Cisco IOS stolen?

Discussion in 'Cisco' started by Karsten Fischer, May 16, 2004.

  1. Program ended abnormally on 17/05/2004 17:42, Due to a catastrophic Barry
    Margolin error:
    Not really. Even without access to the source code, there were exploits
    published to crash routers when sending malformed packets (SNMP, Telnet, etc...)
    Now with access to the source code, anyone can look for the traditional buffer
    overflows, improper bounds checking and other "standard" programming pitfalls,
    compile the code, run it through a debugger, etc... Now, we might even see
    viruses for IOS popup.

    The scarier part is that it's a realy recent source tree that was leaked.
    Unlike the Windows NT/2000 code leak of last month, where the code was three
    years old and most of the holes already plugged, these holes are fresh and
    chances are that most of them are still there and were also there in earlier
    Francois Labreque, May 18, 2004
    1. Advertisements

  2. Karsten Fischer

    Dave Katz Guest

    Yes, this was the strategy of many of the router startups in the late
    90s. Lots of white papers on breakthrough hardware architectures, and
    they were going to use gated. There's only one left that I know of,
    and it's on life support.

    IEng made a bunch of money selling source patches (essentially rewrites)
    to gated because the code was not ready for primetime.

    Juniper got a gated license in its very early days because it was
    easier to start from something than from nothing. However, I believe
    the only routing protocol we didn't rewrite from scratch was BGP, and
    that's because Dennis had done a lot of work on it when he was at ANS.
    There's very little of even the infrastructure code left.

    Building a routing protocol implementation that is stable, scalable,
    and robust is not easy; if it were, everybody would do it.

    Having said all that, and having been intimately familiar with the
    cisco routing protocol implementations at some time in the past, I
    think the benefits of seeing the source code is somewhat overblown.
    There is very little "secret sauce" in there; it's mostly basic data
    structure manipulation and a whole lot of intricate code to implement
    those data structures. Further, it's all within the context of the
    IOS scheduler and services, so even if you wanted to simply port it
    wholesale it would be quite difficult. And nobody in their right mind
    would actually want to replicate a system the way IOS is constructed
    if they had it to do over. It has all the quirks and foibles of
    software developed by a large number of people over 20 years, and is
    basically impossible to "fix" without a wholesale rewrite (witness the
    inability to really delete subinterfaces; the interface stuff is so
    incestuous throughout the system that it can't be undone once it's
    there. Having written that code, I'm a bit chagrined...)

    Anybody who can look at it and make sense of it all should probably
    apply for a job over on Tasman, particularly since nobody else will
    touch them with a ten foot pole.
    Dave Katz, May 18, 2004
    1. Advertisements

  3. Karsten Fischer

    Dave Katz Guest

    When I was there they were stamping out 2500s like they were candy bars.
    Not much hardware acceleration in those puppies. (Like, none.)
    Dave Katz, May 18, 2004
  4. Again, only on some higher-end platforms.
    =?ISO-8859-2?Q?=A3ukasz_Bromirski?=, May 18, 2004
  5. Karsten Fischer

    Hansang Bae Guest

    IMO, IOS itself is no longer "the critical" piece for Cisco. We
    recently had several major issues with IOS. And the developers provided
    engineering specials for us to patch the problem. Listening to them
    speak for several months on daily conference calls have taught me a lot
    about IOS. It seems to me that a bunch of people over time worked on
    the code and each person/team patched on top of existing code.

    The "legacy" code really does bite you each and every time.

    If I were into conspiracy theory, I would say that Cisco released the
    IOS so that other companies would spin their wheels trying to make sense
    of it all! :)



    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    Due to the volume of email that I receive, I may not not be able to
    reply to emails sent to my account. Please post a followup instead.
    Hansang Bae, May 18, 2004
  6. When's that, 10 years ago?

    But even 2501's had fast switching.
    Barry Margolin, May 18, 2004
  7. Huh? Packet filtering was added to the fast switching path at least 10
    years ago.
    Barry Margolin, May 18, 2004
  8. AFAIK, the "fast switching path" only means that the router forwards the
    packets during interrupts instead of using a classic process ("IP
    Input"). On all platforms (except GSR, 6500 and all routers based on
    PXF, and maybe the NPE-G1), the ACL processing is done by the CPU.
    Christophe Fillot, May 18, 2004
  9. Hello, Barry!
    You wrote on Tue, 18 May 2004 01:30:05 -0400:

    BM> When's that, 10 years ago?

    BM> But even 2501's had fast switching.

    Barry, I think reading "Inside of Cisco IOS Software Architecture" is overdue.
    What does fast switching have to do with forwarding in hardware?

    With best regards,
    Andrey Tarasov, May 18, 2004
  10. By `hardware' I do undestand things like PXF architecture (so we're
    starting from NSE-1 and 7000 series), not the way that just optimizes
    how CPU handles passing or not passing packets. The 17xx, 26xx, 36xx
    and 37xx boxes do all the things in software, only the VPN and ATM
    acceleration works "by hardware" if the proper AIM/NM is installed.

    Someone pointed the Inside of Cisco IOS Software Architecture book.
    It's really good lecture, if You're interested.

    And, another thing - most of "hardware" platforms, including Sup720
    for example, will switch over to software processing if the ACL
    will grow over some number of ACEs. That's nasty thing if You hit
    it on quite loaded box.
    =?ISO-8859-2?Q?=A3ukasz_Bromirski?=, May 18, 2004
  11. This occurs when the TCAM becomes full...
    Christophe Fillot, May 18, 2004
  12. Karsten Fischer

    Dave Katz Guest

    Fast switching is software.
    Dave Katz, May 18, 2004
  13. Whatever the reason is, the software functionality has to be
    implemented to handle such cases. So, it's in the source files.
    =?ISO-8859-2?Q?=A3ukasz_Bromirski?=, May 18, 2004
  14. Karsten Fischer

    AnyBody43 Guest

    AnyBody43, May 18, 2004
  15. Karsten Fischer

    Julio Arruda Guest

    Uninformed guess here, but...
    Wasn't fast-switching just a nice way to say that the packet forwarding
    piece was invoked under the interrupt-service routine ?
    Unlike the "process switching" that was scheduled by the scheduler to
    occur every "n" ticks ?
    And CEF wasn't not just something to do with pre-populating the
    forwarding cache with the information (where fast-switch was based in
    cache-miss ?) Of course, the lookup process in GSRs and etc have some hw
    to do it, but CEF doesn't "depend" in hardware forwarding, right ?
    Julio Arruda, May 18, 2004
  16. The name Huawei comes to mind.

    And, IIRC, 3Com is doing business with them now.
    Geoffrey Welsh, May 24, 2004
  17. Karsten Fischer

    Gert Doering Guest

    But that's only true for a very small part of the hardware platforms IOS
    runs on (7500, 7600, 10k, GSR). On the remaining boxes, *everything* is
    done in the IOS - a 7200 PA-FE-TX is not very much different from a
    off-the-shelf Windows PC PCI network card, built around a PCI bus and a
    DEC 2114x network chip...

    Gert Doering, Jun 4, 2004
  18. Karsten Fischer

    Gert Doering Guest

    No part of "fast switching" happens "in hardware" (dCEF does).

    Fast switching is a higly optimized code path in the IRQ handler.

    Gert Doering, Jun 4, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.