Re: [j-nsp] CVE-2023-4481

2023-09-17 Thread Gert Doering via juniper-nsp
Hi,
On Sun, Sep 17, 2023 at 03:07:26PM +0200, Tobias Heister via juniper-nsp wrote:
> So, like with all features and knobs, you might want to consider whether it
> brings you any benefit to keep the prefixes in hidden state or "minimize"
> processing of things you will maybe never look at.
From

Re: [j-nsp] CVE-2023-4481

2023-09-17 Thread Tobias Heister via juniper-nsp
Hi,
On 11.09.2023 19:55, Tom Beecher wrote:
> > Which in theory opens a new attack vector for the future.
> What is the attack vector you foresee for a route sitting as hidden with the potentially offending attributes stripped off?
It is theoretical, but if you do $something with a prefix

Re: [j-nsp] CVE-2023-4481

2023-09-11 Thread Tom Beecher via juniper-nsp
>
> Which in theory opens a new attack vector for the future.
>
What is the attack vector you foresee for a route sitting as hidden with the potentially offending attributes stripped off?
On Thu, Aug 31, 2023 at 4:27 AM Tobias Heister via juniper-nsp <juniper-nsp@puck.nether.net> wrote:
> Hi,

Re: [j-nsp] CVE-2023-4481

2023-08-31 Thread Jeff Haas via juniper-nsp
On 8/31/23, 4:28 AM, "juniper-nsp on behalf of Tobias Heister via juniper-nsp" wrote:
> On 30.08.2023 at 18:09, heasley via juniper-nsp wrote:
> > Tue, Aug 29, 2023 at

Re: [j-nsp] CVE-2023-4481

2023-08-31 Thread Tobias Heister via juniper-nsp
Hi,
On 30.08.2023 at 18:09, heasley via juniper-nsp wrote:
> Tue, Aug 29, 2023 at 03:42:41PM -0700, David Sinn via juniper-nsp:
> > A network I operate is going with:
> >
> > bgp-error-tolerance {
> >     malformed-route-limit 0;
> > }
> >
> > The thoughts being that there is no real reason to

Re: [j-nsp] CVE-2023-4481

2023-08-30 Thread heasley via juniper-nsp
Tue, Aug 29, 2023 at 03:42:41PM -0700, David Sinn via juniper-nsp:
> A network I operate is going with:
>
> bgp-error-tolerance {
>     malformed-route-limit 0;
> }
>
> The thoughts being that there is no real reason to retain the malformed route
> and the default of

Re: [j-nsp] CVE-2023-4481

2023-08-29 Thread David Sinn via juniper-nsp
A network I operate is going with:
    bgp-error-tolerance {
        malformed-route-limit 0;
    }
The thoughts being that there is no real reason to retain the malformed route and the default of 1000 is arbitrary. We haven't really seen a rash of them, so adjusting the logging

[j-nsp] CVE-2023-4481

2023-08-29 Thread Randy Bush via juniper-nsp
do we have a recommended `bgp-error-tolerance {}` config to deal with CVE-2023-4481? and what does one do on antique hardware with, e.g., junos 14?
randy