Discussion:
[c-nsp] what the heck is "ip forward-protocol nd" good for
Sebastian Beutel
2016-04-06 16:16:08 UTC
Hi List,

so... I have here this brand new c6880x running 15.2(1)SY1a and in its
default configuration I found this strange string "ip forward-protocol nd".
My first thought was that this has something to do with v6's neighbor
discovery. But for what use would one forward this anywhere?
So I asked the wisdom of the search engines and found out that there once
was a protocol with the name "sun-nd" and the IP protocol number 77, used in
Sun's diskless Sun-2 stations. The line "ip forward-protocol nd" seems to be
the equivalent for sun-nd of what ip helper is for DHCP. Could this be? A
workaround for a 30-year-old proprietary legacy protocol is in the default
configuration of a modern router? This is what I found:

Router(config)#default ip forward-protocol nd
Router(config)#end
Router#show running-config | include forward
ip forward-protocol nd

What do you think: Is this a bug?

Best,
Sebastian.

_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Alex Pressé
2016-04-06 16:26:20 UTC
That's not the only insane default. IP proxy ARP is enabled by default and
it doesn't even show up in the config.
You have no idea how many misconfigured things in your environment are
relying on this "feature"... so don't just blindly disable it on a Friday
afternoon.


router#sh run | inc proxy
router#

router#sh run *all* | inc proxy
no ip arp proxy disable



On Wed, Apr 6, 2016 at 10:16 AM, Sebastian Beutel <
Post by Sebastian Beutel
Hi List,
so... I have here this brand new c6880x running 15.2(1)SY1a and in its
default configuration I found this strange string "ip forward-protocol nd".
My first thought was that this has something to do with v6's neighbor
discovery. But for what use would one forward this anywhere?
So I asked the wisdom of the search engines and found out that there once
was a protocol with the name "sun-nd" and the IP protocol number 77, used in
Sun's diskless Sun-2 stations. The line "ip forward-protocol nd" seems to be
the equivalent for sun-nd of what ip helper is for DHCP. Could this be? A
workaround for a 30-year-old proprietary legacy protocol is in the default
Router(config)#default ip forward-protocol nd
Router(config)#end
Router#show running-config | include forward
ip forward-protocol nd
What do you think: Is this a bug?
Best,
Sebastian.
--
Alex Presse
"How much net work could a network work if a network could net work?"
Nick Hilliard
2016-04-06 16:42:30 UTC
Post by Sebastian Beutel
the equivalent for sun-nd of what ip helper is for DHCP. Could this be? A
workaround for a 30-year-old proprietary legacy protocol is in the default
configuration of a modern router?
DECnet MOP support keeps resurfacing as enabled-by-default in various
image trains. It was enabled on most of 12.4, then was disabled by
default, but more recently made an appearance on 15.3 or so. This can be
fixed using:

interface GigabitEthernet1/0
no mop enabled

Nick
Saku Ytti
2016-04-06 16:50:53 UTC
On 6 April 2016 at 19:16, Sebastian Beutel
<***@rus.uni-stuttgart.de> wrote:

Hey,
Post by Sebastian Beutel
So I asked the wisdom of the search engines and found out that there once
was a protocol with the name "sun-nd" and the IP protocol number 77, used in
Sun's diskless Sun-2 stations. The line "ip forward-protocol nd" seems to be
the equivalent for sun-nd of what ip helper is for DHCP. Could this be? A
workaround for a 30-year-old proprietary legacy protocol is in the default
Helper is for any number of protocols enumerated by 'ip
forward-protocol'. Usually, as you say, DHCP (BOOTP).

Cisco (and other vendors) are in a difficult position when it comes to
default settings. You ship with some config, and no matter how crazy
the defaults are, changing them will break something for someone.

I think one solution to this would be to support multiple
standard/default settings, and your config would have a line about which
standard you are using. If there is nothing, it's using the latest
available in that image. This way people could choose when they adopt
more modern standards, and as vendors and customers learn how things
should be configured, there would be a lower barrier to introducing a new
standard.
Basically this standard release would just be a config over which the
user config is merged, likely a very simple concept for IOS-XR and
Junos, but perhaps not so simple for classic IOS.
--
++ytti
Mattias Gyllenvarg
2016-04-07 11:03:52 UTC
Yeah, this was discussed some time ago when they were planning IOS 15
and checked what we wanted here on the list.

I asked for a global "modern standards/defaults" but no go.
Or legacy-default-off.
Nothing fancy, just like the above. No proxy-arp etc. etc., stuff left behind
in the last millennium.
Post by Saku Ytti
On 6 April 2016 at 19:16, Sebastian Beutel
Hey,
Post by Sebastian Beutel
So I asked the wisdom of the search engines and found out that there once
was a protocol with the name "sun-nd" and the IP protocol number 77, used in
Sun's diskless Sun-2 stations. The line "ip forward-protocol nd" seems to be
the equivalent for sun-nd of what ip helper is for DHCP. Could this be? A
workaround for a 30-year-old proprietary legacy protocol is in the default
Helper is for any number of protocols enumerated by 'ip
forward-protocol'. Usually, as you say, DHCP (BOOTP).
Cisco (and other vendors) are in a difficult position when it comes to
default settings. You ship with some config, and no matter how crazy
the defaults are, changing them will break something for someone.
I think one solution to this would be to support multiple
standard/default settings, and your config would have a line about which
standard you are using. If there is nothing, it's using the latest
available in that image. This way people could choose when they adopt
more modern standards, and as vendors and customers learn how things
should be configured, there would be a lower barrier to introducing a new
standard.
Basically this standard release would just be a config over which the
user config is merged, likely a very simple concept for IOS-XR and
Junos, but perhaps not so simple for classic IOS.
--
++ytti
Patrick M. Hausen
2016-04-07 11:14:03 UTC
Hi, all,
Post by Mattias Gyllenvarg
Yeah, this was discussed some time ago when they were planning IOS 15
and checked what we wanted here on the list.
I asked for a global "modern standards/defaults" but no go.
Or legacy-default-off.
Nothing fancy, just like the above. No proxy-arp etc. etc., stuff left behind
in the last millennium.
Be grateful we do not need to explicitly configure

ip classless
ip subnet-zero

;-)
Patrick
--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
***@punkt.de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285

Mark Tinka
2016-04-07 11:31:23 UTC
Post by Patrick M. Hausen
Be grateful we do not need to explicitly configure
ip classless
ip subnet-zero
Or "ip routing" :-).

Mark.
Gert Doering
2016-04-07 11:36:23 UTC
Hi,
Post by Mark Tinka
Post by Patrick M. Hausen
Be grateful we do not need to explicitly configure
ip classless
ip subnet-zero
Or "ip routing" :-).
Which really shouldn't be default nowadays, while "ipv6 unicast-routing"
*should* be... :-)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
Mark Tinka
2016-04-07 11:38:08 UTC
Post by Gert Doering
Which really shouldn't be default nowadays, while "ipv6 unicast-routing"
*should* be... :-)
IOS 22.5(SE6) :-).

If anyone remembers, when the ME3600X/3800X first launched in 2010, you
explicitly needed "ip routing" to enable IP/MPLS capability. 12.2(EY)
greatness!

Mark.
Phil Mayers
2016-04-07 12:03:24 UTC
Post by Sebastian Beutel
What do you think: Is this a bug?
As others have said: IOS defaults are, largely, insane for 2016.

We have:

no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs

...amongst other things in our standard IOS config.

It's one more tedious part of modern IT - reaping the "benefits" of
compatibility with the very best the 1980s had to offer.

:o(
Nick Cutting
2016-04-07 12:06:28 UTC
The whizzkids often used a connection to the super-unprotected LAN to get themselves out of a locked room while they were being held captive by white-collar criminals.
Those 80s protocols got them out of numerous jams.

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-***@puck.nether.net] On Behalf Of Phil Mayers
Sent: 07 April 2016 13:03
To: cisco-***@puck.nether.net
Subject: Re: [c-nsp] what the heck is "ip forward-protocol nd" good for
Post by Sebastian Beutel
What do you think: Is this a bug?
As others have said: IOS defaults are, largely, insane for 2016.

We have:

no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs

...amongst other things in our standard IOS config.

It's one more tedious part of modern IT - reaping the "benefits" of compatibility with the very best the 1980s had to offer.

:o(
Phil Mayers
2016-04-07 12:09:13 UTC
Post by Nick Cutting
The whizzkids often used a connection to the super-unprotected LAN to
get themselves out of a locked room while they were being held
captive by white-collar criminals. Those 80s protocols got them out
of numerous jams.
"How do you make it play itself?"
"Number of players: zero"
"SIGSEGV: halting"
"...ah"
Stephen Stuart
2016-04-07 16:21:57 UTC
Post by Phil Mayers
Post by Nick Cutting
The whizzkids often used a connection to the super-unprotected LAN to
get themselves out of a locked room while they were being held
captive by white-collar criminals. Those 80s protocols got them out
of numerous jams.
"How do you make it play itself?"
"Number of players: zero"
"SIGSEGV: halting"
"...ah"
Clearly leaving an unsecured console running when your code has a
zero-day exploit over not sanitizing inputs is also a risk.

Stephen
Sebastian Beutel
2016-04-07 18:20:54 UTC
Hi Phil,
hi List,
Post by Phil Mayers
Post by Sebastian Beutel
What do you think: Is this a bug?
As others have said: IOS defaults are, largely, insane for 2016.
no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
...amongst other things in our standard IOS config.
It's one more tedious part of modern IT - reaping the "benefits" of
compatibility with the very best the 1980s had to offer.
To me the "Cisco IOS IP Application Services Command Reference" is a little
blurry:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/command/iap-cr-book/iap-i1.html#wp1776761080

If I get it right, enabling an ip helper on an interface enables forwarding
of a list of stuff. Furthermore, the global "ip forward-protocol udp"
(without any protocol name) enables forwarding all of this on any interface.
I suppose that it's very naive to assume that the lines you wrote could be
replaced by this:

no ip forward-protocol udp
ip forward-protocol udp bootpc
ip forward-protocol udp bootps

But the thing that keeps me puzzled is that only "ip forward-protocol nd" appears
in a "sho run" of a default virgin configuration and none of the above does.
Not even in a "sho run {all|full}". Why exactly this and none of the others?

Best, Sebastian.
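As an added example for this thread (not code from any of the posters, and not a Cisco tool), here is a small Python audit that takes the text of "show running-config all" and flags the legacy defaults discussed above: "ip forward-protocol nd", any "ip forward-protocol udp" entry beyond bootps/bootpc (Phil's hardening list), proxy ARP left enabled ("no ip arp proxy disable", Alex's check) and "mop enabled" on an interface (Nick's fix). It also answers Sebastian's question in practice: whatever the device hides from "show run", the "all" variant exposes it, so that is the text to feed in. The configuration text and hostname are constructed for the example; the only real syntax is the IOS commands quoted in the thread.

```python
"""Audit Cisco IOS 'show running-config all' text for legacy defaults.

Added example, not from the mailing-list posts or from Cisco.  The sample
config below is constructed; it is not a real device dump.
"""
import re

# Constructed sample of "show running-config all" output.
SAMPLE_RUN_ALL = """\
version 15.2
hostname edge1
!
ip forward-protocol nd
ip forward-protocol udp tftp
ip forward-protocol udp domain
no ip forward-protocol udp tacacs
no ip arp proxy disable
!
interface GigabitEthernet1/0
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 192.0.2.10
 mop enabled
!
interface GigabitEthernet1/1
 ip address 198.51.100.1 255.255.255.0
 no mop enabled
!
end
"""

# Global lines that, when present verbatim, mean a legacy default is in effect.
LEGACY_GLOBAL = {
    "ip forward-protocol nd":
        "Sun ND (IP protocol 77) helper forwarding enabled; fix: 'no ip forward-protocol nd'",
    "no ip arp proxy disable":
        "proxy ARP enabled globally; 'ip arp proxy disable' once dependants are known",
}
# UDP protocols a helper-address is normally expected to relay (DHCP/BOOTP).
WANTED_UDP = {"bootps", "bootpc"}


def parse_sections(text):
    """Split IOS config text into (global_lines, {interface: [sub-lines]}).

    IOS indents sub-commands with a single space, so a line without leading
    whitespace ends the current interface block.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            current = None
            if line.startswith("interface "):
                current = line.split(" ", 1)[1]
                interfaces[current] = []
            else:
                global_lines.append(line)
        elif current is not None:
            interfaces[current].append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return a list of human-readable findings for the legacy defaults."""
    findings = []
    global_lines, interfaces = parse_sections(text)
    for line in global_lines:
        if line in LEGACY_GLOBAL:
            findings.append(f"global: {line} -> {LEGACY_GLOBAL[line]}")
        # 'no ip forward-protocol udp X' does not match: only enabled entries count.
        m = re.fullmatch(r"ip forward-protocol udp (\S+)", line)
        if m and m.group(1) not in WANTED_UDP:
            findings.append(f"global: helper relays UDP {m.group(1)} -> 'no {line}'")
    for name, lines in interfaces.items():
        if "mop enabled" in lines:
            findings.append(f"{name}: DECnet MOP enabled -> 'no mop enabled'")
        if any(l.startswith("ip helper-address") for l in lines):
            findings.append(f"{name}: helper-address set; the global forward-protocol list applies here")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUN_ALL):
        print(finding)
```

Run it against a saved "show running-config all" instead of the constructed sample to get the same report for a real box; the interface finding about helper-address is informational, since that is where the forward-protocol list actually takes effect.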