
Incorrect timestamp values might stall TCP sessions


Article ID: JSA10357 SECURITY_ADVISORIES Last Updated: 09 May 2013 Version: 3.0
Legacy Advisory Id:
PSN-2006-02-003
Product Affected:
All releases of JUNOS software built prior to November 10, 2005
Problem:
RFC1323 describes two techniques for increasing the performance of TCP. Both techniques use TCP timestamps: one to estimate round-trip transmission times and one for Protection Against Wrapped Sequence Numbers (PAWS). When these features are enabled, certain TCP implementations may be vulnerable to denial of service (DoS) attacks from packets with specially-crafted timestamp values. This vulnerability is described in PSN-2005-06-003.

The code changes made to address this vulnerability may generate incorrect timestamp values in ACK packets. This can make it appear as though the virtual clock for a TCP session has moved backward, which ultimately breaks TCP's Round Trip Time (RTT) estimation. This in turn may lead to the TCP session stalling. All TCP-based protocols and services (including the BGP, LDP and MSDP routing protocols) running on an M-series, T-series, or J-series router with JUNOS software built prior to November 10, 2005, are subject to this vulnerability.

This issue is tracked internally as PR/64682 for JUNOS software.
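
As an added illustration (not Juniper's code and not part of the original advisory), the following Python example checks each flow's sequence of TCP timestamp values (TSval) for the backward step described above, using a wrap-safe 32-bit comparison. The flow labels and sample values are constructed, records are assumed to be in the sender's transmit order, and equal TSvals are treated as normal because several segments can share one clock tick.

```python
# Added example: flag TCP timestamp (TSval) regressions per flow.
# Input records are constructed sample data, not taken from a real capture.

MOD = 1 << 32    # TSval is a 32-bit counter
HALF = 1 << 31   # half the counter space, used for wrap-safe ordering


def ts_before(a, b):
    """True if 32-bit timestamp a is older than b (serial-number comparison)."""
    return a != b and ((a - b) % MOD) >= HALF


def find_regressions(records):
    """records: iterable of (flow_id, tsval) in the sender's transmit order.

    Returns (flow_id, index, newest_tsval, tsval) for every segment whose
    TSval is older than the newest TSval already seen on that flow.
    """
    newest = {}
    findings = []
    for index, (flow, tsval) in enumerate(records):
        prev = newest.get(flow)
        if prev is not None and ts_before(tsval, prev):
            findings.append((flow, index, prev, tsval))
            continue  # keep the newest value as the reference point
        newest[flow] = tsval
    return findings


# Constructed sample: flow "bgp" steps backward once; flow "ldp" wraps past 2^32.
SAMPLE = [
    ("bgp", 1000), ("bgp", 1000), ("bgp", 1010),
    ("ldp", 4294967290),
    ("bgp", 1005),                      # older than 1010: regression
    ("ldp", 4294967295), ("ldp", 3),    # counter wrap, not a regression
    ("bgp", 1020),
]

if __name__ == "__main__":
    for flow, idx, prev, cur in find_regressions(SAMPLE):
        print(f"flow={flow} record={idx}: TSval {cur} is older than {prev}")
```
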
Solution:
All JUNOS software Releases 6.4 and later built on or after November 10, 2005 contain modified code that ensures timestamp values always increase. In addition, two new hidden configuration statements have been introduced to control the use of RFC1323 mechanisms.

For earlier JUNOS releases, turning off the RFC1323 and PAWS extensions ensures that a peer does not include TCP timestamps in its Acknowledgment packets. Therefore the virtual TCP clock will not run backward and TCP sessions will not stall. In Release 6.4 these statements are located at the [edit system] hierarchy level; in Releases 7.0 and later, they are located at the [edit system internet-options] hierarchy level.
  • The no-tcp-rfc1323-paws statement disables RFC1323 PAWS TCP extensions. By default, the PAWS extension is enabled.
  • The no-tcp-rfc1323 statement disables RFC1323 TCP extensions. By default, RFC1323 is enabled. If this option is configured, the no-tcp-rfc1323-paws option must also be configured.
These configuration options are hidden and will not automatically complete; they must be entered in their entirety when adding them to the router's configuration.
Implementation:
All JUNOS software Releases 6.4 and later built on or after November 10, 2005 include the modified code. Juniper Networks strongly recommends that customers install a version of JUNOS software that includes the changes to the TCP protocol. Customers who are unable to upgrade are encouraged to use the suggested workaround of disabling RFC1323 extensions.

Please note that turning off RFC1323 extensions may affect the performance of the Border Gateway Protocol (BGP). BGP may take as much as two to five times longer to exchange routing tables with neighboring routers.
Severity Level:
High
Severity Assessment:
If the TCP transport for routing/signaling protocols (e.g. BGP/LDP) is broken, then routing instability will occur.
