[nsp-sec] AS4 / ASN32 and IOS
Mike Hellers
Mike.Hellers at interoute.com
Mon Feb 2 09:10:38 EST 2009
Juniper did release PSN-2009-01-200 the evening after the NANOG presentation.
From the PSN:
>Juniper has validated the work done by Andy Davidson, NetSumo (andy.davidson at netsumo.com), Jonathan Oddy, Hostway UK (jonathan.oddy at hostway.co.uk), and
>Rob Shakir, GX Networks (rjs at eng.gxn.net).
>
>A fix has been completed and is currently being applied to all images which have yet to reach End of Engineering (EOE). Consequently, fixes will be
>available in the next scheduled releases of JUNOS (please check with your local Juniper technical representative).
>
>The PR for this issue is 417046.
>
>This only impacts JUNOS from 9.1R1 forward. 4-byte ASNs were introduced in JUNOS in 9.1R1 (released before 20090126).
...mike
-----Original Message-----
From: nsp-security-bounces at puck.nether.net on behalf of David Freedman
Sent: Mon 2/2/2009 13:39
To: nsp-security at puck.nether.net
Subject: [nsp-sec] AS4 / ASN32 and IOS
----------- nsp-security Confidential --------
I'm sure many of you have seen posts from Rob Shakir
on many mailing lists recently regarding this:
http://www.merit.edu/mail.archives/nanog/msg14345.html
Cisco's PSIRT have refused to react:
"Because PSIRT does not have knowledge of malicious use of the issue"
So this is really a heads up, it is a standards issue and is being
addressed by draft-chen-rfc4893bis-00.txt and discussed on IETF idr
mailing list
(http://www.nabble.com/-Fwd%3A-I-D-Action%3Adraft-chen-rfc4893bis-00.txt--to21645335.html)
In the interim, I would strongly advise AGAINST deploying IOS code which
has ASN32 support (latest 12.0(S) train for example), especially if this
box will be facing your upstreams or peers.
Have no information from Juniper about the implications for JunOS,
perhaps somebody else would like to comment?
Dave.