[j-nsp] JUNOS Vulnerability

Richard A Steenbergen ras at e-gerbil.net
Thu Jan 27 18:10:27 EST 2005


On Thu, Jan 27, 2005 at 01:29:15PM -0500, Phil Shafer wrote:
> 
> >You probably don't 
> >want to be sticking random junk in your communities just to work around a 
> >silly config parser that makes invalid assumptions.
> 
> In general, we try to balance against allowing users to do anything
> (including creating empty prefix-lists) with helping users avoid
> and detect misconfigurations (such as empty prefix-lists ;^).  It's
> not always an easy call, given that one user's meat is another
> user's poison.   It's not always an easy call.
> 
> In this specific case, it's clearly just a bug.  If the UI lets you
> make an empty prefix-list, BGP should honor it.  It's now PR 56110.

When in doubt, make it optional. How about some config options that let 
you define the level of error checking you want? Maybe something like:

system {
    config-parser {
        empty-prefix-lists [ignore|warn|error];
        ...
    }
}

Where ignore says nothing, warn spits out a warning that what you are 
doing may not be what you want but still lets you commit it, and error 
won't let you commit it at all? Then you can set the default to whatever 
level of error checking you feel like, and probably even add new levels of 
parser checks which aren't appropriate for everyone but that some folks 
might want to explicitly turn on to say help their operations staff.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
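As an added illustration of the commit-time check the proposal above would drive (example code written for this page, not Juniper's or the list's own), here is a small Python checker that pulls `prefix-list` blocks out of a JUNOS-style text config, flags the empty ones, and applies the ignore/warn/error policy: ignore says nothing, warn reports but still allows the commit, error blocks it. The parser is deliberately simplified (brace matching plus a prefix regex) and the sample config is constructed.

```python
import re
from enum import Enum


class Level(Enum):
    """Strictness of the empty-prefix-list check, as proposed in the thread."""
    IGNORE = "ignore"
    WARN = "warn"
    ERROR = "error"


# Constructed sample: one populated list, two empty ones (one with only a comment).
SAMPLE_CONFIG = """
policy-options {
    prefix-list customers {
        192.0.2.0/24;
        2001:db8::/32;
    }
    prefix-list bogons {
    }
    prefix-list not-yet-filled {
        /* placeholder, nothing added yet */
    }
}
"""


def find_prefix_lists(config: str) -> dict[str, list[str]]:
    """Map each prefix-list name to the prefixes inside its braces (simplified parser)."""
    lists: dict[str, list[str]] = {}
    for m in re.finditer(r'prefix-list\s+([\w.-]+)\s*\{', config):
        depth, i = 0, m.end() - 1          # start on the opening brace
        while i < len(config):             # walk to the matching closing brace
            if config[i] == '{':
                depth += 1
            elif config[i] == '}':
                depth -= 1
                if depth == 0:
                    break
            i += 1
        body = config[m.end():i]
        lists[m.group(1)] = re.findall(r'([0-9a-fA-F.:]+/\d+)\s*;', body)
    return lists


def check_empty_prefix_lists(config: str, level: Level) -> tuple[bool, list[str]]:
    """Return (commit_allowed, messages) for the given strictness level."""
    empties = [name for name, prefixes in find_prefix_lists(config).items() if not prefixes]
    if level is Level.IGNORE or not empties:
        return True, []
    messages = [f"prefix-list {name} is empty" for name in empties]
    return level is Level.WARN, messages   # warn commits anyway, error refuses
```

Run it over a real exported configuration to see which prefix-lists a BGP policy would be matching against before the behaviour in PR 56110 is relied on.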