North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cisco and the tobacco industry

  • From: Ivan Groenewald
  • Date: Sat Jul 30 19:45:30 2005

Applying patches to binaries, hmmmmm. Sounds a bit difficult.

IMHO IOS should be completely modular. ie SNMP/QOS/BGP etc should be a loadable module etc. In the event of you patching a service specific bug, you'd only upload the new modules and insmod them. I'd be very happy if the Cisco router fairy would write and backport such an IOS. That should end this idiotic router rebooting nonsense that the internet is plagued with, for the most part.
But, there is some progress in this direction; afaik IOS XR is modular IOS but only runs on really-really-really big equipment like the Cisco CRS-1 ("Helo Dave" Red light module optional).

The actual patch file can be located in a server at the customer's site
and Cisco can distribute them via BitTorrent :-)
That's equivalent to saying the internet is safe enough to do your corporate banking via plain text email.
my 2 pence,
ivan

Jeffrey I. Schiller wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks.

All that is needed is for cisco to put an "upgrade" command into their
router. The "upgrade" command determines the routers version (and
current patch level) and requests the download of a version specific
patch file.

The command takes as arguments the on-disk (flash) version of the core
image and the beginning of a URL where to find the file. The filename
itself can be constructed based on the current version. The upgrade file
itself contains the checksum of the image it should be applied against
as well as the checksum of the final image. Of course it is digitally
signed by cisco (so Cisco will need a public key installed in its images).

The upgrade command then determines if sufficient flash exists to
perform the change and performs the upgrade. It might even be able to
patch in the in-core image (presumably this can be done via code that is
included in the patch itself, I leave this as an exercise for cisco).

The actual patch file can be located in a server at the customer's site
and Cisco can distribute them via BitTorrent :-)

Important points:

* Upgrade is initiated by the user. If the necessary arguments are
stored in the system configuration, perhaps the upgrade can be triggered
by SNMP even (yeah right).
* All patches are signed.
* Patches know what version they apply to and are careful to ensure they
are being applied to the right version (even if the customer improperly
names the files on their server).

This isn't trivial to do, but it isn't rocket science either!

-Jeff

- --
=============================================================================
Jeffrey I. Schiller
MIT Network Manager
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
[email protected]
============================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC6+RK8CBzV/QUlSsRAmdAAKDCpvTl0sBIk5v0hX1Wbta1mRHe4ACg5/Or
ONwi+567ZEAdtW7B1J/yDhk=
=GJ2e
-----END PGP SIGNATURE-----