= Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCec71950 - Crafted IP Option may cause DoS or code execution CVSS Base Score: 10 - - Access Vector: Remote - - Access Complexity: Low - - Authentication: Not Required - - Confidentiality Impact: Complete - - Integrity Impact: Complete - - Availability Impact: Complete - - Impact Bias: Normal CVSS Temporal Score: 8.3 - - Exploitability: Functional - - Remediation Level: Official Fix - - Report Confidence: Confirmed CSCeh52410 - Crafted IP Option may cause ipv4-io DoS or code execution CVSS Base Score: 10 - - Access Vector: Remote - - Access Complexity: Low - - Authentication: Not Required - - Confidentiality Impact: Complete - - Integrity Impact: Complete - - Availability Impact: Complete - - Impact Bias: Normal CVSS Temporal Score: 8.3 - - Exploitability: Functional - - Remediation Level: Official Fix - - Report Confidence: Confirmed Impact ====== Cisco IOS +-------- Successful exploitation of the vulnerability on Cisco IOS may result in a reload of the device or execution of arbitrary code. Repeated exploitation could result in a sustained DoS attack. Cisco IOS XR +----------- Successful exploitation of the vulnerability on Cisco IOS XR may result in the ipv4_io process restarting or execution of arbitrary code. Repeated exploitation could result in a CRS-1 Node or XR 12000 Line Card reload and sustained DoS attack. Software Version and Fixes ========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label). For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper… Note: There are three IOS security advisories and one field notice being published on January 24, 2007. Each advisory lists only the releases which fix the issue described in the advisory. A combined software table is available at http://www.cisco.com/warp/public/707/cisco-sa-20070124-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of January 24, 2007. Links for the advisories and field notice are listed here. * http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.sh… * http://www.cisco.com/warp/customer/770/fn62613.shtml Requests for software rebuilds to include the change for Daylight Savings Time (DST) that will be implemented in March 2007 should be directed through the Technical Assistance Center (TAC), and this advisory should be used as reference. +---------------------------------------+ | Major | Availability of Repaired | | Release | Releases | |------------+--------------------------| | Affected | | | | 12.0-Based | Rebuild | Maintenance | | Release | | | |------------+--------------------------| | 12.0 | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0DA | Vulnerable; migrate to | | | 12.2(10)DA5 or later | |------------+--------------------------| | 12.0DB | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | 12.0DC | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | 12.0S | 12.0(27)S3 | 12.0(28)S | |------------+--------------------------| | 12.0SC | Vulnerable; migrate to | | | 12.3(9a)BC or later | |------------+--------------------------| | 12.0SL | Vulnerable; migrate to | | | 12.0(28)S or later | |------------+--------------------------| | 12.0SP | Vulnerable; migrate to | | | 12.0(28)S or later | |------------+--------------------------| | 12.0ST | Vulnerable; migrate to | | | 12.0(28)S or later | |------------+--------------------------| | 12.0SX | 12.0(25) | 12.0(30)SX | | | SX11 | | |------------+------------+-------------| | 12.0SY | | 12.0(27)SY | |------------+------------+-------------| | 12.0SZ | | 12.0(30)SZ | |------------+--------------------------| | 12.0T | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | | 12.0(28)W5 | | | 12.0W | (32c); | | | | available | | | | 31-Jan-07 | | |------------+------------+-------------| | 12.0WC | 12.0(5) | | | | WC15 | | |------------+--------------------------| | 12.0WT | Vulnerable; contact TAC | |------------+--------------------------| | 12.0XA | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XB | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XC | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XD | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XE | Vulnerable; migrate to | | | 12.1(23)E or later | |------------+--------------------------| | 12.0XF | Not vulnerable | |------------+--------------------------| | 12.0XG | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XH | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XI | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XJ | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XK | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XL | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XM | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XN | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XQ | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XR | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XS | Vulnerable; migrate to | | | 12.1(23)E or later | |------------+--------------------------| | 12.0XV | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.0XW | Vulnerable; migrate to | | | 12.0(5)WC15 or later | |------------+--------------------------| | Affected | | | | 12.1-Based | Rebuild | Maintenance | | Release | | | |------------+--------------------------| | 12.1 | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1AA | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | | Vulnerable; for | | | c3750-ME, migrate to | | 12.1AX | 12.2(25)EY or later. For | | | c2970 and 3750, migrate | | | to 12.2(25)SE or later. | |------------+--------------------------| | 12.1AY | Vulnerable; migrate to | | | 12.1(22)EA8 | |------------+--------------------------| | 12.1AZ | Vulnerable; migrate to | | | 12.1(22)EA8 | |------------+--------------------------| | 12.1CX | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1DA | Vulnerable; migrate to | | | 12.2(10)DA5 or later | |------------+--------------------------| | 12.1DB | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | 12.1DC | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | 12.1E | | 12.1(23)E | |------------+------------+-------------| | 12.1EA | 12.1(22) | | | | EA8 | | |------------+------------+-------------| | 12.1EB | | 12.1(23)EB | |------------+--------------------------| | 12.1EC | Vulnerable; migrate to | | | 12.3(9a)BC or later | |------------+--------------------------| | | 12.1(19) | | | | EO6, | | | | available | | | 12.1EO | 31-Jan-07 | | | |------------+-------------| | | 12.1(20) | | | | EO3 | | |------------+--------------------------| | 12.1EU | Vulnerable; migrate to | | | 12.2(25)EWA or later | |------------+--------------------------| | 12.1EV | Vulnerable; migrate to | | | 12.2(26)SV1 or later | |------------+--------------------------| | 12.1EW | Vulnerable; migrate to | | | 12.2(18)EW3 or later | |------------+--------------------------| | 12.1EX | Vulnerable; migrate to | | | 12.1(23)E or later | |------------+--------------------------| | 12.1EY | Vulnerable; migrate to | | | 12.1(23)E or later | |------------+--------------------------| | 12.1EZ | Vulnerable; migrate to | | | 12.1(23)E or later | |------------+--------------------------| | 12.1T | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1XA | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1XB | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1XC | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1XD | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1XE | Vulnerable; migrate to | | | 12.1(23)E or later | |------------+--------------------------| | 12.1XF | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1XG | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1XH | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1XI | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1XJ | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1XL | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1XM | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1XP | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1XQ | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1XR | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1XS | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1XT | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1XU | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1XV | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1XW | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1XX | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1XY | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1XZ | Vulnerable; migrate to | | | 12.2(37)or later | |------------+--------------------------| | 12.1YA | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1YB | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1YC | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1YD | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1YE | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1YF | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1YH | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1YI | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.1YJ | Vulnerable; migrate to | | | 12.1(22)EA8 | |------------+--------------------------| | Affected | | | | 12.2-Based | Rebuild | Maintenance | | Release | | | |------------+------------+-------------| | 12.2 | 12.2(34a) | 12.2(37) | |------------+--------------------------| | 12.2B | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | 12.BC | Vulnerable; migrate to | | | 12.3(9a)BC or later | |------------+--------------------------| | 12.2BW | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2BY | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | 12.2BZ | Vulnerable; migrate to | | | 12.3(7)XI8 or later | |------------+--------------------------| | 12.2CX | Vulnerable; migrate to | | | 12.3(9a)BC or later | |------------+--------------------------| | 12.2CY | Vulnerable; migrate to | | | 12.3(9a)BC or later | |------------+--------------------------| | 12.2CZ | Vulnerable; contact TAC | |------------+--------------------------| | | 12.2(10) | | | | DA5 | | |12.2DA |------------+-------------| | | 12.2(12) | | | | DA10 | | |------------+--------------------------| | 12.2DD | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | 12.2DX | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | 12.2EU | Vulnerable; migrate to | | | 12.2(25)EWA5 or later | |------------+--------------------------| | | 12.2(18) | | | | EW3 | | |12.2EW |------------+-------------| | | 12.2(20) | 12.2(25)EW | | | EW4 | | |------------+------------+-------------| | 12.2EWA | 12.2(20) | 12.2(25)EWA | | | EWA4 | | |------------+------------+-------------| | 12.2EX | | 12.2(25)EX | |------------+--------------------------| | 12.2EY | All 12.2EY releases are | | | fixed | |------------+--------------------------| | 12.2EZ | All 12.2EZ releases are | | | fixed | |------------+--------------------------| | 12.2FX | All 12.2FX releases are | | | fixed | |------------+--------------------------| | 12.2FY | All 12.2FY releases are | | | fixed | |------------+--------------------------| | 12.2FZ | All 12.2FZ releases are | | | fixed | |------------+--------------------------| | 12.2IXA | All 12.2IXA releases are | | | fixed | |------------+--------------------------| | 12.2IXB | All 12.2IXB releases are | | | fixed | |------------+--------------------------| | 12.2IXC | All 12.2IXC releases are | | | fixed | |------------+--------------------------| | 12.2JA | Vulnerable; migrate to | | | 12.3(8)JA or later | |------------+--------------------------| | 12.2JK | Vulnerable; migrate to | | | 12.4(4)T or later | |------------+--------------------------| | 12.2MB | Vulnerable; migrate to | | | 12.2(25)SW1 or later | |------------+--------------------------| | 12.2MC | 12.2(15)MC2h | |------------+--------------------------| | 12.2S | | 12.2(25)S | |------------+------------+-------------| | 12.2SB | | 12.2(28)SB | |------------+--------------------------| | 12.2SBC | All 12.2SBC releases are | | | fixed | |------------+--------------------------| | 12.2SE | | 12.2(25)SE | |------------+--------------------------| | 12.2SEA | All 12.2SEA releases are | | | fixed | |------------+--------------------------| | 12.2SEB | All 12.2SEB releases are | | | fixed | |------------+--------------------------| | 12.2SEC | All 12.2SEC releases are | | | fixed | |------------+--------------------------| | 12.2SED | All 12.2SED releases are | | | fixed | |------------+--------------------------| | 12.2SEE | All 12.2SEE releases are | | | fixed | |------------+--------------------------| | 12.2SEF | All 12.2SEF releases are | | | fixed | |------------+--------------------------| | 12.2SEG | All 12.2SEG releases are | | | fixed | |------------+--------------------------| | 12.2SG | All 12.2SG releases are | | | fixed | |------------+--------------------------| | 12.2SGA | All 12.2SGA releases are | | | fixed | |------------+--------------------------| | 12.2SO | 12.2(18) | | | | SO7 | | |------------+--------------------------| | 12.2SRA | All 12.2SRA releases are | | | fixed | |------------+--------------------------| | 12.2SRB | All 12.2SRB releases are | | | fixed | |------------+--------------------------| | 12.2SU | Vulnerable; migrate to | | | 12.3(14)T or later | |------------+--------------------------| | 12.2SV | | 12.2(23)SV | |------------+------------+-------------| | 12.2SW | 12.2(25) | | | | SW1 | | |------------+--------------------------| | 12.2SX | Vulnerable; migrate to | | | 12.2(17d)SXB11a or later | |------------+--------------------------| | 12.2SXA | Vulnerable; migrate to | | | 12.2(17d)SXB11a or later | |------------+--------------------------| | 12.2SXB | 12.2(17d) | | | | SXB11a | | |------------+------------+-------------| | 12.2SXD | 12.2(18) | | | | SXD7a | | |------------+--------------------------| | 12.2SXE | All 12.2SXE releases are | | | fixed | |------------+--------------------------| | 12.2SXF | All 12.2SXF releases are | | | fixed | |------------+--------------------------| | 12.2SY | Vulnerable; migrate to | | | 12.2(17d)SXB11a or later | |------------+--------------------------| | 12.2SZ | Vulnerable; migrate to | | | 12.2(25)S or later | |------------+--------------------------| | 12.2T | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2TPC | Vulnerable; contact TAC | |------------+--------------------------| | 12.2XA | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XB | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XC | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.2XD | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XE | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XF | Vulnerable; migrate to | | | 12.3(9a)BC or later | |------------+--------------------------| | 12.2XG | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XH | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XI | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XJ | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XK | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XL | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XM | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XN | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XQ | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XR | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XS | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XT | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XU | Vulnerable; migrate to | | | 12.3(12) or later | |------------+--------------------------| | 12.2XV | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2XW | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2YA | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2YB | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2YC | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2YD | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.2YE | Vulnerable; migrate to | | | 12.2(25)S or later | |------------+--------------------------| | 12.2YF | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2YG | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2YH | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2YJ | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2YK | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.2YL | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.2YM | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.2YN | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.2YO | Not vulnerable | |------------+--------------------------| | 12.2YP | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2YQ | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | 12.2YR | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | 12.2YS | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.2YT | Vulnerable; migrate to | | | 12.3(8) or later | |------------+--------------------------| | 12.2YU | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.2YV | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | 12.2YW | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.2YX | Vulnerable; migrate to | | | 12.3(14)T or later | |------------+--------------------------| | 12.2YY | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | 12.2YZ | Vulnerable; migrate to | | | 12.2(25)S or later | |------------+--------------------------| | 12.2ZA | Vulnerable; migrate to | | | 12.2(17d)SXBa or later | |------------+--------------------------| | 12.2ZB | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.2ZC | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.2ZD | Vulnerable; contact TAC | |------------+--------------------------| | 12.2ZE | Vulnerable; migrate to | | | 12.3(8) or laer | |------------+--------------------------| | 12.2ZF | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | | Vulnerable; for SOHO9x, | | 12.2ZG | migrate to 12.3(8)YG2 or | | | later. For c83x, migrate | | | to 12.3(2)XA3 or later | |------------+--------------------------| | 12.2ZH | Vulnerable; contact TAC | |------------+--------------------------| | 12.2ZJ | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.2ZL | Vulnerable; contact TAC | |------------+--------------------------| | 12.2ZN | Vulnerable; migrate to | | | 12.3(4)T13 or later | |------------+--------------------------| | 12.2ZP | Vulnerable; migrate to | | | 12.3(8)XY or later | |------------+--------------------------| | Affected | | | | 12.3-Based | Rebuild | Maintenance | | Release | | | |------------+------------+-------------| | 12.3 | | 12.3(8) | |------------+--------------------------| | 12.3B | Vulnerable; migrate to | | | 12.3(8)T7 or later | |------------+--------------------------| | 12.3BC | | 12.3(9a)BC | |------------+--------------------------| | 12.3BW | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.3JA | | 12.3(8)JA | |------------+--------------------------| | 12.3JEA | All 12.3JEA releases are | | | fixed | |------------+--------------------------| | 12.3JEB | All 12.3JEA releases are | | | fixed | |------------+--------------------------| | 12.3JK | 12.3(2)JK2 | 12.3(8)JK | |------------+------------+-------------| | 12.3JX | 12.3(7)JX6 | 12.3(11)JX | |------------+------------+-------------| | 12.3T | 12.3(4)T13 | 12.3(8)T | |------------+------------+-------------| | 12.3TPC | 12.3(4) | | | | TPC11b | | |------------+------------+-------------| | 12.3XA | 12.3(2)XA6 | | |------------+--------------------------| | 12.3XB | Vulnerable; migrate to | | | 12.3(8)T or later | |------------+--------------------------| | 12.3XC | Vulnerable; contact TAC | |------------+--------------------------| | 12.3XD | Vulnerable; migrate to | | | 12.3(8)T7 or later | |------------+--------------------------| | 12.3XE | Vulnerable; contact TAC | |------------+--------------------------| | 12.3XF | Vulnerable; migrate to | | | 12.3(11)T or later | |------------+--------------------------| | 12.3XG | Vulnerable; contact TAC | |------------+--------------------------| | 12.3XH | Vulnerable; migrate to | | | 12.3(11)T or later | |------------+--------------------------| | 12.3XI | 12.3(7)XI8 | | |------------+--------------------------| | 12.3XJ | Vulnerable; migrate to | | | 12.3(8)XW or later | |------------+--------------------------| | 12.3XK | Vulnerable; migrate to | | | 12.3(14)T or later | |------------+--------------------------| | 12.3XQ | Vulnerable; migrate to | | | 12.4(1) or later | |------------+--------------------------| | 12.3XR | All 12.3XR releases are | | | fixed | |------------+--------------------------| | 12.3XS | All 12.3XS releases are | | | fixed | |------------+--------------------------| | 12.3XU | All 12.3XU releases are | | | fixed | |------------+--------------------------| | 12.3XW | All 12.3XW releases are | | | fixed | |------------+--------------------------| | 12.3XX | All 12.3XX releases are | | | fixed | |------------+--------------------------| | 12.3XY | All 12.3XR releases are | | | fixed | |------------+--------------------------| | 12.3YA | All 12.3YA releases are | | | fixed | |------------+--------------------------| | 12.3YD | All 12.3YD releases are | | | fixed | |------------+--------------------------| | 12.3YF | All 12.3YF releases are | | | fixed | |------------+--------------------------| | 12.3YG | All 12.3YG releases are | | | fixed | |------------+--------------------------| | 12.3YH | All 12.3YH releases are | | | fixed | |------------+--------------------------| | 12.3YI | All 12.3YI releases are | | | fixed | |------------+--------------------------| | 12.3YJ | All 12.3YJ releases are | | | fixed | |------------+--------------------------| | 12.3YK | All 12.3YK releases are | | | fixed | |------------+--------------------------| | 12.3YM | All 12.3YM releases are | | | fixed | |------------+--------------------------| | 12.3YQ | All 12.3YQ releases are | | | fixed | |------------+--------------------------| | 12.3YS | All 12.3YS releases are | | | fixed | |------------+--------------------------| | 12.3YT | All 12.3YT releases are | | | fixed | |------------+--------------------------| | 12.3YU | All 12.3YU releases are | | | fixed | |------------+--------------------------| | 12.3YX | All 12.3YX releases are | | | fixed | |------------+--------------------------| | 12.3YZ | All 12.3YZ releases are | | | fixed | |------------+--------------------------| | Affected | | | | 12.4-Based | Rebuild | Maintenance | | Release | | | |---------------------------------------| | All 12.4 releases are fixed | +---------------------------------------+ +---------------------------------------+ | Cisco IOS XR Version | SMU ID | |-----------------------------+---------| | 3.2.2 for CRS-1 | AA01482 | |-----------------------------+---------| | 3.2.3 for CRS-1 | AA01483 | |-----------------------------+---------| | 3.2.4 for CRS-1 | AA01484 | |-----------------------------+---------| | 3.2.6 for CRS-1 | AA01727 | |-----------------------------+---------| | 3.3.x for CRS-1 and XR12000 | Fixed | |-----------------------------+---------| | 3.4.x for CRS-1 and XR12000 | Fixed | +---------------------------------------+ Workarounds =========== Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-air-20070124-crafted-ip-option.s… IP Options Selective Drop +------------------------ The IP Options Selective Drop feature allows Cisco routers to mitigate the effects of IP options by dropping packets containing them or by not processing (ignoring) IP options in a packet. The most effective workaround is using the "drop" option of this global configuration command: "ip options drop". This command will drop all IP packets containing IP options that are both destined to the router itself or transiting through the router before they are processed, preventing exploitation locally and downstream. The IP Options Selective Drop feature is available beginning in Cisco IOS software version 12.0(23)S for 12000, 12.0(32)S for 10720, and 12.3(4)T, 12.2(25)S, and 12.2(27)SBC for other hardware platforms. Please note that deploying this command will drop legitimate packets containing IP options as well. Protocols this may impact include RSVP (used by Microsoft NetMeeting), MPLS TE, MPLS OAM, DVMRP, IGMPv3, IGMPv2, and legitimate PGM. Note: The "ignore" option of the global command "ip options ignore", available only on the Cisco 12000 router beginning in 12.0(23)S, is NOT a workaround for this issue. Additional information about IP Options Selective Drop feature is available at http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_gui… Transit Access Control Lists (ACLs) +---------------------------------- Configure an interface ACL that blocks traffic of these types: * Echo (Ping) ICMP type 8 * Timestamp ICMP type 13 * Information Request ICMP type 15 * Address Mask Request ICMP Type 17 * Protocol Independent Multicast (PIM) IP protocol 103 * Pragmatic General Multicast (PGM) IP protocol 113 * URL Rendezvous Directory (URD) TCP port 465 The Internet Control Message Protocol is an integral part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite that is used to report error conditions and provide diagnostic information. Filtering ICMP messages may impact this error condition and diagnostic reporting including "ping" and Windows traceroute which uses ICMP ping. If the device is configured to process PIM, PGM, or URD, blocking those packets will prevent legitimate operation of the protocols. Since the source IP address of these packets can be easily spoofed, the affected traffic should be blocked on all of the device's IPv4 interfaces. The following ACL is specifically designed to block attack traffic and should be applied to all IPv4 interfaces of the device and should include topology-specific filters: access-list 150 deny icmp any any echo access-list 150 deny icmp any any information-request access-list 150 deny icmp any any timestamp-request access-list 150 deny icmp any any mask-request access-list 150 deny tcp any any eq 465 access-list 150 deny 103 any any access-list 150 deny 113 any any access-list 150 permit ip any any interface serial 2/0 ip access-group 150 in These ACL statements should be deployed at the network edge as part of a transit access list which will protect the router where the ACL is configured as well as other devices behind it. Further information about transit ACLs is available in the white paper "Transit Access Control Lists: Filtering at Your Edge", available at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0… The following Cisco IOS XR ACL is specifically designed to block attack traffic and should be applied to all IPv4 interfaces of the device and should include topology-specific filters: ipv4 access-list ios-xr-transit-acl 10 deny icmp any any echo 20 deny icmp any any information-request 30 deny icmp any any timestamp-request 40 deny icmp any any mask-request 50 deny tcp any any eq 465 60 deny 103 any any 70 deny 113 any any 80 permit ip any any interface POS 0/2/0/ ipv4 access-group ios-xr-transit-acl ingress Information about configuring access lists on Cisco IOS XR is available at http://www.cisco.com/en/US/products/ps5763/products_command_reference_chapt… Infrastructure ACLs +------------------ Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The ACL example shown below should be included as part of the deployed infrastructure access list which will protect all devices with IP addresses in the infrastructure IP address range. Cisco IOS +-------- access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES echo access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES information-request access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES timestamp-request access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES mask-request access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES eq 465 access-list 150 deny 103 any INFRASTRUCTURE_ADDRESSES access-list 150 deny 113 any INFRASTRUCTURE_ADDRESSES access-list 150 permit ip any any interface serial 2/0 ip access-group 150 in Cisco IOS XR +----------- ipv4 access-list ios-xr-infrastructure-acl 10 deny icmp any INFRASTRUCTURE_ADDRESSES echo 20 deny icmp any INFRASTRUCTURE_ADDRESSES information-request 30 deny icmp any INFRASTRUCTURE_ADDRESSES timestamp-request 40 deny icmp any INFRASTRUCTURE_ADDRESSES mask-request 50 deny tcp any INFRASTRUCTURE_ADDRESSES eq 465 60 deny 103 any INFRASTRUCTURE_ADDRESSES 70 deny 113 any INFRASTRUCTURE_ADDRESSES 80 permit ip any any interface POS 0/2/0/2 ipv4 access-group ios-xr-infrastructure-acl ingress The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists and is available at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0… Information about configuring access lists on Cisco IOS XR is available at http://www.cisco.com/en/US/products/ps5763/products_command_reference_chapt… Receive ACLs +----------- For distributed platforms, receive ACLs may be an option starting in Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S for the 7500, and 12.0(31)S for the 10720. The receive ACL protects the device from harmful traffic before the traffic can impact the route processor. A receive ACL is designed to protect only the device on which it is configured. On the 12000, transit traffic is never affected by a receive ACL. Because of this, the destination IP address "any" used in the example ACL entries below only refer to the router's own physical or virtual IP addresses. On the 7500 and 10720, transit traffic with IP options set will be subject to the receive ACL and permitted or denied accordingly. Receive ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper entitled "GSR: Receive Access Control Lists" will help you identify and allow legitimate traffic to your device and deny all unwanted packets and is available at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0… The following receive path ACL is designed specifically to block this attack traffic: access-list 101 deny icmp any any echo access-list 101 deny icmp any any information-request access-list 101 deny icmp any any timestamp-request access-list 101 deny icmp any any mask-request access-list 101 deny tcp any any eq 465 access-list 101 deny 103 any any access-list 101 deny 113 any any access-list 101 permit ip any any ! ip receive access-list 101 Control Plane Policing +--------------------- The Control Plane Policing (CoPP) feature may be used to mitigate this vulnerability. In the following example, any packets that can exploit the vulnerability are denied while all other IP traffic is permitted. Because of the way routers process packets with IP options, CoPP will be applied to attack packets destined for the router itself and packets transiting through the router to other destination IP addresses. This applies to all platforms except the 12000 where only attack packets destined for the router itself will be dropped. access-list 100 permit icmp any any echo access-list 100 permit icmp any any information-request access-list 100 permit icmp any any timestamp-request access-list 100 permit icmp any any mask-request access-list 100 permit tcp any any eq 465 access-list 100 permit 103 any any access-list 100 permit 113 any any access-list 100 deny ip any any ! class-map match-all drop-options-class match access-group 100 ! ! policy-map drop-options-policy class drop-options-class drop ! control-plane service-policy input drop-options-policy Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains, the policy-map syntax is different: policy-map drop-options-policy class drop-options-class police 32000 1500 1500 conform-action drop exceed-action drop Because of the way routers process packets with IP options, CoPP will be applied to attack packets destined for the router itself and packets transiting through the router to other destination IP addresses. In the following example, only packets with IP options that can exploit the vulnerability and that are destined for the router or that transit through the router are denied while all other IP traffic is permitted. ip access-list extended drop-affected-options permit icmp any any echo option any-options permit icmp any any information-request option any-options permit icmp any any timestamp-request option any-options permit icmp any any mask-request option any-options permit pim any any option any-options permit 113 any any option any-options permit tcp any any eq 465 option any-options deny ip any any ! class-map match-all drop-options-class match access-group name drop-affected-options ! ! policy-map drop-opt-policy class drop-options-class drop ! control-plane service-policy input drop-opt-policy Please note that in the 12.2S Cisco IOS train, the policy-map syntax is different: policy-map drop-opt-policy class drop-options-class police 32000 1500 1500 conform-action drop exceed-action drop CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T. ACL support for filtering IP options requires named ACLs. ACL support for filtering IP options is not available in 12.0S or 12.2SX. Please note that PGM packets typically use the "Router Alert" Option, and dropping PGM packets with IP options will affect legitimate PGM packets. In the above CoPP examples, the ACL entries that match the exploit packets with the "permit" action result in these packets being discarded by the policy-map drop function, while packets that match the "deny" action are not affected by the policy-map drop function. Additional information on the configuration and use of the CoPP feature can be found at http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804f… and http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_gui… Additional information for filtering IP Options with access lists can be found at http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_gui… Obtaining Fixed Software ======================== Cisco will make free software available to address this vulnerability for affected customers. This advisory will be updated as fixed software becomes available. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact either "psirt(a)cisco.com" or "security-alert(a)cisco.com" for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac(a)cisco.com Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.sh… In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce(a)cisco.com * first-teams(a)first.org * bugtraq(a)securityfocus.com * vulnwatch(a)vulnwatch.org * cisco(a)spot.colorado.edu * cisco-nsp(a)puck.nether.net * full-disclosure(a)lists.grok.org.uk * comp.dcom.sys.cisco(a)newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2007-Jan-24 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.… This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iD8DBQFFt5cO8NUAbBmDaxQRAs6NAJsEXc4RCzhHI1n+Dxjmizm6mzIzmACbBr3H /ox3OGmd1I41UMn3iOM8qHc= =RlTo -----END PGP SIGNATURE-----

15 years, 5 months

Cisco Security Advisory: IPv6 Routing Header Vulnerability

by Cisco Systems Product Security Incident Response Team

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: IPv6 Routing Header Vulnerability Advisory ID: cisco-sa-20070124-IOS-IPv6 http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml Revision 1.0 For Public Release 2007 January 24 1600 UTC (GMT) - ----------------------------------------------------------------------- Summary ======= Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect IPv6 Type 2 Routing header which is used in mobile IPv6. IPv6 is not enabled by default in Cisco IOS. Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on if Mobile IPv6 is used and what version on Cisco IOS is being currently used. This vulnerability was initially reported by a customer and further trigger vector was discovered during developing the fix for this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml. Affected Products ================= Devices running Cisco IOS and having IPv6 enabled on, at least, one of their interface may be affected by this vulnerability. Vulnerable Products +------------------ To determine the software running on a Cisco product, log in to the device and issue the "show version" command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the "show version" command or will give different output. The following example identifies a Cisco product running IOS release 12.4(9.10): Cisco IOS Software, 7200 Software (C7200-JK9O3S-M), Version 12.4(9.10), INTERIM SOFTWARE Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2006 by Cisco Systems, Inc. Compiled Mon 29-May-06 04:42 by prod_rel_team Additional information about Cisco IOS release naming can be found at http://www.cisco.com/warp/public/620/1.html. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are known to be vulnerable to the issue described in this Advisory. In particular Cisco IOS XR, Cisco PIX Appliance and Cisco MDS 9000 Series devices are not affected by this vulnerability. Details ======= This vulnerability can be triggered only when Cisco IOS processes specifically crafted IPv6 Type 0 Routing headers, which are used for source routing. Source routing is when an originator node explicitly specifies the exact path that a packet must take to reach the destination. Source routing is enabled by default on Cisco IOS if IPv6 is configured on the device. In order to trigger this vulnerability the packet must be destined to any of the IPv6 addresses defined on the device. The exact packet type is not relevant (e.g., TCP, ICMP, UDP) as the vulnerability is on the IP layer. For this reason care must be taken when implementing a workaround as this vulnerability can be triggered by a spoofed packet. IPv6 multicast packets can not be used to trigger this vulnerability. In addition to Type 0 Routing headers, IPv6 also supports Type 2 Routing that is used in Mobile IPv6 implementation. Type 2 Routing headers can not be used to trigger the vulnerability described in this Advisory. A router running vulnerable Cisco IOS software will process Type 0 Routing headers only if the destination address in the IPv6 packet is one of the IPv6 addresses defined on any of the interfaces. The address may be either a global (i.e., routable), loopback or link local address. Link local addresses are not supposed to be routable and they are valid only among directly connected devices. A device may also be susceptible in scenarios where IPv6 packets are tunneled over IPv4 networks provided that the IPv6 destination address (after de-encapsulation) is one of the IPv6 addresses defined on the device. This is independent of the exact encapsulation method used (e.g., MPLS, GRE or IPv6-in-IPv4). This vulnerability is documented in Cisco Bug IDs CSCsd40334 and CSCsd58381. Vulnerability Scoring Details +---------------------------- Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability. CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. Cisco Bug IDs: CSCsd40334 - IPv6 packet can cause crash CVSS Base Score: 10 Access Vector: Remote Access Complexity: Low Authentication: Not Required Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete Impact Bias: Normal CVSS Temporal Score: 8.3 Exploitability: Functional Remediation Level: Official Fix Report Confidence: Confirmed CSCsd58381 - IPv6 routing header limitation CVSS Base Score: 10 Access Vector: Remote Access Complexity: Low Authentication: Not Required Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete Impact Bias: Normal CVSS Temporal Score: 8.3 Exploitability: Functional Remediation Level: Official Fix Report Confidence: Confirmed Impact ====== Successful exploitation of the vulnerability listed in this Advisory can corrupt some memory structures. In most cases this will cause the affected device to crash and repeated exploitation could result in a sustained DoS attack. However, due to memory corruption, there is a potential to execute an arbitrary code. In the event of a successful remote code execution, device integrity will have been completely compromised. Software Version and Fixes ========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label). For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/warp/public/620/1.html. Please note: There are 3 IOS security advisories and one field notice being published on Jan 24th, 2007. Each advisory only lists the releases which fix the issue described in the advisory. A combined software table is available at http://www.cisco.com/warp/public/707/cisco-sa-20070124-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of January 24th, 2007. The advisories and field notice published on January 24 are listed here. * http://www.cisco.com/warp/public/707/cisco-air-20070124-IOS-ipv6.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.sh… * http://www.cisco.com/warp/public/770/fn62613.shtml Requests for software rebuilds to include the change for Daylight Savings Time (DST) that will be implemented in March 2007 should be directed through the Technical Assistance Center (TAC) and this advisory should be used as reference. +-----------------------------------------------------------------------------+ | Major Release | Availability of Repaired Releases | |------------------------------+----------------------------------------------| | Affected 12.0-Based Release | Rebuild | Maintenance | |------------------------------+----------------------------------------------| | 12.0 | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0DA | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0DB | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0DC | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0S | 12.0(32)S3 | | |------------------------------+----------------------------------------------| | 12.0SC | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0SL | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0SP | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0ST | Vulnerable; migrate to 12.0(32)S3 or later | |------------------------------+----------------------------------------------| | 12.0SX | Vulnerable for only 12.0(30)SX; contact TAC | |------------------------------+----------------------------------------------| | 12.0SY | | 12.0(32)SY | |------------------------------+----------------------------------------------| | 12.0SZ | Vulnerable; migrate to 12.0(32)S3 or later | |------------------------------+----------------------------------------------| | 12.0T | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0W | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0WC | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0WT | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XA | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XB | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XC | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XD | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XE | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XF | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XG | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XH | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XI | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XJ | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XK | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XL | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XM | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XN | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XQ | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XR | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XS | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XV | Not vulnerable | |------------------------------+----------------------------------------------| | 12.0XW | Not vulnerable | |------------------------------+----------------------------------------------| | Affected 12.1-Based Release | Rebuild | Maintenance | |------------------------------+----------------------------------------------| | 12.1 | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1AA | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1AX | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1AY | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1AZ | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1CX | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1DA | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1DB | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1DC | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1E | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1EA | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1EB | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1EC | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1EO | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1EU | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1EV | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1EW | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1EX | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1EY | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1EZ | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1T | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XA | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XB | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XC | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XD | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XE | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XF | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XG | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XH | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XI | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XJ | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XL | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XM | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XP | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XQ | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XR | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XS | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XT | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XU | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.1XV | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.1XW | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XX | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XY | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1XZ | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1YA | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1YB | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.1YC | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.1YD | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.1YE | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1YF | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1YH | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1YI | Not vulnerable | |------------------------------+----------------------------------------------| | 12.1YJ | Not vulnerable | |------------------------------+----------------------------------------------| | Affected 12.2-Based Release | Rebuild | Maintenance | |------------------------------+----------------------------------------------| | 12.2 | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2B | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2BC | Vulnerable; migrate to 12.3(17b)BC3 or later | |------------------------------+----------------------------------------------| | 12.2BW | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2BY | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2BZ | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2CX | Vulnerable; migrate to 12.3(17b)BC3 or later | |------------------------------+----------------------------------------------| | 12.2CY | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2CZ | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2DA | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2DD | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2DX | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2EU | Vulnerable; migrate to 12.2(25)EWA6 or later | |------------------------------+----------------------------------------------| | 12.2EW | Vulnerable; migrate to 12.2(25)EWA6 or later | |------------------------------+----------------------------------------------| | 12.2EWA | 12.2(25)EWA6 | | |------------------------------+----------------------------------------------| | 12.2EX | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2EY | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2EZ | Vulnerable; migrate to 12.2(25)SEE1 or later | |------------------------------+----------------------------------------------| | 12.2FX | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2FY | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2FZ | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2IXA | Vulnerable; migrate to 12.2(18)IXB or later | |------------------------------+----------------------------------------------| | 12.2IXB | All 12.2IXB releases are fixed | |------------------------------+----------------------------------------------| | 12.2IXC | All 12.2IXC releases are fixed | |------------------------------+----------------------------------------------| | 12.2JA | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2JK | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2MB | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2MC | 12.2(15)MC2h | | |------------------------------+---------------------+------------------------| | 12.2S | 12.2(25)S11 | 12.2(30)S | |------------------------------+---------------------+------------------------| | 12.2SB | 12.2(28)SB2 | 12.2(31)SB | |------------------------------+---------------------+------------------------| | 12.2SBC | 12.2(27)SBC4 | | |------------------------------+----------------------------------------------| | 12.2SEA | Vulnerable; migrate to 12.2(25)SEE1 or later | |------------------------------+----------------------------------------------| | 12.2SEB | Vulnerable; migrate to 12.2(25)SEE1 or later | |------------------------------+----------------------------------------------| | 12.2SEC | Vulnerable; migrate to 12.2(25)SEE1 or later | |------------------------------+----------------------------------------------| | 12.2SED | Vulnerable; migrate to 12.2(25)SEE1 or later | |------------------------------+----------------------------------------------| | 12.2SEE | 12.2(25)SEE1 | | |------------------------------+---------------------+------------------------| | 12.2SEF | 12.2(25)SEF1 | | |------------------------------+----------------------------------------------| | 12.2SEG | All 12.2SEG releases are fixed | |------------------------------+----------------------------------------------| | 12.2SG | 12.2(25)SG1 | 12.2(31)SG | |------------------------------+----------------------------------------------| | 12.2SGA | All 12.2SGA releases are fixed | |------------------------------+----------------------------------------------| | 12.2SO | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2SRA | All 12.2SRA releases are fixed | |------------------------------+----------------------------------------------| | 12.2SRB | All 12.2SRB releases are fixed | |------------------------------+----------------------------------------------| | 12.2SU | Vulnerable; migrate to 12.3(14)T7 or later | |------------------------------+----------------------------------------------| | 12.2SV | 12.2(25)SV3 | 12.2(26)SV | |------------------------------+---------------------+------------------------| | 12.2SW | 12.2(25)SW7 | | |------------------------------+----------------------------------------------| | 12.2SX | Vulnerable; migrate to 12.2(18)SXD7a or | | | later | |------------------------------+----------------------------------------------| | 12.2SXA | Vulnerable; migrate to 12.2(18)SXD7a or | | | later | |------------------------------+----------------------------------------------| | 12.2SXB | Vulnerable; migrate to 12.2(18)SXD7a or | | | later | |------------------------------+----------------------------------------------| | 12.2SXD | 12.2(18)SXD7a | | |------------------------------+---------------------+------------------------| | 12.2SXE | 12.2(18)SXE6 | | |------------------------------+---------------------+------------------------| | 12.2SXF | 12.2(18)SXF5 | | |------------------------------+----------------------------------------------| | 12.2SY | Vulnerable; migrate to 12.2(18)SXD7a or | | | later | |------------------------------+----------------------------------------------| | 12.2SZ | Vulnerable; migrate to 12.2(25)S11 or later | |------------------------------+----------------------------------------------| | 12.2T | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2TPC | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2XA | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XB | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XC | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2XD | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XE | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2XF | Vulnerable; migrate to 12.3(17b)BC3 or later | |------------------------------+----------------------------------------------| | 12.2XG | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XH | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XI | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XJ | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XK | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XL | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XM | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XN | | 12.2(31)XN | |------------------------------+----------------------------------------------| | 12.2XQ | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XR | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2XS | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XT | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XU | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XV | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2XW | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2YA | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2YB | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2YC | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2YD | Vulnerable; migrate to 12.3(11)T10 or later | |------------------------------+----------------------------------------------| | 12.2YE | Vulnerable; migrate to 12.2(25)S11 or later | |------------------------------+----------------------------------------------| | 12.2YF | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2YG | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2YH | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2YJ | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2YK | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2YL | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2YM | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2YN | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2YO | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2YP | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2YQ | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2YR | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2YT | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2YU | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2YV | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2YW | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2YX | Vulnerable; migrate to 12.3(14)T7 or later | |------------------------------+----------------------------------------------| | 12.2YY | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2YZ | Vulnerable; migrate to 12.2(25)S11 or later | |------------------------------+----------------------------------------------| | 12.2ZA | Vulnerable; migrate to 12.2(18)SXD7a or | | | later | |------------------------------+----------------------------------------------| | 12.2ZB | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2ZC | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2ZD | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2ZE | Vulnerable; migrate to 12.3(18) or later | |------------------------------+----------------------------------------------| | 12.2ZF | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2ZG | Not vulnerable | |------------------------------+----------------------------------------------| | 12.2ZH | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2ZJ | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2ZL | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.2ZN | Vulnerable; migrate to 12.3(4)T13 or later | |------------------------------+----------------------------------------------| | 12.2ZP | Not vulnerable | |------------------------------+----------------------------------------------| | Affected 12.3-Based Release | Rebuild | Maintenance | |------------------------------+---------------------+------------------------| | 12.3 | 12.3(17b) | 12.3(18) | |------------------------------+----------------------------------------------| | 12.3B | Vulnerable; migrate to 12.3(11)T10 or later | |------------------------------+----------------------------------------------| | 12.3BC | 12.3(17b)BC3 | | |------------------------------+----------------------------------------------| | 12.3BW | Vulnerable; migrate to 12.3(11)T10 or later | |------------------------------+----------------------------------------------| | 12.3JA | Not vulnerable | |------------------------------+----------------------------------------------| | 12.3JEA | All 12.3JEA releases are fixed | |------------------------------+----------------------------------------------| | 12.3JEB | All 12.3JEA releases are fixed | |------------------------------+----------------------------------------------| | 12.3JK | Not vulnerable | |------------------------------+----------------------------------------------| | 12.3JX | Not vulnerable | |------------------------------+----------------------------------------------| | | 12.3(4)T13 | | | |---------------------+------------------------| | 12.3T | 12.3(11)T10 | | | |---------------------+------------------------| | | 12.3(14)T7 | | |------------------------------+----------------------------------------------| | 12.3TPC | Not vulnerable | |------------------------------+----------------------------------------------| | 12.3XA | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XB | Vulnerable; migrate to 12.3(11)T10 or later | |------------------------------+----------------------------------------------| | 12.3XC | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XD | Vulnerable; migrate to 12.3(11)T10 or later | |------------------------------+----------------------------------------------| | 12.3XE | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XF | Vulnerable; migrate to 12.3(11)T10 or later | |------------------------------+----------------------------------------------| | 12.3XG | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XH | Vulnerable; migrate to 12.3(11)T10 or later | |------------------------------+----------------------------------------------| | 12.3XI | 12.3(7)XI8a | 12.3(7)XI9 | |------------------------------+----------------------------------------------| | 12.3XJ | Vulnerable; migrate to 12.3(14)YX2 or later | |------------------------------+----------------------------------------------| | 12.3XK | Vulnerable; migrate to 12.3(14)T7 or later | |------------------------------+----------------------------------------------| | 12.3XQ | Vulnerable; migrate to 12.4(8) or later | |------------------------------+----------------------------------------------| | 12.3XR | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3XS | Vulnerable; migrate to 12.4(8) or later | |------------------------------+----------------------------------------------| | 12.3XU | Vulnerable; migrate to 12.4(2)T4 or later | |------------------------------+----------------------------------------------| | 12.3XW | Vulnerable; migrate to 12.3(14)YX2 or later | |------------------------------+----------------------------------------------| | 12.3XX | Vulnerable; migrate to 12.4(8) or later | |------------------------------+----------------------------------------------| | 12.3XY | Not vulnerable | |------------------------------+----------------------------------------------| | 12.3YA | Vulnerable; contact TAC | |------------------------------+----------------------------------------------| | 12.3YD | Vulnerable; migrate to 12.4(2)T4 or later | |------------------------------+----------------------------------------------| | 12.3YF | Vulnerable; migrate to 12.3(14)YX2 or later | |------------------------------+----------------------------------------------| | 12.3YG | Vulnerable; migrate to 12.4(2)T4 or later | |------------------------------+----------------------------------------------| | 12.3YH | Vulnerable; migrate to 12.4(2)T4 or later | |------------------------------+----------------------------------------------| | 12.3YI | Vulnerable; migrate to 12.4(2)T4 or later | |------------------------------+----------------------------------------------| | 12.3YJ | Vulnerable; migrate to 12.4(6)T1 or later | |------------------------------+----------------------------------------------| | 12.3YK | Vulnerable; migrate to 12.4(4)T2 or later | |------------------------------+----------------------------------------------| | 12.3YM | 12.3(14)YM8 | | |------------------------------+----------------------------------------------| | 12.3YQ | Vulnerable; migrate to 12.4(6)T1 or later | |------------------------------+----------------------------------------------| | 12.3YS | Vulnerable; migrate to 12.4(4)T2 or later | |------------------------------+----------------------------------------------| | 12.3YT | Vulnerable; migrate to 12.4(4)T2 or later | |------------------------------+----------------------------------------------| | 12.3YU | Vulnerable; migrate to 12.4(2)XB2 or later | |------------------------------+----------------------------------------------| | 12.3YX | 12.3(14)YX2 | | |------------------------------+---------------------+------------------------| | 12.3YZ | 12.3(11)YZ1 | | |------------------------------+---------------------+------------------------| | Affected 12.4-Based Release | Rebuild | Maintenance | |------------------------------+---------------------+------------------------| | | 12.4(3d) | | | |---------------------+------------------------| | 12.4 | 12.4(5b) | | | |---------------------+------------------------| | | 12.4(7a) | 12.4(8) | |------------------------------+----------------------------------------------| | 12.4MR | Not vulnerable | |------------------------------+----------------------------------------------| | 12.4SW | All 12.4SW releases are fixed | |------------------------------+----------------------------------------------| | | 12.4(2)T4 | | | |---------------------+------------------------| | 12.4T | 12.4(4)T2 | | | |---------------------+------------------------| | | 12.4(6)T1 | 12.4(9)T | |------------------------------+----------------------------------------------| | 12.4XA | Vulnerable; migrate to 12.4(6)T1 or later | |------------------------------+----------------------------------------------| | 12.4XB | 12.4(2)XB2 | | |------------------------------+---------------------+------------------------| | 12.4XC | 12.4(4)XC5 | | |------------------------------+---------------------+------------------------| | 12.4XD | 12.4(4)XD2 | | |------------------------------+----------------------------------------------| | 12.4XE | All 12.4XE releases are fixed | |------------------------------+----------------------------------------------| | 12.4XG | All 12.4XG releases are fixed | |------------------------------+----------------------------------------------| | 12.4XJ | All 12.4XJ releases are fixed | |------------------------------+----------------------------------------------| | 12.4XP | All 12.4XP releases are fixed | |------------------------------+----------------------------------------------| | 12.4XT | All 12.4XT releases are fixed | +-----------------------------------------------------------------------------+ Workarounds =========== The workaround consists of filtering packets that contain Type 0 Routing header(s). Special attention must be paid not to filter packets with Type 2 Routing headers as that would break Mobile IPv6 deployment. Depending on what Cisco IOS software release is used and if Mobile IPv6 is deployed or not we have the following workarounds. As any packet type can be used to trigger this vulnerability the care must be taken when implementing a workaround to account for a spoofed packet. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-air-20070124-IOS-IPv6.shtml Mobile IPv6 is not deployed +-------------------------- For IOS releases before 12.3(4)T the workaround is to use ACLs to filter all packets that contain Routing headers. This method can not distinguish between Type 0 and Type 2 Routing headers so it is not suitable if Mobile IPv6 is deployed. The following example shows how to configure such ACLs. Router(config)#ipv6 access-list deny-sourcerouted Router(config-ipv6-acl)#deny ipv6 any <myaddress1> routing Router(config-ipv6-acl)#deny ipv6 any <myaddress2> routing Router(config-ipv6-acl)#permit ipv6 any any Router(config-ipv6-acl)#exit Router(config)#interface Ethernet0 Router(config-if)#ipv6 traffic-filter deny-sourcerouted in In this example <myaddressX> is an IPv6 address. One example of such address is 2600:dead:beef:cafe:0:1:0:1111. The ACL must be applied to all interfaces and all IPv6 addresses that are configured. If an interface has more than one IPv6 address configured then all addresses must be covered by the ACLs. This also includes all loopback and "link local" addresses for each interface. The alternative of enumerating all IPv6 addresses is to use statement "deny ipv6 any any routing". While that simplifies the resulting ACL it will also filter all transit IPv6 traffic with Routing headers 0 and 2. The example where all configured IPv6 addresses are enumerated will not affect transit traffic. This comment is applicable to all other examples in this Advisory. Starting from the IOS release 12.2(15)T a new command "ipv6 source-route" was introduced. If applied, it will block any IPv6 packet with any IPv6 routing headers (both types 0 and 2). The configuration is given in the following example. Router(config)#no ipv6 source-route This is a global command and it applies to all interfaces. The command is applicable on all defined IPv6 addresses, including the link local and loopback address, and on all interfaces. Mobile IPv6 is deployed +---------------------- There is no workaround if you are running a Cisco IOS release prior to 12.4(2)T. In IOS 12.4(2)T a new keyword "routing-type" is added to IPv6 ACLs. It can be used to selectively permit or deny specific routing types. Router(config)#ipv6 access-list deny-sourcerouted Router(config-ipv6-acl)#deny ipv6 any <myaddress1> routing-type 0 Router(config-ipv6-acl)#permit ipv6 any any Router(config)#interface Ethernet0 Router(config-if)#ipv6 source-route Router(config-if)#ipv6 traffic-filter deny-sourcerouted in The filter must be applied to all interfaces that have IPv6 configured. Obtaining Fixed Software ======================== Cisco will make free software available to address this vulnerability for affected customers. This advisory will be updated as fixed software becomes available. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact either "psirt(a)cisco.com" or "security-alert(a)cisco.com" for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac(a)cisco.com Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was initially reported to Cisco by Arnaud Ebalard from EADS Corporate Research Center. An additional vector to trigger it was discovered internally while fixing the vulnerability. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce(a)cisco.com * first-teams(a)first.org * bugtraq(a)securityfocus.com * vulnwatch(a)vulnwatch.org * cisco(a)spot.colorado.edu * cisco(a)spot.colorado.edu * cisco-nsp(a)puck.nether.net * full-disclosure(a)lists.grok.org.uk * comp.dcom.sys.cisco(a)newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | 1.0 | 2007-January-24 | Initial public | | | | release. | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. - ----------------------------------------------------------------------- All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights reserved. - ----------------------------------------------------------------------- Updated: Jan 24, 2007 Document ID: 72372 - ----------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFFt4q78NUAbBmDaxQRAnmUAKCddmt7R/tv6za5p5uaXzv3nJGAXQCeIh+Q VY3aC/IEoqWog0b4v3ji+is= =lzrx -----END PGP SIGNATURE-----

15 years, 5 months

Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of Service

by Cisco Systems Product Security Incident Response Team

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of Service Advisory ID: cisco-sa-20070124-crafted-tcp http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml Revision 1.0 For Public Release 2007 January 24 1600 UTC (GMT) - --------------------------------------------------------------------- Summary ======= The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition. This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability. Cisco has made free software available to address this vulnerability for affected customers. This issue is documented as Cisco bug ID CSCek37177. There are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml Affected Products ================= Vulnerable Products +------------------ This issue affects all Cisco devices running Cisco IOS software. To be affected, devices must be configured to process Internet Protocol version 4 (IPv4) packets and receive TCP packets. Devices which run only Internet Protocol version 6 (IPv6) are not affected. This vulnerability is present in all unfixed versions of Cisco IOS software, including versions 9.x, 10.x, 11.x and 12.x. To determine the software running on a Cisco product, log in to the device and issue the "show version" command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the "show version" command or will give different output. The following example identifies a Cisco product running Cisco IOS release 12.2(14)S16 with an installed image name of C7200-IS-M: Cisco Internetwork Operating System Software IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(14)S16, RELEASE SOFTWARE (fc1) The release train label is "12.2". The next example shows a product running IOS release 12.3(7)T12 with an image name of C7200-IK9S-M: Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(7)T12, RELEASE SOFTWARE (fc1) Additional information about Cisco IOS Banners is available at: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper… Products Confirmed Not Vulnerable +-------------------------------- Cisco products that do not run IOS are unaffected by this vulnerability. Cisco IOS-XR is not affected. No other Cisco products are currently known to be affected by this vulnerability. Details ======= TCP is the transport layer protocol designed to provide connection-oriented, reliable delivery of a data stream. To accomplish this, TCP uses a mixture of flags to indicate state and sequence numbers to identify the order in which the packets are to be reassembled. TCP also provides a number, called an acknowledgement number, that is used to indicate the sequence number of the next packet expected. The full specification of the TCP protocol can be found at http://www.ietf.org/rfc/rfc0793.txt Cisco IOS devices that are configured to receive TCP packets are exposed to this issue. This Advisory does not apply to traffic that is transiting the device. Certain crafted packets destined to an IPv4 address assigned to a physical or virtual interface on a Cisco IOS device may cause the device to leak a small amount of memory. Over time, such a memory leak may lead to memory exhaustion and potentially degraded service. Although this is an issue with TCP, it is not required to complete the TCP 3-way handshake in order for the memory leak to be triggered. Therefore, TCP packets with a spoofed source address may trigger the leak. The following document contains additional information on how to identify if your router is suffering from a memory leak in Processor memory: http://www.cisco.com/warp/public/63/mallocfail.shtml#tshoot2 Vulnerability Scoring Details ============================= Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability. CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks: http://intellishield.cisco.com/security/alertmanager/cvss Cisco Bug IDs: CSCek37177 CVSS Base Score: 3.3 Access Vector: Remote Access Complexity: Low Authentication: Not Required Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete Impact Bias: Normal CVSS Temporal Score: 2.7 Exploitability: Functional Remediation Level: Official Fix Report Confidence: Confirmed Impact ====== Successful exploitation of the vulnerability may result in a small amount of processor memory to leak, which may lead to degraded service. This issue will not resolve over time, and will require a device reset to recover the leaked memory. This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the device will not trigger this issue. Software Version and Fixes ========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label). For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/warp/public/620/1.html +------------------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |------------+-----------------------------------------------------------| | Affected | | | | 12.0-Based | Rebuild | Maintenance | | Release | | | |------------+-----------------------------------------------------------| | 12.0 | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0DA | Vulnerable; migrate to 12.2(10)DA5 or later | |------------+-----------------------------------------------------------| | 12.0DB | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.0DC | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | | 12.0(31)S6 | | |12.0S |----------------------------+------------------------------| | | 12.0(32)S4 | | |------------+-----------------------------------------------------------| | 12.0SC | Vulnerable; migrate to 12.3(13a)BC6 or later | |------------+-----------------------------------------------------------| | 12.0SL | Vulnerable; migrate to 12.0(31)S6 or later | |------------+-----------------------------------------------------------| | 12.0SP | Vulnerable; migrate to 12.0(31)S6 or later | |------------+-----------------------------------------------------------| | 12.0ST | Vulnerable; migrate to 12.0(31)S6 or later | |------------+-----------------------------------------------------------| | 12.0SX | 12.0(25)SX11 | | |------------+----------------------------+------------------------------| | 12.0SY | | 12.0(32)SY | |------------+-----------------------------------------------------------| | 12.0SZ | Vulnerable; migrate to 12.0(31)S6 or later | |------------+-----------------------------------------------------------| | 12.0T | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0W | Not vulnerable | |------------+-----------------------------------------------------------| | 12.0WC | 12.0(5)WC15 | | |------------+-----------------------------------------------------------| | 12.0WT | Not vulnerable | |------------+-----------------------------------------------------------| | 12.0XA | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XB | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XC | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XD | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XE | Vulnerable; migrate to 12.1(26)E7 or later | |------------+-----------------------------------------------------------| | 12.0XF | Not vulnerable | |------------+-----------------------------------------------------------| | 12.0XG | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XH | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XI | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XJ | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XK | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XL | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XM | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XN | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XQ | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XR | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XS | Vulnerable; migrate to 12.1(26)E7 or later | |------------+-----------------------------------------------------------| | 12.0XV | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.0XW | Not vulnerable | |------------+-----------------------------------------------------------| | Affected | | | | 12.1-Based | Rebuild | Maintenance | | Release | | | |------------+-----------------------------------------------------------| | 12.1 | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1 AA | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1 AX | Vulnerable; migrate to 12.2(25)EY4 or later | |------------+-----------------------------------------------------------| | 12.1 AY | Vulnerable; migrate to 12.1(22)EA8 or later | |------------+-----------------------------------------------------------| | 12.1 AZ | Vulnerable; migrate to 12.1(22)EA8 or later | |------------+-----------------------------------------------------------| | 12.1 CX | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1 DA | Vulnerable; migrate to 12.2(10)DA5 or later | |------------+-----------------------------------------------------------| | 12.1 DB | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.1 DC | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | | 12.1(26)E7 | | |12.1E |----------------------------+------------------------------| | | 12.1(27b)E1 | | |------------+----------------------------+------------------------------| | 12.1EA | 12.1(22)EA8 | | |------------+-----------------------------------------------------------| | 12.1EB | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.1EC | Vulnerable; migrate to 12.3(13a)BC6 or later | |------------+-----------------------------------------------------------| | | 12.1(19)EO6; available on | | | 12.1EO | 31-Jan-07 | | | |----------------------------+------------------------------| | | 12.1(20)EO3 | | |------------+-----------------------------------------------------------| | 12.1EU | Vulnerable; migrate to 12.2(25)EWA6 or later | |------------+-----------------------------------------------------------| | 12.1EV | Vulnerable; migrate to 12.2(27)SV4 or later | |------------+-----------------------------------------------------------| | 12.1EW | Vulnerable; migrate to 12.2(25)EWA6 or later | |------------+-----------------------------------------------------------| | 12.1EX | Vulnerable; migrate to 12.1(26)E7 or later | |------------+-----------------------------------------------------------| | 12.1EY | Vulnerable; migrate to 12.1(26)E7 or later | |------------+-----------------------------------------------------------| | 12.1EZ | Vulnerable; migrate to 12.1(26)E7 or later | |------------+-----------------------------------------------------------| | 12.1T | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1XA | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1XB | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1XC | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1XD | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1XE | Vulnerable; migrate to 12.1(26)E7 or later | |------------+-----------------------------------------------------------| | 12.1XF | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1XG | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1XH | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1XI | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1XJ | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1XL | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1XM | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1XP | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1XQ | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1XR | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1XS | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1XT | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1XU | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1XV | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1XW | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1XX | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1XY | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1XZ | Vulnerable; migrate to 12.2(37) or later | |------------+-----------------------------------------------------------| | 12.1YA | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1YB | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1YC | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1YD | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1YE | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1YF | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1YH | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1YI | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.1YJ | Vulnerable; migrate to 12.1(22)EA8 or later | |------------+-----------------------------------------------------------| | Affected | | | | 12.2-Based | Rebuild | Maintenance | | Release | | | |------------+----------------------------+------------------------------| | 12.2 | | 12.2(37) | |------------+-----------------------------------------------------------| | 12.2B | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2BC | Vulnerable; migrate to 12.3(13a)BC6 or later | |------------+-----------------------------------------------------------| | 12.2BW | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2BY | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2BZ | Vulnerable; migrate to 12.3(7)XI8 or later | |------------+-----------------------------------------------------------| | 12.2CX | Vulnerable; migrate to 12.3(13a)BC6 or later | |------------+-----------------------------------------------------------| | 12.2CY | Vulnerable; migrate to 12.3(13a)BC6 or later | |------------+-----------------------------------------------------------| | 12.2CZ | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | | 12.2(10)DA5 | | |12.2DA |----------------------------+------------------------------| | | 12.2(12)DA10 | | |------------+-----------------------------------------------------------| | 12.2DD | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2DX | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2EU | Vulnerable; migrate to 12.2(25)EWA6 or later | |------------+-----------------------------------------------------------| | 12.2EW | Vulnerable; migrate to 12.2(25)EWA6 or later | |------------+-----------------------------------------------------------| | 12.2EWA | 12.2(25)EWA6 | | |------------+----------------------------+------------------------------| | 12.2EX | 12.2(25)EX1 | | |------------+----------------------------+------------------------------| | 12.2EY | 12.2(25)EY4 | | |------------+-----------------------------------------------------------| | 12.2EZ | Vulnerable; migrate to 12.2(25)SEE1 or later | |------------+-----------------------------------------------------------| | 12.2FX | Vulnerable; migrate to 12.2(25)SEE1 or later | |------------+-----------------------------------------------------------| | 12.2FY | Vulnerable; migrate to 12.2(25)SEE1 or later | |------------+-----------------------------------------------------------| | 12.2FZ | All 12.2FZ releases are fixed | |------------+-----------------------------------------------------------| | 12.2IXA | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.2IXB | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.2IXC | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.2JA | Vulnerable; migrate to 12.3(8)JA2 or later | |------------+-----------------------------------------------------------| | 12.2JK | Vulnerable; migrate to 12.4(4)T4 or later | |------------+-----------------------------------------------------------| | 12.2MB | Vulnerable; migrate to 12.2(25)SW8 or later | |------------+-----------------------------------------------------------| | 12.2MC | Vulnerable; migrate to 12.3(11)T11 or later | |------------+-----------------------------------------------------------| | 12.2S | 12.2(25)S12; Available | | | | 12-Feb-07 | | |------------+----------------------------+------------------------------| | 12.2SB | 12.2(28)SB2 | 12.2(31)SB | |------------+----------------------------+------------------------------| | 12.2SBC | 12.2(27)SBC5 | | |------------+----------------------------+------------------------------| | 12.2SE | | 12.2(35)SE | |------------+-----------------------------------------------------------| | 12.2SEA | Vulnerable; migrate to 12.2(25)SEE1 or later | |------------+-----------------------------------------------------------| | 12.2SEB | Vulnerable; migrate to 12.2(25)SEE1 or later | |------------+-----------------------------------------------------------| | 12.2SEC | Vulnerable; migrate to 12.2(25)SEE1 or later | |------------+-----------------------------------------------------------| | 12.2SED | Vulnerable; migrate to 12.2(25)SEE1 or later | |------------+-----------------------------------------------------------| | 12.2SEE | 12.2(25)SEE1 | | |------------+----------------------------+------------------------------| | 12.2SEF | 12.2(25)SEF1 | | |------------+-----------------------------------------------------------| | 12.2SEG | All 12.2SEG releases are fixed | |------------+-----------------------------------------------------------| | 12.2SG | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.2SGA | All 12.2SGA releases are fixed | |------------+-----------------------------------------------------------| | 12.2SO | 12.2(18)SO7 | | |------------+-----------------------------------------------------------| | 12.2SRA | All 12.2SRA releases are fixed | |------------+-----------------------------------------------------------| | 12.2SRB | All 12.2SRB releases are fixed | |------------+-----------------------------------------------------------| | 12.2SU | Vulnerable; migrate to 12.4(8) or later | |------------+-----------------------------------------------------------| | | 12.2(27)SV4 | | | |----------------------------+------------------------------| | 12.2SV | 12.2(28)SV1 | | | |----------------------------+------------------------------| | | 12.2(29)SV1 | | |------------+----------------------------+------------------------------| | 12.2SW | 12.2(25)SW8 | | |------------+-----------------------------------------------------------| | 12.2SX | Vulnerable; migrate to 12.2(18)SXD7a or later | |------------+-----------------------------------------------------------| | 12.2SXA | Vulnerable; migrate to 12.2(18)SXD7a or later | |------------+-----------------------------------------------------------| | 12.2SXB | Vulnerable; migrate to 12.2(18)SXD7a or later | |------------+-----------------------------------------------------------| | 12.2SXD | 12.2(18)SXD7a | | |------------+----------------------------+------------------------------| | 12.2SXE | 12.2(18)SXE6 | | |------------+----------------------------+------------------------------| | 12.2SXF | 12.2(18)SXF5 | | |------------+-----------------------------------------------------------| | 12.2SY | Vulnerable; migrate to 12.2(18)SXD7a or later | |------------+-----------------------------------------------------------| | 12.2SZ | Vulnerable; migrate to 12.2(25)S12 or later; Available | | | 12-Feb-07 | |------------+-----------------------------------------------------------| | 12.2T | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2TPC | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.2XA | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XB | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XC | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2XD | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XE | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XF | Vulnerable; migrate to 12.3(13a)BC6 or later | |------------+-----------------------------------------------------------| | 12.2XG | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XH | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XI | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XJ | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XK | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XL | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XM | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XN | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XQ | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XR | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XS | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XT | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XU | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XV | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2XW | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2YA | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2YB | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2YC | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2YD | Vulnerable; migrate to 12.3(11)T11 or later | |------------+-----------------------------------------------------------| | 12.2YE | Vulnerable; migrate to 12.2(25)S12 or later; Available | | | 12-Feb-07 | |------------+-----------------------------------------------------------| | 12.2YF | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2YG | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2YH | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2YJ | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2YK | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2YL | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2YM | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2YN | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2YO | Not vulnerable | |------------+-----------------------------------------------------------| | 12.2YP | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2YQ | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2YR | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2YS | Not vulnerable | |------------+-----------------------------------------------------------| | 12.2YT | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2YU | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2YV | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2YW | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2YX | Vulnerable; migrate to 12.4(8) or later | |------------+-----------------------------------------------------------| | 12.2YY | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2YZ | Vulnerable; migrate to 12.2(25)S12 or later; Available | | | 12-Feb-07 | |------------+-----------------------------------------------------------| | 12.2ZA | Vulnerable; migrate to 12.2(18)SXD7a or later | |------------+-----------------------------------------------------------| | 12.2ZB | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2ZC | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2ZD | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.2ZE | Vulnerable; migrate to 12.3(19) or later | |------------+-----------------------------------------------------------| | 12.2ZF | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2ZG | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.2ZH | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.2ZJ | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2ZL | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.2ZN | Vulnerable; migrate to 12.3(4)T13 or later | |------------+-----------------------------------------------------------| | 12.2ZP | Vulnerable; migrate to 12.4(8) or later | |------------+-----------------------------------------------------------| | Affected | | | | 12.3-Based | Rebuild | Maintenance | | Release | | | |------------+----------------------------+------------------------------| | 12.3 | 12.3(10f) | 12.3(19) | |------------+-----------------------------------------------------------| | 12.3B | Vulnerable; migrate to 12.3(11)T11 or later | |------------+-----------------------------------------------------------| | | 12.3(13a)BC6 | | |12.3BC |----------------------------+------------------------------| | | 12.3(17a)BC2 | | |------------+-----------------------------------------------------------| | 12.3BW | Vulnerable; migrate to 13.3(11)T11 or later | |------------+-----------------------------------------------------------| | 12.3JA | 12.3(8)JA2 | | |------------+-----------------------------------------------------------| | 12.3JEA | All 12.3JEA releases are fixed | |------------+-----------------------------------------------------------| | 12.3JEB | All 12.3JEB releases are fixed | |------------+-----------------------------------------------------------| | 12.3JK | 12.3(2)JK2 | | |------------+----------------------------+------------------------------| | 12.3JX | 12.3(7)JX4 | 12.3(11)JX | |------------+----------------------------+------------------------------| | | 12.3(4)T13 | | |12.3T |----------------------------+------------------------------| | | 12.3(11)T11 | | |------------+-----------------------------------------------------------| | 12.3TPC | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.3XA | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.3XB | Vulnerable; migrate to 12.3(11)T11 or later | |------------+-----------------------------------------------------------| | 12.3XC | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.3XD | Vulnerable; migrate to 12.3(11)T11 or later | |------------+-----------------------------------------------------------| | 12.3XE | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.3XF | Vulnerable; migrate to 12.3(11)T11 or later | |------------+-----------------------------------------------------------| | 12.3XG | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.3XH | Vulnerable; migrate to 12.3(11)T11 or later | |------------+-----------------------------------------------------------| | 12.3XI | 12.3(7)XI8 | | |------------+-----------------------------------------------------------| | 12.3XJ | Vulnerable; migrate to 12.3(14)YX2 or later | |------------+-----------------------------------------------------------| | 12.3XK | Vulnerable; migrate to 12.4(8) or later | |------------+-----------------------------------------------------------| | 12.3XQ | Vulnerable; migrate to 12.4(8) or later | |------------+-----------------------------------------------------------| | 12.3XR | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.3XS | Vulnerable; migrate to 12.4(8) or later | |------------+-----------------------------------------------------------| | 12.3XU | Vulnerable; migrate to 12.4(2)T5 or later | |------------+-----------------------------------------------------------| | 12.3XW | Vulnerable; migrate to 12.3(14)YX2 or later | |------------+-----------------------------------------------------------| | 12.3XX | Vulnerable; migrate to 12.4(8) or later | |------------+-----------------------------------------------------------| | 12.3XY | Vulnerable; migrate to 12.4(8) or later | |------------+-----------------------------------------------------------| | 12.3YA | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.3YD | Vulnerable; migrate to 12.4(2)T5 or later | |------------+-----------------------------------------------------------| | 12.3YF | Vulnerable; migrate to 12.3(14)YX2 or later | |------------+-----------------------------------------------------------| | 12.3YG | Vulnerable; migrate to 12.4(2)T5 or later | |------------+-----------------------------------------------------------| | 12.3YH | Vulnerable; migrate to 12.4(2)T5 or later | |------------+-----------------------------------------------------------| | 12.3YI | Vulnerable; migrate to 12.4(2)T5 or later | |------------+-----------------------------------------------------------| | 12.3YJ | Vulnerable; migrate to 12.3(14)YQ8 or later | |------------+-----------------------------------------------------------| | 12.3YK | Vulnerable; migrate to 12.4(4)T4 or later | |------------+-----------------------------------------------------------| | 12.3YM | 12.3(14)YM8 | | |------------+----------------------------+------------------------------| | 12.3YQ | 12.3(14)YQ8 | | |------------+-----------------------------------------------------------| | 12.3YS | Vulnerable; migrate to 12.4(4)T4 or later | |------------+-----------------------------------------------------------| | 12.3YT | Vulnerable; migrate to 12.4(4)T4 or later | |------------+-----------------------------------------------------------| | 12.3YU | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.3YX | 12.3(14)YX2 | | |------------+----------------------------+------------------------------| | 12.3YZ | 12.3(11)YZ1 | | |------------+----------------------------+------------------------------| | Affected | | | | 12.4-Based | Rebuild | Maintenance | | Release | | | |------------+----------------------------+------------------------------| | | 12.4(3e) | | |12.4 |----------------------------+------------------------------| | | 12.4(7b) | 12.4(8) | |------------+----------------------------+------------------------------| | 12.4MR | 12.4(6)MR1 | | |------------+-----------------------------------------------------------| | 12.4SW | All 12.4SW releases are fixed | |------------+-----------------------------------------------------------| | | 12.4(2)T5 | | | |----------------------------+------------------------------| | 12.4T | 12.4(4)T4 | | | |----------------------------+------------------------------| | | 12.4(6)T3 | 12.4(9)T | |------------+-----------------------------------------------------------| | 12.4XA | Vulnerable; migrate to 12.4(6)T3 | |------------+-----------------------------------------------------------| | 12.4XB | Vulnerable; contact TAC | |------------+-----------------------------------------------------------| | 12.4XC | 12.4(4)XC3 | | |------------+----------------------------+------------------------------| | 12.4XD | 12.4(4)XD4 | | |------------+-----------------------------------------------------------| | 12.4XE | All 12.4XE releases are fixed | |------------+-----------------------------------------------------------| | 12.4XG | All 12.4XG releases are fixed | |------------+-----------------------------------------------------------| | 12.4XJ | All 12.4XJ releases are fixed | |------------+-----------------------------------------------------------| | 12.4XP | All 12.4XP releases are fixed | |------------+-----------------------------------------------------------| | 12.4XT | All 12.4XT releases are fixed | +------------------------------------------------------------------------+ Workarounds =========== Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-air-20070124-crafted-tcp.shtml Note: Configuring VTY access-class filters is not an effective mitigation strategy for this vulnerability. Infrastructure ACLs (iACL) +------------------------- Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The ACL example shown below should be included as part of the deployed infrastructure access-list which will protect all devices with IP addresses in the infrastructure IP address range. A sample access list for devices running Cisco IOS is below: !--- Permit TCP services from trust hosts destined !--- to infrastructure addresses. access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK !--- Deny TCP packets from all other sources destined to infrastructure addresses. access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK !--- Permit all other traffic to transit the device. access-list 150 permit IP any any interface serial 2/0 ip access-group 150 in The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained here: http://www.cisco.com/warp/public/707/iacl.html Receive ACLs (rACL) +------------------ For distributed platforms, Receive ACLs may be an option starting in Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S for the 7500, and 12.0(31)S for the 10720. The Receive ACL protects the device from harmful traffic before the traffic can impact the route processor. Receive ACLs are designed to only protect the device on which it is configured. On the 12000, transit traffic is never affected by a receive ACL. Because of this, the destination IP address "any" used in the example ACL entries below only refer to the router's own physical or virtual IP addresses. On the 7500 and 10720, transit traffic with IP options set will be subject to the Receive ACL and permitted or denied accordingly. Receive ACLs are considered a network security best practice, and should be considered as a long-term addition to good network security, as well as a workaround for this specific vulnerability. The white paper entitled "GSR: Receive Access Control Lists" will help you identify and allow legitimate traffic to your device and deny all unwanted packets: http://www.cisco.com/warp/public/707/racl.html The following is the receive path ACL written to permit this type of traffic from trusted hosts: !--- Permit tcp services from trusted hosts allowed to the RP. access-list 151 permit tcp TRUSTED_ADDRESSES MASK any !--- Deny tcp services from all other sources to the RP. access-list 151 deny tcp any any !--- Permit all other traffic to the RP. access-list 151 permit ip any any !--- Apply this access list to the 'receive' path. ip receive access-list 151 Control Plane Policing (CoPP) +---------------------------- The Control Plane Policing (CoPP) feature may be used to mitigate this vulnerability. In the following example, only TCP traffic from trusted hosts and with 'receive' destination IP addresses is permitted to reach the route processor (RP). All other 'transit' IP traffic is unaffected. It should be noted that dropping traffic from unknown or untrusted IP addresses may affect hosts with dynamically assigned IP addresses from connecting to the Cisco IOS device. access-list 152 deny tcp TRUSTED_ADDRESSES MASK any access-list 152 permit tcp any any access-list 152 deny ip any any ! class-map match-all permit-tcp-class match access-group 152 ! ! policy-map permit-tcp-policy class permit-tcp-class drop ! control-plane service-policy input permit-tcp-policy In the above CoPP example, the ACL entries that match the exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action are not affected by the policy-map drop function. Please note that in the 12.2S and 12.0S Cisco IOS trains the policy-map syntax is different: policy-map permit-tcp-policy class class permit-tcp-class police 32000 1500 1500 conform-action drop exceed-action drop CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T. Additional information on the configuration and use of the CoPP feature can be found at the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper… Anti-spoofing +------------ The Unicast Reverse Path Forwarding (Unicast RPF or uRPF) feature helps to mitigate problems that are caused by spoofed IP source addresses. It is available on Cisco routers and firewalls. For further details, please refer to: http://www.cisco.com/en/US/partner/products/ps6441/products_command_referen… By enabling Unicast Reverse Path Forwarding (uRPF), all spoofed packets will be dropped at the first device. To enable uRPF, use the following commands. router(config)# ip cef router(config)# interface interface # router(config-if)# ip verify unicast source reachable-via rx BGP and BTSH/GTSM +---------------- Depending on your release of software, it may be possible to protect your BGP sessions from this memory leak. With the introduction of CSCee73956, Cisco IOS has improved support for BTSH (BGP TTL Security Hack) to reduce, if not eliminate a risk of a memory leak due to this vulnerability. This functionality is also known as GTSM (Generalized TTL Security Mechanism) and documented in RFC 3682. This section refers to GTSM as applied to eBGP sessions only. Releases of Cisco IOS that contain CSCee73956 are protected from this attack against the BGP port (TCP port 179) only. Other ports should be protected accordingly. BTSH is not supported for iBGP sessions. BTSH was first introduced in Cisco IOS in 12.0(27)S, 12.3(7)T and 12.2(25)S. Note that the BTSH feature prior to CSCee73956 will not protect against this vulnerability. For more information on BTSH, please see: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/12… Obtaining Fixed Software ======================== Cisco will make free software available to address this vulnerability for affected customers. This advisory will be updated as fixed software becomes available. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact either "psirt(a)cisco.com" or "security-alert(a)cisco.com" for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac(a)cisco.com Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered by Cisco during our internal testing process. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce(a)cisco.com * first-teams(a)first.org * bugtraq(a)securityfocus.com * vulnwatch(a)vulnwatch.org * cisco(a)spot.colorado.edu * cisco-nsp(a)puck.nether.net * full-disclosure(a)lists.grok.org.uk * comp.dcom.sys.cisco(a)newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | | | Initial | | 1.0 | 2007-January-24 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.… This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt - --------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iD8DBQFFt3qK8NUAbBmDaxQRAlmUAJ4orT3YO8RntAsyzsx8C/JL/q7QoQCfRcaq 83G2Nzt3qRHKu3ZD/6I6gck= =OTe7 -----END PGP SIGNATURE-----

15 years, 5 months

Fwd: New APNIC IPv4 address ranges

by Nurani Nimpuno

Dear colleagues, Please note the announcement below regarding the new IPv4 APNIC address ranges. Kind regards, Nurani --------------------------------------------------------------------- Nurani Nimpuno email: nurani(a)apnic.net External Relations Manager sip: nurani(a)voip.apnic.net APNIC phone: +61 7 3858 3100 http://www.apnic.net Begin forwarded message: > -------- Original Message -------- > Subject: [Apnic-announce] New APNIC IPv4 address ranges > Date: Thu, 18 Jan 2007 16:00:03 +1000 > From: helpdesk(a)apnic.net > Reply-To: apnic-talk(a)apnic.net > To: apnic-announce(a)apnic.net > > > > Dear colleagues > > APNIC received the following IPv4 address blocks from IANA in Jan > 2007 and will be making allocations from these ranges in the near > future: > > 116/8 APNIC > 117/8 APNIC > 118/8 APNIC > 119/8 APNIC > 120/8 APNIC > > APNIC has made this announcement to enable the Internet community > to update network configurations, such as routing filters, where > required. > > Routability testing of new prefixes will commence on Friday > January 19 2007. The daily report will be published at the usual > URL: > > http://www.ris.ripe.net/debogon/debogon.html > > For more information on the resources administered by APNIC, > please see: > > http://www.apnic.net/db/ranges.html > > For information on the minimum allocation sizes within address > ranges administered by APNIC, please see: > > http://www.apnic.net/db/min-alloc.html > > > Kind regards > Guangliang > > ________________________________________________________________ > Guangliang Pan email: helpdesk(a)apnic.net > Resources Services Manager sip: helpdesk(a)voip.apnic.net > APNIC phone: +61 7 3858 3188 > http://www.apnic.net/ fax: +61 7 3858 3199 > ________________________________________________________________ >

15 years, 5 months

Weekly Routing Table Report

by Routing Analysis Role Account

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. Daily listings are sent to bgp-stats(a)lists.apnic.net For historical data, please see http://thyme.apnic.net. If you have any comments please contact Philip Smith <pfs(a)cisco.com>. Routing Table Report 04:00 +10GMT Sat 20 Jan, 2007 Analysis Summary ---------------- BGP routing table entries examined: 208300 Prefixes after maximum aggregation: 112624 Deaggregation factor: 1.85 Unique aggregates announced to Internet: 101475 Total ASes present in the Internet Routing Table: 24172 Origin-only ASes present in the Internet Routing Table: 21051 Origin ASes announcing only one prefix: 10192 Transit ASes present in the Internet Routing Table: 3121 Transit-only ASes present in the Internet Routing Table: 78 Average AS path length visible in the Internet Routing Table: 3.6 Max AS path length visible: 32 Max AS path prepend of ASN (20858) 18 Prefixes from unregistered ASNs in the Routing Table: 4 Unregistered ASNs in the Routing Table: 7 Special use prefixes present in the Routing Table: 0 Prefixes being announced from unallocated address space: 27 Number of addresses announced to Internet: 1660997452 Equivalent to 99 /8s, 0 /16s and 207 /24s Percentage of available address space announced: 44.8 Percentage of allocated address space announced: 63.6 Percentage of available address space allocated: 70.5 Total number of prefixes smaller than registry allocations: 106510 APNIC Region Analysis Summary ----------------------------- Prefixes being announced by APNIC Region ASes: 46255 Total APNIC prefixes after maximum aggregation: 18724 APNIC Deaggregation factor: 2.47 Prefixes being announced from the APNIC address blocks: 43822 Unique aggregates announced from the APNIC address blocks: 19170 APNIC Region origin ASes present in the Internet Routing Table: 2827 APNIC Region origin ASes announcing only one prefix: 793 APNIC Region transit ASes present in the Internet Routing Table: 422 Average APNIC Region AS path length visible: 3.6 Max APNIC Region AS path length visible: 16 Number of APNIC addresses announced to Internet: 276302048 Equivalent to 16 /8s, 120 /16s and 8 /24s Percentage of available APNIC address space announced: 86.4 APNIC AS Blocks 4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations) 23552-24575, 37888-38911 APNIC Address Blocks 58/7, 60/7, 121/8, 122/7, 124/7, 126/8, 202/7 210/7, 218/7, 220/7 and 222/8 ARIN Region Analysis Summary ---------------------------- Prefixes being announced by ARIN Region ASes: 102695 Total ARIN prefixes after maximum aggregation: 60728 ARIN Deaggregation factor: 1.69 Prefixes being announced from the ARIN address blocks: 75619 Unique aggregates announced from the ARIN address blocks: 28899 ARIN Region origin ASes present in the Internet Routing Table: 11274 ARIN Region origin ASes announcing only one prefix: 4311 ARIN Region transit ASes present in the Internet Routing Table: 1039 Average ARIN Region AS path length visible: 3.4 Max ARIN Region AS path length visible: 21 Number of ARIN addresses announced to Internet: 313853056 Equivalent to 18 /8s, 181 /16s and 4 /24s Percentage of available ARIN address space announced: 69.3 ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106 (pre-ERX allocations) 2138-2584, 2615-2772, 2823-2829, 2880-3153 3354-4607, 4865-5119, 5632-6655, 6912-7466 7723-8191, 10240-12287, 13312-15359, 16384-17407 18432-20479, 21504-23551, 25600-26591, 26624-27647, 29696-30719, 31744-33791 35840-36863, 39936-40959 ARIN Address Blocks 24/8, 63/8, 64/5, 72/6, 76/8, 96/6, 199/8, 204/6, 208/7 and 216/8 RIPE Region Analysis Summary ---------------------------- Prefixes being announced by RIPE Region ASes: 43136 Total RIPE prefixes after maximum aggregation: 28202 RIPE Deaggregation factor: 1.53 Prefixes being announced from the RIPE address blocks: 39854 Unique aggregates announced from the RIPE address blocks: 26576 RIPE Region origin ASes present in the Internet Routing Table: 9058 RIPE Region origin ASes announcing only one prefix: 4785 RIPE Region transit ASes present in the Internet Routing Table: 1465 Average RIPE Region AS path length visible: 4.0 Max RIPE Region AS path length visible: 32 Number of RIPE addresses announced to Internet: 286553764 Equivalent to 17 /8s, 20 /16s and 118 /24s Percentage of available RIPE address space announced: 77.6 RIPE AS Blocks 1877-1901, 2043, 2047, 2107-2136, 2585-2614 (pre-ERX allocations) 2773-2822, 2830-2879, 3154-3353, 5377-5631 6656-6911, 8192-9215, 12288-13311, 15360-16383 20480-21503, 24576-25599, 28672-29695 30720-31743, 33792-35839, 38912-39935 40960-43007 RIPE Address Blocks 62/8, 77/8, 78/7, 80/5, 88/6, 193/8, 194/7, 212/7 and 217/8 LACNIC Region Analysis Summary ------------------------------ Prefixes being announced by LACNIC Region ASes: 13696 Total LACNIC prefixes after maximum aggregation: 4015 LACNIC Deaggregation factor: 3.41 Prefixes being announced from the LACNIC address blocks: 11682 Unique aggregates announced from the LACNIC address blocks: 7207 LACNIC Region origin ASes present in the Internet Routing Table: 759 LACNIC Region origin ASes announcing only one prefix: 248 LACNIC Region transit ASes present in the Internet Routing Table: 135 Average LACNIC Region AS path length visible: 4.2 Max LACNIC Region AS path length visible: 20 Number of LACNIC addresses announced to Internet: 36298752 Equivalent to 2 /8s, 41 /16s and 224 /24s Percentage of available LACNIC address space announced: 54.1 LACNIC AS Blocks 26592-26623, 27648-28671, plus ERX transfers LACNIC Address Blocks 189/8, 190/8, 200/7 AfriNIC Region Analysis Summary ------------------------------- Prefixes being announced by AfriNIC Region ASes: 2515 Total AfriNIC prefixes after maximum aggregation: 954 AfriNIC Deaggregation factor: 2.64 Prefixes being announced from the AfriNIC address blocks: 1788 Unique aggregates announced from the AfriNIC address blocks: 1150 AfriNIC Region origin ASes present in the Internet Routing Table: 175 AfriNIC Region origin ASes announcing only one prefix: 55 AfriNIC Region transit ASes present in the Internet Routing Table: 33 Average AfriNIC Region AS path length visible: 3.6 Max AfriNIC Region AS path length visible: 15 Number of AfriNIC addresses announced to Internet: 5369600 Equivalent to 0 /8s, 81 /16s and 239 /24s Percentage of available AfriNIC address space announced: 16.0 AfriNIC AS Blocks 36864-37887 & ERX transfers AfriNIC Address Blocks 41/8, 196/8 APNIC Region per AS prefix count summary ---------------------------------------- ASN No of nets /20 equiv MaxAgg Description 4134 1269 8655 268 CHINANET-BACKBONE 4755 1091 383 75 Videsh Sanchar Nigam Ltd. Aut 9583 1023 99 66 Sify Limited 9498 929 467 64 BHARTI BT INTERNET LTD. 23577 774 34 702 KRNIC 4766 760 4944 312 Korea Telecom (KIX) 17488 584 36 20 Hathway IP Over Cable Interne 1221 570 1697 441 Telstra Pty Ltd 7545 564 126 74 TPG Internet Pty Ltd 18101 511 103 27 Reliance Infocom Ltd Internet 17676 503 10935 66 Softbank BB Corp. 9443 442 111 74 Primus Telecommunications 4812 434 759 68 China Telecom (Shanghai) 4802 361 86 150 Wantree Development 17974 357 129 14 PT TELEKOMUNIKASI INDONESIA 17557 353 35 171 Pakistan Telecom 17849 353 33 93 Telecommunications Technology 4837 333 4071 146 chinanet IDC center beijing n 2907 332 1749 309 SINET Japan 7474 312 212 239 SingTel Optus Pty Ltd ARIN Region per AS prefix count summary --------------------------------------- ASN No of nets /20 equiv MaxAgg Description 7018 1548 6145 994 AT&T WorldNet Services 2386 1109 586 735 AT&T Data Communications Serv 4323 1066 820 299 Time Warner Telecom 6197 1022 645 500 BellSouth Network Solutions, 18566 986 272 8 Covad Communications 701 938 6692 751 UUNET Technologies, Inc. 174 934 6789 865 Cogent Communications 11492 910 99 14 Cable One 1239 827 2730 577 Sprint 19262 792 2570 184 Verizon Global Networks 20115 787 686 412 Charter Communications 7011 722 214 448 Citizens Utilities 209 717 3750 566 Qwest 22773 716 1744 42 Cox Communications, Inc. 721 708 21837 285 DLA Systems Automation Center 852 609 1093 394 Telus Advanced Communications 5668 568 161 19 CenturyTel Internet Holdings, 19916 568 49 54 OLM LLC 855 558 250 73 Canadian Research Network 6198 548 519 256 BellSouth Network Solutions, RIPE Region per AS prefix count summary --------------------------------------- ASN No of nets /20 equiv MaxAgg Description 702 547 1912 426 UUNET - Commercial IP service 3301 305 1199 287 TeliaNet Sweden 3320 298 4993 249 Deutsche Telekom AG 24863 298 45 25 LINKdotNET AS number 8220 271 474 262 COLT Telecommunications 6746 269 95 246 Dynamic Network Technologies, 680 257 2044 251 DFN-IP service G-WiN 3215 233 2136 96 France Telecom Transpac 8708 233 283 220 Romania Data Systems S.A. 1257 216 1069 172 SWIPnet Swedish IP Network 3269 211 2375 74 TELECOM ITALIA 30890 211 18 91 SC Kappa Invexim SRL 3246 207 354 197 Song Networks 5416 205 13 13 BATELCO-BH 8551 192 193 28 Bezeq International 20858 189 34 3 This AS will be used to conne 3300 177 171 89 AUCS Communications Services 3352 177 1767 31 Ibernet, Internet Access Netw 12479 176 578 6 Uni2 Autonomous System 786 171 1779 171 The JANET IP Service LACNIC Region per AS prefix count summary ----------------------------------------- ASN No of nets /20 equiv MaxAgg Description 8151 849 2015 203 UniNet S.A. de C.V. 11830 482 299 19 Instituto Costarricense de El 11172 391 107 81 Servicios Alestra S.A de C.V 16814 329 20 8 NSS, S.A. 22047 307 206 11 VTR PUNTO NET S.A. 14117 259 16 13 Telefonica del Sur S.A. 6471 256 74 31 ENTEL CHILE S.A. 7303 231 103 33 Telecom Argentina Stet-France 6147 224 182 20 Telefonica Del Peru 6503 217 170 92 AVANTEL, S.A. 11556 212 105 7 Cable-Wireless Panama 10481 181 72 8 Prima S.A. 21826 157 21 36 INTERCABLE 7910 149 10 33 ANDINET ON LINE 23216 147 19 43 RAMtelecom Telecomunicaciones 18822 145 9 10 TELEFONICA MANQUEHUE 19169 141 9 24 Telconet 19429 140 84 35 E.T.B. 14522 135 21 8 SatNet S.A. 7738 116 442 21 Telecomunicacoes da Bahia S.A AfriNIC Region per AS prefix count summary ------------------------------------------ ASN No of nets /20 equiv MaxAgg Description 3741 290 868 232 The Internet Solution 8452 222 60 6 TEDATA 15475 154 84 4 Nile Online 6713 144 135 11 Itissalat Al-MAGHRIB 2018 138 309 113 Tertiary Education Network 5536 123 8 15 Internet Egypt Network 33783 106 6 4 EEPAD TISP TELECOM & INTERNET 2905 85 176 74 The Internetworking Company o 24835 85 48 6 RAYA Telecom - Egypt 2561 60 6 2 Egyptian Universities Network 15706 55 12 4 Sudatel Internet Exchange Aut 23889 50 13 15 MAURITIUS TELECOM 5713 41 294 34 Telkom SA Ltd 12455 39 6 3 Jambonet Autonomous system 33774 38 12 22 AS Number for Telecom Algeria 16637 33 21 25 Johnnic e-Ventures 33766 33 2 1 Nyala Communications Pty Ltd 8524 30 2 6 AUCEGYPT Autonomous System 33776 27 2 5 Starcomms Nigeria Limited 10798 23 1 14 Standard Bank of South Africa Global Per AS Maximum Aggr summary ---------------------------------- ASN No of nets Net Savings Description 4755 1091 1016 Videsh Sanchar Nigam Ltd. Aut 4134 1269 1001 CHINANET-BACKBONE 18566 986 978 Covad Communications 9583 1023 957 Sify Limited 11492 910 896 Cable One 9498 929 865 BHARTI BT INTERNET LTD. 4323 1066 767 Time Warner Telecom 22773 716 674 Cox Communications, Inc. 8151 849 646 UniNet S.A. de C.V. 19262 792 608 Verizon Global Networks 17488 584 564 Hathway IP Over Cable Interne 5668 568 549 CenturyTel Internet Holdings, 6197 1022 522 BellSouth Network Solutions, 19916 568 514 OLM LLC 7545 564 490 TPG Internet Pty Ltd 855 558 485 Canadian Research Network 18101 511 484 Reliance Infocom Ltd Internet 15270 498 464 PaeTec.net -a division of Pae 11830 482 463 Instituto Costarricense de El 4766 760 448 Korea Telecom (KIX) List of Unregistered Origin ASNs (Global) ----------------------------------------- Bad AS Designation Network Transit AS Description 23456 UNALLOCATED 203.10.62.0/24 1221 Telstra Pty Ltd 24410 UNALLOCATED 203.119.28.0/24 4134 CHINANET-BACKBONE 24409 UNALLOCATED 203.119.29.0/24 9808 Guangdong Mobile Com 65313 PRIVATE 203.184.140.0/24 9304 Hutchison Telecom (H Advertised Unallocated Addresses -------------------------------- Network Origin AS Description 7.1.1.0/24 1239 Sprint 116.0.0.0/24 12654 RIPE NCC RIS Project 116.50.0.0/21 12654 RIPE NCC RIS Project 116.255.0.0/16 12654 RIPE NCC RIS Project 117.0.0.0/24 12654 RIPE NCC RIS Project 117.50.0.0/21 12654 RIPE NCC RIS Project 117.255.0.0/16 12654 RIPE NCC RIS Project 118.0.0.0/24 12654 RIPE NCC RIS Project 118.50.0.0/21 12654 RIPE NCC RIS Project 118.255.0.0/16 12654 RIPE NCC RIS Project 119.0.0.0/24 12654 RIPE NCC RIS Project 119.50.0.0/21 12654 RIPE NCC RIS Project 119.255.0.0/16 12654 RIPE NCC RIS Project 120.0.0.0/24 12654 RIPE NCC RIS Project 120.50.0.0/21 12654 RIPE NCC RIS Project 120.255.0.0/16 12654 RIPE NCC RIS Project 132.0.0.0/10 721 DLA Systems Automation Center 137.0.0.0/13 721 DLA Systems Automation Center 158.0.0.0/13 721 DLA Systems Automation Center 172.33.1.0/24 7018 AT&T WorldNet Services 180.190.0.0/16 24003 JUBILANT ORGANOSYS LTD., INDI 192.0.10.0/24 9498 BHARTI BT INTERNET LTD. 192.44.0.0/24 5501 Fraunhofer Gesellschaft 192.44.0.0/19 702 UUNET - Commercial IP service 192.70.164.0/24 25689 National Research Council of 192.153.136.0/21 721 DLA Systems Automation Center 192.172.0.0/19 721 DLA Systems Automation Center Number of prefixes announced per prefix length (Global) ------------------------------------------------------- /1:0 /2:0 /3:0 /4:0 /5:0 /6:0 /7:0 /8:19 /9:10 /10:13 /11:32 /12:117 /13:230 /14:412 /15:811 /16:9126 /17:3652 /18:5948 /19:12921 /20:14539 /21:12987 /22:16561 /23:17804 /24:111456 /25:626 /26:448 /27:360 /28:66 /29:39 /30:90 /31:0 /32:33 Advertised prefixes smaller than registry allocations ----------------------------------------------------- ASN No of nets Total ann. Description 18566 969 986 Covad Communications 11492 896 910 Cable One 9583 852 1023 Sify Limited 7018 848 1548 AT&T WorldNet Services 2386 831 1109 AT&T Data Communications Serv 6197 795 1022 BellSouth Network Solutions, 23577 760 774 KRNIC 7011 626 722 Citizens Utilities 9498 587 929 BHARTI BT INTERNET LTD. 4766 569 760 Korea Telecom (KIX) 19916 563 568 OLM LLC 4755 500 1091 Videsh Sanchar Nigam Ltd. Aut 15270 466 498 PaeTec.net -a division of Pae 855 456 558 Canadian Research Network 18101 444 511 Reliance Infocom Ltd Internet 5668 437 568 CenturyTel Internet Holdings, 1239 412 827 Sprint 17488 407 584 Hathway IP Over Cable Interne 33588 400 422 Bresnan Communications, LLC. 6517 388 414 Yipes Communications, Inc. Number of /24s announced per /8 block (Global) ---------------------------------------------- 4:9 7:1 8:62 9:1 12:1661 13:1 15:15 16:3 17:3 18:5 20:36 24:871 25:1 32:55 38:276 40:56 41:61 44:2 47:10 52:4 55:1 56:3 57:24 58:295 59:376 60:199 61:953 62:1037 63:1901 64:3183 65:2312 66:3130 67:708 68:640 69:1722 70:416 71:133 72:1137 73:1 74:138 75:61 76:20 80:819 81:778 82:641 83:346 84:494 85:799 86:435 87:460 88:268 89:754 90:2 91:139 97:1 116:1 117:1 118:1 119:1 120:1 121:129 122:66 123:25 124:551 125:753 128:311 129:219 130:112 131:315 132:49 133:9 134:183 135:44 136:180 137:113 138:190 139:54 140:522 141:135 142:365 143:211 144:266 145:67 146:321 147:138 148:365 149:189 150:114 151:118 152:90 153:119 154:5 155:245 156:166 157:168 158:167 159:147 160:99 161:101 162:227 163:162 164:451 165:239 166:244 167:281 168:493 169:121 170:378 171:15 172:1 189:73 190:351 192:5737 193:3638 194:2913 195:2206 196:920 198:3784 199:3283 200:4610 201:959 202:7129 203:7261 204:3958 205:2095 206:2407 207:2895 208:2405 209:3563 210:2317 211:880 212:1306 213:1422 214:391 215:39 216:4103 217:1180 218:356 219:267 220:854 221:368 222:289 End of report Report Website: http://thyme.apnic.net

15 years, 5 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

apops January 2007