Re: [j-nsp] VPLS Multihoming on Junos - FEC confusion
Hello,

IMHO there is a mess with docs/terms. FEC 128 multihoming as described has nothing to do with LDP. It's BGP signaling and autodiscovery.

Krasi

On 8 September 2013 22:37, Darren O'Connor wrote:

> Hi list.
>
> I'm going over the VPLS multihoming options on Juniper's web site. I'm not concerned with LAG and MC-LAG for the moment.
>
> As far as I'm aware, FEC128 is when you are using manual discovery of pseudowires (LDP) - FEC129 is when you are using BGP auto-discovery.
>
> The Juniper techpub for FEC129 multihoming I don't have a problem with, as it shows how to multihome with BGP:
> https://www.juniper.net/techpubs/en_US/junos/topics/topic-map/vpls-bgp-multihoming.html
>
> The FEC128 multihoming techpub says that you cannot enable LDP signalling, you have to use BGP signalling:
> http://www.juniper.net/techpubs/en_US/junos/topics/usage-guidelines/vpns-configuring-vpls-multihoming.html
>
> I know that you can use LDP for manual discovery and LDP will then signal VC labels. You can also use BGP for auto-discovery and LDP for VC label signalling. You can also use BGP for both.
>
> What I don't get is how you could use FEC128 with BGP signalling. Junos doesn't give you the option to only signal through BGP but do manual discovery through LDP.
>
> So my question is, when exactly would the FEC128 config be used over the FEC129 config? If you are using BGP for signalling, are you not using BGP for discovery at the same time?
>
> Or maybe I'm just misunderstanding something.
>
> Thanks
> Darren
> http://www.mellowd.co.uk/ccie
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SSH version 4 vulnerability on JUNOS
On 9/9/2013 12:16 PM, Harri Makela wrote:

> Hi There
>
> I got the following report after the vulnerability scanning. Now, first, we don't use IPv6, and secondly, how can we check on Juniper that the version is SSH 4?
>
> Synopsis: The remote SSH service is prone to an X11 session hijacking vulnerability.
>
> Description: According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
>
> Solution : Upgrade to OpenSSH version 5.0 or later.
>
> This is what I searched on the ex-8208 switch and found for SSH:
>
> set system services ssh root-login deny
> set system services ssh protocol-version v2 -> it says version 2
>
> Sorry if these are too basic questions, as I am new to all this.
>
> Thanks
> HM

"set system services ssh protocol-version v2"

That sets the SSH *protocol* version. The most current version is 2.

JunOS uses OpenSSH code. As for what version of OpenSSH is in your version of JunOS: drop to a shell ("start shell" from the JunOS CLI) and run:

% ssh -v

e.g. EX2200 with JUNOS 11.4R2.14:

% ssh -v
OpenSSH_5.8, SSH protocols 1.5/2.0, OpenSSL 0.9.8r 8 Feb 2011
SSH release 11.4R2.14 built by builder on 2012-03-17 16:12:45 UTC

However, I doubt you have anything to fear from an X11 vulnerability on JunOS..
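The reply above turns on the difference between the SSH protocol version (what "protocol-version v2" sets) and the OpenSSH software version that the scanner reads from the banner. As an added example, not code from the thread or from Juniper, this Python helper parses both the first line of "ssh -v" output and a remote banner into those separate facts, and reproduces the scanner's banner-only rule (OpenSSH older than 5.0 gets flagged); the sample lines are constructed from the versions quoted in the thread.

```python
import re

# Constructed sample inputs modelled on the thread: the EX2200 "ssh -v" line
# quoted in the reply, a remote banner for the OpenSSH 4.4 build mentioned
# later in the thread, and a banner from a non-OpenSSH daemon the rule cannot judge.
SAMPLES = {
    "ex2200_ssh_v": "OpenSSH_5.8, SSH protocols 1.5/2.0, OpenSSL 0.9.8r 8 Feb 2011",
    "banner_4_4": "SSH-2.0-OpenSSH_4.4",
    "banner_other": "SSH-2.0-dropbear_2012.55",
}

_OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?")
_BANNER_RE = re.compile(r"^SSH-(\d\.\d+)-")             # protocol version in a remote banner
_PROTOCOLS_RE = re.compile(r"SSH protocols ([\d./]+)")  # protocol list in "ssh -v" output
_OPENSSL_RE = re.compile(r"OpenSSL (\S+)")

def parse_ssh_version_line(text):
    """Split a banner or the first "ssh -v" line into its separate facts.

    The software version (OpenSSH_x.y) is kept apart from the protocol version:
    "protocol-version v2" in the Junos config says nothing about which OpenSSH
    release is installed, which is the confusion the thread is about.
    """
    info = {"openssh": None, "protocols": [], "openssl": None}
    m = _OPENSSH_RE.search(text)
    if m:
        info["openssh"] = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = _BANNER_RE.match(text)
    if m:
        info["protocols"] = [m.group(1)]
    m = _PROTOCOLS_RE.search(text)
    if m:
        info["protocols"] = m.group(1).split("/")
    m = _OPENSSL_RE.search(text)
    if m:
        info["openssl"] = m.group(1)
    return info

def flagged_by_banner_rule(text, threshold=(5, 0, 0)):
    """Reproduce the scanner's rule: an OpenSSH version older than 5.0 is flagged.

    Returns True/False, or None when the line carries no OpenSSH version at all
    (the banner rule simply has nothing to say about such a daemon).
    """
    v = parse_ssh_version_line(text)["openssh"]
    return None if v is None else v < threshold

def triage(samples=SAMPLES):
    """Apply the banner rule to every sample; returns {name: True/False/None}."""
    return {name: flagged_by_banner_rule(line) for name, line in samples.items()}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, parse_ssh_version_line(line), "flagged:", flagged_by_banner_rule(line))
```

Because the rule keys only on the banner, a flag tells you the build is old, not that the X11 condition in the finding is actually reachable on the box.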
Re: [j-nsp] SSH version 4 vulnerability on JUNOS
Thank you very much for the update Tim. Much appreciated.

From: Tim Eberhard
To: Harri Makela
Cc: "juniper-nsp@puck.nether.net"
Sent: Monday, 9 September 2013, 17:45
Subject: Re: [j-nsp] SSH version 4 vulnerability on JUNOS

I've checked in with Juniper CERT a couple of times after SSH vulnerabilities get made public, given the fact they run such older ssh binaries. The answer I've received every time is that they run a modified version of OpenSSH 4.4, and disallow unsigned, third-party or modified binaries to run under Junos by default.

With that said, I wouldn't really worry about an X11 session hijacking vulnerability.. given you don't have X11 installed on your device. This seems like a generic scan report that looks for anything under OpenSSH 5.0 and just tells you to upgrade.

I think you're safe to ignore here Harri.

Hope this helps,
-Tim Eberhard

On Mon, Sep 9, 2013 at 9:16 AM, Harri Makela wrote:

> Hi There
>
> I got the following report after the vulnerability scanning. Now, first, we don't use IPv6, and secondly, how can we check on Juniper that the version is SSH 4?
>
> Synopsis: The remote SSH service is prone to an X11 session hijacking vulnerability.
>
> Description: According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
>
> Solution : Upgrade to OpenSSH version 5.0 or later.
>
> This is what I searched on the ex-8208 switch and found for SSH:
>
> set system services ssh root-login deny
> set system services ssh protocol-version v2 -> it says version 2
>
> Sorry if these are too basic questions, as I am new to all this.
>
> Thanks
> HM
Re: [j-nsp] SSH version 4 vulnerability on JUNOS
I've checked in with Juniper CERT a couple of times after SSH vulnerabilities get made public, given the fact they run such older ssh binaries. The answer I've received every time is that they run a modified version of OpenSSH 4.4, and disallow unsigned, third-party or modified binaries to run under Junos by default.

With that said, I wouldn't really worry about an X11 session hijacking vulnerability.. given you don't have X11 installed on your device. This seems like a generic scan report that looks for anything under OpenSSH 5.0 and just tells you to upgrade.

I think you're safe to ignore here Harri.

Hope this helps,
-Tim Eberhard

On Mon, Sep 9, 2013 at 9:16 AM, Harri Makela wrote:

> Hi There
>
> I got the following report after the vulnerability scanning. Now, first, we don't use IPv6, and secondly, how can we check on Juniper that the version is SSH 4?
>
> Synopsis: The remote SSH service is prone to an X11 session hijacking vulnerability.
>
> Description: According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
>
> Solution : Upgrade to OpenSSH version 5.0 or later.
>
> This is what I searched on the ex-8208 switch and found for SSH:
>
> set system services ssh root-login deny
> set system services ssh protocol-version v2 -> it says version 2
>
> Sorry if these are too basic questions, as I am new to all this.
>
> Thanks
> HM
[j-nsp] SSH version 4 vulnerability on JUNOS
Hi There

I got the following report after the vulnerability scanning. Now, first, we don't use IPv6, and secondly, how can we check on Juniper that the version is SSH 4?

Synopsis: The remote SSH service is prone to an X11 session hijacking vulnerability.

Description: According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.

Solution : Upgrade to OpenSSH version 5.0 or later.

This is what I searched on the ex-8208 switch and found for SSH:

set system services ssh root-login deny
set system services ssh protocol-version v2 -> it says version 2

Sorry if these are too basic questions, as I am new to all this.

Thanks
HM