SRX Services Gateway
Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Here is the official info on the bug:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21713

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Contributor
techniq
Posts: 40
Registered: ‎01-14-2009

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Thanks, good to see the KB article posted.

I'm going to try the firewall filter to bypass flow-mode and process in packet mode, but honestly I'm surprised that works, as I would expect IP Spoofing to work in packet-mode, as it's not restricted to stateful packet processing. It should be a per-packet analysis.

Super Contributor
tbehrens
Posts: 348
Registered: ‎04-30-2010

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


@techniq: I got puzzled, too. Trusty JunOS flow diagram to the rescue! (attached)


As you can see, packet filters take effect before Screens. Screens are still part of the Flow Module.


That diagram, btw, is so useful in so many ways. It completely explains just why NAT and policy-based VPN just cannot work together, for example.


Contributor
techniq
Posts: 40
Registered: ‎01-14-2009

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Yes, I'm familiar with the packet-processing diagram. I guess I was really questioning the logic of the IP Spoofing screen only being in flow-mode. However, I rationalized it with a scenario of a legitimate need to allow asymmetric traffic (for example).

I still have to test it again, because as I stated previously I set up a stateless firewall filter for this but only using the ports 67/68/udp and it did not work. I'll play around with various 'from' parameters.

Trusted Expert
WL
Posts: 789
Registered: ‎07-26-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


@cryptochrome


btw, I tested the IP spoofing with the SRX working as DHCP server as well, and it also affects the receiving of DHCP broadcast packets.

We will get the KB updated to reflect this as well. In my setup, I can clearly see the spoof messages and counters incrementing, though I'm not sure why counters are not working for you.

E.g. Aug 30 15:12:17 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 0.0.0.0, destination: 255.255.255.255, protocol-id: 17, zone name: trust, interface name: fe-0/0/5.0, action: drop

****pls click the button "Accept as Solution" if my post helped to solve your problem****
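The log line WL quotes is the signal an operator would watch for while this behaviour is in play: a screen "IP spoofing" drop whose source is 0.0.0.0, destination 255.255.255.255 and protocol 17 is a DHCP client's broadcast being discarded on an interface where DHCP is expected. The following parser is an added example, not code from the thread or from Juniper; it assumes the RT_SCREEN_IP message format exactly as quoted above (no syslog hostname or priority prefix) and runs over constructed sample lines, separating DHCP-broadcast drops per interface from other spoof drops so the two can be reviewed differently.

```python
import re
from collections import Counter

# Constructed sample log, mirroring the RT_SCREEN_IP format quoted in the thread.
# Two lines are DHCP broadcasts dropped on fe-0/0/5.0, one on fe-0/0/7.0,
# and one is an unrelated TCP spoof drop on the untrust side.
SAMPLE_LOG = """\
Aug 30 15:12:17 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 0.0.0.0, destination: 255.255.255.255, protocol-id: 17, zone name: trust, interface name: fe-0/0/5.0, action: drop
Aug 30 15:12:19 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 0.0.0.0, destination: 255.255.255.255, protocol-id: 17, zone name: trust, interface name: fe-0/0/5.0, action: drop
Aug 30 15:13:02 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 10.9.9.9, destination: 192.0.2.10, protocol-id: 6, zone name: untrust, interface name: fe-0/0/0.0, action: drop
Aug 30 15:13:40 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 0.0.0.0, destination: 255.255.255.255, protocol-id: 17, zone name: trust, interface name: fe-0/0/7.0, action: drop
"""

# Assumption: the line starts with the BSD-style timestamp as quoted in the
# thread. A real syslog feed may prefix hostname/priority; adjust the anchor then.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) RT_IDS: RT_SCREEN_IP: IP spoofing! "
    r"source: (?P<src>[\d.]+), destination: (?P<dst>[\d.]+), "
    r"protocol-id: (?P<proto>\d+), zone name: (?P<zone>\S+), "
    r"interface name: (?P<ifname>\S+), action: (?P<action>\w+)$"
)


def parse_screen_line(line):
    """Return a dict of fields for one RT_SCREEN_IP spoofing line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["proto"] = int(event["proto"])
    return event


def is_dhcp_broadcast(event):
    """A DHCP DISCOVER/REQUEST from an unconfigured client: 0.0.0.0 -> 255.255.255.255, UDP."""
    return (
        event["src"] == "0.0.0.0"
        and event["dst"] == "255.255.255.255"
        and event["proto"] == 17
    )


def summarize(log_text):
    """Count DHCP broadcast drops per interface; keep other spoof drops for review."""
    dhcp_by_if = Counter()
    other = []
    for line in log_text.splitlines():
        event = parse_screen_line(line)
        if event is None:
            continue  # not a spoofing screen line; ignore
        if is_dhcp_broadcast(event):
            dhcp_by_if[event["ifname"]] += 1
        else:
            other.append(event)
    return {"dhcp_drops_by_interface": dict(dhcp_by_if), "other_spoof_drops": other}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ifname, n in sorted(report["dhcp_drops_by_interface"].items()):
        print(f"{ifname}: {n} DHCP broadcast(s) dropped by IP spoofing screen")
    print(f"{len(report['other_spoof_drops'])} other spoof drop(s) to review")
```

An interface that shows up repeatedly in the DHCP bucket while the spoof counter is climbing is the one WL and cryptochrome describe: the screen is doing what it was told, and the fix is a configuration choice on that interface rather than an attack to chase.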
Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


WL wrote:

@cryptochrome


btw, I tested the IP spoofing with the SRX working as DHCP server as well, and it also affects the receiving of DHCP broadcast packets.

We will get the KB updated to reflect this as well. In my setup, I can clearly see the spoof messages and counters incrementing, though I'm not sure why counters are not working for you.

E.g. Aug 30 15:12:17 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 0.0.0.0, destination: 255.255.255.255, protocol-id: 17, zone name: trust, interface name: fe-0/0/5.0, action: drop


Hi WL,


Confirmed. JTAC said the same thing. As for the counters, they were increasing last time I checked. Not sure why I didn't see them the first time. My guess is the customer that owns the machine must have reset the counters without me knowing :-)

JTAC still has no ETA for a bug fix release, which is kind of disappointing.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
WL
Posts: 789
Registered: ‎07-26-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


IMHO, I don't really think it's actually a bug, as I said in my previous post, as I don't see the need to apply IP spoofing for DHCP packets on interfaces which actually require DHCP.

Also, I don't think they can actually roll back the behaviour to what it used to be, since the old behaviour is actually incorrect with respect to IP spoofing, at least.

I think at best what'll happen is that there'll be a CLI option to ignore DHCP packets or something like that.

****pls click the button "Accept as Solution" if my post helped to solve your problem****
Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


WL wrote:

IMHO, I don't really think it's actually a bug, as I said in my previous post, as I don't see the need to apply IP spoofing for DHCP packets on interfaces which actually require DHCP.

Also, I don't think they can actually roll back the behaviour to what it used to be, since the old behaviour is actually incorrect with respect to IP spoofing, at least.

I think at best what'll happen is that there'll be a CLI option to ignore DHCP packets or something like that.


We could argue about that. In my book, if IP spoofing prevents DHCP, that's clearly a bug :-)


But still, you are right of course. 


Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
WL
Posts: 789
Registered: ‎07-26-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

:) Haha, yes, true, you are right too, but I guess that's all moot until the dev folks figure out what they are going to do.

****pls click the button "Accept as Solution" if my post helped to solve your problem****
Trusted Contributor
BenR
Posts: 89
Registered: ‎03-18-2010

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

This also breaks DHCP/bootp relay if spoofing detection is enabled on the interface, which isn't mentioned in the KB article.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.