Understanding the Cisco IOS XR Vulnerability: CVE-2025-20115

Explore the critical Cisco IOS XR vulnerability CVE-2025-20115 affecting BGP, its impact, and mitigation strategies for network security.

The DefendOps Diaries
Continuing with my #pyats journey. #IPSLA on #IOSXR is on today's todo list.
Annual reminder: I'm running various free projects for the networking community - BGP feeds with bogons, FlowSpec, geo information for country filtering, full IPv4/IPv6 global table, RPKI RSes and AS112 sinkholes. All documented here: https://lukasz.bromirski.net/projects/ #bgp #as112 #anycast #freebsd #iosxr #xrv9000 #pushdastuff
projects

below you can see some of the community projects I created or actively maintain:
AS 112 - world wide project to sinkhole RFC 1918 DNS traffic locally within countries/geos and avoid slamming the DNS root servers; I’m maintaining three AS112 servers in different parts of Poland
BGP Blackholing - open BGP route server project that provides a “bogons” feed via dynamic BGP peering
BGP Full Feed - open BGP route server that provides a full DFZ view of the IPv4/IPv6 BGP table

lukasz.bromirski.net
Even seasoned network engineers can make mistakes. Mistakes are good, they make us learn things and remind us that we should stay humble. And if you waste hours troubleshooting... you write a post ;) https://lukasz.bromirski.net/post/xr-route-internal/ #iosxr #routing
IOS XR and routes

those of you working on a daily basis with configuration and reconfiguration of network devices are likely to hit various caveats and surprises. sometimes, we hit problems that take hours to troubleshoot. route? what route? we’re adding a new router. it has the address 172.16.0.11, defined on Loopback0. this interface and all other physical interfaces of the new router are included in area 0 of OSPF. neighbors see it that way as well:

Doing geoblocking is generally doing 'security by building a false sense of it'. However, sometimes somebody forces you to do it anyway. If you know what you're doing, take a look here - any feedback on this is great! https://lukasz.bromirski.net/bgp-geo-blackholing/ #bgp #geoblocking #iosxr #pushdastuff
BGP Geo-Blackholing project

what it’s all about? in the internet, not all IPv4 and IPv6 prefixes will be sources or destinations of traffic you’d like to have anything in common with. some of them will be used or controlled by bad actors that can try to compromise your network (you have been likely selected at random, do not flatter yourself) or pursue other evil goals. why would you like to receive that traffic? or send traffic towards them?

If you want to experiment with BGP FlowSpec on your router, there's an alpha version of my BGP Blackholing FlowSpec server at 85.232.240.180 & 2001:1a68:2c:2::180. You'll get 1345 IPv4 FlowSpec AF prefixes and 45 in the IPv6 FlowSpec AF. The rest of the configuration is the same as in the main project: https://lukasz.bromirski.net/bgp-blackholing/ Please ping me directly and share your feedback (with your platform details if possible - thanks!) #iosxr #pushdastuff #bgp #blackholing
BGP Blackholing PL project

You *may* have noticed a small disturbance in the force with regards to the BGP Full Feed and BGP Blackholing projects. That's because over the last two nights I migrated all the infra to... this ;) #iosxr #xrv9000 #pushdastuff
Logging in to IOS XR using SSH keys - 7.0+ edition howto: lukasz.bromirski.net/post/ios-xr-au… #iosxr #ssh #openssh #hardening #security #pushdastuff
I decided to upgrade my home internet router before Easter while visiting the local PC shop. The seller gave me that. I'm not sure if it supports WPA3 or UPnP though... ;) #iosxr #cisconcs #100ge #400ge
Attackers could bring down Cisco routers running IOS XR Software

There are important security updates for Cisco's network operating system IOS XR. None of the vulnerabilities is rated as critical.