Re: [j-nsp] MX204 update from 21.4R3-S4 to 21.4R3-S5

2023-11-09 Thread Richard McGovern via juniper-nsp
I believe if your cipher is set to one that Juniper no longer supports, i.e. 
that knob selection is deprecated, the upgrade will not complete. The change 
in cipher support is due to new vulnerability findings.

SSH vulnerability, "Deprecated SSH Cryptographic Settings", with the Vulnerability 
Result Type quoting the details of the category under which the alert is 
identified. For example, if the customer's monitoring tool reports "Vulnerability 
Result Type Name key_exchange diffie-hellman-group14-sha1 host_key ssh-rsa MAC 
hmac-sha1- MAC hmac-sha1", this means the SRX is using deprecated SSH 
cryptographic settings to communicate.


Changes are needed under system services ssh to allow only strong ciphers, host 
keys, MACs and algorithms.



Settings currently considered deprecated (might change later):

+ Ciphers using CFB or OFB - Very uncommon, and deprecated because of weaknesses 
  compared to newer cipher chaining modes such as CTR or GCM

+ RC4 cipher (arcfour, arcfour128, arcfour256) - The RC4 cipher has a 
  cryptographic bias and is no longer considered secure

+ Ciphers with a 64-bit block size (DES, 3DES, Blowfish, IDEA, CAST) - Ciphers 
  with a 64-bit block size may be vulnerable to birthday attacks (Sweet32)

+ Key exchange algorithms using DH group 1 (diffie-hellman-group1-sha1, 
  gss-group1-sha1-*) - DH group 1 uses a 1024-bit key, which is considered too 
  short and vulnerable to Logjam-style attacks

+ Key exchange algorithm rsa1024sha1 - Very uncommon, and deprecated because of 
  the short RSA key size

+ MAC algorithm umac-32 - Very uncommon, and deprecated because of the very 
  short MAC length


Just FYI. Rich

Richard McGovern
Sr Sales Engineer, Juniper Networks
978-618-3342

I’d rather be lucky than good, as I know I am not good
I don’t make the news, I just report it





On 11/9/23, 4:43 AM, "Muhammad Aamir"  wrote:
Try the below and do the upgrade again.

deactivate system services ssh ciphers

Regards,
Aamir

On Thu, Nov 9, 2023 at 12:28 PM Andreas S. Kerber via juniper-nsp <
juniper-nsp@puck.nether.net> wrote:



___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
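As an added example (not from the thread and not Juniper's own tooling), a small Python audit of Junos set-style `system services ssh` configuration against the deprecated categories listed above, plus the SHA-1 based key-exchange and MAC values the quoted scanner report flags. The sample configuration is constructed, and the knob names ciphers, key-exchange and macs are assumed from normal Junos CLI usage; host-key algorithms are not checked.

```python
import re

SSH_KNOB = re.compile(r"^set system services ssh (ciphers|key-exchange|macs)\s+(.+)$")


def classify(knob, value):
    """Return why (knob, value) is deprecated per the categories above, or None."""
    v = value.lower()
    if knob == "ciphers":
        if v.startswith("arcfour"):
            return "RC4 cipher: cryptographic bias, no longer secure"
        if v.endswith(("-cfb", "-ofb")):
            return "CFB/OFB chaining mode: weaker than CTR or GCM"
        if v.split("-")[0] in ("des", "3des", "blowfish", "idea", "cast128"):
            return "64-bit block size: Sweet32 birthday attack"
    elif knob == "key-exchange":
        if v == "dh-group1-sha1" or v.startswith("gss-group1-sha1"):
            return "DH group 1 (1024-bit): Logjam-style attacks"
        if v == "rsa1024sha1":
            return "rsa1024sha1: RSA key too short"
        if v.endswith("sha1"):  # e.g. dh-group14-sha1, as in the scanner report above
            return "SHA-1 based key exchange: flagged by vulnerability scanners"
    elif knob == "macs":
        if v == "umac-32":
            return "umac-32: MAC length too short"
        if v.startswith(("hmac-sha1", "hmac-md5")):
            return "SHA-1/MD5 MAC: flagged by vulnerability scanners"
    return None


def audit(config_text):
    """Return (knob, value, reason) for every deprecated value in set-style config."""
    findings = []
    for line in config_text.splitlines():
        m = SSH_KNOB.match(line.strip())
        if not m:
            continue
        knob, rest = m.groups()
        for value in rest.strip("[] ").split():  # accepts 'a' or '[ a b c ]'
            reason = classify(knob, value)
            if reason:
                findings.append((knob, value, reason))
    return findings


# Constructed sample of 'show configuration | display set' output, not from the thread.
SAMPLE_CONFIG = """\
set system services ssh ciphers [ aes256-gcm@openssh.com aes256-ctr 3des-cbc arcfour ]
set system services ssh key-exchange dh-group1-sha1
set system services ssh key-exchange curve25519-sha256
set system services ssh macs [ hmac-sha2-512 umac-32 hmac-sha1 ]
"""
```

Run `audit(SAMPLE_CONFIG)` before an upgrade and delete every value it returns from the ssh stanza; the remaining list is what the upgrade validation should accept.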


Re: [j-nsp] MX204 update from 21.4R3-S4 to 21.4R3-S5

2023-11-09 Thread Andreas S. Kerber via juniper-nsp
On Thu, Nov 09, 2023 at 12:43:18PM +0300, Muhammad Aamir wrote:
> Try the below and do the upgrade again.
> deactivate system services ssh ciphers

Thanks Aamir!

We had an ancient ssh key-exchange statement configured.
After removing that, the installation worked fine. Thanks again!

Andreas


Re: [j-nsp] MX204 update from 21.4R3-S4 to 21.4R3-S5

2023-11-09 Thread Muhammad Aamir via juniper-nsp
Try the below and do the upgrade again.

deactivate system services ssh ciphers

Regards,
Aamir

On Thu, Nov 9, 2023 at 12:28 PM Andreas S. Kerber via juniper-nsp <
juniper-nsp@puck.nether.net> wrote:



[j-nsp] MX204 update from 21.4R3-S4 to 21.4R3-S5

2023-11-09 Thread Andreas S. Kerber via juniper-nsp
Anybody successfully updated MX204 from 21.4R3-S4 to 21.4R3-S5?
Got a few MX204 and trying to "request vmhost software add" fails
on each of them.

Anybody got a hint for me?

$ request vmhost software add /var/tmp/junos-vmhost-install-mx-x86-64-21.4R3-S5.4.tgz
Junos Validation begin. Procedure will take few minutes.
Checking if VirtFS can be used for image install ...
Required: 7654536554 bytes Available: 21476761600 bytes
Using VirtFS ...
{...}
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
mgd: commit complete
Validation succeeded
Validating against /config/rescue.conf.gz
mgd: commit complete
Validation succeeded
Verified junos-vmhost-install-mx-x86-64-21.4R3-S5.4 signed by PackageDevelopmentECP256_2023 method ECDSA256+SHA256
Copied the config and other data to the aux disk.
Transfer junos-host-upgrade.sh
lost connection
Transfer Done
Starting upgrade ...
sh: /junos/install/junos-host-upgrade.sh: No such file or directory
rm: cannot remove '/junos/install/junos-host-upgrade.sh': No such file or directory
... upgrade failed.


Re: [j-nsp] backup routing engine authentication from in-band interface

2023-11-09 Thread Saku Ytti via juniper-nsp
On Thu, 9 Nov 2023 at 10:38, Chen Jiang via juniper-nsp wrote:

> Just want to confirm if Juniper backup routing engine could authenticate
> users from in-band interface like ge-0/0/0 to the AAA server?
>
> If not, do we have a solution? The scenario is MX960 with dual RE and no
> OOB network. But need to authenticate users login backup RE from AAA.

No solution. Well, sort of a hacky solution, if you route the AAA server
statically over FXP/EM. But generally speaking, hard no: only local
authentication on the backup RE.

But luckily they've fixed this awkward mismatch, and there is no remote
authentication on either console on EVO at all. Another thing that
might surprise people is that the lo0 filter no longer applies to
EM/FXP ports in EVO.

Ideally we'd all be asking vendors to implement true lights-out
ethernet ports, with dedicated control planes, like Cisco CMP, so we
could get rid of problematic RS232 and useless in-band MGMT ports
(EM/FXP are actively dangerous).
-- 
  ++ytti


[j-nsp] backup routing engine authentication from in-band interface

2023-11-09 Thread Chen Jiang via juniper-nsp
Hi Experts!

Just want to confirm whether the Juniper backup routing engine can authenticate
users from an in-band interface like ge-0/0/0 to the AAA server?

If not, do we have a solution? The scenario is an MX960 with dual REs and no
OOB network, but we need to authenticate users logging in to the backup RE via AAA.

Thanks for your great help.

-- 
BR!
James Chen