Table Of Contents
Release Notes for Cisco 1700 Series Routers for Cisco IOS Release 12.3(4)XQ1
Determining the Software Version
Upgrading to a New Software Release
New Software Features in Release 12.3(4)XQ
MGCP-Controlled Backhaul of BRI Signaling in Conjunction with Cisco CallManager
Hookflash and DTMF Relay Transfer
Cisco Survivable Remote Site Telephony 3.1
New Software Features in Release 12.3(4)T
Resolved Caveats - Release 12.3(4)XQ1
Cisco IOS Software Documentation Set
Cisco IOS Release 12.3 Documentation Set Contents
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco 1700 Series Routers for Cisco IOS Release 12.3(4)XQ1
February 16, 2005
Contents
•
Cisco Product Security Overview
•
•
System Requirements
This section describes the system requirements for Cisco IOS Release 12.3(4)XQ1 and includes the following sections:
•
•
Memory Requirements
Table 1 and Table 2 describe the memory requirements for the Cisco IOS feature sets supported by the Cisco IOS Release 12.3(4)XQ1 on the Cisco 1700 series routers.
Hardware Supported
Cisco IOS Release 12.3(4)XQ1 supports the following Cisco 1700 series routers:
•
•
•
•
•
•
•
The Cisco 1701, Cisco 1710, Cisco 1711, Cisco 1712, and Cisco 1721routers run only data images. The Cisco 1751, Cisco 1751-V, and Cisco 1760 routers run data or data-and-voice images, providing digital and analog voice support. The Cisco 1711 and Cisco 1712 routers run select IP Security (IPSec) Triple Data Encryption Standard (3DES) images only (the Cisco 1700 IOS IP/ADSL/IPX/AT/IBM/FW/IDS PLUS IPSEC 3DES, the Cisco 1700 IOS IP/ADSL/FW/IDS PLUS IPSEC 3DES, the Cisco 1700 IOS ADVANCED SECURITY, and the Cisco 1700 IOS ADVANCED ENTERPRISE SERVICES images).
For descriptions of existing hardware features and supported modules, see the hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 1700 series routers, which are available on Cisco.com at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/1700/index.htm
This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:
Technical Documentation: Routers: Modular Access Routers: Cisco 1700 Series Routers: <platform_name>
Determining the Software Version
To determine which version of Cisco IOS software is currently running on your Cisco 1700 series router, log in to the router and enter the show version command. The following sample output from the show version command indicates the version number.
router> show versionCisco IOS Software, C1700 Software (C1700-Y7-MZ), Version 12.3(4)XQ, RELEASE SOFTWARE (fc1)Synched to technology version 12.3(7.3)TUpgrading to a New Software Release
For general information about upgrading to a new software release, refer to the Software Installation and Upgrade Procedures located at http://www.cisco.com/warp/public/130/upgrade_index.shtml.
Feature Set Tables
The Cisco IOS software is packaged in feature sets consisting of software images, depending on the platform. Each feature set contains a specific set of Cisco IOS features. Release 12.3(4)XQ1 includes the same feature sets supported by the Cisco 1700 series routers as Releases 12.3 and 12.3(4)T, and Release 12.3(4)XQ. There are no new features in Release 12.3(4)XQ1.
Caution
Table 3 through Table 5 list the feature and feature sets supported in the Cisco IOS Release 12.3(4)XQ1.
The tables use the following conventions:
•
•
•
Note
Table 3 Feature List by Cisco 1700 Legacy Feature Set for Cisco 1751, 1751-V, and 1760 Routers
FW/IDS PLUS IPSEC 3DESMGCP-Controlled Backhaul of BRI Signaling in Conjunction with Cisco CallManager
12.4(11)XJ
Yes
Yes
Yes
Hookflash and DTMF Relay Transfer
12.4(11)XJ
Yes
Yes
Yes
Warm Reload
12.4(11)XJ
Yes
Yes
Yes
Cisco CallManager Express 3.11
12.3(7)T
Yes
Yes
Yes
Cisco Survivable Remote Site Telephony 3.12
12.3(7)T
Yes
Yes
Yes
1 The Cisco CallManager Express 3.1 feature is supported in Cisco IOS Release 12.3(7)T in addition to Cisco IOS Release 12.3(4) XQ. We recommend using Cisco CallManager Express 3.1 with Cisco IOS Release 12.3(7)T on the Cisco 1751, 1751-V, and 1760 routers.
2 The Cisco Survivable Remote Site Telephony 3.1 feature is supported in Cisco IOS Release 12.3(7)T in addition to Cisco IOS Release 12.3(4) XQ. We recommend using Cisco Survivable Remote Site Telephony 3.1 with Cisco IOS Release 12.3(7)T the Cisco 1751, 1751-V, and 1760 routers.
Table 4 Feature List by Cisco 1700 Legacy Feature Set for Cisco 1721, 1751, 1751-V, and 1760 Routers
IBM PLUS
IDS PLUS IPSEC 3DESMGCP-Controlled Backhaul of BRI Signaling in Conjunction with Cisco CallManager
12.4(11)XJ
No
No
No
No
No
No
Hookflash and DTMF Relay Transfer
12.4(11)XJ
No
No
No
No
No
No
Warm Reload
12.4(11)XJ
Yes
Yes
Yes
Yes
Yes
Yes
Cisco CallManager Express 3.11
12.3(7)T
No
No
No
No
No
No
Cisco Survivable Remote Site Telephony 3.12
12.3(7)T
No
No
No
No
No
No
1 The Cisco CallManager Express 3.1 feature is supported in Cisco IOS Release 12.3(7)T in addition to Cisco IOS Release 12.3(4) XQ. We recommend using Cisco CallManager Express 3.1 with Cisco IOS Release 12.3(7)T on the Cisco 1751, 1751-V, and 1760 routers.
2 The Cisco Survivable Remote Site Telephony 3.1 feature is supported in Cisco IOS Release 12.3(7)T in addition to Cisco IOS Release 12.3(4) XQ. We recommend using Cisco Survivable Remote Site Telephony 3.1 with Cisco IOS Release 12.3(7)T the Cisco 1751, 1751-V, and 1760 routers.
Table 5, Part 1 Feature List by Cross-Platform Feature Set for Cisco 1701, 1711, 1712, 1721, 1751, 1751-V, and 1760 Routers
MGCP-Controlled Backhaul of BRI Signaling in Conjunction with Cisco CallManager
12.4(11)XJ
Yes
Yes
No
Yes
No
Hookflash and DTMF Relay Transfer
12.4(11)XJ
Yes
Yes
No
Yes
No
Warm Reload
12.4(11)XJ
Yes
Yes
Yes
Yes
Yes
Cisco CallManager Express 3.11
12.3(7)T
Yes
Yes
No
Yes
No
Cisco Survivable Remote Site Telephony 3.12
12.3(7)T
Yes
Yes
No
Yes
No
1 The Cisco CallManager Express 3.1 feature is supported in Cisco IOS Release 12.3(7)T in addition to Cisco IOS Release 12.3(4) XQ. We recommend using Cisco CallManager Express 3.1 with Cisco IOS Release 12.3(7)T on the Cisco 1751, 1751-V, and 1760 routers.
2 The Cisco Survivable Remote Site Telephony 3.1 feature is supported in Cisco IOS Release 12.3(7)T in addition to Cisco IOS Release 12.3(4) XQ. We recommend using Cisco Survivable Remote Site Telephony 3.1 with Cisco IOS Release 12.3(7)T on the Cisco 1751, 1751-V, and 1760 routers.
Table 5, Part 2 Feature List by Cross-Platform Feature Set for Cisco 1701, 1711, 1712, 1721, 1751, 1751-V, and 1760 Routers
MGCP-Controlled Backhaul of BRI Signaling in Conjunction with Cisco CallManager
12.4(11)XJ
No
Yes
Yes
Hookflash and DTMF Relay Transfer
12.4(11)XJ
No
Yes
Yes
Warm Reload
12.4(11)XJ
Yes
Yes
Yes
Cisco CallManager Express 3.12
12.3(7)T
No
Yes
Yes
Cisco Survivable Remote Site Telephony 3.13
12.3(7)T
No
Yes
Yes
1 This image is supported only on Cisco 1751, 1751-V, and 1760 routers.
2 The Cisco CallManager Express 3.1 feature is supported in Cisco IOS Release 12.3(7)T in addition to Cisco IOS Release 12.3(4) XQ. We recommend using Cisco CallManager Express 3.1 with Cisco IOS Release 12.3(7)T on the Cisco 1751, 1751-V, and 1760 routers.
3 The Cisco Survivable Remote Site Telephony 3.1 feature is supported in Cisco IOS Release 12.3(7)T in addition to Cisco IOS Release 12.3(4) XQ. We recommend using Cisco Survivable Remote Site Telephony 3.1 with Cisco IOS Release 12.3(7)T on the Cisco 1751, 1751-V, and 1760 routers.
New and Changed Information
The following sections list the new software features for the Cisco 1700 series routers added in Release 12.3(4)XQ and included in Release 12.3(4)XQ1.
New Software Features in Release 12.3(4)XQ
The following sections describe the new software features supported by the Cisco 1700 series routers for Release 12.3(4)XQ.
MGCP-Controlled Backhaul of BRI Signaling in Conjunction with Cisco CallManager
The Media Gateway Control Protocol (MGCP)-Controlled Backhaul of BRI Signaling in Conjunction with Cisco CallManager feature provides MGCP service to remote-office media gateways that connect by means of ISDN BRI trunks to a centralized Cisco CallManager media gateway controller for the purpose of call processing. D-channel signal information is backhauled to the call manager through a TCP session.
If connection to the primary call manager fails, call processing reverts to a backup call manager until the connection to the primary call is restored. If connections to the primary call manager and all backup call managers fail, call processing reverts to H.323 on the media gateway. When a connection is restored, call processing reverts to the primary or other available call manager and to MGCP.
The MGCP-Controlled Backhaul of BRI Signaling in Conjunction with Cisco CallManager feature offers the following benefits:
•
•
•
Note
For more details, refer to the following URL:
Hookflash and DTMF Relay Transfer
The Hookflash and Dual Tone Multifrequency (DTMF) Relay Transfer feature provides a cost-effective way to transfer customer calls from first-level technical support to other agent groups for second-level support. The circuit between the transferrer and the transferee is released after the transferrer initiates the transfer and the remote switch connects the transferee and the transfer target.
The Hookflash and DTMF Relay Transfer feature is supported on Foreign Exchange Office (FXO) and T1 channel associated signaling (CAS) interface from this release forward.
Warm Reload
The Warm Reload feature allows users to reload their routers without reading images from storage. That is, the Cisco IOS image reboots without ROM monitor mode (ROMMON) intervention by restoring the read-write data from a previously saved copy in the RAM and by starting execution without copying the image from flash to RAM or without self-decompression of the image. Thus, the overall availability of the system improves because the time to reboot the router is significantly reduced.
For more details, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gtwrmrbt.htm
Cisco CallManager Express 3.1
Cisco CallManager Express (Cisco CME) is a call processing application in Cisco IOS software that enables Cisco routers to deliver key system or hybrid PBX functionality for enterprise branch offices or small businesses. Cisco CME is ideal for customers who have both data connectivity requirements and a need for a telephony solution in the same office. Cisco CME offers most of the core telephony features required in the small office, as well as many advanced features not available with traditional telephony solutions. The ability to deliver IP telephony and data routing by means of a single converged solution allows customers to optimize their operations and maintenance costs, resulting in a very cost-effective solution that meets office needs.
Note
For more details, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/ip_ph/ip_ks/cme31/index.htm
Cisco Survivable Remote Site Telephony 3.1
The Cisco Survivable Remote Site Telephony (SRST) feature provides Cisco CallManager with fallback support for Cisco IP phones that are attached to a Cisco router on your local network. Cisco SRST enables routers to provide call-handling support for Cisco IP phones when they lose connection to remote primary, secondary, or tertiary Cisco CallManager installations or when the WAN connection is down.
For more details, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/ip_ph/srs/srst31/index.htm
Note
New Software Features in Release 12.3(4)T
For information regarding the features supported in Cisco IOS Release 12.3(4)T, refer to the Cross-Platform Release Notes and New Feature Documentation links at the following location on Cisco.com:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/index.htm
This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:
Service & Support: Technical Documents: Cisco IOS Software: Release 12.3: Release Notes: Cross-Platform Release Notes (Cisco IOS Release 12.3(4)T)
Important Notes
The following sections list the important notes that apply for the Cisco IOS Release 12.4(11)XJ.
Warm Reload
•
•
Caveats
Caveats describe unexpected behavior or defects in the Cisco IOS software releases. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.
Caveats in Cisco IOS Release 12.3(4)T are also in Release 12.3(4)XQ1. For information on caveats in Cisco IOS Release 12.3(4)T, refer to the Caveats for Cisco IOS Release 12.3(4)T document. This document lists severity 1 and 2 caveats; the documents is located on Cisco.com.
Note
Resolved Caveats - Release 12.3(4)XQ1
This section describes unexpected behavior that is fixed in Cisco IOS Release 12.3(4)XQ1. Only severity level 1 through level 3 are listed.
•
The system may be protected by installing appropriate access lists to filter all IPv6 fragments destined for the system. For example:
interface Ethernet0/0ipv6 traffic-filter nofragments in!ipv6 access-list nofragmentsdeny ipv6 any <my address1> undetermined-transportdeny ipv6 any <my address2> fragmentspermit ipv6 any anyThis must be applied across all interfaces, and must be applied to all IPv6 addresses which the system recognizes as its own.
This will effectively disable reassembly of all IPv6 fragments. Some networks may rely on IPv6 fragmentation, so careful consideration should be given before applying this workaround.
•
Cosmetic display CLI related issues.
When doing a "line-mode 2-wire ?" in ATM mode on WIC-1SHDSL-V2, the help text displays incorrect mapping between the line number & the pins used. When the DSL controller needs to be configured in 2-wire ATM mode, the line to be used has to be specified. In the help to choose the line, the pins used should be specified as:
line-one Line one (RJ-11 pins 2&5)line-zero Line zero (RJ-11 pins 3&4)Instead, the display shows the pins specified as:
line-one Line one (RJ-11 pins 3&4)line-zero Line zero (RJ-11 pins 2&5)Workaround: None.
•
Hardware flowcontrol failure in 1711->WIC-1AM transmit path.
When large bursts of data are transmitted by a 1711 router to a WIC-1AM line, packets may be dropped due to data overruns between the router async line and the modem's control processor. As a result, data throughput may be reduced and applications may fail.
Workaround: Configure generic traffic shaping on the async interface to throttle down the rate at which IOS transmits data to the modem. Note that this will impair the modem's transmission rate.
Example:
interface async 1fair-queuetraffic-shape rate 16000 8000•
IPv6 firewall TCP inspection increased sequence # verification.
A vulnerability in the TCP specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer), and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, the attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability. An advisory that describes this vulnerability for products that run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml. A companion advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml, and it describes this vulnerability as it applies to Cisco products that do not run Cisco IOS software.
•
Router may crash due to corrupted data in list with Cisco IOS-firewall.
A router may reload unexpectedly after it attempts to access a low memory address. This symptom is observed after ACLs have been updated dynamically or after the router has responded dynamically to an IDS signature.
Workaround: Disable IP Inspect and IDS.
•
Modifications needed to syn rst packet response.
A vulnerability in the TCP specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability. An advisory that describes this vulnerability for products that run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml. A companion advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml, and it describes this vulnerability as it applies to Cisco products that do not run Cisco IOS software.
•
ITS/CME: aberrant data may trigger reload.
When configured for the Cisco IOS Telephony Service (ITS), Cisco CallManager Express (CME), or Survivable Remote Site Telephony (SRST), Cisco IOS release 12.3 T may contain a vulnerability in processing certain malformed control protocol messages. A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a DoS.
Cisco has made free software upgrades available to address this vulnerability for all affected customers. There are workarounds available to mitigate the effects of the vulnerability. Please see the advisory available at http://www.cisco.com/warp/public/707/cisco-sa-20050119-itscme.shtml.
•
CBAC inspection causes software-forced reload.
When the Cisco IOS Firewall CBAC is configured, the router may have a software-forced reload caused by one of the inspections processed. This symptom is observed when the router is part of a DMVPN hub-spoke with a Cisco VoIP phone solution deployed on it and the router is connected to the central office over the Internet. The Cisco VoIP phone runs the SKINNY protocol.
Workaround: None.
•
BGP error msg trackback.
A Cisco device running Cisco IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. Only devices with the command bgp log-neighbor-changes configured are vulnerable. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet.
Cisco has made free software available to address this problem. Please see the advisory available at http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml.
•
Unable to telnet.
A specifically crafted TCP connection to a telnet or reverse telnet port of a Cisco device running Cisco IOS may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected. All other device services will operate normally.
User-initiated, specially crafted TCP connection to a telnet or reverse telnet port results in blocking further telnet sessions, however, services such as packet forwarding, routing protocols and all other communication to and through the device remains unaffected.
Please see the advisory available at http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml.
•
Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to be an Easy VPN Server.
Successful exploitation of these vulnerabilities may permit an unauthorized user to complete authentication and potentially access network resources.
This advisory will be posted to http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml
•
Certain release trains of Cisco Internetwork Operating System (IOS), when configured to use the Cisco IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus (TACACS+) as a means to perform remote management tasks on Cisco IOS devices, may contain two vulnerabilities that can potentially cause Cisco IOS devices to exhaust resources and reload. Repeated exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with Remote Authentication Dial In UserService (RADIUS) is not affected by these vulnerabilities.
Cisco has made free software available to address these vulnerabilities for all affected customers. There are workarounds available to mitigate the effects of the vulnerability (see the "Workarounds" section of the full advisory for details.)
This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
Cisco Internetwork Operating System (IOS) software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
More details can be found in the security advisory that is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.
Related Documentation
The following sections describe the documentation available for the Cisco 1700 series routers. These documents consist of hardware and software installation guides, Cisco IOS configuration guides and command references, system error messages, feature modules, and other documents.
Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on Cisco.com and http://www.cisco.com/univercd/home/index.htm.
Use these release notes with these documents:
Release-Specific Documents
The following documents are specific to Cisco IOS Release 12.3 and are located on Cisco.com and http://www.cisco.com/univercd/home/index.htm:
•
On Cisco.com at:
Products and Solutions: Cisco IOS Software: Cisco IOS Software Releases 12.3: Instructions and Guides: Release Notes
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3: Release Notes: Cross-Platform Release Notes
Note
•
•
As a supplement to the caveats listed in these release notes, see Caveats for Cisco IOS Release 12.3 and Caveats for Cisco IOS Release 12.3 T, which contain caveats applicable to all platforms for all maintenance releases of Cisco IOS Release 12.3 and Cisco IOS Release 12.3 T.
On Cisco.com at:
Products & Services: IOS Software: Cisco IOS Software Releases 12.3: Instructions and Guides: Release Notes: Release Notes for Cisco IOS Release 12.3, Part 5: Caveats
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3: Release Notes: Caveats
•
Platform-Specific Documents
These documents are available for the Cisco 1700 series routers:
On Cisco.com at:
Products and Solutions: Routers: Cisco 1700 Series Modular Access Routers
On http://www.cisco.com/univercd/home/index.htm at:
Product Documentation: Routers: Modular Access Routers: Cisco 1700 Series Routers
Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
http://tools.cisco.com/RPF/register/register.do
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents.
Documentation Modules
Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference.
On Cisco.com at:
Products and Solutions: Cisco IOS Software: Cisco IOS Releases 12.3: Instructions and Guides
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3: Configuration Guides and Command References
Cisco IOS Release 12.3 Documentation Set Contents
Table 6 lists the contents of the Cisco IOS Release 12.3 software documentation set, which is available in electronic form and in printed form if ordered.
On Cisco.com at:
Products and Solutions: Cisco IOS Software: Cisco IOS Releases 12.3: Instructions and Guides
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.
Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•
http://www.cisco.com/en/US/partner/ordering/
•
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
•
•
•
A current list of security advisories and notices for Cisco products is available at this URL:
If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:
•
•
Tip
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:
http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on
In an emergency, you can also reach PSIRT by telephone:
•
•
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•
http://www.cisco.com/go/marketplace/
•
•
•
http://www.cisco.com/go/iqmagazine
•
•
http://www.cisco.com/en/US/learning/index.html
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCSP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0501R)
Copyright © 2005 Cisco Systems, Inc. All rights reserved.
Guest
