[outages] More notes

The reason it's called "gambling" is that sometimes, you lose.

Cheers,
-- jra

Actually, Juniper does disclose code bugs. Though not always to the public
at first, importantly to Juniper customers. Juniper had advised all of
their customers last August of this bug, however Level3 chose to continue
running it on their peer routers. Thus if Level3 and its clue(full)
management might have listened to their operators & network engineers....

cheers

a message of 38 lines which said:

Actually, Juniper does disclose code bugs. Though not always to the
public at first, importantly to Juniper customers. Juniper had
advised all of their customers last August of this bug, however
Level3 chose to continue running it on their peer routers. Thus if
Level3 and its clue(full) management might have listened to their
operators & network engineers....

I disagree. The official bug statement from Juniper in August was
trying very hard to downplay the importance of the bug ("Given the
complexity of conditions required to trigger this issue, the
probability of exploiting this defect is extremely low"). No wonder so
few people (and not only at Level-3) did not upgrade.

Stephane Bortzmeyer <bortzmeyer@nic.fr> writes:

("Given the
complexity of conditions required to trigger this issue, the
probability of exploiting this defect is extremely low").

Which translates to

"This bug has such catastrophic consequences that we do not want to
disclose how to trigger it."

Do you think any such bug would be discovered and/or disclosed *at all*
unless it already was triggered in the wild? And if it was triggered
once, what are the chances it will happen again?

Bjørn

August (and if that's when the *fix* came out, the bug is even older).

September.

October.

November. So maybe the probability *is* low.

And if JunOS is anything like Cisco IOS, a lot of shops didn't upgrade because
the newer release has *other* issues in their environments. Nobody wants to
upgrade to fix a once-every-few-months bug if it also buys them a daily crash in
something else.

Juniper runs a quarterly (roughly major) 10.1, 10.2, 10.3, 10.4, ....

R is patch revisions for the major release. They are usually good at fixing and not breaking things on the R release. My last upgrade a bit ago was R7.5 of 10.4 (which has more revisions than older 10 releases, probably due to the fact that it will be the long term support release and gets non-critical patches as well).

Jack