Cisco IOS Software Releases 12.3 T

Field Notice: FN - 61971 - AutoSecure Bogon Filter Potentially Causes Blackholing of Internet Traffic


Revised December 14, 2005

February 16, 2005

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

Product | Comments
12.2(18)S - 7200 | This feature was integrated into Cisco IOS Release 12.2(18)S.
12.3(1) - 800, 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200, 7301 | This feature was introduced.
12.3(8)T - 1828, 1838 | Support for the roll-back functionality and system logging messages was added to Cisco IOS Release 12.3(8)T.
12.3(M) - 1726, 3637 | -

Problem Description

When the IOS feature AutoSecure is used to lock down a router, a Bogon Filter list can be automatically created and applied to the Internet-facing router interface to block IP packets with spoofed source addresses.

A bogon is an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space that is reserved, but not yet allocated or delegated, by the Internet Assigned Numbers Authority (IANA) or a delegated Internet registry.

The bogon filter list created by AutoSecure is hard-coded into IOS, and hence, is out-of-date with current IANA address space allocations. When this filter list is applied, the potential exists for legitimate Internet traffic to be denied.

The effect will be noticed when Internet traffic sourced from these IP addresses is blocked by the out-of-date bogon filter (access-list), resulting in a traffic blackhole condition. This is further described in the Problem Symptoms section of this Field Notice.

Background

AutoSecure is a one-touch device lockdown process built into Cisco IOS Software that enables network operators to quickly secure a device without having thorough knowledge of all of the Cisco IOS security features.

AutoSecure applies best-practice recommendations from Cisco experts and the US National Security Agency (NSA).

AutoSecure generally applies proper settings to device parameters, creates filters, and enables and disables certain services to protect a router or switch's forwarding, control, and management planes.

AutoSecure, a command-line interface (CLI)-based tool, automates these tasks and eases configuration, thus reducing errors.

Note: Cisco Secure Device Manager (SDM), a Web-based management tool embedded in Cisco routers, also includes a one-touch security lock-down and auditing feature accessible through a GUI.

By clicking one button, network administrators can check a configuration against an AutoSecure configuration for compliance.

One of the features incorporated into AutoSecure is the creation and deployment of a so-called bogon filter. Bogon IP packets are those found on the public Internet that claim to be sourced from IP addresses that are reserved (not yet allocated or delegated) by the Internet Assigned Numbers Authority (IANA) or a delegated Internet registry.

The bogon filter list created by AutoSecure is hard-coded into IOS, and hence, is out-of-date with current IANA address space allocations.

Cisco AutoSecure builds three named extended ACLs for ingress filtering (anti-spoofing):

  • autosec_iana_reserved_block: Denies all IANA reserved IP address blocks.

  • autosec_private_block: Denies RFC 1918 private IP address blocks.

  • autosec_complete_bogon: Denies multicast, class-E, and other IP addresses prohibited for use as source addresses, plus all addresses denied by the first two ACLs listed here.

Note: Although the Cisco AutoSecure user interface refers to the third ACL as autosec_complete_block, in reality, the router creates it as autosec_complete_bogon.

AutoSecure is generally deployed in one of two modes, Interactive mode and Non-interactive mode. When deployed in non-interactive mode, AutoSecure simply creates the above access-lists but does not apply any of them to any of the device interfaces.

In this case, no customer issues should exist. However, when AutoSecure is deployed in the interactive mode, the network administrator is prompted with options to enable and disable different services and security features, including the application of one of the bogon filter lists to the Internet interface of the router.

The following dialog is presented to the network administrator during the AutoSecure interactive session when the bogon filter is created and applied:

Securing Forwarding plane services.. 

 Enabling CEF (it might have more memory requirements on some low end platforms) 
 Configuring the named acls for Ingress filtering 

 autosec_iana_reserved_block: This block may subject to 
 change by iana and for updated list visit 
 www.iana.org/assignments/ipv4-address-space. 

 1/8, 2/8, 5/8, 7/8, 23/8, 27/8, 31/8, 36/8, 37/8, 39/8, 
 41/8, 42/8, 49/8, 50/8, 58/8, 59/8, 60/8, 70/8, 71/8, 
 72/8, 73/8, 74/8, 75/8, 76/8, 77/8, 78/8, 79/8, 83/8, 
 84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 
 94/8, 95/8, 96/8, 97/8, 98/8, 99/8, 100/8, 101/8, 102/8, 
 103/8, 104/8, 105/8, 106/8, 107/8, 108/8, 109/8, 110/8, 
 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 
 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 
 197/8, 201/8 

 autosec_private_block: 
 10/8, 172.16/12, 192.168/16 
 autosec_complete_block: 
 This is union of above two and 
 the addresses of source multicast, class E addresses 
 and addresses that are prohibited for use as source. 
 source multicast (224/4), class E(240/4), 0/8, 169.254/16, 
 192.0.2/24, 127/8. 

 Configuring Ingress filtering replaces the existing 
 acl on external interfaces, if any, with ingress 
 filtering acl. 

 Configure Ingress filtering on edge interfaces? [yes]: 

 [1] Apply autosec_iana_reserved_block acl on all edge interfaces 

 [2] Apply autosec_private_block acl on all edge interfaces 

 [3] Apply autosec_complete_bogon acl on all edge interfaces 
 Enter your selection [3]:

Note that specific notifications are provided to the network administrator during the above portion of the AutoSecure interactive session, indicating that the bogon filter being created is likely out-of-date.

The network administrator is further instructed to visit the IANA web site for updated information. However, no mechanisms are provided through AutoSecure for updating these bogon filters.

Any modifications to these filters would need to be accomplished manually outside of the AutoSecure process. Additional details on these procedures are provided in the Workaround/Solution section of this Field Notice.

Problem Symptoms

When one of the bogon filters is applied to the Internet interface of the device, ingress traffic to that interface will be denied for all source IP addresses that fall within the prefix ranges covered by the bogon filter.

This symptom may occur immediately, or may not be seen upon initial deployment but rather may occur after some period of time.

The timing depends solely on how far the bogon filter hard-coded into IOS has drifted from the current state of IANA address allocations, and on the traffic patterns of the customer's network.

For example, if a high percentage of a customer's traffic accesses resources within now-allocated, but previously reserved, IP address ranges, then that customer will experience a high degree of traffic loss.

How to identify whether you have a problem:

Any customer who has deployed either bogon filter autosec_iana_reserved_block or autosec_complete_bogon may be susceptible to problems.

There are two methods to identify whether either of these access-lists is applied on the device:

Command-line Interface (CLI)

CLI commands can be used to identify what access-lists are present on the device, and of those, which, if any, are applied to interfaces of the device.

Secure Device Manager (SDM)

The SDM graphical user interface (GUI) can be used to identify what access-lists are present on the device, and of those, which, if any, are applied to interfaces of the device.

Using the CLI:

  1. In enable mode, issue the show ip access-list command and note whether either bogon filter autosec_iana_reserved_block or autosec_complete_bogon currently exists on the device.

  2. If one of these access-lists exists, determine if either is currently applied to an interface on the device.

    In enable mode, issue the command show running-config | include access-group and note the output.

    If nothing is returned, no access-lists are currently applied to any interface. If results are returned, note the name of the access-list applied.

    For example:

    Router#show running-config | include access-group 
    
    ip access-group autosec_complete_bogon in 
    

    If either bogon filter autosec_iana_reserved_block or autosec_complete_bogon is displayed, the device is susceptible to problems.

  3. Determine which interface(s) have the access-list applied by issuing the show running-config command and reviewing the output, or by issuing the show ip interface | include Inbound command for each interface on the device.

    For example:

    Router#sh ip interface Serial0/0 | include Inbound 
    Inbound access list is autosec_complete_bogon
    

Using SDM:

SDM is a browser-based GUI management tool for the router, and includes many wizards to simplify router and security configuration. The SDM is included free of charge with many Cisco router platforms and is supported by the same software releases that support AutoSecure.

  1. Launch the SDM application in Internet Explorer.

  2. Click on Configure, then Interfaces and Connections, and then Edit Interface/Connections.

  3. Scroll down through the listed device interfaces and note the status reported in the Details section for Access Rule - inbound. If either bogon filter autosec_iana_reserved_block or autosec_complete_bogon is displayed, the device is susceptible to problems.

Workaround/Solution

There are three workarounds for this issue:

Upgrade to release 12.2(30)S, 12.3(15), 12.4(1), 12.4(2)T, or a later release, or follow one of the two options below to remove or update the access-lists.

The network administrators should make the final determination as to the best solution for their particular situation.

The two approaches are:

Option 1: Delete the bogon filter entirely from the device. This will avoid any future problems with potential network reachability issues. However, this approach reduces the effectiveness of the full set of best practices for router security and leaves it susceptible to spoofed source attacks.

Option 2: Update the bogon filter as recommended in the Cisco AutoSecure documentation, and reapply the filter to the device.

This will alleviate any current network reachability issues and adhere to best practices for router security. However, this still leaves open the possibility for future issues as new address blocks are allocated. Future maintenance of this same nature will need to be ongoing.

Solutions:

After determining which of the above two options to take, the network administrator should decide whether to use the command line interface (CLI) or the Router and Security Device Manager (SDM) to make the desired changes to the device or devices.

Using the CLI for Option 1:

  1. Enter enable mode, then config mode.

    Router>enable 
    Password: 
    Router#config t 
    

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#

  2. Enter interface config mode for the interface on which the bogon filter is applied.

    Router(config)#interface Serial0/0 
    Router(config-if)# 
    
  3. Remove the bogon filter from the interface (using the appropriate access-list name)

    Router(config-if)#no ip access-group autosec_complete_bogon in 
    
  4. Exit the interface config mode.

    Remove the bogon filter from the router configuration.

    Note: this step is optional.

    This will prevent someone from inadvertently reapplying the bogon filter in the future.

    Router(config-if)#exit 
    Router(config)#no ip access-list extended autosec_complete_bogon 
    Router(config)#no ip access-list extended autosec_iana_reserved_block 
    
  5. Exit config mode. Save the configuration to memory.

    Router(config)#exit 
    Router#copy running-config startup-config 
    

Using the CLI for Option 2:

  1. If Option 2 is selected, the network administrator will first need to determine the current status of allocated IP addresses. The latest information may be obtained at http://www.iana.org/assignments/ipv4-address-space and should be consulted on a periodic basis if this option is chosen.

  2. Determine which bogon filter entry to remove. Enter config mode.

    Remove the appropriate bogon filter entry.

    For example:

    Router#config t 
    

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#ip access-list extended autosec_complete_bogon 
    Router(config-ext-nacl)#no deny ip 71.0.0.0 0.255.255.255 any 
    Router(config-ext-nacl)#exit 
    Router(config)#ip access-list extended autosec_iana_reserved_block 
    Router(config-ext-nacl)#no deny ip 71.0.0.0 0.255.255.255 any 
    Router(config-ext-nacl)#exit 
    Router(config)# 
    
  3. Exit config mode.

    Save the configuration to memory.

    Router(config)#exit 
    Router#copy running-config startup-config 
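
An added audit script (not Cisco's code) that covers both the CLI identification steps above and the Option 2 removal: it parses a constructed running-config excerpt, reports which interfaces have an AutoSecure bogon ACL applied inbound, and emits the "no deny" lines for entries whose /8 now appears in a constructed sample list of allocated blocks (in practice that list is taken from the IANA registry referenced in step 1).

```python
import ipaddress
import re

BOGON_ACLS = {"autosec_iana_reserved_block", "autosec_complete_bogon"}

# Constructed running-config excerpt in the shape AutoSecure produces.
SAMPLE_CONFIG = """\
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group autosec_complete_bogon in
interface FastEthernet0/0
ip access-list extended autosec_complete_bogon
 deny   ip 1.0.0.0 0.255.255.255 any
 deny   ip 71.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 permit ip any any
"""
# Constructed sample of blocks allocated since the list was hard-coded (the
# real registry is www.iana.org/assignments/ipv4-address-space).
NOW_ALLOCATED = ["71.0.0.0/8"]


def bogon_interfaces(config):
    """Map each interface to the AutoSecure bogon ACL applied inbound on it."""
    found, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s*ip access-group (\S+) in$", line)) and current:
            if m.group(1) in BOGON_ACLS:
                found[current] = m.group(1)
    return found


def stale_deny_lines(config, acl_name, allocated):
    """Return 'no deny ...' commands for ACL entries covering now-allocated space."""
    allocated = [ipaddress.ip_network(a) for a in allocated]
    cmds, in_acl = [], False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == acl_name
        elif in_acl and (m := re.match(r"\s*deny\s+ip (\S+) (\S+) any", line)):
            addr, wildcard = m.groups()
            # IOS wildcard: 1 bits are host bits, so prefix = 32 - bit_length(wildcard)
            host_bits = int(ipaddress.ip_address(wildcard)).bit_length()
            net = ipaddress.ip_network(f"{addr}/{32 - host_bits}")
            if any(net.overlaps(a) for a in allocated):
                cmds.append("no " + " ".join(line.split()))
    return cmds
```

The emitted commands are entered under the matching ip access-list extended stanza, as in step 2 above; run the audit for both autosec_complete_bogon and autosec_iana_reserved_block, since both carry the same /8 entries.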
    

Using SDM for Option 1:

  1. Launch the SDM application in Internet Explorer.

  2. Click on Configure, then Interfaces and Connections, and then Edit Interface/Connections.

  3. Click on the interface to which the bogon filter autosec_iana_reserved_block or autosec_complete_bogon is applied.

  4. Double-click on the Access Rule - inbound line in the Details section. This will bring up the Interface Feature Edit Dialog box. Click on the Association tab.

  5. Within the Interface Feature Edit Dialog box, click on the drop-down for the Inbound Access Rule section and clear the access list (either autosec_iana_reserved_block or autosec_complete_bogon) from the list. When prompted, click "Ok" to complete the change.

Note: It is not possible to completely delete the access-lists generated by AutoSecure from the device using SDM. SDM considers these access-lists as Externally Defined Rules. Externally Defined Rules cannot be directly deleted from within SDM.

In order to delete these access-lists from the device, the CLI method must be used. These access-lists may be modified, as shown in SDM Option 2 below.

Using SDM for Option 2:

SDM is a browser-based GUI management tool for the router, and includes many wizards to simplify router and security configuration.

The SDM is included free-of-charge with many Cisco router platforms and is supported by the same software releases that support AutoSecure.

  1. If Option 2 is selected, the network administrator will first need to determine the current status of allocated IP addresses.

    The latest information may be obtained at http://www.iana.org/assignments/ipv4-address-space and should be consulted on a periodic basis if this option is chosen.

  2. Launch the SDM application in Internet Explorer.

  3. Click on Configure, then Interfaces and Connections, and then Edit Interface/Connections.

  4. Click on the interface to which the bogon filter autosec_iana_reserved_block or autosec_complete_bogon is applied.

  5. Double-click on the Access Rule - inbound line in the Details section. This will bring up the Interface Feature Edit Dialog box. Click on the Association tab.

  6. Within the Interface Feature Edit Dialog box, click on the drop-down for the Inbound Access Rule, which should already contain either autosec_iana_reserved_block or autosec_complete_bogon, and choose Select an existing rule (ACL). This will bring up the Select a Rule dialog box.

  7. From the Select a Rule dialog box, double-click on the access-list name, either autosec_iana_reserved_block or autosec_complete_bogon. This will bring up the Edit a rule dialog box.

  8. Scroll through the Edit a rule dialog box and locate the appropriate bogon filter rule to delete. Highlight this entry, and click on the Delete button. Click "Yes" when prompted to confirm deleting the rule entry.

  9. Make any additional rule changes as necessary.

  10. Click OK on the Edit a rule dialog box. When prompted, click "Ok" to complete the change.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS | Description
CSCsa55321 (registered customers only) | Autosecure bogon filters cause connectivity problems

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.