RE: Advisory - tunneling of IP at exchange points.

Thanks Paul, wonderful job. Side-note (taken from the exploit write-up
http://www.linx.net/tunnel-advisory.txt):

// Adding "log-input" to the end of each access-list line will log
// the hardware address of the sender for good measure. IOS 11.1
// and upwards only (from memory)

We find log-input to be very unreliable and often producing wrong
information. It indeed operates differently across the 11.1 train (no
comment on 11.2 offered); I think 11.1.15 breaks it badly. Albeit
improperly worded and not well defined in print on CCO, please reference
Cisco BUGid CSCdj40503 prior to trusting log-input for any valid info.

Best regards,

David Van Allen - FASTNET(tm) / You Tools Corporation
dave@fast.net (888)321-FAST(3278) http://www.fast.net
FASTNET - Business and Personal Internet Solutions

From: Paul Thornton [SMTP:prt@linx.net]
Sent: Tuesday, November 25, 1997 9:47 AM
To: nanog@merit.edu
Cc: eof@ripe.net; se-gix@sunet.se; mae-east-tech@uu.net;
membership@linx.net; ops@linx.net
Subject: Advisory - tunneling of IP at exchange points.

-- PLEASE NOTE: If you are replying to this, consider pruning the list
-- of cc's rather than crossposting replies wildly!
Thanks.

[snip]

==>We find log-input to be very unreliable and often producing wrong
==>information. It indeed operates differently across the 11.1 train (no
==>comment on 11.2 offered); I think 11.1.15 breaks it badly. Albeit
==>improperly worded and not well defined in print on CCO, please reference
==>Cisco BUGid CSCdj40503 prior to trusting log-input for any valid info.

CSCdj40503 simply fixes a problem where packets are not logged under
certain conditions. It doesn't change any information.

I've never seen a problem with log-input reporting bad information; if you
have and can reproduce, please document and contact your normal support
channels to fix this valuable tool.

/cah