Release Notes: Junos® OS Release 19.4R1 for the ACX Series, EX Series, MX Series, NFX Series, PTX Series, QFX Series, SRX Series, JRR Series, and Junos Fusion

Published 2021-04-22

Junos® OS 19.4R1 Release Notes

SUPPORTED ON
• ACX Series, EX Series, JRR Series, Junos Fusion Enterprise, Junos Fusion Provider Edge, MX Series, NFX Series, PTX Series, QFX Series, and SRX Series

HARDWARE HIGHLIGHTS
• Wi-Fi Mini-Physical Interface Module (SRX320, SRX340, SRX345, and SRX550M)

SOFTWARE HIGHLIGHTS
• Support for EVPN routing policies (ACX5448)
• Inline monitoring services (MX Series with MPCs excluding MPC10E linecards)
• Support for BGP PIC Edge with BGP labeled unicast (MX Series and PTX Series)
• Integrating RIFT protocol into Junos OS (MX Series and VMX virtual routers)
• Support for flexible algorithm in IS-IS for segment routing–traffic engineering (MX Series and PTX Series)
• Junos Multi-Access User Plane (MX240, MX480, MX960)
• Support for Lawful Intercept on Junos Multi-Access User Plane (MX240, MX480, MX960)
• Precision Time Protocol (PTP) transparent clock (QFX5120 and QFX5210)
• Additional support for Bidirectional Forwarding Detection (QFX5110, QFX5120, QFX5200, and QFX5210)
• Selectively disable midstream APBR (SRX Series and vSRX)
• Improved query performance in on-box reporting (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, SRX4600, and vSRX)
• UTM Support for Active/Active Chassis Cluster (SRX Series)

IN FOCUS GUIDE
• Use this new guide to quickly learn about the most important Junos OS features and how you can deploy them in your network.

Contents

Introduction

Junos OS Release Notes for ACX Series
  What's New: EVPN; Junos OS XML API and Scripting; MPLS; OAM; Routing Protocols; System Logging; Software Defined Networking (SDN)
  What's Changed: General Routing; Routing Protocols
  Known Limitations: General Routing
  Open Issues: General Routing
  Resolved Issues: General Routing; Layer 2 Ethernet Services; Platform and Infrastructure; Routing Protocols
  Documentation Updates: Feature Guides Are Renamed As User Guides
  Migration, Upgrade, and Downgrade Instructions: Upgrade and Downgrade Support Policy for Junos OS Releases

Junos OS Release Notes for EX Series Switches
  What's New: Authentication, Authorization, and Accounting; Class of Service; EVPN; Junos OS XML, API, and Scripting; Junos Telemetry Interface; Layer 2 Features; MPLS; Multicast; Operation, Administration, and Maintenance (OAM); Port Security; Routing Policy and Firewall Filters; System Logging; System Management; User Interface and Configuration
  What's Changed: What’s Changed in Release 19.4R1-S3; What's Changed in Release 19.4R1
  Known Limitations
  Open Issues: Authentication and Access Control; Class of Service (CoS); EVPN; General Routing; Infrastructure; Interfaces and Chassis; Junos Fusion Enterprise; Junos Fusion Satellite Software; Layer 2 Ethernet Services; Layer 2 Features; Platform and Infrastructure; Routing Protocols; User Interface and Configuration
  Resolved Issues: Authentication and Access Control; EVPN; General Routing; Infrastructure; Interfaces and Chassis; Junos Fusion Enterprise; Junos Fusion Satellite Software; J-Web; Layer 2 Ethernet Services; Layer 2 Features; Platform and Infrastructure; Routing Protocols; User Interface and Configuration; Virtual Chassis
  Documentation Updates: Feature Guides Are Renamed As User Guides
  Migration, Upgrade, and Downgrade Instructions: Upgrade and Downgrade Support Policy for Junos OS Releases

Junos OS Release Notes for JRR Series
  What's New: Hardware
  What's Changed
  Known Limitations
  Open Issues: General Routing
  Resolved Issues
  Documentation Updates: Feature Guides Are Renamed As User Guides
  Migration, Upgrade, and Downgrade Instructions: Upgrade and Downgrade Support Policy for Junos OS Releases

Junos OS Release Notes for Junos Fusion Enterprise
  What’s New
  What’s Changed
  Known Limitations
  Open Issues: Junos Fusion for Enterprise
  Resolved Issues
  Documentation Updates: Feature Guides Are Renamed As User Guides
  Migration, Upgrade, and Downgrade Instructions: Basic Procedure for Upgrading Junos OS on an Aggregation Device; Upgrading an Aggregation Device with Redundant Routing Engines; Preparing the Switch for Satellite Device Conversion; Converting a Satellite Device to a Standalone Switch; Upgrade and Downgrade Support Policy for Junos OS Releases; Downgrading from Junos OS

Junos OS Release Notes for Junos Fusion Provider Edge
  What's New
  What's Changed
  Known Limitations
  Open Issues: Junos Fusion for Provider Edge
  Resolved Issues
  Documentation Updates: Feature Guides Are Renamed As User Guides
  Migration, Upgrade, and Downgrade Instructions: Basic Procedure for Upgrading an Aggregation Device; Upgrading an Aggregation Device with Redundant Routing Engines; Preparing the Switch for Satellite Device Conversion; Converting a Satellite Device to a Standalone Device; Upgrading an Aggregation Device; Upgrade and Downgrade Support Policy for Junos OS Releases; Downgrading from Junos OS Release 19.4

Junos OS Release Notes for MX Series 5G Universal Routing Platform
  What's New: Hardware; Class of Service; EVPN; Forwarding and Sampling; General Routing; High Availability (HA) and Resiliency; Interfaces and Chassis; Junos OS, XML, API, and Scripting; Junos Telemetry Interface; Layer 2 Features; Layer 2 VPN; MPLS; Multicast; Network Management and Monitoring; OAM; Routing Policy and Firewall Filters; Routing Protocols; Services Applications; Software-Defined Networking; Software Licensing; Subscriber Management and Services; System Logging
  What's Changed: General Routing; Interfaces and Chassis; MPLS; Network Management and Monitoring; Routing Protocols; Services Applications; Software-Defined Networking; Subscriber Management and Services
  Known Limitations: General Routing; Interfaces and Chassis; MPLS; Platform and Infrastructure; Routing Protocols
  Open Issues: Application Layer Gateways; Class of Service; EVPN; Forwarding and Sampling; General Routing; Infrastructure; Interfaces and Chassis; Layer 2 Features; Layer 2 Ethernet Services; MPLS; Network Management and Monitoring; Next Gen Services MX-SPC3 Services Card; Platform and Infrastructure; Routing Protocols; Services Applications; Subscriber Access Management; VPNs
  Resolved Issues: Resolved Issues: 19.4R1
  Documentation Updates: Feature Guides Are Renamed As User Guides
  Migration, Upgrade, and Downgrade Instructions: Basic Procedure for Upgrading to Release 19.4; Procedure to Upgrade to FreeBSD 11.x based Junos OS; Procedure to Upgrade to FreeBSD 6.x based Junos OS; Upgrade and Downgrade Support Policy for Junos OS Releases; Upgrading a Router with Redundant Routing Engines; Downgrading from Release 19.4

Junos OS Release Notes for NFX Series
  What’s New: General routing; Hardware; Architecture
  What's Changed
  Known Limitations: Interfaces; Platform and Infrastructure
  Open Issues: Mapping of Address and Port with Encapsulation (MAP-E); Interfaces; Platform and Infrastructure; Virtual Network Functions (VNFs)
  Resolved Issues: Class of Service; High Availability; Interfaces; Layer 2 Ethernet Services; Platform and Infrastructure; Routing Protocols; SNMP; Virtual Network Functions (VNFs)
  Documentation Updates: Feature Guides Are Renamed As User Guides
  Migration, Upgrade, and Downgrade Instructions: Upgrade and Downgrade Support Policy for Junos OS Releases; Basic Procedure for Upgrading to Release 19.4

Junos OS Release Notes for PTX Series Packet Transport Routers
  What's New: General Routing; Hardware; High Availability (HA) and Resiliency; Junos OS, XML, API, and Scripting; Junos Telemetry Interface; MPLS; Routing Protocols; Services Applications; Software Defined Networking; System Logging
  What's Changed: General Routing; Interfaces and Chassis; Routing Protocols; Software-Defined Networking
  Known Limitations: General Routing
  Open Issues: General Routing; Infrastructure; Layer 2 Ethernet Services; MPLS; Routing Protocols
  Resolved Issues: Forwarding and Sampling; General Routing; Infrastructure; Interfaces and Chassis; Layer 2 Ethernet Services; MPLS; Platform and Infrastructure; Routing Protocols; VPNs
  Documentation Updates: Feature Guides Are Renamed as User Guides
  Migration, Upgrade, and Downgrade Instructions: Basic Procedure for Upgrading to Release 19.4; Upgrade and Downgrade Support Policy for Junos OS