Re: [outages] More notes
----- Original Message -----
From: "Jonathan Lassoff" <jof@thejof.com>
<tangential sidenote> It's too bad that Juniper's bugs aren't listed publicly. For clueful network operations, having this information available to them could have enabled them to properly weigh the risk of evaluating and certifying versions of their operating systems.
The reason it's called "gambling" is that sometimes, you lose.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Actually, Juniper does disclose code bugs. Though not always to the public at first, importantly to Juniper customers. Juniper had advised all of their customers last August of this bug, however Level3 chose to continue running it on their peer routers. Thus if Level3 and its clue(full) management might have listened to their operators & network engineers....
cheers
On Mon, Nov 7, 2011 at 7:41 PM, Jay Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Jonathan Lassoff" <jof@thejof.com>
<tangential sidenote> It's too bad that Juniper's bugs aren't listed publicly. For clueful network operations, having this information available to them could have enabled them to properly weigh the risk of evaluating and certifying versions of their operating systems.
The reason it's called "gambling" is that sometimes, you lose.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
-- -B
On Mon, Nov 07, 2011 at 08:37:55PM -0700, brian nikell <nickellman@gmail.com> wrote a message of 38 lines which said:
Actually, Juniper does disclose code bugs. Though not always to the public at first, importantly to Juniper customers. Juniper had advised all of their customers last August of this bug, however Level3 chose to continue running it on their peer routers. Thus if Level3 and its clue(full) management might have listened to their operators & network engineers....
I disagree. The official bug statement from Juniper in August was trying very hard to downplay the importance of the bug ("Given the complexity of conditions required to trigger this issue, the probability of exploiting this defect is extremely low"). No wonder so few people (and not only at Level-3) did not upgrade.
Stephane Bortzmeyer <bortzmeyer@nic.fr> writes:
("Given the complexity of conditions required to trigger this issue, the probability of exploiting this defect is extremely low").
Which translates to "This bug has such catastrophic consequences that we do not want to disclose how to trigger it." Do you think any such bug would be discovered and/or disclosed *at all* unless it already was triggered in the wild? And if it was triggered once, what are the chances it will happen again?
Bjørn
On Tue, 08 Nov 2011 09:21:37 +0100, Stephane Bortzmeyer said:
I disagree. The official bug statement from Juniper in August was trying very hard to downplay the importance of the bug ("Given the complexity of conditions required to trigger this issue, the probability of exploiting this defect is extremely low"). No wonder so few people (and not only at Level-3) did not upgrade.
August (and if that's when the *fix* came out, the bug is even older). September. October. November. So maybe the probability *is* low. And if JunOS is anything like Cisco IOS, a lot of shops didn't upgrade because the newer release has *other* issues in their environments. Nobody wants to upgrade to fix a once-every-few-months bug if it also buys them a daily crash in something else.
On 11/8/2011 12:05 PM, Valdis.Kletnieks@vt.edu wrote:
And if JunOS is anything like Cisco IOS, a lot of shops didn't upgrade because the newer release has *other* issues in their environments. Nobody wants to upgrade to fix a once-every-few-months bug if it also buys them a daily crash in something else.
Juniper runs a quarterly (roughly major) 10.1, 10.2, 10.3, 10.4, .... R is patch revisions for the major release. They are usually good at fixing and not breaking things on the R release. My last upgrade a bit ago was R7.5 of 10.4 (which has more revisions than older 10 releases, probably due to the fact that it will be the long term support release and gets non-critical patches as well).
Jack
participants (6)
- Bjørn Mork
- brian nikell
- Jack Bates
- Jay Ashworth
- Stephane Bortzmeyer
- Valdis.Kletnieks@vt.edu