Möhrenfeld

Debian Secure APT Keys for Third-Party Repositories
2020-02-13

In most (if not all) installation instructions for Debian third-party repositories you will find a line like this:

wget -O - https://packages.example.com/example.key | apt-key add -

This allows the package maintainer's key to sign ALL Debian packages, not only the packages from their repository. I'm not sure why this is still so common when a more secure alternative exists.

Read on

Juniper krt queue problems
2018-03-22

Juniper is somewhat (in-)famous for unhelpful and/or superfluous error messages. We faced a new one on our Juniper MX boxes recently. A normal-looking static route was committed, the next-hop was reachable via an irb interface bound to a VPLS instance:

[edit routing-options static]
    +    route 10.1.2.168/29 {
    +        next-hop 10.1.2.167;
    +        tag 666;
    +    }

Read on

Juniper local-as and BGP loops
2017-11-27

I faced an interesting problem today. In a customer L3VPN/VRF a route was hidden and it was not apparent why. In JunOS when you do a show route ... command you will get a summary at the top that tells you some statistics. In this case, four routes are hidden (three were expected, the one displayed here should not have been hidden). You can display hidden routes by adding the hidden option to the show route command:

user@core1> show route table customer-vrf.inet.0 10.1.2.0/22 hidden

customer-vrf.inet.0: 31 destinations, 34 routes (30 active, 0 holddown, 4 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.2.0/22      [BGP ] 1d 17:20:31, MED 0, localpref 100, from 198.51.100.27
                    AS path: 65003 ?, validation-state: unverified
                    to 198.51.100.174 via ae1.0, Push 16, Push 300928(top)
                    > to 198.51.100.66 via ae17.0, Push 16, Push 302608(top)

Read on

Configure JunOS via SSH and NETCONF
2017-05-12

I was looking for an easy and fast way to push configuration to our Juniper devices. Preferably one that doesn't need anything special except an SSH connection.

I started with a standard Juniper configuration snippet. Something like this:

policy-options {
replace:
    policy-statement deny-everything {
        then reject;
    }
}

How do we get this on the device? Luckily Juniper (as well as other vendors) supports a feature called NETCONF (RFC 6241), which uses an XML RPC API to talk to the device. You need to enable it together with SSH:

Read on