CISCO 0-day exploits

sronan at ronan-online.com
Tue Feb 11 15:36:04 UTC 2020


Large operators have very little to gain from calling out the equipment suppliers. In my personal experience large operators are already getting custom code builds based on their exact requirements, which include disabling many of the “standard” features they don’t use.

Sent from my iPhone

> On Feb 11, 2020, at 9:48 AM, Ahmed Borno <amaged at gmail.com> wrote:
> 
> 
> Being realistic, as you mentioned, these vendors do not have the right incentive. 
> 
> That's one thing that operators can do, and maybe it should be a recurring theme at NANOG: calling out vendors to put some sanity and logic into how iACLs and CoPP are handled. They can do a lot if they cared to spend some $ on being creative, maybe a BoF for this specific topic. 
> 
> Creativity in the form of ways to avoid the fragile stacks and L3 packet of death. They can even separate the Mgmt plane from the Control plane if they are serious about it, they can enforce iACLs on Mgmt interfaces, they can have logic to validate packets before they are processed, and to be fair, this needs to happen in the existing install base too, not only the new ones. I am trying to say that if they can't hire skilled programmers then they should show innovation around the most vulnerable part of their code... the trusting nature of protocols.
> 
> P.S.: How many junior network engineers care to turn on authentication on L2 segments? 
> 
> ~A
> 
>> On Tue, Feb 11, 2020 at 6:24 AM Saku Ytti <saku at ytti.fi> wrote:
>> On Tue, 11 Feb 2020 at 16:09, Ahmed Borno <amaged at gmail.com> wrote:
>> 
>> > Sorry for the sad tone, I just wish network operators would find a way to challenge these vendors and call out their less-than-optimal quality.
>> 
>> It's hard, TINA. We can talk about white label, but at the end of the
>> day, that box is just as proprietary as the rest of them, because you
>> can't buy BRCM and make it open. It's like the 90s of Linux: GPUs and NICs
>> were not supported, because vendors thought the specs were their
>> secret sauce.
>> When some vendor finally releases full specs on GitHub, including a P4
>> compiler target for their chip, and will sell the chip on their web site in
>> single units at x USD, we may start to see some real progress; we can start
>> building an open source NOS with data planes.
>> 
>> Maybe INTC could start the revolution with Tofino. Ship PCI cards with
>> Tofino and a few 100GE ports (local switching support) and open it up
>> entirely. Maybe JNPR could ship Trio PCI cards, why not, it's not like
>> they have a lot to lose, considering terrible market performance.
>> 
>> 
>> -- 
>>   ++ytti
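Added illustration (editor's example, not configuration posted by anyone on this thread) of the three controls Ahmed asks vendors and operators to take seriously: an infrastructure ACL that protects the router's own addresses without touching transit, a CoPP policy that rate-limits what is punted to the route processor, and Management Plane Protection that confines management sessions to one interface. All prefixes, peer addresses, interface names and policer rates below are assumptions for a generic Cisco IOS router; 192.0.2.0/24 stands in for the infrastructure block, 198.51.100.0/24 for the NOC, and 203.0.113.0/24 for the customer-facing link.

```cisco
! --- Infrastructure ACL (iACL) -------------------------------------------
! Applied inbound on edge interfaces. Only traffic *destined to* the
! router's own infrastructure addresses is filtered; transit is untouched.
! Addresses are assumed example values.
ip access-list extended IACL
 remark eBGP peer (assumed 203.0.113.2) to our link address (assumed 203.0.113.1)
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 203.0.113.1
 remark NOC (assumed 198.51.100.0/24) may manage the box
 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
 permit udp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq snmp
 remark ICMP needed for PMTUD and troubleshooting
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 remark anything else aimed at infrastructure is dropped and logged
 deny ip any 192.0.2.0 0.0.0.255 log
 remark transit traffic passes through
 permit ip any any
!
interface TenGigabitEthernet0/0/0
 description customer-facing edge (assumed interface)
 ip access-group IACL in
!
! --- Control Plane Policing (CoPP) ---------------------------------------
! Classifies punted traffic and polices each class so that a flood of one
! protocol cannot starve the others or the RP itself. Rates are placeholders
! and are platform-dependent.
ip access-list extended COPP-ROUTING
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 203.0.113.1
 permit ospf any any
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
policy-map COPP
 class COPP-ROUTING
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 500000 conform-action transmit exceed-action drop
 class COPP-ICMP
  police 100000 conform-action transmit exceed-action drop
 class class-default
  police 50000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! --- Management Plane Protection (MPP) -----------------------------------
! Management sessions are accepted only on the named interface (assumed
! GigabitEthernet0), regardless of what the iACL permits elsewhere.
control-plane host
 management-interface GigabitEthernet0 allow ssh snmp
```

Two points are easy to get wrong. The iACL must end with `permit ip any any` after the infrastructure `deny`, otherwise customer transit traffic is dropped; and the CoPP routing class is deliberately policed with `exceed-action transmit` so a burst of legitimate BGP updates is never discarded, while the management, ICMP and default classes are hard-limited. Check counters with `show policy-map control-plane` after applying, and validate the iACL against a real packet capture before trusting it in production.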