The True Story Behind the Cisco Identification Port
If you’ve ever taken a look at the (now deprecated) RFC-1700 (a.k.a. “Assigned Numbers”), or at its replacement, IANA’s maintained PORT NUMBERS database, you may have been as puzzled as I was about these two lines:
What is that supposed to mean? Do Cisco IOS devices have some kind of custom IDENT server running on ports 1999/tcp and 1999/udp? Well… no. This is yet another instance of “gather around the campfire to hear a story.”
The oldest public reference to the so-called “cisco identification port” can be found on a BUGTRAQ post from 1999, whose title was “Remote Cisco Identification,” and quoting from said post:
Basically any Cisco Router or device running IOS code responds to requests to port 1999 differently than any other port. … Cisco products respond to SYNs directed to port 1999 with a RST. Which is normal but they also include ‘cisco’ in the payload of the packet.
Could that be true? Indeed, sending a TCP SYN segment to port 1999/tcp on a Cisco IOS router (a good old 2501!) running release 11.0(1) results in an RST being sent back — and lo and behold, the payload of said RST does indeed include the string “cisco” (pcap here for those who’d like to see proof).
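For readers who want to check their own captures for this legacy leak, here is a small added example (not code from the original post) that parses raw IPv4/TCP packets and flags an RST from source port 1999 whose payload carries the string “cisco”; the packet-building helper and the sample packets are constructed for illustration, with checksums left at zero.

```python
import struct

TCP_RST = 0x04
TCP_SYN = 0x02
CISCO_ID_PORT = 1999


def parse_ipv4_tcp(pkt: bytes):
    """Parse a raw IPv4+TCP packet (no link-layer header).

    Returns a dict with ports, flags and payload, or None if the bytes are
    not a well-formed IPv4 packet carrying TCP.
    """
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4           # IPv4 header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:   # protocol 6 == TCP
        return None
    tcp = pkt[ihl:]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4    # TCP header length in bytes
    flags = off_flags & 0x01FF
    return {"sport": sport, "dport": dport, "flags": flags, "payload": tcp[data_off:]}


def is_cisco_id_rst(pkt: bytes) -> bool:
    """True if pkt is the 1999/tcp identification RST described in the post."""
    p = parse_ipv4_tcp(pkt)
    if p is None:
        return False
    return (p["sport"] == CISCO_ID_PORT
            and bool(p["flags"] & TCP_RST)
            and b"cisco" in p["payload"])


def build_ipv4_tcp(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4+TCP packet for testing (constructed sample, zero checksums)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def count_cisco_id_rsts(packets) -> int:
    """Count identification RSTs in an iterable of raw packets (e.g. read from a pcap)."""
    return sum(1 for pkt in packets if is_cisco_id_rst(pkt))
```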
A search on our CDETS database leads us to the bug entry “CSCdk85821 – Identification protocol on TCP 1999 has outlived its usefulness”, by which this “feature” was removed from Cisco IOS Software, starting with the 12.0 mainline train. And the release note for said bug reads:
When a TCP connection is made to a Cisco IOS device on TCP port 1999, the string “cisco” is included in the resulting TCP reset packet. This releases the information that the system is running Cisco IOS software.
So it is true that 1999/tcp is some kind of identification port, and we removed this “feature” back in April of 1999. Problem solved, move on, nothing else to see here…
But where did it come from and why? Well, try as we may, there’s no design document anywhere specifying how it came to be, why it came to be, and what the original purpose of the feature was. But even if there’s no design document anywhere about the feature, one of the fringe benefits of being a PSIRT Incident Manager is that you get access to the Cisco IOS source code, all releases, all trains. (That and dental is what makes working here so worthwhile.) And in the source code for 11.0(1), file sys/tcp/tcpoutput.c, Kirk Lougheed notes that in the early days of the company some IP routers were lost on the way to Finland, and since at the time routers were considered a controlled technology by the military, there was some concern that they had ended up in the hands of the former Soviet Union. Kirk goes on to explain how this led to the feature:
So that’s the true story behind the “cisco identification port” — how it came to be and why, and when and why it was removed from the Cisco IOS source code.
But there is still another mystery here: RFC-1700’s last update was in October of 1994, and the original public post to BUGTRAQ that made people aware of how this identification port worked is from January 1999. The question is: who was the person that, back in 1994, knew the purpose of 1999/tcp and let the IETF know so it could be added to RFC-1700? Well, that’s proven to be more difficult to find out, so if anyone here has any insight, let me know.