Cisco To Develop Third-Party APIs For IOS 129

Posted by kdawson
from the letting-a-little-light-in-on-the-crown-jewels dept.
MT628496 tips a Computerworld article on Cisco's announcement that it plans to build IOS on a UNIX kernel, in modules, and allow third-party developers to access certain parts of it. IOS has traditionally been a closely guarded piece of software without any way for anyone to add functionality. No timetable was given for when APIs will be available. A Forrester analyst said, "...the network is one of the least programmable pieces of the infrastructure. The automation and orchestration market is far more oriented towards servers, storage and desktop environments. The ability to dynamically change the network is a missing component." The article mentions that Juniper Networks had announced on Monday its own developer platform for Juniper routers, and it's available now.
  • by the_humeister (922869) on Saturday December 15, 2007 @07:56PM (#21712606)
    Wouldn't this make the networking equipment more prone to attacks?
    • by unixan (800014)

      Most networking equipment these days have a separate "admin" interface from the rest of the "traffic" interfaces. The intent of that is you can secure the "admin" connection and only access admin functions (like APIs) through that.

      But as bright as some Senior Network Engineers (with a string of letters after their name) are, yes, you can count on an increase of vulnerabilities!

      Cisco is a late-comer to this game, by the way. Some other (even popular) network vendors are based on unix/linux with a rich

      • by giminy (94188)
        Most networking equipment these days have a separate "admin" interface from the rest of the "traffic" interfaces. The intent of that is you can secure the "admin" connection and only access admin functions (like APIs) through that.

        Nobody ever made a mistake in either the software implementation of this kind of access scheme, and nobody ever made a mistake in deploying such a system.

        You pretty much nail it on the head, this is going to result in an increase in (scary!) vulnerabilities. If an attacker can take a
        • Taps are often the recommended method of handling IDS now if you're not doing it in-line. However, if someone can see which ports are mirrored, there's a good chance that they can figure out which interfaces are handling the most traffic, and so more likely to be on IDS (if one's IDS deployment is more on the limited side, that is).
    • by brucifer (12972)
      As is, Cisco already has plenty of vulnerabilities. Heck, I ran across a particular packet sequence from my VA tool that killed one of my Cisco routers and I wasn't even scanning the router!

      It will be interesting to see what they do with it. As much as I love IOS, it isn't the most intuitive piece of code in the world, so an SDK could make things a little easier. Of course, it could also go nowhere.
    • Hate to say it, but security through proprietary technology is nice in this case, IMHO. The less the technology controlling our network is exposed, the better, in some cases. Sadly, vice-versa is true. It's a trade-off, but it is still better than everyone being able to look at it and go "Oh, THAT'S how we shut down and infiltrate major networks!"
      • Re: (Score:3, Insightful)

        What you've actually described is security through obscurity. Being proprietary does not keep it unpublished. The "proprietary technology" source code and utilities have been repeatedly stolen, published, and republished among the cracker crowd, and the tools they write get released and circulated among the script kiddie crowd eventually. And Cisco has repeatedly engaged in really unfortunate security standards for decades, with a lack of reporting of the incidents for both non-disclosure reasons, and an
        • by Tony Hoyle (11698)
          The problem with IOS is every release breaks something different, so if Cisco says there's a security vulnerability, well, there's not a lot you can do: you get a release that works for you and never update it, because of the downtime of having that release possibly having a bug in something you use and the general slowness of TAC (took me 6 months to get them to fix one bug, for example; they demand dozens of packet dumps etc. and it takes up a fair amount of time even though the bug I found was 100% reproduc
      • Proprietary technology doesn't provide absolute security. If the code is exposed, or if crackers are secretly able to probe a system to determine how it works, the device can become vulnerable to attack. Cisco doesn't always inform its clients of new vulnerabilities to its hardware.

        A few years ago, someone leaked portions of Cisco IOS source code [com.com]. I forget if this ended up being a hoax.
  • by flydpnkrtn (114575) on Saturday December 15, 2007 @07:58PM (#21712618)
    I wonder if they'll license something like QNX, or port one of the BSD kernels over. I can't imagine they'd use anything with the GPL, this being proprietary-out-the-ass Cisco after all.
    • Re: (Score:2, Insightful)

      by larry bagina (561269)
      They use Linux in some Linksys boxes.
      • by mrmeval (662166)
        Only because they bought Linksys and got that as a bonus. I suspect they'll rape that as soon as they can.
        • by Tony Hoyle (11698)
          The newer linksys boxes do *not* use Linux, only the ones they inherited when they bought the company.

          I can't see Cisco policy changing. They'll use a proper embedded OS or simply open IOS to certain plugins without changing the OS at all.
    • by nick5546 (1157253)
      From what I understand, IOS-XR IS already based on QNX (from what I remember, the codename for the project was Chaos, but not sure...)
    • Re: (Score:3, Interesting)

      by Phishcast (673016)
      Not so fast -- Their whole line of MDS Fibre Channel switches are Linux underneath. There's even a GPL notice that comes up when they boot.
    • by Anonymous Coward
      ...even we're not sure. Different parts of the company have experimented with all of the above options.
    • Re: (Score:3, Interesting)

      by imp (7585)
      I wonder if this is related to the following post on the FreeBSD jobs list.

      http://www.freebsd.org/cgi/getmsg.cgi?fetch=0+4570+/usr/local/www/db/text/2007/freebsd-jobs/20071209.freebsd-jobs [freebsd.org]
    • by Bert64 (520050)
      Cisco make a lot of devices which are Linux based...
      Their current version of Call Manager runs on Linux.
      Their old IDS boxes ran on Linux.
      The current series of ASA boxes run on Linux.
      And a lot more too, I would imagine.
      • by Huh? (105485)
        Can you substantiate the ASA statement? Links, etc. would be useful.
      • by fwr (69372)
        The ASA does not run Linux, although the IPS AIP-SSM does. All their IPS devices still run Linux. Interestingly, you can get them to run under a VMware session. You can also run IOS code using dynamips, and you can run PIX code (but not ASA code) using pixemu.
  • When Company A announces they've done something already, and Company B announces they will, that's more like the "Company-B-caught-with-pants-down-and-family-jewels-showing department."

    Cisco's response is laughably cliche...

    • by arivanov (12034)
      And who cares anyway. They are talking about this like it is rocket science.

      I have done that for a living for nearly 10 years now and frankly it is trivial (at least for Cisco). There is _NO_ rocket science in it. It takes a couple of weeks tops for someone who is good in both software development and network engineering to write one. There is no need for an extra API. The techniques on how to deal with IOS are well known.

      The problem is elsewhere. The problem is "what to orchestrate?". Data modelling a netw
  • JunOS, which sits on a FreeBSD kernel, has had the modular ability since forever now. Certain versions of JunOS allow individual core system processes to be restarted without taking down the router or requiring a reboot. Glad to see Cisco is getting with the program.

    • by Burdell (228580)
      I think all versions of JUNOS allow individual processes to be restarted. Different versions have different processes (for example, PPP is in the kernel for most versions, but it is being moved to a user-space process). Juniper also already works with third-parties for hardware. For example, on the J-series, you can get a PIM that has an Avaya PBX in a slot.
      • That is impressive. Thanks for the info about all versions supporting process restarts. I must have mixed up vendor C with Vendor J. Cisco's IOS XR has that feature but the regular Cisco IOS does not.

        It is fun watching these two companies go head to head.

  • Enron Broadband was working on this with Cisco starting in 1998. In fact, they bought two companies to try and make this happen. They told everyone that automatic provisioning was the wave of future.

    Think of a Tibco-like messaging layer allowing automatic provisioning of more or less bandwidth between carriers throughout the day as companies need it (for real-time communications or nightly data warehouse creation... whatever).

    10 years later it actually gets implemented.
  • Interesting, but... (Score:2, Interesting)

    by Zen (8377)
    Cisco IOS has already been running in house (for development purposes) on Unix for years. They call it IOU (IOS on Unix). It is a closely guarded secret. Supposedly it is fully featured and can emulate as many routers with as many interfaces as you want, all on one Solaris system. Supposedly Cisco employees get in trouble (fired??) for even mentioning its existence and certainly if they ever gave access to somebody, and only a very small number of Cisco employees even have access to it. It wouldn't be
    • by the_humeister (922869) on Sunday December 16, 2007 @01:06AM (#21714448)
      Haha! Next you're going to tell us that Apple has an in-house x86 version of OS X which they use as a sanity check for their code. I'm not falling for that one again...
    • by Tony Hoyle (11698)
      It is a closely guarded secret.

      Clearly not *that* closely guarded...
    • by dodobh (65811)
      Not a Cisco employee, but I saw it in action last year. IOU runs on Intel Macs, and Linux definitely. I was told that it also runs on FreeBSD, but didn't see it in action on that OS.
    • by netik (141046)
      Closely guarded secret?

      When I interviewed there they showed me the emulation farm they use to test IOS. It's no secret.

      They emulate everything from the route processor to the individual network cards/supervisor modules on Solaris and have a team of admins that maintain the test cluster.
  • Extreme Networks has had a fully modular, Linux-based OS for years, called XOS. Individual processes can be cycled without taking down the box, the OS supports scripting (TCL-based), and they provide an API for extending the functionality of the OS through add-on modules.

    Juniper does similar things (though I'm not sure to what extent) with JunOS, and Force10 has a *nix (BSD?) -based modular OS in the works as well. It may even be available now.

    Good for Cisco. It's about time they stop playing the "We're C
    • by geniusj (140174)
      FTOS is NetBSD-based, but it doesn't allow shell access like JunOS does. At least, not that I've seen. Juniper and Force10 both make fantastic equipment in their respective segments. The Juniper CLI, though, I think is the best around. For example, I wish they all used 'less' as their pager :-)
  • by grumling (94709) on Sunday December 16, 2007 @12:14AM (#21714182) Homepage
    "This is a nice sense of direction statement - it says that Cisco understands that SOA and Web 2.0 are fundamentally changing how applications are built"

    "According to our router's logfile, your port on the switch has been modded down below the switch's current threshold."

    router#show int eth0/0
    adds by google:
    Get a Juniper router today!
    Best deals on Cisco routers: www.cisco4less.com
    Sid : 5
    Traffic Priority : 0
    Maximum Sustained Rate : 64000
    Maximum Burst : 0
    Minimum Reserved Rate : 0
    Minimum Packet Size : 0
    Maximum Concatenated Burst : 1522
    Scheduling Type : Best Effort
    Nominal Grant Interval : 0
    Tolerated Grant Jitter : 0
    Nominal Polling Interval : 0
    Tolerated Polling Jitter : 0
    Unsolicited Grant Size : 0
    Grants per Interval : 0
    Request/Transmission Policy : 0x0
    IP ToS Overwrite [AND-mask, OR-mask] : 0x0, 0x0
    Current Throughput : 0 bits/sec, 0 packets/sec
  • Cisco has been running QNX in their high end routers for several years now. They call it "IOS XR", but it's QNX. Classic IOS, unlike QNX, isn't a protected-mode OS. In classic IOS, everything runs in one address space. They need to get beyond that. So maybe this is just opening up classic IOS as an end of life measure.

    • Re: (Score:1, Insightful)

      by Anonymous Coward
      Let's clear a few things up.

      The QNX used wasn't the operating system "QNX" that most people associate with PC-based embedded systems. It was "Neutrino," a true microkernel with POSIX APIs that QNX (the company) started shipping in 1996. This was a completely different and new product from the QNX (operating system) that QNX (the company) had been shipping for many years prior to 1996.

      Second, the reason why IOS has run in one (or two) address spaces for so long is easy: think about how you get the fastest p
      • by haruchai (17472)
        Interesting. But Cisco took too long to realize that they needed a change. They were squeezing every drop of performance through microcode programming, and that gets really difficult really quickly. Other manufacturers were able to chip away at some of Cisco's market share and to create some rather well-performing platforms without having to burden themselves with such extreme low-level programming. Not to mention Cisco's customers were getting somewhat tired of being bled dry for upgrades. I remember pricing out RAM
  • More seriously, IOS is a high-performance but extremely poor interface toolkit on top of a lot of proprietary hardware. It doesn't matter much which kernel runs on it, unless they've been tuned out of all recognizability to deal with the high-load, low-latency issues of routing. And the kernels are pretty near the limits of their ability to tune performance to the hardware: the next level up is the compiler, and the next level up is the actual interface. And the extraordinarily poor behavior of the user in
  • Not sure I like the sound of this. It's going to confuse the support for applications quite a lot.

    Right now, if there's an application problem it is fairly easy to tell where it comes from. You can quite quickly rule out a network problem by checking that basic network traffic works and looking at other similar traffic for issues.

    However if you move a load of your application logic onto the networking hardware and something starts running slow, unless your app has a lot of benchmarking built in for troubleshooti
  • by Slashcrap (869349) on Sunday December 16, 2007 @01:46PM (#21718076)
    ...thanks to Dynamips.

    I was going to say that it's only of use for training purposes, and can't be used in the real world. But then I noticed a lot of people in this thread advocating the use of consumer routers, and they probably would put emulated IOS on an old PIII and expect it to route 1Mpps. So knock yourselves out, retards.
