Domain: cisco.com
Stories and comments across the archive that link to cisco.com.
Comments · 1,300
-
Re:You, sir, are an idiot.
See Sunsolve. The IEEE specs are open to various interpretations; this can lead to Gb interfaces going to 100/hdx or other dodgy configs. See also Cisco's website for their take. (Also see here.)
Cisco seem to recommend autonegotiation; Sun recommend forcing the speed/duplex.
We've had problems in the past with Sun's "ce" fibre cards and Cisco Catalyst switches. It's not that either implementation is "wrong", the specs simply are not specific enough.
Sorry, can't find the detail in the spec which causes the problem -
Re:Access Points with teeth
"Rogue access point" is an issue that has been discussed long ago; even such giants as Cisco have picked it up and describe fighting them in their "security best practices" whitepaper:
wireless security best practices
They also have a neat management system that can detect rogue clients/access points, display their location on the map and trace/disconnect them from the Ethernet port:
wireless management system
Sure, Cisco's not a startup and not Linus, but you cannot deny that they already have the technology and products. While not exactly cheap (as in for an average person or knowledgeable geek), such security functions do make them attractive to bigger customers. -
Re:Auto-negotiation
Actually, nowadays even Cisco recommends trying auto negotiation first, and only hard coding port/speed settings for problem NICs or for other switches, routers, and important servers. Also, with gigabit ethernet, the port speed and other settings like flow control have to be auto negotiated (http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml#auto_neg/).
Apparently, when auto negotiation was first being standardized, it was crap and most network admins just learned to shut it off and never changed practices as auto negotiation became more stable. Instead, the "turn it off" wisdom was passed down, normally with vague hand waving about "problems". Today Cisco and Sun (the only companies I researched) recommend auto negotiation. I'll bet those 9 machines failing to auto negotiate is more because of crap components being used than any fault of auto negotiation; this was apparently a known problem, and auto negotiation should have been turned off for those specific machines. -
Re:Auto-negotiation
Sounds like a classic Cisco problem. I don't know what switches LJ were plugged into, but for years most Cisco switches would autonegotiate 100/half-duplex if the NIC was locked to 100/full; conversely, sometimes, NICs would autonegotiate 100/half if the Cisco was locked to 100/full.
They're cheeky enough to document this now. It's a feature, not a bug! Honest!
-
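A check for the duplex-mismatch symptom the two comments above describe, added here as an example and not taken from either comment or from Cisco: it parses IOS-style `show interfaces` text for the negotiated duplex and the late-collision and CRC counters, then flags ports whose counters fit a mismatch. The output below is constructed rather than captured from a device, and the interface names and counter values are made up.

```python
import re
from typing import Dict

# Constructed sample of IOS "show interfaces" output (not captured from a real switch).
# Fa0/1 came up 100/half and is logging late collisions, the classic sign that the far end
# is running full-duplex; Fa0/2 negotiated cleanly; Gi0/1 is full-duplex but shows CRC errors.
SHOW_INTERFACES = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0011.2233.4455 (bia 0011.2233.4455)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     1023 input errors, 980 CRC, 43 frame, 0 overrun, 0 ignored
     0 output errors, 312 collisions, 1 interface resets
     0 babbles, 297 late collision, 15 deferred
FastEthernet0/2 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0011.2233.4456 (bia 0011.2233.4456)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0011.2233.4457 (bia 0011.2233.4457)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
     0 input errors, 12 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

IFACE_RE = re.compile(r"^(\S+) is (up|down|administratively down), line protocol is")
DUPLEX_RE = re.compile(r"^\s*(Half|Full)-duplex, (\d+)Mb/s")
COUNTER_RE = re.compile(r"(\d+) (late collision|collisions|CRC|runts)\b")


def parse_show_interfaces(text: str) -> Dict[str, dict]:
    """Return {interface: {status, duplex, speed, 'late collision', 'CRC', ...}}."""
    interfaces: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            current = head.group(1)
            interfaces[current] = {"status": head.group(2)}
            continue
        if current is None:
            continue
        dup = DUPLEX_RE.match(line)
        if dup:
            interfaces[current]["duplex"] = dup.group(1).lower()
            interfaces[current]["speed"] = int(dup.group(2))
        for count, name in COUNTER_RE.findall(line):
            interfaces[current][name] = int(count)
    return interfaces


def suspect_duplex_mismatch(interfaces: Dict[str, dict]) -> Dict[str, str]:
    """Map interface -> reason for every port whose counters fit a duplex mismatch."""
    findings: Dict[str, str] = {}
    for name, info in interfaces.items():
        duplex = info.get("duplex")
        if duplex == "half" and info.get("late collision", 0) > 0:
            # Late collisions only occur on the half-duplex side; a full-duplex peer that
            # transmits while this port is transmitting is the usual cause.
            findings[name] = "late collisions on a half-duplex port"
        elif duplex == "full" and (info.get("CRC", 0) > 0 or info.get("runts", 0) > 0):
            # The full-duplex side of a mismatch sees the peer's aborted frames as CRC errors/runts.
            findings[name] = "CRC errors or runts on a full-duplex port: verify the peer's duplex"
    return findings
```

Run it over saved `show interfaces` output from the switch; a NIC forced to 100/full facing an auto port that fell back to half-duplex shows up exactly as Fa0/1 does here, and the full-duplex side of the same link looks like Gi0/1.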
Re:three simple words
Just found a quick link about it here.
-
IPsec
The pristine IPsec protocol family lacked two key features: the ability to pass NAT and TLS/SSL-alike hybrid authentication. If these features had been built into IPsec and its implementations ten years ago, network layer encryption would be far more used and crappy stuff like PPTP would never have raised its ugly head. (I know this does not hold the abstract's requirements for "shortcomings", but I think the internet would look different today without it.)
The NAT problem got resolved by UDP encapsulation ("NAT-T" = NAT traversal, after years of being a draft finally published 5 days ago as an RFC), which got implemented by most VPN software during the past two years (= too late).
Hybrid auth means: peer A ("the server") authenticates itself to peer B ("the client") through asymmetric methods (like an RSA keypair and an X.509v3 cert). Peer B chooses a random symmetric session key and encrypts it for A; this sets up an encrypted tunnel. Inside this tunnel, B authenticates itself to A using simpler techniques like challenge-response or even clear passwords. Almost all personalized TLS/SSL protected services (https, pop3s, imaps, ...) work this way: servers have a cert, clients have a password. Easy to admin, easy to deploy, easy to roll out.
But with IPsec/IKE/ISAKMP you have to choose between shared secrets (bah!) or rolling out keypairs to all peers. And like all other protocols requiring all peers to be part of a PKI (PGP, S/MIME, SSL+certs on both sides) this slowed down propagation strongly.
There is an IETF draft "A Hybrid Authentication Mode for IKE" which is being adopted by more and more implementations right now (= far too late). Cisco is now pushing it because of the failure of their own "group password scheme" (of course they name it differently: "Mutual Group Authentication").
Man, why did they wait so long?
/graf0z. -
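The UDP encapsulation the comment above credits with solving the NAT problem has a small demultiplexing rule that a receiver must get right, so here is an added example, not from the comment and not from any IPsec implementation, of how the three things that share UDP port 4500 are told apart: an ESP packet carries its SPI first, an IKE message is prefixed with a four-zero-byte Non-ESP marker (an SPI of zero is reserved and never appears on the wire, which is what makes the marker unambiguous), and a NAT-keepalive is a single 0xFF byte. The SPI values, exchange and payload type numbers and bodies used below are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Union

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # four zero octets ahead of IKE on UDP/4500 (RFC 3947)
NAT_KEEPALIVE = b"\xff"                  # one-octet keepalive the receiver simply discards (RFC 3948)
# iSPI, rSPI, next payload, version, exchange type, flags, message id, length: 28 bytes
IKE_HEADER = struct.Struct("!QQBBBBII")


@dataclass(frozen=True)
class EspPacket:
    spi: int
    seq: int
    payload: bytes        # ciphertext + ESP trailer + ICV, left opaque here


@dataclass(frozen=True)
class IkeMessage:
    initiator_spi: int
    responder_spi: int
    next_payload: int
    version: int          # 0x10 = IKEv1, 0x20 = IKEv2
    exchange_type: int
    flags: int
    message_id: int
    length: int
    body: bytes


@dataclass(frozen=True)
class NatKeepalive:
    pass


def build_ike(initiator_spi: int, responder_spi: int, next_payload: int, version: int,
              exchange_type: int, flags: int, message_id: int, body: bytes) -> bytes:
    """Serialize an IKE header plus body; the length field covers header and body."""
    return IKE_HEADER.pack(initiator_spi, responder_spi, next_payload, version, exchange_type,
                           flags, message_id, IKE_HEADER.size + len(body)) + body


def encapsulate_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """UDP-encapsulated ESP is the ESP packet itself; the non-zero SPI is the discriminator."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved and would be mistaken for the Non-ESP marker")
    return struct.pack("!II", spi, seq) + payload


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE sent over UDP/4500 gets the Non-ESP marker in front of it."""
    return NON_ESP_MARKER + ike_message


def demux_udp4500(payload: bytes) -> Union[EspPacket, IkeMessage, NatKeepalive]:
    """Classify one UDP/4500 datagram body the way a NAT-T receiver has to."""
    if payload == NAT_KEEPALIVE:
        return NatKeepalive()
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER.size:
            raise ValueError("truncated IKE header")
        fields = IKE_HEADER.unpack_from(ike)
        if fields[7] != len(ike):
            raise ValueError("IKE length field does not match the datagram")
        return IkeMessage(*fields, body=ike[IKE_HEADER.size:])
    if len(payload) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack_from("!II", payload)
    return EspPacket(spi, seq, payload[8:])
```

The order of the tests matters: the keepalive check has to come before the ESP fallback, and the marker check has to come before treating the first four bytes as an SPI, which is the whole reason SPI zero is kept off the wire.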
Re:High density, but still...
But because of where that 4% falls, it can be significant in a heavily-used network; see this writeup.
Of course, that writeup was mostly written considering office buildings (where the users/AP ratio is much higher), but it's still worth consideration.
-
Is this a joke?
I *quickly* flipped through the contents and found the content to be way off. My favorite part is 42g (EGRP):
"EGRP was created to solve many of the problems with RIP and has become the default routing protocol across the Internet."
First of all, there is no protocol EGRP. If there were such a thing as a default Internet routing protocol I'd say it was BGP. Not to mention that there is no routing protocol called EGRP.
Oh he means EIGRP, the Cisco proprietary protocol. Not only is it not an exterior routing protocol (a requirement to handle Internet routing) it's not supported by anything other than Cisco routers! And most Cisco-only shops don't use it because it's distance vector (even if enhanced)!!! ...it uses up to 5 metrics (conditions) to determine the best route:
* Bandwidth
* Hop Count (Delay) - maximum of 255
* Maximum Packet size
* Reliability
* Traffic (Load)
And for what it's worth, EIGRP doesn't use hop count or max packet size in its metric calculation to determine the best route. Per Cisco, It uses bandwidth, load, delay and reliability in its calculation.
My advice, you're better off staying away from this book. You can learn accurate information elsewhere, even if you have to pay for it. -
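To make the metric point in the review above concrete, an added worked example (not from the review, the book or Cisco) computes the EIGRP composite metric from the documented formula: with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0) only the minimum bandwidth along the path and the cumulative delay count; load and reliability enter only when K2 or K5 are set non-zero; MTU and hop count are carried in updates but never enter the number. The link values are constructed using the usual IOS default bandwidth and delay for a FastEthernet and a T1 serial interface.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Link:
    name: str
    bandwidth_kbps: int      # the interface "bandwidth" value
    delay_usec: int          # the interface "delay" value, in microseconds
    reliability: int = 255   # 255/255 = 100 %
    load: int = 1            # 1/255 = idle
    mtu: int = 1500          # advertised with the route, but not a metric input


KValues = Tuple[int, int, int, int, int]
DEFAULT_K: KValues = (1, 0, 1, 0, 0)


def eigrp_metric(path: Iterable[Link], k: KValues = DEFAULT_K) -> int:
    """Classic 32-bit EIGRP composite metric for a path of links.

    metric = 256 * [K1*BW + (K2*BW)/(256 - load) + K3*DLY] * [K5/(reliability + K4)]
    BW  = 10^7 / (minimum bandwidth in kbps), integer division as IOS does it
    DLY = sum of link delays in tens of microseconds
    The K5 factor is left out entirely when K5 == 0 (the default).
    Hop count is carried and bounded (100 by default, at most 255) but only as a
    loop limit; neither it nor MTU appears anywhere in this calculation.
    """
    k1, k2, k3, k4, k5 = k
    links = list(path)
    if not links:
        raise ValueError("a path needs at least one link")
    min_bw = min(l.bandwidth_kbps for l in links)
    total_delay = sum(l.delay_usec for l in links)
    worst_reliability = min(l.reliability for l in links)
    worst_load = max(l.load for l in links)
    bw = 10_000_000 // min_bw
    dly = total_delay // 10
    metric = k1 * bw + (k2 * bw) // (256 - worst_load) + k3 * dly
    if k5 != 0:
        metric = metric * k5 // (worst_reliability + k4)
    return metric * 256


# Constructed links carrying the IOS default bandwidth/delay of the named interface types.
FAST_ETHERNET = Link("FastEthernet0/0", bandwidth_kbps=100_000, delay_usec=100)
T1_SERIAL = Link("Serial0/0", bandwidth_kbps=1544, delay_usec=20_000)


def demo() -> dict:
    """Three paths that show what does and does not move the metric."""
    two_hop = [FAST_ETHERNET, T1_SERIAL]
    # Same minimum bandwidth and the same total delay, but three hops and jumbo MTUs:
    three_hop = [Link("Gi0/1", 1_000_000, 50, mtu=9000), Link("Gi0/2", 1_000_000, 50, mtu=9000),
                 Link("Serial0/1", 1544, 20_000)]
    # A degraded serial link: reliability 200/255 changes nothing with the default K values.
    degraded = [FAST_ETHERNET, Link("Serial0/0", 1544, 20_000, reliability=200)]
    return {
        "fe_then_t1": eigrp_metric(two_hop),
        "same_bw_delay_three_hops": eigrp_metric(three_hop),
        "reliability_ignored_by_default": eigrp_metric(degraded),
    }
```

The FastEthernet-then-T1 path comes out at 2,172,416, the textbook value for that combination, and the three-hop jumbo-MTU path with the same minimum bandwidth and total delay gets the identical number.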
Re:I worked for an ILEC doing this.
Does anyone know if Sacramento got their city-wide fiber-to-the-home project completed? The last I heard, the company had gone bankrupt during installation, and had been bought by someone else.
Not quite city-wide fiber, but the company is still working on it. Winfirst was the company that originally offered FTTH in parts of Sacto, but they did go bankrupt a few years ago. They have since been taken over by Surewest (which I believe was formerly Roseville Telephone). As far as I can tell they plan to continue building their fiber network. They claim that they aren't currently making much of a profit, because they are committed to reinvesting millions into the fiber network. But I just got their service (just TV and Internet, although they offer phone as well) about 6 months ago and it is very nice. 10Mbps both ways for Internet. They have a limit to 40GB transfers per month but they seem pretty lax on enforcing it unless you are heavily abusing the limit. As for the TV service, it has its up and downs, but overall it is up to par with Comcast. As far as reliability, both TV and Internet seem to never go down.
In my opinion, as long as they can keep on making a profit, extend their network, they should have a good chance at competing with both Comcast and SBC in the area. The equipment they use runs at 100Mbps I believe, and I read a press release on Cisco's site about what equipment they are using which seems to suggest that they can upgrade to 1Gbps (to the home) without much hassle in the future. I don't know anything about fiber but maybe someone more knowledgeable can correct me on this if I am wrong. -
Not the first..
This is by no means the first wifi phone. Its cool and the price point looks pretty attractive, but if your interesting in existing technology check it out:
BroadVoice branded Wisip Phone (standards standards standards)
Pulver Innovations (unbranded) Wisip Phone (for the purists)
Cisco's sexily titled IP Phone 7920 (like they'd be behind the curve!)
and
Zyxel's Prestige 2000W
There's probably more, but thats what google coughed up for "wifi phone" tonight (in the first couple of pages..I have a life you know. Just kidding!). -
Re:literally speaking, no
I've seen 10 meg go over a barbed wire fence...
Happy you got modded funny, however Long Reach Ethernet (LRE) does exactly what it says with very good throughput (we're nowhere near the alleged 80% packets loss of the parent post).
Oh, and the video clip which shows Ethernet over barbed wire is at the same url on the right-hand side where it says "Video: Charlie Giancarlo Demonstrates LRE Technology". It's nice to see it once for the "Wow!" effect. You'll also see the demo go over Cat3, Cat5, speaker cable, coax and lamp cord...
-
Re:Predictions
Power over Ethernet meets VoIP Phones stay up, until the UPS dies.
Stop there a second. It's been done.
We have the Cisco IP Phones 7940 series here at work. They're supposed to stay up a while from our UPS (but they don't, UPS might be faulty). Last time our power went out we were able to use our phones for 15 minutes.
- All models offer straightforward user customization capabilities to meet changing needs
- Cisco IP Phones 7971G-GE and 7970G support IEEE 802.3af PoE
- Cisco IP Phones 7970G, 7960G, 7940G, 7910G, 7910G + SW, 7912G, 7905G and 7902G can accept Cisco pre-standard Power over Ethernet (PoE) from a card integrated with a Catalyst switch or a Catalyst in-line power patch panel
- Cisco IP Phone 7971G-GE includes two 10/100/1000BaseT switch interfaces to ensure quality of service (QoS)
- Cisco IP Phones 7970G, 7960G, 7940G, 7910G + SW, and 7912G include two-port 10/100BaseT switch interfaces to ensure quality of service (QoS)
- Cisco Wireless IP Phone 7920 delivers up to six extensions, wireline voice quality, small form factor, standard and extended Li-ion battery options, menu driven graphical user interface, and inter-campus secure-seamless roaming
- Cisco IP Phone 7902G, is a cost-effective, single-line, entry-level IP phone addressing the voice communications needs of a lobby, laboratory, manufacturing floor, or hallway--or other areas where only basic calling capability is required
-
Re:this isn't ipv6 related
you should probably not be allowed anywhere near networking equipment, seeing as how you think Linux-based routers are somehow superior to Cisco's (nothing like telling the CEO the entire sales force won't be getting their e-mail because the "router" hard drive crashed) and the fact that you think Cisco's equipment (let's face it, they are the industry standard so even if you hate it and refuse to use it, you should still be pretty damn familiar with it.) doesn't support IPV6 (and you apparently aren't aware that it's supported it for five years)
What was it Einstein said? business without IT is lame, IT without business is blind... yeah Cisco's hardware/support is expensive. But that's totally fucking irrelevant if that's what's required to support the business needs. Some wacky home-grown Linux router is great till the thing crashes and it takes you 6 hours to get it back on line, or you get hit by a bus and no one else knows how the hell to support it. -
Develop intellectual property, copy model #
Yes, this new router does IPv6 and the Cisco 12016 doesn't, but isn't the model number a little familiar?
Is this the Intel/AMD "486" thing all over again? -
Cisco
Even Cisco has posted Earthquake and Tsunami Relief on their main page. I guess a good chunk of their CCIEs are affected by this
:) -
In Soviet Russia keychain fobs YOU!
-
Re:Argh, what I want...
Well, I don't have a lot of experience with SSL offloading (we are an ISP and do webhosting, but we aren't a hosting provider with crazy amounts of SSL-enabled sites), but I met with Cisco a few weeks ago to purchase some new equipment (I don't think I am going to though), and they showed me their 7600 series boxes. One of the blades that you can stick in these is an SSL processor. Click Here
to check out the link. Here is the summary:
Up to four SSL service modules can be installed in each chassis providing the fastest SSL session setup rates and bulk encrypted throughput in the industry and supporting the highest number of concurrent connections:
3000 connection setups/second per module--10,000 per Chassis fully-populated with SSL modules
300 Mbps bulk encrypted throughput per chassis module--1.2 Gbps per fully-populated with SSL modules
64,000 concurrent client connections--256,000 per chassis fully-populated with SSL modules
So it doesn't look like one blade will do you, but if you stick 4 in there, you're rockin' -
Speaking of Cisco and Routers
There's the Cisco packet game. The game that not only confused me about who it was being marketed toward. But also drove me nuts about its gig with Port au Prince and whatever the rest of the crap on it was. I'm no expert on Haiti, but I don't think stereotyping everyone living in Port au Prince as impoverished schmos who get their water from 5 hours away per day. The game's simply creepy. Peter Packet
-
CISCO's CRS-1 already does this
I wouldn't consider this to be new...rather it's the idea of this that is starting to propagate.
CISCO's new 92 terabit/sec router already has some of these features. The OS they used to build the system supports many of these features (high availability, self healing, etc).
http://www.qnx.com/markets/networking_telecom/cisco/
http://www.cisco.com/en/US/products/ps5763/index.html
It's a self healing system. It uses the services and functionality of the OS to accomplish it.
QNX's networking system is really neat because it allows processes to be independent of where they actually run on a network. And the network can be anything (i.e. a backplane, Ethernet, whatever). So it lends itself to solving such a problem.
-
New protocols are not an answer
I find it interesting that the focus with regards to DDoS attacks that I have read about is not on proper security and precautions, but rather the client/server applications being attacked. Because your Apache server is DDoS'd, does that mean you distribute your website through ftp? Of course not, you take further security precautions and strengthen your protection against DDoS attacks. Why then should there be a need to "create a new protocol" to "protect" from attacks?
Protocols in and of themselves do not inherently have protection from these kinds of attacks. That is not the purpose of a protocol. The purpose of a protocol is to establish an agreed method of communications between two or more identified systems in a connection. This is where the problem persists: identification.
DDoS is not successful because it overrides the buffers or socket space for connections to a server. It is successful because these sockets are kept open longer than they should be.
What a server needs is not a "secure" protocol, because any protocol (method of communication) can be compromised so long as the attacker can make the protocol believe that an identified, valid entity has made a connection and intends to communicate.
Instead, system administrators need to strengthen the rules in their firewalling and subsystem (kernel) to improve the latency of the socket states so that the system will not fail when attacked. I believe GNU/Linux has many tools available as well as kernel modules already available in order to accomplish much of this already.
Rather than wasting time in creating YAP (Yet Another Protocol), the time and effort may be better utilized creating the system and firewalling tools needed to combat DDoS at its root.
This brings it even further to the point of not necessarily even having to reconfigure and install and reconfigure again the varied tools needed for server-side protection, but even look as close as the router itself and the built-in firewalls there.
I believe even Cisco has given some hardware advice for DDoS here.
We don't necessarily need to be creating so much as we should be perfecting and improving.
-
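The diagnosis in the comment above (half-open sockets held for longer than they should be) is exactly what SYN cookies address, so here is an added example; it is not from the comment and it is not the Linux kernel's actual algorithm, only a simplified model of the idea. A cookie listener stores nothing when a SYN arrives: it folds a time tick, an MSS-table index and a keyed hash of the connection tuple into the SYN-ACK sequence number and recovers all of it from the client's ACK. Next to it sits a classic backlog listener that a few hundred spoofed SYNs fill up. The addresses, ports, tick size, MSS table and backlog size are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

TICK_SECONDS = 64                       # cookie counter granularity; valid for current and previous tick
MSS_TABLE = (536, 1300, 1440, 1460)     # constructed MSS buckets; 3 bits of cookie index this table
FourTuple = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


def _tick(now: float) -> int:
    return int(now // TICK_SECONDS) & 0x1F            # 5 bits of counter go into the cookie


def _mac24(key: bytes, tup: FourTuple, client_isn: int, tick: int) -> bytes:
    msg = "|".join(map(str, (*tup, client_isn, tick))).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:3]   # 24 bits of keyed hash


def make_syn_cookie(key: bytes, tup: FourTuple, client_isn: int, mss: int, now: float) -> int:
    """Server ISN for the SYN-ACK: [5-bit tick][3-bit MSS index][24-bit MAC]. Nothing is stored."""
    tick = _tick(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = int.from_bytes(_mac24(key, tup, client_isn, tick), "big")
    return (tick << 27) | (mss_idx << 24) | mac


def check_syn_cookie(key: bytes, tup: FourTuple, client_isn: int, ack: int, now: float) -> Optional[int]:
    """Validate the ACK of a SYN-ACK we never remembered; return the negotiated MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    tick, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (_tick(now) - tick) & 0x1F > 1:
        return None                                   # older than one tick: stale or replayed
    if mss_idx >= len(MSS_TABLE):
        return None
    if not hmac.compare_digest(mac.to_bytes(3, "big"), _mac24(key, tup, client_isn, tick)):
        return None
    return MSS_TABLE[mss_idx]


class BacklogListener:
    """Classic half-open table: every SYN costs an entry until the ACK arrives or a timer fires."""
    def __init__(self, backlog: int):
        self.backlog, self.dropped = backlog, 0
        self.half_open: Dict[FourTuple, int] = {}
        self.established: Set[FourTuple] = set()

    def on_syn(self, tup: FourTuple) -> Optional[int]:
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                         # queue full: legitimate SYNs are refused too
            return None
        self.half_open[tup] = secrets.randbits(32)
        return self.half_open[tup]

    def on_ack(self, tup: FourTuple, ack: int) -> bool:
        isn = self.half_open.get(tup)
        if isn is None or ack != (isn + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[tup]
        self.established.add(tup)
        return True


class SynCookieListener:
    """Stateless until the third packet: a spoofed SYN costs one hash and no memory."""
    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)
        self.established: Dict[FourTuple, int] = {}   # tuple -> MSS recovered from the cookie

    def on_syn(self, tup: FourTuple, client_isn: int, mss: int, now: float) -> int:
        return make_syn_cookie(self.key, tup, client_isn, mss, now)

    def on_ack(self, tup: FourTuple, seq: int, ack: int, now: float) -> bool:
        mss = check_syn_cookie(self.key, tup, (seq - 1) & 0xFFFFFFFF, ack, now)
        if mss is None:
            return False
        self.established[tup] = mss
        return True


def simulate_flood(spoofed: int = 1000, backlog: int = 128, now: float = 1_700_000_000.0) -> dict:
    """Spoofed SYNs (no ACK ever follows) against both listeners, then one real client."""
    classic, cookies = BacklogListener(backlog), SynCookieListener()
    server = "203.0.113.10"
    for i in range(spoofed):                          # constructed spoofed sources in 198.51.100.0/24
        tup = (f"198.51.100.{i % 250 + 1}", 1024 + i, server, 80)
        classic.on_syn(tup)
        cookies.on_syn(tup, i, 1460, now)
    legit, cisn = ("192.0.2.7", 40000, server, 80), 123456
    s_isn = classic.on_syn(legit)
    c_isn = cookies.on_syn(legit, cisn, 1460, now)
    return {
        "classic_legit_connected": s_isn is not None and classic.on_ack(legit, s_isn + 1),
        "cookie_legit_connected": cookies.on_ack(legit, cisn + 1, c_isn + 1, now + 1.0),
        "classic_half_open": len(classic.half_open),
        "classic_dropped": classic.dropped,
        "cookie_mss": cookies.established.get(legit),
    }
```

The price of statelessness is visible in the code: only a few TCP options survive (here just a coarse MSS), and the cookie is only as strong as the 24-bit MAC and the short acceptance window, which is why real stacks switch cookies on only once the backlog is under pressure.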
Re:Out-of-control
We use CSA http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_data_sheet09186a008033a40f.html It fulfills most of the requirements of your dream. -
Re:Cisco routers use PCI bus
are you sure?
a 1ghz athlon can forward >150k 64byte packets/sec. an opteron can do >550k/sec. this is commodity pc hardware, cheap and easy to come by.
i am quite certain a 3620 cannot do that.
also, if a part in your 3620 dies (power supply, etc) you are totally screwed unless you have a spare on-hand.
inexpensive parts huh. thats why an intel gigabit pci card costs $50 while a cisco NM-1FE-TX costs $1100? is the cisco card really 22 times better than the intel card?
not to mention you're fucked if cisco EOLs the hardware. -
Re:BSD License
As opposed to a security hole in a closed-source router... like a Cisco?
A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled. There is no workaround.
Golly, if you had the source, you might be able to do something like... hmmm... I dunno... disable the default password, maybe? -
Yes, there are tools that can help.
-
Re:IP Spoof Filtering...
It's actually even easier than that...
interface FastEthernet0/0 ...
ip verify unicast source reachable-via ...
Cisco started RPF (reverse path forwarding) a number of years ago. It uses the CEF (Cisco Express Forwarding) table's FIB (Forwarding Information Base) to know if the packet came from where it should've. Since this is within the packet's normal switching path, the check is practically free.
[See Also: Configuring Unicast Reverse Path Forwarding]
(As others have stated, this will not stop a DDoS as they aren't spoofed.) -
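What the `reachable-via` check above actually decides is easy to see in a small model, so here is an added example, not from the comment and not IOS code: a longest-prefix FIB lookup and a uRPF function with the two modes the IOS keyword selects (`rx`, strict: the best route to the source must point back out the interface the packet arrived on; `any`, loose: any route to the source suffices), plus the `allow-default` behaviour of ignoring the default route unless it is explicitly allowed. The FIB and the packets are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
FibEntry = Tuple[IPv4Net, str]          # (prefix, egress interface)

# Constructed FIB for a small edge router (not taken from any real device).
FIB: List[FibEntry] = [
    (ipaddress.ip_network("10.1.0.0/16"), "FastEthernet0/0"),   # customer block behind Fa0/0
    (ipaddress.ip_network("10.1.5.0/24"), "FastEthernet0/1"),   # more specific: one subnet moved to Fa0/1
    (ipaddress.ip_network("192.0.2.0/24"), "Serial0/0"),        # a remote site reached over the WAN
    (ipaddress.ip_network("0.0.0.0/0"), "Serial0/0"),           # default route to the upstream
]


def fib_lookup(fib: List[FibEntry], addr: ipaddress.IPv4Address,
               allow_default: bool = False) -> Optional[FibEntry]:
    """Longest-prefix match; the default route is skipped unless allow_default is set."""
    best: Optional[FibEntry] = None
    for net, iface in fib:
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permits(fib: List[FibEntry], src: str, ingress: str, mode: str = "strict",
                 allow_default: bool = False) -> bool:
    """mode 'strict' models 'reachable-via rx', mode 'loose' models 'reachable-via any'."""
    hit = fib_lookup(fib, ipaddress.ip_address(src), allow_default)
    if hit is None:
        return False                      # no route back to the claimed source: drop
    if mode == "loose":
        return True                       # some route exists; the interface is irrelevant
    if mode != "strict":
        raise ValueError(f"unknown uRPF mode {mode!r}")
    return hit[1] == ingress              # strict: best route must point back out the arrival interface


# Constructed packets: (source address, interface it arrived on).
PACKETS = [
    ("10.1.1.5", "FastEthernet0/0"),      # customer host on the right interface
    ("10.1.5.9", "FastEthernet0/0"),      # source now lives behind Fa0/1: strict drops, loose passes
    ("10.1.1.5", "Serial0/0"),            # customer address arriving from the upstream: spoofed
    ("203.0.113.4", "FastEthernet0/0"),   # unknown source from the customer side
    ("203.0.113.4", "Serial0/0"),         # unknown source from the upstream; only the default covers it
]


def filter_packets(mode: str, allow_default: bool = False) -> Tuple[List[str], List[str]]:
    """Return (permitted, dropped) 'source@interface' labels for PACKETS under one policy."""
    permitted: List[str] = []
    dropped: List[str] = []
    for src, ingress in PACKETS:
        target = permitted if urpf_permits(FIB, src, ingress, mode, allow_default) else dropped
        target.append(f"{src}@{ingress}")
    return permitted, dropped
```

Strict mode on the customer-facing interface is the anti-spoofing case the comment has in mind. On an upstream or multihomed interface, asymmetric routing makes strict mode drop legitimate traffic, which is the reason loose mode exists; and note that the check is only as good as the FIB it reads, since a source that matches a more specific route out another interface (10.1.5.9 above) is dropped even though it is "inside" the customer block.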
Re:Well...
You seem to have left out a couple. Let me enlighten you!
SRP (Spatial Reuse Protocol)
DPT (Dynamic Packet Transport)
which of course have gone on to inspire the IEEE 802.17 standard RPR (Resilient Packet Ring). -
Re:VNC??
Ah, another misguided Vepublican. When will you learn that the VOP is only helping out big business?
Don't you mean the VOIP? -
Haven't seen Cisco's Security Agent mentioned yet.
According to the presentation on security given by Cisco this may be the ultimate tool for larger environments: http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html It's supposed to lock machines down based upon master policies that you set centrally, and when laptop users reconnect after being 'out of the office' they can pull updates right off the central configuration. And it can be hidden from the end user.
The downside is that it comes from Cisco in a proprietary binary and that you usually have to get it from a channel, but if it works as advertised.... -
Cisco CSA/Check Point Integrity
So we have about 3000 laptops in our organization. Mostly Win2K Pro, some XP pro. Users only have power user rights, and we're so far behind on patching it's not even funny (can you say SP2 with 1 or 2 hotfixes?). Their machines are so overrun with Spyware that some web apps won't even run.
Due to our desktop team's negligence in patching (even though we own Altiris), I've been taking a hard look at Cisco's Secure Agent... It's really robust, but it complains about ANYTHING trying to do ANYTHING (think Zonealarm from hell), the Altiris client apparently needs 'self modifying code' to run, KlipFolio tries to make a network connection and all sorts of alarms go off, and most spyware still ends up installing anyway. I've been spending some time with Cisco, and I'm sure I'll be spending more, but this looks like an uphill battle the entire way.
Another 'solution' I'm looking at is the Check Point Integrity VPN client (Check Point sucked up Zone Labs last year)... Instead of my clients using traditional VPN software, we'd look at deploying an SSL-type-VPN with Integrity. Basically, every time you make a VPN connection back to our office, your machine gets scanned for spyware (this would hold true for Internet kiosks as well as their home PCs and even corporate PCs)... Depending on how infuckted you are, you can define different access levels (keylogger = no access, normal cookie crap and a couple Browser Helper Objects, you get access to webmail only. You're clean? Congrats, you get the Intranet and network drive shares). It sounds great and all, but I can't say I've had time to see if the rubber meets the road. Read for yourself, more info here and here.
This is definitely a very interesting 'ask slashdot', and I'll be keeping my eye on the ideas presented.
-
Cisco Security Agent
I work for a pretty big company and they've used Cisco Security Agent. It's been kind of a pain in the a** because it monitors all execution on your computer and complains of any suspicious behavior, but they've been able to write some rules to get around that. http://www.cisco.com/en/US/products/sw/secursw/ps5057/ It's pretty good because it's not really like a virus detector that detects known spyware, it tries to watch for any suspicious behavior. -
Where did this article come from and why. . ?
So. . .
The article was published in "Techworld" which is an affiliate (one of many) of InfoWorld Media Group, which in turn is a limb of IDG. . .
Headquartered in San Mateo, Calif., InfoWorld Media Group is a wholly owned independent business unit of IDG, the world's leading IT media, research and exposition company. IDG publishes more than 285 computer magazines and newspapers and 500 book titles and offers online users the largest network of technology-specific sites around the world through IDG.net (http://www.idg.net), which comprises more than 200 targeted Web sites in 52 countries. IDG is also a leading producer of 110 computer-related expositions worldwide, and provides IT market analysis through 49 offices in 41 countries worldwide. Company information is available at www.idg.com.
IDG is one of those earth-flattening corporations which dominates everything. Look at their track record. Interestingly, they're not just interested in owning all the computer publications in the world. They also have their fingers in Brain Research. --Which looks on the surface to be a bit of PR angling, but 350 million worth? Whatever. Creepy.
Huge publishing conglomerates have mandates and agendas, (whether they realize it or not), so IDG publishing articles about Echelon is interesting to say the least.
By contrast. . .
Slashdot is owned by OSDG. (Open Source Data Group)
From the OSDG website:
In the most recent release of Nielsen//NetRatings' @plan (Summer 2004), OSTG retained its top ranking across all competitive networks for delivering online buyers of computer hardware and software, visitors who purchase home electronics online and visitors who buy anything online. OSTG moved up in the rankings for many consumer technology categories, including visitors who are heavy spenders on computer hardware, visitors who purchase MP3 players, and visitors who purchase video games.
For the eighth consecutive quarter, OSTG has been validated as the number one network for delivering visitors who look for technology news online. OSTG reaches over 16 million visitors every month and delivers nearly 250 million page views.
OSDG is in turn owned by VA Software
[. . .]
VA Software develops and markets SourceForge Enterprise Edition, an enterprise-grade solution for managing and optimizing distributed development. SourceForge Enterprise Edition provides a secure, centralized platform that connects heterogeneous tools and processes together with an integrated suite of project, change management and collaboration tools. Fortune 1000 companies and government agencies use SourceForge Enterprise Edition as a Global Development Platform(TM) to integrate disparate tools and processes, expand visibility and control, and improve development efficiency and collaboration.
VA Software appears to have its morals lined up nicely. That is, their goal appears to be data sharing and the facilitation of collaborative creative efforts. As the much maligned, (and biblically misrepresented), Christ advised, "Judge the Tree by the Fruit it Bears." This is one of the most outstanding bits of advice I have ever heard. Flowing all the way down this particular chain, Slashdot allows peculiar guys like me to speak my mind in forum on taboo subject matter. I have an enormous amount of respect for that.
Here's an article written by Carl Redfield, a guy way up at the top of th -
Internal networks.
I'm testing the Cisco 7970G for the local university's Technology Quarters program... It's a VOIP phone, but it's only VOIP across the university LAN. Mostly it's absurd overkill, but you can see how people in a big company who make lots of calls could really use it.
-
Re:They won't copy it b/c it's ugly...
Raster Image Process
Router Information Protocol
-
Re:Cisco 65XX
Yep, I was thinking the same thing. The 6513 is a nice box. The SUP 720 is a pretty ridiculous board and expensive of course. Also, at present time I believe you can only run IOS on the SUP, which may be a consideration. I hate IOS for switching but using it is worth it if you have a SUP 720.
-
New Cisco Routers
Disclaimer: I work for Cisco, so I guess I'm more than a little biased here.
But: 3Com wants to compete with the 3725 & 3745? Fine with us. We just announced a bunch of new routers:
http://newsroom.cisco.com/dlls/2004/prod_091404.html?CMP=ILC-001 -
Re:Foolish move...
Cisco now owns 3Com so this is just Cisco rehashing their own products under a different label.
-
Also in Washington - Yakima County Wifi Network
Cisco carries a brief press release on the Yakima County public safety network, a WiFi network that replaced the old repeater/trunking radio network. Yakima county is the second largest (by area) county in Washington state and with careful site planning and radio engineering, they are able to cover almost the entire county with 30 wireless bridges. You have to realize that most of the county is located in a large valley surrounded by fairly tall hills, so it is an ideal candidate for line-of-sight networks. But to cover 4,296.1 square miles in such a manner is pretty impressive. http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_business_case09186a00800a9de3.html
The press release is very bland compared to the actual implementation. The police and safety officials seem to love it. This network is now becoming a standard for implementation by many of the rural counties in Washington and Oregon. -
Re:The correct pricing structure for most software
-
Re: WTF is multicast?!?!?
You can find out about what multicast is and what it means by checking out this Cisco page that explains what it actually is.
As always, Google is your friend...
-
Re:Setup OSPF
The home page (www.cisco.com) is not where it belongs. Security notices are available at http://www.cisco.com/go/psirt That's where security people will be looking. (and they'll be subscribed to any number of Cisco emailed alerts.)
-
Re:amusing failover problem with Cisco gear
Sounds like the 515 with a failover bundle. Every fault tolerance mechanism is designed to overcome some potential scenario. You wouldn't bitch if you had two system disks in a mirror and your motherboard getting a power spike killed your system would you? It is not a logical assumption that because you have some level of fault tolerance you will never experience downtime, it's not magic.
I constantly have to deal with people who have been oversold on Cisco and what it can do for them. These perceptions are not uncommon, but people need to take some action to get things fixed.
Too bad somebody didn't go to http://www.cisco.com/en/US/support/ or call 1-800-553-2447 and get an updated version of code rather than live with the problem day in and day out. Be sure to have your contract number or serial number ready when you call.
-
Re:Chicken Little
*sigh* Where should I start...
You seem to have the impression the nurse stood there typing in codes for an hour. She asked every nurse on staff in the ER, every doctor working in the ER, and called several pharmacies. In the end, some "teen" in a suit (an IT guy it would appear) came in, monkeyed with the terminal for a few minutes and *poof* it was fixed. It's anyone's guess why she didn't have one of the other pharmacies send the stuff down -- my money is on some lame issue around billing if it didn't come from the ER; hospitals are one, huge, never ending pile of red tape. (but that's a different story.)
- ...
- but that doesn't relieve you of your responsibility to properly roll things out
Yes. It. Does. Yes, there are proper procedures. There are even documented procedures ("policy".) There's also the boss (and everyone has a boss, even the bosses) telling you what to do contrary to procedure. You are either inexperienced, lying, or damned lucky to have never been forced outside the "proper procedures." This shit happens somewhere every day. That it has never happened to you is highly improbable.
- Frankly no security patch requires instant roll out if you've got proper security in place.
Ok, evidence now suggests "inexperience". Exhibit A: Cisco IOS Interface Blocked by IPv4 Packets. Exhibit B: the bind worm from some years ago. Sometimes you don't get the luxury of several months notice of bugs before rampant exploits are released.
- ...
- still give everyone the access they need
It's never an issue of need. No admin will ever intentionally place restrictions that interfere with real work. It's more a matter of want and not enslaving people in a jail cell. Making sure people cannot do anything but their job is, well, stupid and needlessly time consuming. (translation: users will always be shooting themselves in the foot; you'll never be able to stop them from pulling the trigger without making them leave.)
- ...
- The large price tag may come from administrators who aren't willing to put in the time to learn how to do it themselves or learn how to properly configure what is available out there...
This is called training and experience. People with more experience get paid more. Experience equals value. It's a simple economic premise. It's why you are paid more today than you were on your first day as a "green" sysadmin.
Companies (commercial, for-profit institutions) are not going to bet everything on the hacked-together, 386 server their 18yo, college drop-out, sysadmin built out of the junk he found rattling around in the trunk of his step-dad's LTD. While that would work for many a home and a number of small, strapped-for-cash companies, no serious company is going to allow any such home-grown "trash" to be part of their critical infrastructure. There must be accountability and a clear line of support. Basically, the company needs someone to bitch at and possibly sue when things fall apart. When that 18yo kid gets hit by a bus skateboarding in the street or simply quits, who's gonna take over management of the system(s) he built? Commercial hardware/software systems have people with training, experience, and certifications who can manage anyone's installation with few exceptions (there's a limited set of differences... think oracle DBA.) Such resources don't exist for one-off, home-grown systems -- while there are people who can figure it out, it takes time to figure the system out (and it might end up broken in the process) and you certainly cannot afford to be hunting when the system(s) aren't being managed.
- as for monitoring...
I repeat: knowing who brought in the matches will not un-burn the office. Monitoring systems are good at pointing out anomalous behaviors
-
Somebody stepped on a switch?
What a beginner's mistake: Allowing a physical attack to unplug the network.
They should have a Self-Defending Network -
Re:How long until...
What about this one: Cisco 7920
-
CRS-1
1. Slap 4 of them in a linux box.
2. Build a pretty case to rival CRS-1.
3. Undercut Cisco by god knows how much. Lots of profit. -
Re:What a crock of...
Related issue: there really ought to be a way to test 911.
I agree there should be an automated way to test 911, as you described. That said, I work for a large multi-city real estate company and we are deploying Cisco IP phones to every new office we complete. We always test 911 service, because there was one time, when we first deployed IP phones in our corporate office, that we had not tested it and found out the hard way it wasn't working (luckily we were still migrating from a legacy PBX, so there were still legacy phones around to dial 911 with).
We set our IP phones up so that 911 or 9911 will work (since people are so used to dialing a 9 first). We try each number and when the operator answers we start with "THIS IS NOT AN EMERGENCY CALL, we are testing a new phone system installation and need to know what number and address we are posting". Every one I've talked to has been happy to help and not acted put out in any way. They'd rather KNOW you have working 911 service than have to deal with answering emergency calls with the wrong phone number or address associated with the call.
Also, for those curious about how E911 is handled with VoIP in the enterprise market, Cisco has a product called Cisco Emergency Responder that adds on to the Cisco CallManager infrastructure and can do intelligent E911 routing. If someone picks their phone up and moves to another office (happens all of the time with real estate agents), the Emergency Responder figures out where they are and intelligently routes their 911 calls appropriately. It can also send you emails or automatically call your building's security team when someone places a 911 call. It's just a matter of time before someone conquers this in the residential VoIP arena.
-
Re:Performance is pretty reasonable
The problem, IMHO, is that ALL high-end routers use HARDWARE routing (see: flow/fast switching in 7500/12000s) instead of software routing. Unless you're building ASICs to handle stuff in the data plane (VIPs or whatever the 12ks use for dCEF and the like), you're not really in any danger of being used by the higher-end routing equipment manufacturers.
However, they still run their protocols, control "plane", etc. in software on a commodity general-purpose CPU, which is what the likes of XORP, GNU Zebra and Quagga cover. Indeed, the Juniper routing engines are literally PCs running some flavour of BSD off flash. There is nothing stopping one implementing off-board forwarding cards for a PC - you just end up with Juniper's architecture. Intel, for example, have ASICs targeted toward building such boards, the Intel Network Processor range: customised XScale CPUs with PCI interfaces designed for offloading packet forwarding.
Still, a PC is *more* than capable of replacing any low-end Cisco, e.g. 26xx, which BTW use software forwarding, not hardware, and even mid-range, provided one is careful to match the PC hardware to the requirements.
Cisco at least notified their large carriers before specific details leaked onto the net - I shudder to think of someone posting 0day exploit code for something like this on Full-Disclosure.
There was a Cisco BGP DoS vulnerability announced recently; GNU Zebra and Quagga were not vulnerable to the DoS. Also, why do you think white hats would leak a DoS for an open project but not for IOS? Or why do you think CERT would not co-ordinate with an open project for vulnerabilities, when they already do so?