You would deny packets *of those specific protocols* terminating at the
router's interface, but since utilities like traceroute do not use those
four protocols, there would be no effect on them.  The only one of the
four protocols anyone seems to worry about denying *at the router's
interface* is PIM, but as long as PIM support is present in the IOS and
actually being used, you're not vulnerable.  Similarly, if PIM support
is NOT present in the IOS, you're not vulnerable.  The only time PIM is
a problem is if it is present in the IOS but not "turned on", in which
case you might as well block it!

As for Cisco's level of support for this problem - I really do not see
the issue.  They released a workaround that can be applied immediately
with little to no ill effect for the vast majority of their users, AND
they provided a more permanent fix in the form of code that is not
vulnerable.  Exactly what does anyone think is missing?  

On Tue, 2003-07-29 at 04:01, Ghaith Nasrawi wrote:
> Olivir has suggested here denying packets terminating on the router. I'm just
> wondering if that would deny traceroute commands passing through these
> routers?
> 
> As for Wesley, don't you believe that Cisco should be responsible for providing
> a high quality of support to its customers, since they paid $$$$$$$$$$$$$
> 
> 
> ./Ghaith
> ===============
> 
> Today is the tomorrow you worried about yesterday
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Noonan, Wesley [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, July 29, 2003 12:27 AM
> To: '[EMAIL PROTECTED]'; 'Ghaith Nasrawi'
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Cisco Workaround
> 
> I've got to agree with David here. There is no reason that Cisco, or any
> other large company should be expected to provide workarounds that address
> the distinct minority of their install base. They should focus on the
> majority of situations. The workaround they recommended did precisely that.
> I know of no one that is actually using any of the protocols listed in the
> workaround. That's not to say that someone isn't, but that someone is simply
> the very small minority.
> 
> If companies had to worry about stuff like that and make sure that their
> solutions fit every situation without any problems, they would never manage
> to develop anything.
> 
> Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
> Senior QA Rep.
> BMC Software, Inc.
> (713) 918-2412
> [EMAIL PROTECTED]
> http://www.bmc.com
> 
> 
> -----Original Message-----
> From: David Gillett [mailto:[EMAIL PROTECTED] 
> Sent: Monday, July 28, 2003 10:40
> To: 'Ghaith Nasrawi'
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Cisco Workaround
> 
>   They have.  They've been amazingly responsive about providing fixed
> code versions for some frighteningly-old equipment.  The *Workaround*
> is just a quick and dirty fix for those who need some time to schedule 
> the code upgrade installations.
> 
> David Gillett
> 
> 
> > -----Original Message-----
> > From: Ghaith Nasrawi [mailto:[EMAIL PROTECTED]
> > Sent: July 25, 2003 08:33
> > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: RE: Cisco Workaround
> >
> >
> > Well, my question is: what the hell if I were using any of these
> > protocols? Didn't Cisco think of that? They should have suggested a
> > more decent solution.
> >
> >
> > ./Ghaith
> > ===============
> >
> > Today is the tomorrow you worried about yesterday
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> >
> > Sent: Wednesday, July 23, 2003 6:48 PM
> > To: Alvaro Gordon-Escobar
> > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: Cisco Workaround
> >
> > Alvaro,
> >
> > No.  The protocol blocked by the access-list is protocol 53, not
> > protocol TCP or protocol UDP port 53.
> >
> > If you need further info, let me know,
> >
> > -James
> >
> >
> >
> > At 09:15 7/23/2003, Alvaro Gordon-Escobar wrote:
> > >will this access list modification prevent my internal DNS
> > server from
> > >updates to it self from my telco's DNS server?
> > >
> > >access-list 101 deny 53 any any
> > >access-list 101 deny 55 any any
> > >access-list 101 deny 77 any any
> > >access-list 101 deny 103 any any
> > >!--- insert any other previously applied ACL entries here
> > >!--- you must permit other protocols through to allow normal
> > >!--- traffic -- previously defined permit lists will work
> > >!--- or you may use the permit ip any any shown here
> > >access-list 101 permit ip any any
> > >
> > >Thanks in advance
> > >
> > >~alvaro Escobar
> > >
> >
> 
-- 
James V. Fields
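As an added illustration (not part of the thread, and not Cisco's code), the script below emulates the posted access-list 101 on constructed IPv4 packets to show exactly what James' answer means: the ACL matches on the IP header's protocol field (53 = SWIPE, 55 = IP Mobility, 77 = Sun ND, 103 = PIM), never on TCP/UDP ports or TTL. A DNS query to UDP or TCP port 53 and a traceroute UDP probe are therefore permitted, while a raw protocol-53 datagram or a PIM packet is denied. The addresses, payloads and packet names are all constructed for the example; the ACL is evaluated exactly as posted (`any any`), so it says nothing about which interfaces or directions it would be applied to.

```python
import socket
import struct
from dataclasses import dataclass

# IP protocol numbers denied by the workaround ACL quoted in the thread:
#   access-list 101 deny 53 any any   (53  = SWIPE)
#   access-list 101 deny 55 any any   (55  = IP Mobility)
#   access-list 101 deny 77 any any   (77  = Sun ND)
#   access-list 101 deny 103 any any  (103 = PIM)
#   access-list 101 permit ip any any
DENIED_PROTOCOLS = {53, 55, 77, 103}

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


@dataclass
class IPv4Packet:
    ttl: int
    protocol: int
    src: str
    dst: str
    payload: bytes


def build_ipv4(src, dst, protocol, payload, ttl=64):
    """Build a minimal IPv4 datagram; the header checksum is left at zero
    because nothing in this demo verifies it."""
    ver_ihl = (4 << 4) | 5
    header = struct.pack(IPV4_HDR, ver_ihl, 0, 20 + len(payload), 0, 0,
                         ttl, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(pkt):
    """Parse the fixed IPv4 header; rejects non-IPv4 or truncated input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return IPv4Packet(ttl, proto, socket.inet_ntoa(src),
                      socket.inet_ntoa(dst), pkt[ihl:total_len])


def transport_ports(p):
    """Return (sport, dport) for TCP (6) / UDP (17) payloads, else None.
    Only used to show what the ACL does NOT look at."""
    if p.protocol in (6, 17) and len(p.payload) >= 4:
        return struct.unpack("!HH", p.payload[:4])
    return None


def acl_101(pkt):
    """Evaluate the posted ACL: 'deny' if the IP protocol field is one of
    the four, otherwise 'permit'. Ports and TTL are never consulted."""
    p = parse_ipv4(pkt)
    return "deny" if p.protocol in DENIED_PROTOCOLS else "permit"


def udp(sport, dport, data=b""):
    """UDP header (checksum zero) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def sample_packets():
    """Constructed sample traffic (addresses from private/documentation ranges)."""
    src, dst = "10.0.0.5", "192.0.2.1"
    return {
        # DNS query: UDP (17) to port 53 -- this is not IP protocol 53
        "dns_query_udp_port53": build_ipv4(src, dst, 17, udp(40000, 53, b"\x12\x34\x01\x00")),
        # DNS over TCP (6) to port 53, e.g. a zone transfer (SYN only)
        "dns_tcp_port53": build_ipv4(src, dst, 6, struct.pack("!HHIIBBHHH", 40001, 53, 1, 0, 5 << 4, 0x02, 65535, 0, 0)),
        # traceroute probe: UDP to a high port with TTL 1
        "traceroute_udp_ttl1": build_ipv4(src, dst, 17, udp(40002, 33434), ttl=1),
        # ICMP echo request (protocol 1)
        "icmp_echo": build_ipv4(src, dst, 1, b"\x08\x00\xf7\xfd\x00\x01\x00\x01"),
        # raw IP protocol 53 (SWIPE) -- what the ACL line "deny 53" actually means
        "ip_proto_53_swipe": build_ipv4(src, dst, 53, b"\x00" * 8),
        # PIM (protocol 103) hello to the all-PIM-routers group
        "pim_proto_103": build_ipv4(src, "224.0.0.13", 103, b"\x20\x00\xdf\xff"),
    }


def classify_samples():
    """Map each sample name to (verdict, ip protocol, transport ports or None)."""
    result = {}
    for name, pkt in sample_packets().items():
        p = parse_ipv4(pkt)
        result[name] = (acl_101(pkt), p.protocol, transport_ports(p))
    return result


if __name__ == "__main__":
    for name, (verdict, proto, ports) in classify_samples().items():
        print(f"{name:24s} ip-proto={proto:3d} ports={ports} -> {verdict}")
```

Running the script prints one line per sample; the two port-53 samples and the traceroute probe come out as `permit`, and only the protocol-53 and protocol-103 datagrams come out as `deny`, which is the distinction between an IP protocol number and a TCP/UDP port number that the thread turns on.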


