Re: [j-nsp] CVE-2023-4481

2023-09-17 Thread Gert Doering via juniper-nsp
Hi,

On Sun, Sep 17, 2023 at 03:07:26PM +0200, Tobias Heister via juniper-nsp wrote:
> So, like with all features and knobs, you might want to consider whether it
> brings you any benefit to keep the prefixes in hidden state or "minimize"
> processing of things you will maybe never look at.

From an operational perspective, knowing that a given prefix *did* arrive
at the local router, and was then dropped (= hidden) for a specific reason
is very valuable.  Without that information, you can only guess "did my
peer send it at all?" and troubleshooting *this* means "talk to people
outside your organization" which is way more time consuming than just
looking at hidden prefixes.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] CVE-2023-4481

2023-09-17 Thread Tobias Heister via juniper-nsp

Hi,

On 11.09.2023 19:55, Tom Beecher wrote:

>> Which in theory opens a new attack vector for the future.
>
> What is the attack vector you foresee for a route sitting as hidden with
> the potentially offending attributes stripped off?


It is theoretical, but if you do $something with a prefix and maybe even 
the "malformed" attribute and do not throw the prefix away completely, 
$something in parsing and keeping the prefix further down the line could 
stumble over $whatever else makes the prefix special.


This implies "problems"/bugs in the code parsing the prefix and its 
attributes, which can be assumed to not exist, but doing $something is 
more likely to hit a problem than not doing $something.


By keeping the prefix and doing $something with it you do more than 
before and might hit a code path that was not hit before when the 
session was reset or when the prefixes are just discarded.


In an ideal world where all code and parsing is perfect all is fine.
Do I think this is likely or a real world problem we will hit soon? 
Probably not. Do I think that it is a theoretic vector to hit problems 
not yet seen in the wild at some point? Yes I do.


So, like with all features and knobs, you might want to consider whether 
it brings you any benefit to keep the prefixes in hidden state or 
"minimize" processing of things you will maybe never look at.


regards
Tobias