Debian Secure APT Keys for Third-Party Repositories

In most (if not all) installation instructions for Debian Third-Party repositories you will find a sentence like this:

wget -O - https://packages.example.com/example.key | apt-key add -

This adds the package maintainer's key to APT's trusted keyring, which allows that key to sign ALL Debian packages, not only the packages from their repository. I'm not sure why this is still so common when a more secure alternative exists.

Read on

Juniper krt queue problems

Juniper is somewhat (in-)famous for unhelpful and/or superfluous error messages. We faced a new one on our Juniper MX boxes recently. A normal-looking static route was committed, the next-hop was reachable via an irb interface bound to a VPLS instance:

[edit routing-options static]
    +    route {
    +        next-hop;
    +        tag 666;
    +    }

Read on

Juniper local-as and BGP loops

I faced an interesting problem today. In a customer L3VPN/VRF a route was hidden and it was not apparent why. In JunOS when you do a show route ... command you will get a summary at the top that tells you some statistics. In this case, four routes are hidden (three were expected, the one displayed here should not have been hidden). You can display hidden routes by adding the hidden option to the show route command:

user@core1> show route table customer-vrf.inet.0 hidden

customer-vrf.inet.0: 31 destinations, 34 routes (30 active, 0 holddown, 4 hidden)
+ = Active Route, - = Last Active, * = Both      [BGP ] 1d 17:20:31, MED 0, localpref 100, from
                    AS path: 65003 ?, validation-state: unverified
                    to via ae1.0, Push 16, Push 300928(top)
                    > to via ae17.0, Push 16, Push 302608(top)

Read on

Configure JunOS via SSH and NETCONF

I was looking for an easy and fast way to push configuration to our Juniper devices. Preferably one that doesn't need anything special except an SSH connection.

I started with a standard Juniper configuration snippet. Something like this:

policy-options {
    policy-statement deny-everything {
        then reject;
    }
}

How do we get this on the device? Luckily Juniper (as well as other vendors) supports a feature called NETCONF (RFC 6241) which uses an XML RPC API to talk to the device. You need to enable it together with SSH:

Read on