[AusNOG] Older Juniper J series routers - time bomb

Jonathan Thorpe jthorpe at Conexim.com.au
Fri Mar 28 10:15:44 EST 2014


Hi All,

I wonder if this affects the last generation of J-Series (x350) before Juniper came out with the SRX?

I have a couple of J-4350s (and also some J-6350s, not currently powered on) running in a lab environment that run a rather antiquated 10.0R3.10 release and they appear to be running fine. The certificates in /etc/db/certs/ all show the same expiry date that was mentioned in the post and the time/date is correct; however, "show system license" doesn't show any errors regarding the certificates, it just shows:
---
License usage: none

Licenses installed: none
---

I know for a fact that these routers never had any additional licenses installed, so that looks normal to me.

One of the posts mentioned that "When the J-series was initially released, there were order numbers that came with some ports software-disabled, and you could pay for a key to enter to unlock the additional ports. It looks like the certificate used to check the keys has expired."

To the best of my knowledge, the last of the J-Series didn't have restrictions on activated ports so they may therefore be unaffected. 

What does worry me slightly is that MX-series routers do rely on licenses and on a couple I have in production, all have license files that show expired certificates. These are running fine and "show system license" shows everything I'd expect.

Kind Regards,
Jonathan 



-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Matt Palmer
Sent: Friday, 28 March 2014 7:44 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Older Juniper J series routers - time bomb

On Thu, Mar 27, 2014 at 05:57:40PM +0100, Tom Storey wrote:
> Perusing the j-nsp list I came across this thread:
> 
> http://www.gossamer-threads.com/lists/nsp/juniper/50450
> 
> If you're running any older J series (i.e. x300), or were thinking of 
> digging them out to use for some purpose, you might be in for a 
> slightly rude shock.
> 
> Otherwise it's a "sad" thing to see. I have a J2300 in my lab at home 
> which works great in such a role, it would be a shame to have to ditch 
> it due to an expired certificate.

I really hope someone with a bit of money and an evil gleam in their eye decides to take Juniper to task for this.  I'm fairly certain that hard-coding a drop-dead date into your devices would be frowned upon by the courts.

- Matt
