Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
Drew Weaver wrote on 05/08/2021 19:20:
> Yes, in my research I noticed that OS image age has nothing to do with it. Newer images with different trains have it enabled, older images in totally other trains as well.
>
> Also even though it appears to emulate VTY simply configuring the transports doesn't disable it.
>
> I mostly mentioned it because when I did some Googling I noticed it is referenced as being included in IOS XE.
>
> It should be forcibly removed entirely in my opinion.

Looping back on this, Cisco have opened a couple of bug IDs (CSCwa57951 and CSCwa91505), and have (re-)published a blog entry here:

https://blogs.cisco.com/security/router-spring-cleaning-no-mop-required-again

tl;dr: fixes will appear in IOS XE 17.9(1). Until then, "no mop enabled" will be required on a per-interface basis.

Thanks to all in Cisco for getting this on the dev+fix radar!

Nick

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
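The per-interface workaround in the message above can be checked mechanically across saved configurations. The script below is an added example, not code from the thread or from Cisco: it assumes an IOS-style running-config in which a port with MOP turned off carries the literal line `no mop enabled`, and both the `IN_SCOPE` name pattern (which interfaces to audit) and the sample config are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
hostname LAB
!
interface GigabitEthernet0/0/0
 description uplink
 ip address 192.0.2.1 255.255.255.252
 no mop enabled
!
interface GigabitEthernet0/0/1
 description tenant-a
 no ip address
!
interface TenGigabitEthernet0/1/0
 description tenant-b
 mop enabled
!
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
interface Vlan10
 no mop enabled
!
line vty 0 4
 transport input ssh
!
end
"""

# Assumption: audit Ethernet-family ports only; adjust for your platform.
IN_SCOPE = re.compile(r"^(?:\w*Ethernet|\w*GigE)\d", re.IGNORECASE)


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} in file order."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        header = re.match(r"^interface\s+(\S+)", line)
        if header:
            current = blocks.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any top-level command ends the block
    return blocks


def mop_state(lines):
    """'disabled', 'enabled', or 'default' (no MOP line: image default applies)."""
    state = "default"
    for line in lines:
        if line == "no mop enabled":
            state = "disabled"
        elif line == "mop enabled":
            state = "enabled"
    return state


def audit_mop(config):
    """MOP state for every in-scope interface found in the config."""
    return {name: mop_state(lines)
            for name, lines in parse_interfaces(config).items()
            if IN_SCOPE.match(name)}


def remediation(config):
    """Config snippet applying 'no mop enabled' wherever it is not already set."""
    out = []
    for name, state in audit_mop(config).items():
        if state != "disabled":
            out += [f"interface {name}", " no mop enabled"]
    return "\n".join(out)


if __name__ == "__main__":
    for name, state in audit_mop(SAMPLE_CONFIG).items():
        print(f"{name:28} {state}")
    print(remediation(SAMPLE_CONFIG))
```

A port reported as `default` is one where the image's own default decides, which is the case the thread is concerned about on releases before the fix.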
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
By the way anyone trying to actually reproduce/test this just use Debian 10 because they have the DECnet for Linux tools in a deb already and it wouldn't compile on an RPM based system.

-Drew

-----Original Message-----
From: cisco-nsp On Behalf Of Drew Weaver
Sent: Friday, August 6, 2021 12:18 PM
To: 'a...@djlab.com'; 'cisco-nsp'
Subject: Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)

Yes,

Plus consider the fact that if you do a 'show users' it shows up as a VTY connection and if you set transports on your configuration interfaces (console) it ignores that and still works.

-Drew

-----Original Message-----
From: cisco-nsp On Behalf Of Randy (K6RP)
Sent: Friday, August 6, 2021 12:13 PM
To: cisco-nsp
Subject: Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)

For something that is answering by default, where brutes cannot be blocked or ratelimited by CoPP or MLS knobs? Control plane DDoS anyone? What other surprises are in its codes? I'm sure a (hopefully) whitehat would have fun with this one.

---
~Randy (K6RP)

On 08/06/2021 9:00 am, Drew Weaver wrote:
> AAA was unconfigured as I was testing on a lab router.
>
> Whether or not it provides unauthorized access depends on whether you expect anyone that has something connected to that router to have access to the console or not.
>
> At the very least it provides an opportunity and a vector.
>
> It doesn't seem to log anything when you use it, too.
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
Yes,

Plus consider the fact that if you do a 'show users' it shows up as a VTY connection and if you set transports on your configuration interfaces (console) it ignores that and still works.

-Drew

-----Original Message-----
From: cisco-nsp On Behalf Of Randy (K6RP)
Sent: Friday, August 6, 2021 12:13 PM
To: cisco-nsp
Subject: Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)

For something that is answering by default, where brutes cannot be blocked or ratelimited by CoPP or MLS knobs? Control plane DDoS anyone? What other surprises are in its codes? I'm sure a (hopefully) whitehat would have fun with this one.

---
~Randy (K6RP)

On 08/06/2021 9:00 am, Drew Weaver wrote:
> AAA was unconfigured as I was testing on a lab router.
>
> Whether or not it provides unauthorized access depends on whether you expect anyone that has something connected to that router to have access to the console or not.
>
> At the very least it provides an opportunity and a vector.
>
> It doesn't seem to log anything when you use it, too.
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
For something that is answering by default, where brutes cannot be blocked or ratelimited by CoPP or MLS knobs? Control plane DDoS anyone? What other surprises are in its codes? I'm sure a (hopefully) whitehat would have fun with this one.

---
~Randy (K6RP)

On 08/06/2021 9:00 am, Drew Weaver wrote:
> AAA was unconfigured as I was testing on a lab router.
>
> Whether or not it provides unauthorized access depends on whether you expect anyone that has something connected to that router to have access to the console or not.
>
> At the very least it provides an opportunity and a vector.
>
> It doesn't seem to log anything when you use it, too.
>
> -----Original Message-----
> From: Oliver Boehmer (oboehmer)
> Sent: Friday, August 6, 2021 11:48 AM
> To: Gert Doering; Lukas Tribus
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
>
> On Fri, Aug 06, 2021 at 02:00:30PM +0200, Lukas Tribus wrote:
> > I'm no longer putting in hundreds of hours to fight losing battles,
> > which earlier in my career I did:
> > https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140828-CVE-2014-3347
>
> Ensuring that MOP is dead and stays buried might actually be worth a PSIRT effort - any feature that is on-by-default and enables unauthorized access to a device should be worth the fight.
>
> +1, and worth a PSIRT case right away.
> But it doesn't provide unauthorized access, does it? Drew's test showed a password prompt (not sure what the AAA config looked like)..
>
> oli
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
AAA was unconfigured as I was testing on a lab router.

Whether or not it provides unauthorized access depends on whether you expect anyone that has something connected to that router to have access to the console or not.

At the very least it provides an opportunity and a vector.

It doesn't seem to log anything when you use it, too.

-----Original Message-----
From: Oliver Boehmer (oboehmer)
Sent: Friday, August 6, 2021 11:48 AM
To: Gert Doering; Lukas Tribus
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)

On Fri, Aug 06, 2021 at 02:00:30PM +0200, Lukas Tribus wrote:
> I'm no longer putting in hundreds of hours to fight losing battles,
> which earlier in my career I did:
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140828-CVE-2014-3347

Ensuring that MOP is dead and stays buried might actually be worth a PSIRT effort - any feature that is on-by-default and enables unauthorized access to a device should be worth the fight.

+1, and worth a PSIRT case right away.
But it doesn't provide unauthorized access, does it? Drew's test showed a password prompt (not sure what the AAA config looked like)..

oli
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
On Fri, Aug 06, 2021 at 02:00:30PM +0200, Lukas Tribus wrote:
> I'm no longer putting in hundreds of hours to fight losing battles,
> which earlier in my career I did:
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140828-CVE-2014-3347

Ensuring that MOP is dead and stays buried might actually be worth a PSIRT effort - any feature that is on-by-default and enables unauthorized access to a device should be worth the fight.

+1, and worth a PSIRT case right away.
But it doesn't provide unauthorized access, does it? Drew's test showed a password prompt (not sure what the AAA config looked like)..

oli
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
Hi,

On Fri, Aug 06, 2021 at 02:00:30PM +0200, Lukas Tribus wrote:
> I'm no longer putting in hundreds of hours to fight losing battles,
> which earlier in my career I did:
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140828-CVE-2014-3347

Ensuring that MOP is dead and stays buried might actually be worth a PSIRT effort - any feature that is on-by-default and enables unauthorized access to a device should be worth the fight.

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
On Fri, 6 Aug 2021 at 09:59, James Bensley wrote:
> > What is right or technically correct is not always the priority.
>
> This is the job we do, right? (it's the job I do anyway). We find a way to convince the powers that be, that this is a massive security risk for example, or for example that our financial exposure because of this exact feature is 1.21 gigawatts. Not let the uneducated powers that be tell me it's fine to keep this feature they don't understand :)

I need the AM's to focus on the problems that actually do affect the business case (which doesn't always work either), a specific default that I don't like is not that.

What I can do is have TAC file an enhancement request, which is pretty much useless without internal pressure. If you are working for a shop so big that you can throw enhancement requests at them without blinking great, but that depends on how much you are spending I guess.

I'm no longer putting in hundreds of hours to fight losing battles, which earlier in my career I did:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140828-CVE-2014-3347

cheers,
lukas
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
On Thu, 5 Aug 2021 at 22:47, Lukas Tribus wrote:
>
> On Thu, 5 Aug 2021 at 21:49, Nick Hilliard wrote:
> > It has the appearance of a feature which is kept alive because some customer with a huge spend demands it in general-deployment release trains (this is idle speculation and may be completely wrong btw).
>
> More precisely, who (which employee) should be doing this, there is no ROI for pushing such a change, but there is a (tiny) possibility of blowback, in a company that is not exactly a stranger to layoffs.
>
> I don't think there are a lot of rewards for employees for fixing old lingering software problems, if any, *especially* in IOS. It's different if a specific BU is responsible for the code, but generic code from decades ago, the BU responsible for the code path today probably handles a million other things, some of them presumably do actually make money.
>
> What is right or technically correct is not always the priority.

This is the job we do, right? (it's the job I do anyway). We find a way to convince the powers that be, that this is a massive security risk for example, or for example that our financial exposure because of this exact feature is 1.21 gigawatts. Not let the uneducated powers that be tell me it's fine to keep this feature they don't understand :)

Cheers,
James.
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
Hi,

On Thu, Aug 05, 2021 at 10:40:20PM +0200, Lukas Tribus wrote:
> code from decades ago, the BU responsible for the code path today
> probably handles a million other things, some of them presumably do
> actually make money.

Yeah, like invent new license madness...

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
On Thu, 5 Aug 2021 at 21:49, Nick Hilliard wrote:
> It has the appearance of a feature which is kept alive because some customer with a huge spend demands it in general-deployment release trains (this is idle speculation and may be completely wrong btw).

More precisely, who (which employee) should be doing this, there is no ROI for pushing such a change, but there is a (tiny) possibility of blowback, in a company that is not exactly a stranger to layoffs.

I don't think there are a lot of rewards for employees for fixing old lingering software problems, if any, *especially* in IOS. It's different if a specific BU is responsible for the code, but generic code from decades ago, the BU responsible for the code path today probably handles a million other things, some of them presumably do actually make money.

What is right or technically correct is not always the priority.

lukas
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
Drew Weaver wrote on 05/08/2021 18:20:
> It should be forcibly removed entirely in my opinion.

Whatever about it being removed, it definitely shouldn't be enabled by default, and there should be a command to disable it completely on all interfaces.

It has the appearance of a feature which is kept alive because some customer with a huge spend demands it in general-deployment release trains (this is idle speculation and may be completely wrong btw).

Nick
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
Yes, in my research I noticed that OS image age has nothing to do with it. Newer images with different trains have it enabled, older images in totally other trains as well.

Also even though it appears to emulate VTY simply configuring the transports doesn't disable it.

I mostly mentioned it because when I did some Googling I noticed it is referenced as being included in IOS XE.

It should be forcibly removed entirely in my opinion.

-----Original Message-----
From: Nick Hilliard
Sent: Wednesday, August 4, 2021 5:09 PM
To: Drew Weaver
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)

Drew Weaver wrote on 04/08/2021 16:43:
> Sorry for the noise if you are all aware of what MOP is but if you aren't aware of what it is and use Cisco products (especially in a multi-tenant environment) it may be a good idea to read about it and evaluate any impact it may or may not have on your environment.

MOP is one of those services that seems to disappear and reappear on various cisco software versions and trains, almost at random. It would be interesting to know how much of the old DECnet stack is needed to keep this particular fossil alive.

It leaks link-local frames. This is harmful. We don't like it at IXPs.

"no mop enabled" disables it on a per interface basis - this is possibly the only cisco command that uses "enabled" instead of "enable" for this context, i.e. this is very ancient.

Nick
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
Drew Weaver wrote on 04/08/2021 16:43:
> Sorry for the noise if you are all aware of what MOP is but if you aren't aware of what it is and use Cisco products (especially in a multi-tenant environment) it may be a good idea to read about it and evaluate any impact it may or may not have on your environment.

MOP is one of those services that seems to disappear and reappear on various cisco software versions and trains, almost at random. It would be interesting to know how much of the old DECnet stack is needed to keep this particular fossil alive.

It leaks link-local frames. This is harmful. We don't like it at IXPs.

"no mop enabled" disables it on a per interface basis - this is possibly the only cisco command that uses "enabled" instead of "enable" for this context, i.e. this is very ancient.

Nick
Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
Was finally able to build the tools.

    test@server:~# moprc -v -i eno1 00:0f:35:2b:xx:xx
    Maintenance Version: 3.0.0
    Console connected (press CTRL/D when finished)

    Password:
    % Password: timeout expired!
    Password:
    LAB>

You guys might already be aware of this and how nothing is logged at all when it is being used but I wasn't so that is why I am sharing.

-----Original Message-----
From: cisco-nsp On Behalf Of Drew Weaver
Sent: Wednesday, August 4, 2021 11:44 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] TIL: Maintenance Operations Protocol (MOP)

Hello,

Sorry for the noise if you are all aware of what MOP is but if you aren't aware of what it is and use Cisco products (especially in a multi-tenant environment) it may be a good idea to read about it and evaluate any impact it may or may not have on your environment.

Have a nice day =)

-Drew