[j-nsp] ntpd vulnerability

2014-12-23 Thread Jean Benoit
Hello,

Does anyone know if Juniper has issued a patched version
of JunOS for the following vulnerabilities in ntpd ?

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295

Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8
allow remote attackers to execute arbitrary code via a crafted
packet, related to (1) the crypto_recv function when the Autokey
Authentication feature is used, (2) the ctl_putdata function,
and (3) the configure function.

(1) http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_crypto_recv
(2) http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_ctl_putdata
(3) http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_configure

Buffer overflows (2) and (3) have no mitigation except upgrading
ntp to 4.2.8 or filtering ntp packets. (1) depends on having crypto
... directives in ntp.conf.

ntpd on JunOS 11.4 seems to be based on ntpd 4.2.0 and is likely
vulnerable.

$ strings ntpd | grep ntpd.4
ntpd 4.2.0-a Fri Mar  1 08:50:44 UTC 2013 (1)

-- 
Jean BENOIT
Université de Strasbourg
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] MX80 JFlow Setup

2014-12-23 Thread Levi Pederson
All,

Trying to get an MX80 to output Flow to an external collector.  I've been
reading several pieces of documentation and I keep getting differing views
and opinions on how this is supposed to be done.  I'm looking for the
simplest option right now and if I need to expand I can move to more
detailed processes after

I'm currently using the following

[edit chassis]
-   tfeb {
-       slot 0 {
-           sampling-instance calix;
-       }
-   }
[edit]
-   forwarding-options {
-       sampling {
-           instance {
-               calix {
-                   input {
-                       rate 50;
-                   }
-                   family inet {
-                       output {
-                           flow-server [ipaddress] {
-                               port 2058;
-                               version-ipfix {
-                                   template {
-                                       ipv4;
-                                   }
-                               }
-                           }
-                           inline-jflow {
-                               source-address [ipaddress];
-                           }
-                       }
-                   }
-               }
-           }
-       }
-   }
-   services {
-       flow-monitoring {
-           version-ipfix {
-               template ipv4 {
-                   flow-active-timeout 60;
-                   flow-inactive-timeout 70;
-                   template-refresh-rate {
-                       seconds 30;
-                   }
-                   option-refresh-rate {
-                       seconds 30;
-                   }
-                   ipv4-template;
-               }
-           }
-       }
-   }


Edited for Anonymity.

Thank you,

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


Re: [j-nsp] MX80 JFlow Setup

2014-12-23 Thread Scott Granados
Hi there, what you have will work well with a few modifications.

If you’re using inline sampling you might as well set the rate to 1; the 
sampling is happening at 1:1 regardless, and all the rate adjusts in this config 
is the scaling factor.
Your config also needs sample points, so something like

set interfaces xe-0/0/0.0 family inet sampling input

Place an input sampling statement on the interfaces that face your upstream and 
that face your inside network; do not sample on the output channel.

You also don’t need to define everything on the template level;
you can just do

set services flow-monitoring version-ipfix template ipv4 ipv4-template

You can set your flow sizes on the forwarding-options sampling instance input 
section, and finally you want to define an ipv4 and ipv6 flow-table size on the 
tfeb:

set chassis tfeb slot 0 inline-services flow-table-size ipv4-flow-table-size <n>
set chassis tfeb slot 0 inline-services flow-table-size ipv6-flow-table-size <n>

Note that the tfeb will restart when this is configured, to reprogram with the new flow 
table size settings.

Settings are 1-15, where the number is x*256K flows. You can define ipv4 only 
if you do not have any ipv6.

Hope that helps.




Re: [j-nsp] MX80 JFlow Setup

2014-12-23 Thread Levi Pederson
All,

Amazing, prompt and detailed responses.  I'll get to work on these right
away.

Thank you,


*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net



Re: [j-nsp] MX80 JFlow Setup

2014-12-23 Thread Eric Van Tol
Be aware that modifying the 'table-size' parameters will cause the tfeb to 
reboot.  You will want to do this during a maintenance period if this is a 
production router.

-evt



[j-nsp] MX80-1 JFlow

2014-12-23 Thread Levi Pederson
All,

Sorry for the inconvenience.  There is a request to move to version9 under
Forwarding options and Services but as I implement I'm getting tons of
requests for config changes that do not make much sense.

Sending Errors Now

-mx80-1# commit check
[edit forwarding-options sampling instance calix family inet output]
  'flow-server'
Output 'interface' or 'inline Jflow' should be configured with
flow-server
[edit forwarding-options sampling instance calix family inet output
flow-server 199.71.143.217]
  'version9'
Service PIC or inline-jflow (j-series and SRX only) must be specified
for version9
error: configuration check-out failed: (statements constraint check failed)

Any help or direction pointing would be helpful.

Thank you,

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net


Re: [j-nsp] MX80-1 JFlow

2014-12-23 Thread Scott Granados
You do not want to run version 9 in this case.

set forwarding-options sampling instance blah family inet output flow-server 
199.b.c.d port  version-ipfix template ipv4

set forwarding-options sampling instance blah family inet output inline-jflow 
source-address 199.loopback.0.address 
(or similar)
Note that you cannot originate flow data for capture from within a routing 
instance; the source must be in the global router.

Thanks
Scott



[j-nsp] MX480 SCB firmware issue

2014-12-23 Thread Dave Peters - Terabit Systems
Hi all--

Pardon my stupidity, but I'm getting the following error on a new (purchased 
used) SCB for an MX480 running the recommended software release (12.3R6.6):

1 alarm currently active
Alarm time   Class  Description
2014-12-23 21:50:13 UTC  Major  CB 0 FPGA Revision unsupported

In looking over the Juniper documentation, there's a request system firmware 
command to update the SCB, but unfortunately, I'm not seeing that option 
(meaning request system ? doesn't reveal firmware as a possibility). I'm also 
not seeing any specific BIOS/firmware files in the download section of the 
Juniper MX Series portion of the Juniper website.

Can anyone take pity on me and give me some pointers on how to update the 
firmware and clear that error?

As always, much appreciated.

--Dave Peters




Re: [j-nsp] MX480 SCB firmware issue

2014-12-23 Thread Tobias Heister

Hi,

On 23.12.2014 at 23:23, Dave Peters - Terabit Systems wrote:

1 alarm currently active
Alarm time   Class  Description
2014-12-23 21:50:13 UTC  Major  CB 0 FPGA Revision unsupported

In looking over the Juniper documentation, there's a request system firmware command to 
update the SCB, but unfortunately, I'm not seeing that option (meaning request system ? 
doesn't reveal firmware as a possibility). I'm also not seeing any specific BIOS/firmware files in 
the download section of the Juniper MX Series portion of the Juniper website.


It is a hidden command, so you have to type it out manually. After "firmware" 
it starts to auto-complete:


request system firmware ?
Possible completions:
  downgrade
  upgrade



request system firmware upgrade ?
Possible completions:
  fpc  Upgrade FPC ROM monitor
  pic  Upgrade PIC firmware
  vcpu Upgrade VCPU ROM monitor


The output above is from an MX240 with SCB.

I have never seen that error showing up, but from what I have seen in similar 
situations the firmware should be embedded in Junos and the firmware upgrade 
should just work without additional files. But SCB seems not to be a valid 
upgrade target on MX:


request system firmware upgrade scb
error: command is not valid on the mx480


tested on MX480 with SCBE

Would you by any chance have bought an SCBE2 (they would probably not be 
available in used condition) instead of an SCB? Just asking because SCBE2 is 
supported starting from 13.something and does not work in 12.3.

--
Kind Regards
Tobias Heister


[j-nsp] experience with modeling tool

2014-12-23 Thread jjsyed--- via juniper-nsp
Hello,

Can somebody give me feedback on the two tools I am thinking about using? I 
cannot decide which one to use. I think the answer depends on what needs to be 
done. I am planning to decommission some services from my backbone and would like to 
move those existing circuits over to point-to-point links. I am pretty sure there will be a 
change in traffic patterns, flows, etc., so I need to know which tool can help me 
or give me a good picture of the network in its present and future state. I am 
looking at WANDL or Junosphere. 
 
thanks 


[j-nsp] juniper qfx5100 vs ex9200

2014-12-23 Thread Randy Manning
People,

Any advice on a distribution layer switch for campus networks?  Juniper
QFX5100 vs EX9200?  I am not sure what the requirements need to be as a
priority.  The core is MX960 and currently routing.  I am thinking about
campus distros becoming PEs with TE and allowing the cores to label
switch only.  Given the current network and possible change, which
platform is the best?  QFX or EX?

Data centers are working well with QFabric, but I understand that has
been abandoned by Juniper... which is sad... I liked the eVPN BGP NLRI design.


Thanks,
-
Randy