 Feedback
|
Table Of Contents
Determining Your Software Release
Upgrading to a New Software Release
Determining Which Software Images (Feature Sets) Support a Specific Feature
Determining Which Features Are Supported in a Specific Software Image (Feature Set)
New Hardware Features in Release 12.3(7)YB
New Software Features in Release 12.3(7)YB
New Software Features in Release 12.3(7)YB
Open Cisco IOS Caveats - Release 12.3(7)YB1
Resolved Cisco IOS Caveats - Release 12.3(7)YB1
Open Cisco IOS Caveats - Release 12.3(7)YB
Resolved Cisco IOS Caveats - Release 12.3(7)YB
Cisco IOS Software Documentation Set
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for ANI Suppression and MGCP NAS LAPB/TA Autodetect with Cisco IOS Release 12.3(7)YB on Cisco AS5350 and Cisco AS5400
August 8, 2007Cisco IOS Release 12.3(7)YB1OL-7513-02These release notes for the ANI Suppression and MGCP NAS LAPB/TA Autodetect on Cisco AS5350 and Cisco AS5400 platforms describe the enhancements provided in the Cisco IOS 12.3(7)YB releases. These release notes are updated as needed.
For a list of the software caveats that apply to Cisco IOS Release 12.3(7)YB, see the "Caveats" section. See also Caveats for Cisco IOS Release 12.3T, which is updated for every maintenance release and is located on Cisco.com and the Documentation CD-ROM.
Use these release notes with Cross-Platform Release Notes for Cisco IOS Release 12.3 T located on Cisco.com and the Documentation CD-ROM.
Cisco recommends that you view the field notices for this release to see if your software or hardware platforms are affected. If you have an account on Cisco.com, you can find field notices at http://www.cisco.com/warp/public/tech_tips/index/fn.html. If you do not have a Cisco.com login account, you can find field notices at http://www.cisco.com/warp/public/tech_tips/index/fn.html.
Contents
These release notes describe the following topics:
•
Obtaining Documentation, Obtaining Support, and Security Guidelines
Inheritance Information
Cisco IOS Release 12.3(7)YB1, an early deployment release, is based on Cisco IOS Release 12.3(7)T, which in turn is based on Cisco IOS Release 12.3. See Table 1 for more information.
All features in Cisco IOS Release 12.3(7)T are in Cisco IOS Release 12.3(7)YB1.
Table 1 References for the Cross-Platform Release Notes for Cisco IOS Release 12.3 T and Cisco IOS Release 12.3(7)T
•
•
To view information about the topics in the left column, click Cross-Platform System Requirements at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/123reqs.htm
•
•
•
To view information about the topics in the left column.
For Cisco IOS Release 12.3 T, go to:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/123newf.htm
Scroll down and click New Software Features in Cisco IOS Release 12.3(7)T, or MIBs, or Important Notes.
•
•
•
To view information about the topics in the left column, go to:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/123docs.htm
System Requirements
This section describes the system requirements for Cisco IOS Release 12.3(7)YB and includes the following sections:
Memory Requirements
Hardware Supported
See the following link for information about supported hardware for the Cisco AS5350 and Cisco AS5400:
•
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/as5350/index.htm
•
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/as5400/index.htm
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.Software Supported
•
–
–
•
Determining Your Software Release
To determine the version of Cisco IOS software running on the Cisco VG 224 analog gateway, log in to the gateway and enter the show version EXEC command:
Router> show versionCisco Internetwork Operating System SoftwareIOS (tm) 5350 Software (C5350-JS-M), Version 12.3(7)YB, RELEASE SOFTWARE (fc1)Copyright (c) 2005 by cisco Systems, Inc.Image text-base: 0x6000895C, data-base: 0x61900000Upgrading to a New Software Release
For general information about upgrading to a new software release, see Cisco IOS Upgrade Ordering Instructions located at: http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/957_pp.htm.
Feature Set Tables
The feature set tables have been removed from the Cisco IOS Release 12.3-based release notes to improve the usability of the release notes documentation. The feature-to-image mapping that was provided by the feature set tables is available through Cisco Feature Navigator.
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or by feature set (software image). Under the release section, you can compare Cisco IOS software releases side by side to display both the features unique to each software release and the features that the releases have in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
http://tools.cisco.com/RPF/register/register.do
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
For frequently asked questions about Cisco Feature Navigator, see the FAQs at the following URL:
http://www.cisco.com/support/FeatureNav/FNFAQ.html
Determining Which Software Images (Feature Sets) Support a Specific Feature
To determine which software images (feature sets) in Cisco IOS Release 12.3T support a specific feature, go to the Cisco Feature Navigator home page, enter your Cisco.com login, and perform the following steps.
Step 1
Step 2
Step 3
Note
Repeat this step to add additional features. A maximum of 20 features can be chosen for a single search.
Step 4
Step 5
Step 6
Step 7
Determining Which Features Are Supported in a Specific Software Image (Feature Set)
To determine which features are supported in a specific software image (feature set) in Cisco IOS Release 12.3T, go to the Cisco Feature Navigator home page, enter your Cisco.com login, and perform the following steps.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
New and Changed Information
New Hardware Features in Release 12.3(7)YB
There are no new hardware features.
New Software Features in Release 12.3(7)YB
The following new software features are supported in the Cisco IOS 12.3(7)YB releases.
New Software Features in Release 12.3(7)YB
•
Calling Number Suppression for L2TP Setup
The Calling Number Suppression for L2TP Setup feature provides the ability to suppress all or some part of the calling number field in the Layer 2 Tunneling Protocol (L2TP) setup process through RADIUS attribute functionality. The Calling Number Suppression for L2TP Setup feature allows you to make part or all of the calling number anonymous. This document tells you how to configure the Calling Number Suppression for L2TP Setup feature on your RADIUS server.
MGCP NAS Package LAPB-TA
The Media Gateway Control Protocol (MGCP) network access server (NAS) Package Link Access Procedure, Balanced (LAPB)-terminal adapter (TA) feature implements autodetection for the MGCP NAS package, as supported in Cisco IOS Release12.3(9) under ISDN serial interfaces. This document tells you how to configure autodetection, which allows asynchronous traffic, such as PPP carried over an ISDN line with the LAPB protocol, to be terminated at a Cisco media gateway.
For more information about these features, see the following link:
http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3_7yb/gtnaspkg.pdf
Limitations and Restrictions
For more information about limitations and restrictions in Cisco IOS Release 12.3(7)YB, see the following documentation:
•
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/taclinks.htm
Caveats
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only selected severity 3 caveats are included in the caveats document.
This section contains open and resolved caveats for the current Cisco IOS maintenance release.
All caveats in Cisco IOS Release 12.3 and Cisco IOS Release 12.3 T are also in Cisco IOS Release 12.3(7)YB.
For information on caveats in Cisco IOS Release 12.3 and Cisco IOS Release 12.3 T, see Caveats for Cisco IOS Release 12.3 T. These documents lists severity 1 and severity 2 caveats and only selected severity 3 caveats, and are located on Cisco.com and the Documentation CD-ROM.
Caveat numbers, brief descriptions, and workarounds for Release 12.3(7)YB1 and follow on releases are listed in this section.
Note
http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.plThe following sections contain caveat information specific to the Cisco IOS 12.3(7)YB releases:
•
•
•
•
Open Cisco IOS Caveats - Release 12.3(7)YB1
•
Symptoms: On a Cisco AS5400 or AS5350 configured for MGCP NAS Package, autodetected LAPB-TA calls will have intermittent ping failures when doing a ping sweep from 60 to 2020 bytes.
Conditions: Gateway must be configured for MGCP NAS Package and terminating a LAPB-TA autodetected call.
Workaround: There is no workaround.
Resolved Cisco IOS Caveats - Release 12.3(7)YB1
•
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
–
–
–
–
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
Symptoms: A router may reset its Border Gateway Protocol (BGP) session.
Conditions: This symptom is observed when a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length that is equal to or greater than 255.
Workaround: Configure the bgp maxas limit command in such as way that the maximum length of the AS path is a value below 255. When the router receives an update with an excessive AS path value, the prefix is rejected and recorded the event in the log.
•
Symptoms: Call Tracker records do not give a unique disconnect string for VPDN disconnects.
Conditions: For data/modem calls which experience a disconnect initiated by the VPDN subsystem, a unique disconnect code is given, but not a unique disconnect string. The VPDN subsystem is required to initiate the disconnect the frequency is medium. This is only an issue in call tracker call records if call tracker is enabled.
Work around: To differentiate the disconnect reasons the call tracker disconnect code can be used, instead of the verbose string.
•
Symptoms: On a Cisco AS5400 or Cisco AS5350 the calltracker stat for rx bytes can be approximately twice the expected value for modem calls.
Workaround: There is no workaround.
•
Symptoms: Calltracker record does not display the user bit rate for V.110 calls.
Conditions: MGCP NAS configured, Calltracker enabled for V.110 calls.
Workaround: There is no workaround.
•
Symptoms: Calltracker disconnect text displays "no vty" as the disconnect reason.
Condition: MGCP NAS, CallTracker and autodetection configured. This is possible only for autodetected lap (x.75), V.120 and sync PPP calls. The disconnect reason is wrong if VTYs are available and the true reason is usually LCP timeout.
Workaround: There is no workaround. The stat bug does not impact functionality.
•
Symptoms: Outbound synchPPP calls placed by a Cisco AS5400 or Cisco AS5350 configured for MGCP NAS Package will fail.
Conditions: This failure will only happen for outbound synchPPP calls place by a gateway configured for MGCP NAS Package
Workaround: There is no workaround.
•
Symptoms: Show xcsp port info is incorrect for a 5400 configured for MGCP NAS Package.
Workaround: There is no workaround.
•
Symptoms: On an AS5x platform using 12.4(2)T IOS configured for MGCP NAS Package a V.110 call will fail if the rate is 24k, 28.8k or 38.4k
Workaround: There is no workaround.
•
On a Cisco AS5x platform using Cisco IOS Release 12.4(2)T configured for MGCP NAS Package. A 14.4k V.110 call will fail due to Cisco IOS trying to configure the SPE with the wrong rate (16k).
Conditions: You will see a NAK when this occurs and the call will fail:
%NP_EST-6-CTRL_NAK_RSP: (NP address 2/0/0/255), Msg ID=0xF201, Result=INVALID_PARAMETER_VALUE, Data format=Binary, Data len=40, Data=00 0A 00 DD 10 00 F2 01 00 07 00 00 80 01 00 00 80 13 00 08 80 3A 3E 80 00 00 00 00 80 02 00 08 80 03 00 00 80 04 00 02Workaround: There is no workaround.
•
Symptoms: On a Cisco AS5400 or AS5350 configured for MGCP NAS Package there is a slight possibility that calltracker can display active call records for calls that have already disconnected. This occurs when the guard timer disconnect calls and calltracker is not notified of the disconnect.
Conditions: This will cause a very slow memory leak.
Workaround: Disable Call Tracker or use only for debugging and profiling.
•
Symptoms: On a Cisco AS5400 or Cisco AS5350 configured for MGCP NAS Package running in a mixed call environment (v.120, syncPPP, v.110,lapb-ta, modem) there is a slight possibility for a traceback to be seen in the gateway logs. This is non-impacting to the gateway and does not impact functionality. The traceback will usually end with 00000000 00000000 00000000 00000000 00000000 00000000.
Workaround: There is no workaround
•
Symptoms: On a Cisco AS5400 or Cisco AS5350 configured for MGCP NAS Package a crash will occur if you remove the existing MGCP from the controller while active autodetected calls are on the box. The probability of someone doing this is very rare and this crash should not happen under normal operating conditions.
Workaround: Delay removing existing from the controller until all calls on the controller have been released.
•
Symptoms: A Cisco AS5400 or AS5350 can crash due to rapid disconnects of autodetected call when the gateway is configured for MGCP NAS package.
Workaround: Disable V.120 autodetection on all interfaces.
•
Symptoms: If the call agent clears a channel while the channel is autodetecting, xcsp immediately clears the call, but the serial autodetect module does not clear until the autodetect timer expires (10 seconds). XCSP failed to call the serial autodetect reset in this case. This caused between 6 and 10 subsequent calls on the same channel would all fail.
Workaround: There is no workaround.
Open Cisco IOS Caveats - Release 12.3(7)YB
•
Symptoms: The Signalling field in calltracker record when the show calltracker active command is entered for all ISDN autodetect calls is always seen as LLC instead of AUTO. This is observed on the Cisco AS5400.
Conditions: The behavior is observed when ISDN autodetect calls are made.
Workaround: There is no workaround.
•
Symptoms: Lapbta sessions do not disconnect with a calltracker reason when a giant frame is received. If a giant frame is received by the lapb layer, a disconnect is not initiated for X.75 TA calls.
Conditions: MGCP NAS or ISDN autodetected lapb calls.
Work around: Just let the user (TA) hang up. The session will stop passing data and the user will hang up. This will cause the call disconnect with a call tracker reason indicating giants were received. Also, set the client TA max frame size to a maximum of 1500 bytes to eliminate giant frames.
•
Symptoms: There is no apparent symptom to the user.
Conditions: The MIB modifications need approval and approval requires the MIB to compile using the SMIC MIB compiler. The existing MIB does not compile, so the changes added do not compile. The MIB compiles using the Cisco IOS MIB compiler.
Work Around: None needed. Changes to the call tracker MIB function as expected. However, the MIB has not been approved yet.
•
Symptoms: Call Tracker records do not give a unique disconnect string for VPDN disconnects.
Conditions: For data/modem calls which experience a disconnect initiated by the VPDN subsystem, a unique disconnect code is given, but not a unique disconnect string. The VPDN subsystem is required to initiate the disconnect with the frequency set at medium. This is only an issue in call tracker call records if call tracker is enabled.
Work around: To differentiate the disconnect reasons the call tracker disconnect code can be used, instead of the verbose string.
•
Symptoms: A Cisco AS5400 or AS5350 Access Server running 12.3(7)T6 IOS configured with MGCP NAS package might not handle modem calls correctly if a burst of modem calls (greater than 12) come in on the same T1/E1 line. This is a very rare condition and will not occur unless the timing of how the calls are handle is just right.
Conditions: To determine if you are experiencing this issue you can stop the modem calls and issue a show call calltracker active. If calltracker shows an active modem call when no modem calls are present on the access sever then you could be experiencing this issue.
Workaround: There is no workaround.
•
Symptoms: Calltracker record does not display the user bit rate for V.110 calls.
Conditions: MGCP NAS configured, Calltracker enabled. V.110 calls.
Work Around: There is no workaround.
•
Symptoms: There is no apparent symptom visible to the user
Conditions: With all xcsp debugs enabled, MGCP NAS and modem calls, debugs show the helper function is_xcsp() returning FALSE during an xcsp controlled call.
Work Around: None required, the anomaly does not affect the modem call.
•
Symptoms: When a modem call disconnects on a Cisco AS5400 or Cisco AS5350 configured for MGCP NAS Package the NAS code will report Modem Reset. The NAS code should be Admin Close.
Conditions: The gateway configured to use MGCP NAS Package.
Workaround: There is no workaround. This issue does not impact the call functionality.
•
Symptoms: When placing modem calls to a Cisco AS5400 or Cisco AS5350 configured for MGCP NAS package, when the call is disconnected via the absolute timeout the NAS reason code is incorrect.
The NAS reason code will list Modem hang-up when it should list Admin close.
Conditions: The gateway should be configured for MGCP NAS package.
Workaround: There is no workaround; this issue does not impact functionality.
•
Symptoms: Calltracker disconnect text displays no vty as the disconnect reason.
Conditions: MGCP NAS, CallTracker and autodetection configured. This is possible only for autodetected lap (x.75), V.120 and sync PPP calls. The disconnect reason is wrong if VTYs are available and the true reason is usually LCP timeout.
Work Around: There is no workaround. The stat bug does not impact functionality.
•
Symptoms: When making MGCP NAS package autodetection calls on a Cisco AS5400 or Cisco AS5350 intermittently pm7366_rx_intr: Spurious interrupt messages will appear when the following debugs are enabled:
debug freedmdebug serial interfacedebug serial eventConditions: The gateway must be configured for MGCP NAS package.
Workaround: There is no workaround.
•
Symptoms: On a Cisco AS5400 or Cisco AS5350 configured for the MGCP NAS package, autodetected LAPB-TA calls will have intermittent ping failures when doing a ping sweep from 60 to 2020 bytes.
Conditions: The gateway must be configured for MGCP NAS package and must be able to terminate a LAPB-TA autodetected call.
Workaround: There is no workaround.
•
Symptoms: There are no apparent symptoms to impact the user.
Conditions: Static analysis run on the YB branch finds 50 or so warnings in feature-related subsystems.
Work Around: There is no workaround.
•
Symptoms: When the user enables calltracker for MGCP NAS data calls, the rx byte count in the calltracker record will not be accurate under certain conditions.
Conditions: The cause is not know yet, but the frequency is medium when calltracker is enabled under MGCP NAS.
Work Around: There is no workaround.
•
Symptoms: show mgcp nas dump displays the default bearer cap instead of the bearer cap of the last call.
Conditions: This stat is accurate during an active MGCP NAS data call. However, once the call disconnects, it is only accurate for some call types. The failing cases display the default bearer cap once the call disconnects.
Work Around: Enable Calltracker.
•
Symptoms: On a Cisco AS5400 or Cisco AS5350 the following message will appear on the console when answering a V.110 call:
mgcp_parse_v110_asynch_parms: proc_buff=nonemgcp_parse_v110_asynch_parms: proc_buff=1mgcp_parse_v110_asynch_parms: proc_buff=8Workaround: There is no workaround; this issue does not impact the call functionality.
•
Symptoms: On a Cisco AS5400 or Cisco AS5350 the command show mgcp nas dump will intermittently display negative values for the byte count.
Conditions: show mgcp nas dump is only relevant for a gateway configured to use the MGCP NAS package.
Workaround: There is no workaround; this issue does not impact the call functionality. The issue is with the reporting of the byte statistics.
•
Symptoms: Outbound synchPPP calls placed by a CISCO AS5400 or Cisco AS5350 configured for MGCP NAS Package will fail.
Conditions: This failure will only happen for outbound synchPPP calls place by a gateway configured for MGCP NAS Package
Workaround: There is no workaround.
Resolved Cisco IOS Caveats - Release 12.3(7)YB
•
Workaround: The system may be protected by installing appropriate access lists to filter all IPv6 fragments destined for the system. For example:
interface Ethernet0/0ipv6 traffic-filter nofragments in!ipv6 access-list nofragmentsdeny ipv6 any <my address1> undetermined-transportdeny ipv6 any <my address2> fragmentspermit ipv6 any anyThis must be applied across all interfaces, and must be applied to all IPv6 addresses which the system recognizes as its own.
This will effectively disable reassembly of all IPv6 fragments. Some networks may rely on IPv6 fragmentation, so careful consideration should be given before applying this workaround.
Caveat Advisories
The following advisories are associated with 12.3(7)YB1:
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco has made free software available that includes the additional integrity checks for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
Additional References
The following sections describe the documentation available for the Cisco AS5350 and Cisco AS5400 platforms . Typically, these documents consist of hardware and software installation guides, Cisco IOS configuration and command references, system error messages, feature modules, and other documents. Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on Cisco.com in pdf or html form.
Use these release notes with the documents listed in the following sections:
Release-Specific Documents
The following documents are specific to Release 12.3 and apply to Cisco IOS Release 12.3(7)YB. They are located on Cisco.com:
•
•
•
Platform-Specific Documents
Hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco AS5350 and Cisco AS5400 platforms are available on Cisco.com at the following location:
http://www.cisco.com/en/US/products/hw/routers/tsd_products_support_category_home.html
Feature Modules
Feature modules describe new features supported by Cisco IOS Release 12.3 and Cisco IOS Release 12.3(7)YB, and are updates to the Cisco IOS documentation set. A feature module consists of a brief overview of the feature, benefits, configuration tasks, and a command reference. As updates, the feature modules are available online only.
Cisco Feature Navigator
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a particular set of features and which features are supported in a particular Cisco IOS image. Cisco Feature Navigator is available 24 hours a day, 7 days a week.
To use Cisco Feature Navigator, you must have a JavaScript-enabled web browser such as Netscape 3.0 or later, or Internet Explorer 4.0 or later. Internet Explorer 4.0 always has JavaScript enabled. To enable JavaScript for Netscape 3.x or Netscape 4.x, follow the instructions provided with the web browser. For JavaScript support and enabling instructions for other browsers, check with the browser vendor.
Cisco Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. You can access Feature Navigator at the following URL:
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents.
Documentation Modules
Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference. Cisco IOS Software Documentation is available in html or pdf form.
Select your release and click the command references, configuration guides, or any other Cisco IOS documentation you need
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feed-back, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Use this document in conjunction with the documents listed in the "Additional References" section.
CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0705R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007, Cisco Systems, Inc. All rights reserved
