[j-nsp] RES: Juniper Junos 8.4

Richard A Steenbergen ras at e-gerbil.net
Thu Dec 13 02:16:06 EST 2007


On Thu, Dec 13, 2007 at 01:07:36PM +0700, Beny Dwi Setyawan wrote:
> Hi Gunjan,
> 
> It is true this BGP bug is only a problem on BGP configurations without MD5
> authentication; this means no issue when you implement BGP with MD5 auth.
> Will the patch be a major upgrade?

This is not true, MD5 has no relation. The issue is with an invalid BGP 
message which Cisco propagates harmlessly (a violation of the BGP spec, 
allowing the message to spread), but which Juniper (correctly) detects as 
an error (thus dropping the session). The risk is to any BGP session 
between a Cisco and an unpatched Juniper, which would flap "forever" with 
such a bad message being propagated through BGP.

I'm not going to talk about any details until after the announcement and 
plenty of time for people to upgrade, but I will say that the issue has 
already been seen in the wild and thus none of this requires any inside 
knowledge. Any astute observer who cares to know is probably already in 
possession of the particular message necessary to cause the issue, and it 
can't be filtered, so yes you really do want to upgrade immediately.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

