[j-nsp] RES: Juniper Junos 8.4
Richard A Steenbergen
ras at e-gerbil.net
Thu Dec 13 02:16:06 EST 2007
On Thu, Dec 13, 2007 at 01:07:36PM +0700, Beny Dwi Setyawan wrote:
> Hi Gunjan,
>
> It is true this BGP bug only problem on BGP configuration without MD5
> authentication, this mean no issue when you implement BGP with MD5 auth.
> Is the patch will be major upgrade?
This is not true, MD5 has no relation. The issue is with an invalid BGP
message which Cisco propagates harmlessly (a violation of the BGP spec,
allowing the message to spread), but which Juniper (correctly) detects as
an error (thus dropping the session). The risk is to any BGP session
between a Cisco and an unpatched Juniper, which would flap "forever" with
such a bad message being propagated through BGP.
I'm not going to talk about any details until after the announcement and
plenty of time for people to upgrade, but I will say that the issue has
already been seen in the wild and thus none of this requires any inside
knowledge. Any astute observer who cares to know is probably already in
posession of the particular message necessary to cause the issue, and it
can't be filtered, so yes you really do want to upgrade immediately.
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
More information about the juniper-nsp
mailing list