Regístrese ahora para una mejor cotización personalizada!

Noticias calientes

Router Spring Cleaning -No MOP Required - Again

Abr, 12, 2022 Hi-network.com

Way back in May 18, 2010, Dario Ciccarone of The Cisco Product Security Incident Response Team (PSIRT) published a blog post calledRouter Spring Cleaning -No MOP Required. It has since been archived, butthekey points of that blog are captured below:

When looking over the recommendations in the Cisco Guide to Harden Cisco IOS Devices, time and again people are puzzled by this line: "Issue the no mop enabled command in interface configuration mode in order to disable the Maintenance Operation Protocol (MOP) service."

And they come back to us with questions like, "What is MOP, why do I have to disable it, and is it even relevant if I'm not running DECnet?"

Well, the thing is, the MOP functionality is decoupled from the DECnet protocol stack, so even if your device isn't configured for DECnet,you will still be able to establish a MOP RC session to the device, as long as MOP hasn't been explicitly disabled.

So, some key points to note from all of this:

  • The MOP protocol (RC and remote load functionality) is still being shipped as part of Cisco IOS 15.x
  • MOP RC isenabled by defaulton ethernet interfaces (and yes, thatprocesses | includes FastEthernet and GigabitEthernet)
  • MOP (RC and dump/load) data packets are directly encapsulated on Ethernet L2 frames (Ethertype is 0x6002 for RC)
  • MOP packets can't be routed but can be bridged
  • There is a readily available MOP RC client for Linux
  • You do have to provide valid credentials for authentication before being allowed interactive access to the device
  • Ashow usersWILL show anyone connected to a Cisco IOS device over a MOP RC session
  • MOP RC packets are neither encrypted nor authenticated
  • Removingtransport input mopfrom the VTY lines will not disable the MOP RC functionality

So, now you're wondering, "Why is Cisco bring this old stuff back up again?" Well...

This topic recently came up again in an external forum. I hope this blog will clear up some inconsistencies and outline a clear mitigation path for customers. The contents below pertain to any router or switching platform that is running Cisco IOS Software or Cisco IOS-XE Software.

Identifying MOP on Platforms

Over the years, support for MOP has been completely removed and can't be enabled or configured in some releases and in some license level sets. For those platforms that have not removed support, some have left it enabled by default, while others ship with it disabled by default. We can use the following steps to determine if the protocol is both present and enabled on the running image.

Step 1: Determine Whether the Platform Supports MOP

To see if the software image on the platform you are running supports MOP, enter
the show subsys | include mopRouter| include mop mop Protocol 1.000.001Router| include mop| include mopCLI command. If the platform supports MOP, it will show a line withmop Protocol, as shown in the following example:

Router#show subsys | include mop   mop Protocol 1.000.001   Router#

If the device doesn't support MOP, it will return nothing as shown in the following example:

   Router#show subsys | include mop   Router#

If a platform doesn't support MOP, then the commands to disable MOP won't be visible in the command help and you will get an error if you try to configure it, as shown in the following examples:

Router(config)#interface gigabitEthernet 1 Router(config-if)#no mop ? % Unrecognized command Router(config-if)#no mop enabled                       ^ % Invalid input detected at '^' marker.Router(config-if)#

Step 2: Determine Whether the Platform is Running MOP

If you have confirmed that the platforms supports MOP, use theshow processes | include
MOPCLI command to see if the MOP process is actually running on the device. If the platform has MOP enabled (either by default or by a configuration), it will show theMOP Protocolsin the output, as shown in the following example:

Router#show processes | include MOP,| include MOP| include MOP| include MOP   Router| include MOP208 Mwe 5632C4164FCE 7 66 10622408/24000 0 MOP ProtocolsRouter| include MOP208 Mwe 5632C4164FCE 7 66 10622408/24000 0 MOP ProtocolsRouter#

If the device isn't running MOP, it will return nothing as shown in the following example:

   Router#show processes | include MOP   Router#

The platform will accept MOP RC sessions only if it is running MOP.

Controlling MOP RC Sessions on the VTY Lines

Once we have determined that the image supports MOP and that the MOP process is running, how do we control MOP usage and access? The following question came up on the external forum, and it was mentioned in the original blog: Why is MOP RC traffic even accepted when the VTY lines were configured withtransport input ssh, which should drop all management protocols other than SSH over the VTY lines, especially whentransport inputdoes include the keyword option of mop?

The answer is that this is a bug and it has been addressed with Cisco Bug ID CSCwa57951. The fix will be included in Cisco IOS XE Software releases 17.9(1) and later. After you implement the fix, if you do have the recommended configuration of transport input ssh on the VTY lines, then even if MOP is running, no connections that use MOP RC will be permitted.

Note:MOP RC sessions still are subject to whatever authentication options are configured on the VTY lines.

Recommendations for MOP

The current advice really hasn't changed from what was recommended way back in 2010 and as per the hardening guide. Go ahead and disable MOP on all interfaces; unless your business requires it to be enabled.

Recently, the MOP protocol has been disabled by default in Cisco IOS XE releases but, unfortunately, that varies from platform type to platform type and even license levels.

Regardless of how you are configuring the device -via templates, API, scripts, or manually -ensure that you applyno mop enableon all interfaces. The command will be rejected if the release or license level doesn't support MOP, but it won't impact to the device.

At this point you may ask, "Hang on... isn't there a global command to just disable MOP? Something similar to theno cdp runcommand?" The short answer is no. But a feature request has been raised for the support of this command via Cisco Bug ID CSCwa91505.

Also, ensure that you have your VTY and TTY lines configured in accordance with the Cisco Guide to Harden Cisco IOS Devices. Doing so will ensure that once you upgrade your Cisco IOS XE release beyond 17.9(1), you will be protected regardless of the MOP configuration status.

What About MOP sysid?

This blog and the previous one focused onno mop enable. You will likely also see theno mop sysidinterface configuration command. When MOP is enabled, the MOP server will periodically multicast a system ID message out to the Ethernet interfaces ifmop sysidis enabled.

So if you see frames on your network with the Ethertype 0x6002, then there's a good chance you not only have MOP enabled but mop sysid enabled as well. Disabling MOP with the no mop enable interface configuration command also disables sending MOP periodic system ID.

Final Concerns

What if you disabled MOP with theno mop enableinterface command on all interfaces, then issued theshow processes | include MOPand you still see the MOP process being active? Be patient. In the background, a process runs every 8 to 12 minutes to check if MOP is disabled on all supported interfaces. If it is, then it fully shuts down the MOP process and you will no longer see it in theshow processes | include MOPoutput. If you wait 15 minutes and still see the MOP process in the output ofshow processes | include MOP,then you still have MOP enabled on a supported interface.


We'd love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn


tag-icon Etiquetas calientes: Seguridad de red

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.
Our company's operations and information are independent of the manufacturers' positions, nor a part of any listed trademarks company.