|
Way back in May 18, 2010, Dario Ciccarone of The Cisco Product Security Incident Response Team (PSIRT) published a blog post called Router Spring Cleaning – No MOP Required. It has since been archived, but the key points of that blog are captured below: |
|
When looking over the recommendations in the Cisco Guide to Harden Cisco IOS Devices, time and again people are puzzled by this line: “Issue the no mop enabled command in interface configuration mode in order to disable the Maintenance Operation Protocol (MOP) service.” And they come back to us with questions like, “What is MOP, why do I have to disable it, and is it even relevant if I’m not running DECnet?” Well, the thing is, the MOP functionality is decoupled from the DECnet protocol stack, so even if your device isn’t configured for DECnet, you will still be able to establish a MOP RC session to the device, as long as MOP hasn’t been explicitly disabled. So, some key points to note from all of this:
So, now you’re wondering, “Why is Cisco bring this old stuff back up again?” Well… This topic recently came up again in an external forum. I hope this blog will clear up some inconsistencies and outline a clear mitigation path for customers. The contents below pertain to any router or switching platform that is running Cisco IOS Software or Cisco IOS-XE Software. Identifying MOP on PlatformsOver the years, support for MOP has been completely removed and can’t be enabled or configured in some releases and in some license level sets. For those platforms that have not removed support, some have left it enabled by default, while others ship with it disabled by default. We can use the following steps to determine if the protocol is both present and enabled on the running image. |
Step 1: Determine Whether the Platform Supports MOP
To see if the software image on the platform you are running supports MOP, enter
the show subsys | include mop CLI command. If the platform supports MOP, it will show a line with mop Protocol, as shown in the following example:
Router#show subsys | include mop mop Protocol 1.000.001 Router#
If the device doesn’t support MOP, it will return nothing as shown in the following example:
Router#show subsys | include mop Router#
If a platform doesn’t support MOP, then the commands to disable MOP won’t be visible in the command help and you will get an error if you try to configure it, as shown in the following examples:
Router(config)#interface gigabitEthernet 1
Router(config-if)#no mop ?
% Unrecognized command
Router(config-if)#no mop enabled
^
% Invalid input detected at '^' marker.
Router(config-if)#
Step 2: Determine Whether the Platform is Running MOP
If you have confirmed that the platforms supports MOP, use the show processes | include
MOP CLI command to see if the MOP process is actually running on the device. If the platform has MOP enabled (either by default or by a configuration), it will show the MOP Protocols in the output, as shown in the following example:
Router#show processes | include MOP 208 Mwe 5632C4164FCE 7 66 10622408/24000 0 MOP Protocols Router#
If the device isn’t running MOP, it will return nothing as shown in the following example:
Router#show processes | include MOP Router#
The platform will accept MOP RC sessions only if it is running MOP.
Controlling MOP RC Sessions on the VTY Lines
Once we have determined that the image supports MOP and that the MOP process is running, how do we control MOP usage and access? The following question came up on the external forum, and it was mentioned in the original blog: Why is MOP RC traffic even accepted when the VTY lines were configured with transport input ssh, which should drop all management protocols other than SSH over the VTY lines, especially when transport input does include the keyword option of mop?
The answer is that this is a bug and it has been addressed with Cisco Bug ID CSCwa57951. The fix will be included in Cisco IOS XE Software releases 17.9(1) and later. After you implement the fix, if you do have the recommended configuration of transport input ssh on the VTY lines, then even if MOP is running, no connections that use MOP RC will be permitted.
Note: MOP RC sessions still are subject to whatever authentication options are configured on the VTY lines.
Recommendations for MOP
The current advice really hasn’t changed from what was recommended way back in 2010 and as per the hardening guide. Go ahead and disable MOP on all interfaces; unless your business requires it to be enabled.
Recently, the MOP protocol has been disabled by default in Cisco IOS XE releases but, unfortunately, that varies from platform type to platform type and even license levels.
Regardless of how you are configuring the device – via templates, API, scripts, or manually – ensure that you apply no mop enable on all interfaces. The command will be rejected if the release or license level doesn’t support MOP, but it won’t impact to the device.
At this point you may ask, “Hang on… isn’t there a global command to just disable MOP? Something similar to the no cdp run command?” The short answer is no. But a feature request has been raised for the support of this command via Cisco Bug ID CSCwa91505.
Also, ensure that you have your VTY and TTY lines configured in accordance with the Cisco Guide to Harden Cisco IOS Devices. Doing so will ensure that once you upgrade your Cisco IOS XE release beyond 17.9(1), you will be protected regardless of the MOP configuration status.
What About MOP sysid?
This blog and the previous one focused on no mop enable. You will likely also see the no mop sysid interface configuration command. When MOP is enabled, the MOP server will periodically multicast a system ID message out to the Ethernet interfaces if mop sysid is enabled.
So if you see frames on your network with the Ethertype 0x6002, then there’s a good chance you not only have MOP enabled but mop sysid enabled as well. Disabling MOP with the no mop enable interface configuration command also disables sending MOP periodic system ID.
Final Concerns
What if you disabled MOP with the no mop enable interface command on all interfaces, then issued the show processes | include MOP and you still see the MOP process being active? Be patient. In the background, a process runs every 8 to 12 minutes to check if MOP is disabled on all supported interfaces. If it is, then it fully shuts down the MOP process and you will no longer see it in the show processes | include MOP output. If you wait 15 minutes and still see the MOP process in the output of show processes | include MOP, then you still have MOP enabled on a supported interface.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
CONNECT WITH US