The True Story Behind the Cisco Identification Port
If you’ve ever taken a look at the (now deprecated) RFC-1700 (a.k.a. “Assigned Numbers”), or at its replacement, the IANA-maintained PORT NUMBERS database, you may have been as puzzled as I was about these two lines:
tcp-id-port 1999/tcp cisco identification port
tcp-id-port 1999/udp cisco identification port
What is that supposed to mean? Do Cisco IOS devices have some kind of custom IDENT server running on ports 1999/tcp and 1999/udp? Well… no. This is yet another instance of “gather around the campfire to hear a story.”
The oldest public reference to the so-called “cisco identification port” can be found in a BUGTRAQ post from 1999 titled “Remote Cisco Identification.” Quoting from said post:
Basically any Cisco Router or device running IOS code responds to requests to port 1999 different than any other port. … Cisco products respond to SYNs directed to port 1999 with a RST. Which is normal but they also include ‘cisco’ in the payload of the packet.
Could that be true? Indeed, sending a TCP SYN segment to port 1999/tcp on a Cisco IOS router (a good old 2501!) running release 11.0(1) results in an RST being sent back — and lo and behold, the payload of said RST does indeed include the string “cisco” (pcap here for those who’d like to see proof).
A search on our CDETS database leads us to the bug entry “CSCdk85821 – Identification protocol on TCP 1999 has outlived its usefulness”, by which this “feature” was removed from Cisco IOS Software, starting with the 12.0 mainline train. And the release note for said bug reads:
When a TCP connection is made to a Cisco IOS device on TCP port 1999, the string “cisco” is included in the resulting TCP reset packet. This releases the information that the system is running Cisco IOS software.
So it is true that 1999/tcp is some kind of identification port, and we removed this “feature” back in April of 1999. Problem solved, move on, nothing else to see here…
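The behaviour described in the release note can be looked for in captured traffic. The following is an added example, not code from the original post or from Cisco: it parses raw IPv4 packets and flags TCP RST segments sent from source port 1999 whose payload is the five-byte string "cisco". The function names and the sample packets (documentation addresses, zeroed checksums) are constructed for illustration.

```python
import socket
import struct

RST = 0x04  # TCP RST flag bit

def parse_rst_payload(packet: bytes):
    """Return (src_ip, src_port, payload) for a TCP RST that carries data, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6 or ihl < 20 or total_len > len(packet) or total_len < ihl + 20:
        return None
    tcp = packet[ihl:total_len]          # trims any link-layer padding
    sport, = struct.unpack("!H", tcp[0:2])
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp) or not tcp[13] & RST:
        return None
    payload = tcp[data_off:]
    if not payload:                      # an ordinary RST has no data
        return None
    return socket.inet_ntoa(packet[12:16]), sport, payload

def leaks_cisco_id(packet: bytes) -> bool:
    """True if the packet is a RST from port 1999 whose data is exactly b'cisco'."""
    hit = parse_rst_payload(packet)
    return hit is not None and hit[1] == 1999 and hit[2] == b"cisco"

def make_packet(src, sport, flags, payload=b""):
    """Constructed IPv4/TCP packet for the demo (checksums left as zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, 40000, 0, 1, 5 << 4, flags, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton("192.0.2.10"))
    return ip + tcp

# Constructed samples, not taken from a real capture.
SAMPLES = [
    make_packet("192.0.2.1", 1999, 0x14, b"cisco"),  # RST+ACK with the 5-byte string
    make_packet("192.0.2.2", 1999, 0x14),            # ordinary empty RST
    make_packet("192.0.2.3", 80, 0x18, b"cisco"),    # PSH+ACK data, not a RST
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(parse_rst_payload(pkt), leaks_cisco_id(pkt))
```

Any RST with a non-empty payload is unusual enough to be worth surfacing on its own, which is why `parse_rst_payload` is kept separate from the port 1999 check.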
But where did it come from and why? Well, try as we may, there’s no design document anywhere specifying how it came to be, why it came to be, and what the original purpose of the feature was. But even if there’s no design document anywhere about the feature, one of the fringe benefits of being a PSIRT Incident Manager is that you get access to the Cisco IOS source code, all releases, all trains. (That and dental is what makes working here so worthwhile.) And in the source code for 11.0(1), file sys/tcp/tcpoutput.c, Kirk Lougheed notes that in the early days of the company some IP routers were lost on the way to Finland, and since at the time routers were considered a controlled technology by the military, there was some concern that they had ended up in the hands of the former Soviet Union. Kirk goes on to explain how this led to the feature:
* Well, the routers did turn up, but in case we ever had routers go
* missing again, Len and I installed the port 1999 hack. There are
* two parts. The first was to have the no such connection code
* TCP port 1999. It would then fill in the data portion of the RST
* packet with the five byte string "cisco" and send
* back to the originator. The other part was to have
* remove and print out the data portion of any
* The idea was to be able to conclusively identify a router as
* router. No version information was ever included
* would be a very blatant security hole (e.g. oh, it's
* you need to do this to break in). We have never
* advertised this functionality. The function has
* been in the code since Release 6 or so.
So that’s the true story behind the “cisco identification port” — how it came to be and why, and when and why it was removed from the Cisco IOS source code.
But there is still another mystery here: RFC-1700’s last update was in October of 1994, and the original public post to BUGTRAQ that made people aware of how this identification port worked is from January 1999. The question is: who was the person that, back in 1994, knew the purpose of 1999/tcp and let the IETF know so it could be added to RFC-1700? Well, that’s proven to be more difficult to find out, so if anyone here has any insight, let me know.