> Andrew Koch wrote:
> > PS: I made some sysctl tweaks on the linux machine to behave a little
> > more nice but still I see a bug here.
>
> We did the same while waiting for the SMU. The SMU should not be needed
> for 4.3.2 - the "arp learning local" interface command should be built-in,
> so hopefully you are good to go.
>
> Our biggest concern over this incident was receiving malicious ARPs on
> transit and peering links that have routes to large swaths of the network.
> If the route goes away, the ARP will be retained for long periods and the
> router will black-hole traffic until that clears. Cisco PSIRT evaluated
> the concern but evaluated it as a fairly concern.
After insisting that learning out-of-subnet ARP entries was a severe bug,
we today got this response:
"[...] as I explained before the default (intended) behaviour for IOS-XR
(till this moment ) is to accept out-of-subnet ARP requests."
So okay - IOS-XR is "Broken by Design" and it's intended to be like this. Just
to continue:
"Please be informed that, IOS-XR behaviour will be changed starting
with 5.1.2 and 5.2.0 to have "arp learning local" as a default
behaviour."
Okay - So we "Broke it by Design" and you may be a happy customer that
we fix it for you 2 years later. Huh?
3.x was okay - 4.1 was okay - 4.3 broke it and now 5.1/5.2 fixes it.
Flo
--
Florian Lohoff [email protected]
_______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
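The out-of-subnet ARP learning discussed in this thread is easy to audit from the router's ARP table: any dynamic entry whose address does not fall inside the connected subnet of the interface it was learned on should not be there. The following is an added example (not from the thread or from Cisco); the `show arp` table layout and the interface subnets are constructed assumptions, so adjust the parser to your platform's actual output.

```python
import ipaddress
import re

# Constructed sample modelled on "show arp" output; the column layout is an
# assumption for this example, not output captured from a real IOS-XR box.
SAMPLE_ARP = """\
Address         Age        Hardware Addr   State      Type  Interface
192.0.2.1       00:01:23   0011.2233.4455  Dynamic    ARPA  GigabitEthernet0/0/0/0
192.0.2.2       -          0011.2233.4466  Interface  ARPA  GigabitEthernet0/0/0/0
198.51.100.7    00:12:05   0011.2233.4477  Dynamic    ARPA  GigabitEthernet0/0/0/0
203.0.113.9     00:00:41   0011.2233.4488  Dynamic    ARPA  GigabitEthernet0/0/0/1
"""

# Hypothetical interface addressing (what the interface configuration says).
INTERFACE_SUBNETS = {
    "GigabitEthernet0/0/0/0": ipaddress.ip_network("192.0.2.0/30"),
    "GigabitEthernet0/0/0/1": ipaddress.ip_network("203.0.113.8/30"),
}

# Six whitespace-separated columns; the header row has seven and is skipped.
ARP_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_arp(text):
    """Yield (address, state, interface) for each data row of the table."""
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m or m.group(1) == "Address":
            continue
        addr, _age, _mac, state, _typ, ifname = m.groups()
        yield ipaddress.ip_address(addr), state, ifname


def out_of_subnet_entries(text, subnets):
    """Return dynamically learned ARP entries whose address lies outside the
    connected subnet of the interface they were learned on."""
    bad = []
    for addr, state, ifname in parse_arp(text):
        net = subnets.get(ifname)
        if state == "Dynamic" and net is not None and addr not in net:
            bad.append((str(addr), ifname))
    return bad


if __name__ == "__main__":
    for addr, ifname in out_of_subnet_entries(SAMPLE_ARP, INTERFACE_SUBNETS):
        print(f"out-of-subnet ARP entry {addr} on {ifname}")
```

Run against the sample it reports only 198.51.100.7 on GigabitEthernet0/0/0/0; the interface's own entry and in-subnet neighbours are left alone.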
