Commit failure for ip-options field when defining a non-specified value

Article ID: KB26083 | KB Last Updated: 05 Mar 2017 | Version: 2.0
Summary:
This KB explains why a commit failure occurs when an arbitrary value is entered in the ip-options field.
Symptoms:
Commit fails:
Lab_Router# commit check
  dfwc: dfwc_bitfield: "82" is an invalid option
  error: configuration check-out failed
Cause:
This is caused by the fix for PR/516778. The goal of this fix was to remove inconsistent behavior. Before the fix, any value could be entered, but if it was not one of the supported values, it was silently ignored.
Solution:
What is Ip-Options?
===============
IP Options are values that you provide within the IP header to address some routing concerns when a packet is parsed by a router. For example, you can specify one of the following text synonyms (the field values are also listed): any, loose-source-route (131), record-route (7), router-alert (148), security (130), stream-id (136), strict-source-route (137), or timestamp (68).

All other options are deemed malicious and are dropped by default, whatever their option number.

What can we specify as an IP-Options value?
==========================================
To understand this issue better, let's say we specify an arbitrary value in the ip-options field:
[edit firewall family inet]
Lab_Router# show
filter gre_ingress {
    term tcp-syn-control {
        from {
          protocol tcp;
          tcp-flags "(syn & !ack) | fin | rst";
        }
        then next term;
    }
    term block-frags {
        from {
          is-fragment;
          protocol icmp;
        }
        then {
          syslog;
          discard;
        }
    }
    term block-old-traceroute {
        from {
          protocol udp;
          destination-port 33400-34400;
        }
        then {
          log;
          syslog; 
          discard;
        }
    }
    term block-new-traceroute {
        from {
          ip-options 82;   <<<<<<<<<<<<<<<<<<<<< 82 Value has been specified.
        }
        then {
          log;
          syslog;
          discard;
        }
    }
    term icmp-in-good {
        from {
          protocol icmp;
          icmp-type [ echo-request echo-reply time-exceeded unreachable ];
        }
        then accept;
    }
    term block-icmp {
        from {
          protocol icmp;
        }
        then {
          log;
          syslog;
          discard;
        }
    }
}

IP-Options value 82 is not one of the accepted values, hence the commit is not allowed and fails:
[edit firewall family inet filter gre_ingress term block-new-traceroute]
Lab_Router# commit check
  dfwc: dfwc_bitfield: "82" is an invalid option
  error: configuration check-out failed
Lab_Router#
The commit failure message is correct, because ip-options 82 is not one of the supported options. The CLI help output below lists the possible options and matches the implementation in the code. This is day-one behavior, as the sample below shows:
Lab_Router# set firewall filter opt82 term t2 from ip-options ?
Possible completions:
                Range of values
  [                    Open a set of values
  any                  Any IP option
  loose-source-route   Loose source route
  route-record         Route record
  router-alert         Router alert
  security             Security
  stream-id            Stream ID
  strict-source-route  Strict source route
  timestamp            Timestamp
[edit]
Lab_Router# set firewall filter opt82 term t2 from ip-options  
Hence the commit is not allowed and fails. For the ip-options value, in place of the numeric value you can specify one of the following text synonyms (the field values are also listed): any, loose-source-route (131), record-route (7), router-alert (148), security (130), stream-id (136), strict-source-route (137), or timestamp (68).
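The following added example (not part of this KB article and not Juniper's code) models the two sides of the behavior described above: a commit check that accepts only the listed synonyms and numbers, and an IPv4 option-field parser that shows which option types a filter term can actually match and which fall into the "all other options" bucket that is dropped by default. The synonym table uses the names as the article's prose lists them; the sample headers are constructed.

```python
# Junos ip-options synonyms and the option type values the KB lists beside them.
JUNOS_IP_OPTIONS = {
    "loose-source-route": 131, "record-route": 7, "router-alert": 148,
    "security": 130, "stream-id": 136, "strict-source-route": 137,
    "timestamp": 68,
}
NAME_BY_VALUE = {v: k for k, v in JUNOS_IP_OPTIONS.items()}

def commit_check(value: str):
    """Approximation of the post-PR/516778 dfwc check (an assumption, not
    Juniper's code): 'any', a listed synonym or a listed number passes;
    anything else fails with the message the router prints for ip-options 82."""
    if value == "any" or value in JUNOS_IP_OPTIONS:
        return True, ""
    if value.isdigit() and int(value) in NAME_BY_VALUE:
        return True, ""
    return False, 'dfwc: dfwc_bitfield: "%s" is an invalid option' % value

def parse_ipv4_options(header: bytes) -> list:
    """Return the option type octets in an IPv4 header. EOL (0) and NOP (1)
    are single bytes; every other option is type, length, data."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    opts, pos, types = header[20:ihl], 0, []
    while pos < len(opts):
        kind = opts[pos]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No Operation (padding)
            pos += 1
            continue
        length = opts[pos + 1] if pos + 1 < len(opts) else 0
        if length < 2 or pos + length > len(opts):
            raise ValueError("malformed option length at offset %d" % pos)
        types.append(kind)
        pos += length
    return types

def classify(option_type: int) -> str:
    """Name the option as a filter term could match it, or flag it as unsupported."""
    return NAME_BY_VALUE.get(option_type, "unsupported (dropped by default)")

# Constructed sample headers: IHL=6 carrying Router Alert (148), and IHL=7
# carrying option type 82 followed by Record Route (7) and an EOL byte.
HDR_ROUTER_ALERT = bytes.fromhex(
    "46000018000000004006" "0000c0000201c0000202" "94040000")
HDR_82_AND_RR = bytes.fromhex(
    "4700001c000000004006" "0000c0000201c0000202" "5204000007030400")
if __name__ == "__main__":
    print([classify(t) for t in parse_ipv4_options(HDR_82_AND_RR)], commit_check("82"))
```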

Caveat
======
In JUNOS 9.3 and earlier releases, users were allowed to commit the configuration, but the packets were still discarded because they were deemed malicious. PR/516778 later addressed this: it allowed ip-options to be specified as a numeric value, a range or an expression, but it also restricted commit for any value that is not supported.
