RE: IP Default-Network/IP Subnet-Zero Exploit--or old news?

From: Mas Kato (tealp729@xxxxxxxx)
Date: Thu May 03 2001 - 19:45:17 GMT-3


Logic? With IOS? We don't need no stinking logic! <G>

The reason I tried subnet-zero is I once read a TAC newsletter article
that illustrated how subnet-zero ambiguity could bite you because of the
assumptions the IOS must make if you allow it. So I got to wondering if
there was a way to exploit the ambiguity in this mis-matched mask
situation.

Sure, subnet zero could represent the "zero-ith" subnet or the whole
classful network itself--but I thought this was the purpose of the 'ip
subnet-zero' command: 'ip subnet-zero' = "zero-ith" subnet; 'no ip
subnet-zero' = whole classful network.

Apparently, the 'ip default-network' command was coded on a Friday,
because although you noticed, -it- doesn't seem to notice that the
172.16.0.0 network is a /24. I was actually expecting it to install a
static /16 route with the /24 route as the next hop. I was then going to
try 'no ip subnet-zero' and stand back to see what happened next, but I
found this!

So I think it might be a bug...

Regards,

Mas

-----Original Message-----
From: Johnny Dedon [mailto:johnny.dedon@exodus.net]
Sent: Thursday, May 03, 2001 8:34 AM
To: Mas Kato
Subject: Re: IP Default-Network/IP Subnet-Zero Exploit--or old news?

Mas,
This works great. What logic did you apply to come up with this or was
it an accidental discovery? The classless (24-bit) mask on the loopback
would allow router 5 to advertise the route to r2 but I'm lost at why the
default works. The 172.16.0.0 network is listed as a 24-bit subnet. It somehow
ignores that fact on the recursive lookup.

Johnny Dedon
Senior Staff Consultant
Exodus Professional Services
johnny.dedon@exodus.net
www.exodus.net
----- Original Message -----
From: "Mas Kato" <tealp729@home.com>
To: "'CCIELAB'" <ccielab@groupstudy.com>
Sent: Thursday, May 03, 2001 1:21 AM
Subject: IP Default-Network/IP Subnet-Zero Exploit--or old news?

> Hello everybody,
>
> I've been playing around with the ole' FLSM network-to-VLSM network
> reachability scenario and may have stumbled across an 'ip
> default-network' / 'ip subnet-zero' exploit. It's a variation on
> something I found in the archives--but I'm not sure if it's old news
> or not, so I thought I'd throw it out there and have you guys rip it to
> shreds...
>
> Major network: 172.16.0.0
>
> OSPF/28--(R3)--OSPF/24--(R5)--IGRP/24--(R2)
>
> Goal: Provide reachability to the OSPF/28 network from the IGRP/24
> network while avoiding statics, blah, blah...
>
> One of the archived suggestions is to configure a classful loopback on
> R5, have IGRP advertise it to R2 and then use the 'ip default-network'
> command on R2, referencing the classful network. Fine--but what if
> we're limited to using subnets from just one major network?
>
> Well, since the 'ip default-network' command is classful, if we
> reference a subnet of our major network we get that lovely static
> route installed to the major net and then we have to issue the 'ip
> default-network' command again, this time referencing the major net.
> Ug.
>
> Here's what it looked like on R2:
>
> Gateway of last resort is 172.16.5.0 to network 172.16.0.0
>
> * 172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
> C 172.16.52.0/24 is directly connected, Ethernet0
> I 172.16.35.0/24 [100/7100] via 172.16.52.5, 00:00:13, Ethernet0
> I 172.16.5.0/24 [100/1600] via 172.16.52.5, 00:00:13, Ethernet0
> S* 172.16.0.0/16 [1/0] via 172.16.5.0
> C 172.16.2.0/24 is directly connected, Loopback0
> R2#
>
> But then I got to thinking, "yo, what if the subnet we reference is
> subnet zero?"
>
> Now check out R2 (no static!):
>
> Gateway of last resort is 172.16.52.5 to network 172.16.0.0
>
> * 172.16.0.0/24 is subnetted, 5 subnets
> C 172.16.52.0 is directly connected, Ethernet0
> I 172.16.35.0 [100/7100] via 172.16.52.5, 00:01:16, Ethernet0
> I* 172.16.0.0 [100/1600] via 172.16.52.5, 00:01:16, Ethernet0
> C 172.16.2.0 is directly connected, Loopback0
> R2#
>
> Analysis, feedback, gotchas, etc. welcomed...
>
> Regards,
>
> Mas Kato
>
> (Config snippets follow...)
>
> !!!!!!!!!!
> hostname R5
> !
> ip subnet-zero
> !
> interface Loopback0
> ip address 172.16.0.5 255.255.255.0
> !
> interface Ethernet0
> ip address 172.16.52.5 255.255.255.0
> !
> interface Serial1
> bandwidth 2000
> ip address 172.16.35.5 255.255.255.0
> !
> router ospf 1
> log-adjacency-changes
> redistribute igrp 1 metric 10 subnets route-map IGRPNETS
> network 172.16.35.0 0.0.0.255 area 0
> !
> router igrp 1
> redistribute ospf 1 metric 2000 2000 255 1 1500
> passive-interface Serial1
> network 172.16.0.0
> !
> ip classless
> !
> access-list 1 permit 172.16.0.0 0.0.0.255
> access-list 1 permit 172.16.2.0 0.0.0.255
> access-list 1 permit 172.16.52.0 0.0.0.255
> route-map IGRPNETS permit 10
> match ip address 1
> !
> end
> R5#
>
> !!!!!!!!!!
> R2#
> hostname R2
> !
> ip subnet-zero
> !
> interface Loopback0
> ip address 172.16.2.1 255.255.255.0
> !
> interface Ethernet0
> ip address 172.16.52.2 255.255.255.0
> !
> router igrp 1
> network 172.16.0.0
> !
> ip classless
> ip default-network 172.16.0.0
> end
> R2#
> **Please read:http://www.groupstudy.com/list/posting.html
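The ambiguity the thread turns on is that subnet zero of 172.16.0.0/24 and the classful network 172.16.0.0/16 have the same address, so an address-only command like 'ip default-network 172.16.0.0' cannot distinguish them. The following audit check, added here as an example and not code from the thread or from Cisco, parses the two R2 'show ip route' excerpts quoted above (re-typed as constructed sample input with IOS-style indentation) and flags a candidate default route that is the subnet-zero subnet of its own major network.

```python
import ipaddress
import re
# Constructed sample: the two R2 'show ip route' excerpts quoted in the thread.
BEFORE = """Gateway of last resort is 172.16.5.0 to network 172.16.0.0
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C    172.16.52.0/24 is directly connected, Ethernet0
I    172.16.35.0/24 [100/7100] via 172.16.52.5, 00:00:13, Ethernet0
I    172.16.5.0/24 [100/1600] via 172.16.52.5, 00:00:13, Ethernet0
S*   172.16.0.0/16 [1/0] via 172.16.5.0
C    172.16.2.0/24 is directly connected, Loopback0"""
AFTER = """Gateway of last resort is 172.16.52.5 to network 172.16.0.0
     172.16.0.0/24 is subnetted, 5 subnets
C    172.16.52.0 is directly connected, Ethernet0
I    172.16.35.0 [100/7100] via 172.16.52.5, 00:01:16, Ethernet0
I*   172.16.0.0 [100/1600] via 172.16.52.5, 00:01:16, Ethernet0
C    172.16.2.0 is directly connected, Loopback0"""

GATEWAY = re.compile(r"^Gateway of last resort is (\S+) to network (\S+)")
HEADER = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)/(\d+) is (variably )?subnetted")
ROUTE = re.compile(r"^([A-Z]{1,2}\*?)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s")

def classful_prefixlen(addr):
    """Legacy class A/B/C mask length for an address (8, 16 or 24)."""
    first = int(str(addr).split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24

def parse_routes(text):
    """Return (gateway_of_last_resort, [(code, network), ...]). Routes under an
    'is subnetted' header inherit that header's single mask."""
    gateway, routes, implied_len = None, [], None
    for line in text.splitlines():
        if m := GATEWAY.match(line):
            gateway = (m.group(1), m.group(2))
        elif m := HEADER.match(line):
            implied_len = None if m.group(3) else int(m.group(2))
        elif m := ROUTE.match(line):
            code, addr, plen = m.groups()
            routes.append((code, ipaddress.ip_network(f"{addr}/{plen or implied_len}")))
    return gateway, routes

def subnet_zero_default(text):
    """Return the candidate-default route ('*' code) that is subnet zero of its
    own major network (address identical to the classful network), else None."""
    for code, net in parse_routes(text)[1]:
        major = ipaddress.ip_network(
            f"{net.network_address}/{classful_prefixlen(net.network_address)}", strict=False)
        if (code.endswith("*") and net.prefixlen > major.prefixlen
                and net.network_address == major.network_address):
            return net
    return None
```

Running it over the first table returns None (the S* route is a genuine /16), while the second table returns 172.16.0.0/24, the subnet-zero IGRP route that IOS flagged as the candidate default.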
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:33 GMT-3