Guest

Cisco Carrier Routing System

Field Notice: FN - 62649 - IOS-XR CRS, XR12K - Certificate of Software Authenticate Expiry is January 18, 2007 - IOS-XR Refresh (Download) is Required for All New Image Installations


Revised January 17, 2007

January 12, 2007

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

Products Affected

Comments

IOS-XR

All releases and SMUs are affected

Problem Description

All IOS-XR releases including PIEs and SMUs downloaded from CCO before January 12, 2007 were signed with a Certificate of Authentication that expires on January 18, 2007. Any attempt to perform an 'install add' for any of these images, PIEs or SMUs after Jan 18, 2007 will fail.

This affects the CRS-1 and the XR12k Platforms.

  1. IOS-XR Software images, PIEs/SMUs already installed on the router are not impacted, and this issue will not have any impact on network services. No further action is necessary on an active router.

  2. All locally stored or archived images/SMUs (.pie files), which have been downloaded before January 12, 2007, will need to be replaced with fresh copies from CCO.

Note:

-VM images for Turbobooting a system are not affected.

-ROMMON files are not affected.

Background

Background Questions and Answers:

Q1) What are Certificates used for, and why do they have an expiry date?

A1) Certificates are needed in order to validate that an image has come from a trusted source (Cisco), so security is maintained. Every Certificate has a valid starting and ending period. This is needed for checking image usefulness, and for the ability to stamp image security events, such as compromise and corruption.

Q2) When will IOS-XR Software with the new certificate be available?

A2) All IOS-XR releases including SMUs on CCO have been reposted with the new certificate and are currently available (as of January 12, 2007).

Note: IOS-XR image (with the new certificate) re-posting to CCO occurred between January 9th and January 12th, 2007. The following Releases have posting dates that are shown correctly.

3.2.3

3.2.4

3.2.6

3.3.0

3.3.1

The re-posting dates for the following two releases are not shown correctly on CCO. These releases include the updated certificate, and they are fine to download:

3.3.2 - Posting date shown is October 31, 2006. Actual re-certified image posting was on January 11, 2007.

3.4.0 - Posting date shown is October 31, 2006. Actual re-certified image posting was on January 11, 2007.

The SMU posting dates shown on CCO are all correct. They were all re-posted with the updated certificates between January 10 and January 12, 2007.

Q3) Can an older IOS-XR software image which was downloaded before January 12, 2007 be upgraded with a new PIE/SMU (reload or non-reload) posted on or after January 12, 2007?

A3) Yes. A PIE/SMU image downloaded on January 12, 2007 or later will have a new certificate, which will install correctly.

Q4) What changes were made on the reposted IOS-XR images?

A4) The image itself has not been recompiled, just re-signed with the new certificate. The certificate and therefore MD5 hash of the file will change. The code itself and the filename will not change.

Q5) Are the certificates built into the PIE/SMU at compile time, or are they added as a wrapper to the pre-compiled object code?

A5) The Certificate is added to the image/pie after the build is done. The binary remains untouched and is not recompiled.

Q6) Is there any way to identify the validity date of a file's certificate outside of using IOS XR?

A6) No - the show install pie-info command from an IOS-XR based router can be used to validate the certificate expiry date. Apart from that, use the MD5 hash or byte difference to confirm the identity of the file. There is byte difference between old and re-certified pies. Issue the cmp -l command to view the differences.

Q7) Is there any impact to a platform running IOS-XR, which has been installed with PIEs/SMUs files downloaded before January 12, 2007?

A7) No. The certificate check is only conducted during an install add operation. PIEs and SMUs added with the install add operation before the expiry date can still be activated/deactivated/removed. Reloading or using the install rollback operation won't have any impact.

Q8) Is there any change in the certificate generation/expiry process moving forward?

A8) There will now be an annual certificate re-generation for all new IOS-XR software, and each validity period will last for 4-5 years from the annual generation of the certificate.

Q9) When will the new certificate expire?

A9) Any image downloaded on January 12, 2007 or later will expire on November 3, 2011 or later.

Problem Symptoms

Example of error messages which occur during the install add operation when the certificate is expired:

RP/0/RP0/CPU0:CRS(admin)#install add /tftp://172.333.1.1/hfr-mpls-p.pie-3.3.1 
Install operation 35 ' 
(admin) install add /tftp://172.333.1.1/hfr-mpls-p.pie-3.3.1' started by user 'cisco' via CLI at 12:09:08 PST Wed Jan 31 2007. 
The install operation will continue asynchronously. 
RP/0/RP0/CPU0:Jan 31 12:09:18.403 : instdir[199]: 
%INSTALL-INSTMGR-3-INSTALL_OPERATION_USER_ERROR : User error occurred during install operation 35. See 'show install log 35' for more information. 
RP/0/RP0/CPU0:Jan 31 12:09:18.411 : instdir[199]: 
%INSTALL-INSTMGR-6-INSTALL_OPERATION_FAILED : Install operation 35 failed 
Error: Cannot proceed with the add operation because the code signing 
Error: certificate has expired. 
Error: Suggested steps to resolve this: 
Error: - check the system clock using 'show clock' (correct with 'clock 
Error: set' if necessary). 
Error: - check the pie file was built within the last 5 years using 'show

Workaround/Solution

Solution:

  1. IOS-XR Software images, PIEs/SMUs already installed on the router are not impacted, and this issue will not have any impact on network services. No further action is necessary on an active router.

  2. Prior to "installing" any IOS-XR Software image/SMU (.pie files) on the router, download and install the latest version of Software from CCO (which will contain a new certificate). All images downloaded on January 12, 2007 or later have a new certificate.

  3. Replace all locally stored or archived images/SMUs (.pie files) with fresh copies from CCO.

CCO IOS-XR Software Selector (registered customers only)

CCO IOS-XR SMU Downloads (registered customers only)

Contact TAC or Advanced Services for any assistance needed to obtain the appropriate PIEs/SMUs.

How To Identify Software Levels

How to identify the expiration date of the pie/SMU:

Note: IOS-XR images downloaded after January 12, 2007 will have the November 3, 2011 or later expiry date.

Note: Please use the show install pie-info command from a router running 3.3.0 or later to view the expiry date. File size, MD5, and checksum changes can be used to identify new images for routers using IOS-XR Releases earlier than 3.3.0.

RP/0/RP0/CPU0:CRS(admin)#show install pie-info /tftp://172.333.1.1/comp-hfr-mini.pie-3.3.1 

Contents of pie file 'tftp://172.333.1.1/comp-hfr-mini.pie-3.3.1': 
Expiry date : Jan 18, 2007 18:55:56 PST 
Uncompressed size : 181111534 

comp-hfr-mini-3.3.1 
hfr-rout-3.3.1 
hfr-lc-3.3.1 
hfr-fwdg-3.3.1 
hfr-admin-3.3.1 
hfr-base-3.3.1 
hfr-os-mbi-3.3.1 

How to identify installed active PIEs for refreshing/re-downloading:

RP/0/RP1/CPU0:CRS8#show install active 

Node 0/RP0/CPU0 [RP] [SDR: Owner] 
Boot Image: /disk0/hfr-os-mbi-3.3.1.CSCsf23465-1.0.0/mbihfr-rp.vm 
Active Packages: 
disk0:hfr-diags-3.3.1.CSCsf07452-1.0.0 
disk0: hfr-diags-3.3.1 
disk0:hfr-mgbl-3.3.1 
disk0:hfr-mpls-3.3.1 
disk0:hfr-base-3.3.1.CSCsg40006-1.0.0 
disk0:comp-hfr-3.3.1.CSCsf23465-1.0.0 
disk0:comp-hfr-mini-3.3.1 

How to identify installed active SMUs for refreshing/re-downloading:

RP/0/RP1/CPU0:CRS8#show install active 

Node 0/RP0/CPU0 [RP] [SDR: Owner] 
Boot Image: /disk0/hfr-os-mbi-3.3.1.CSCsf23465-1.0.0/mbihfr-rp.vm 
Active Packages: 
disk0:hfr-diags-3.3.1.CSCsf07452-1.0.0 
disk0:hfr-diags-3.3.1 
disk0:hfr-mgbl-3.3.1 
disk0:hfr-mpls-3.3.1 
disk0:hfr-base-3.3.1.CSCsg40006-1.0.0 
disk0:comp-hfr-3.3.1.CSCsf23465-1.0.0 
disk0:comp-hfr-mini-3.3.1 

Revision History

Revision

Date

Comment

1.2

17-JAN-2007

Changed the word "Turbobacking" to "Turbobooting" in the Problem Description section.

Completely rewrote the Q & A in the Background section.

Added "to view the expiry date. File size, MD5, and checksum changes can be used to identify new images for routers using IOS-XR Releases earlier than 3.3.0." to the second note in the How to Identify Software Levels section.

1.1

15-JAN-2007

Added IOS-XR to the Products Affected table.

1.0

12-JAN-2007

Initial Public Release

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.