Hi Chris, Thanks for your detail information! Regarding the following message:
Message data: 144 bytes FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00900200 00007540 01010040 02220208 00000D1C 0000232A 00002458 000210AA 00024F1E 00021B5D 000003D8 00060A11 400304D5 F2494980 04040000 0000C008 1C0D1C00 020D1C00 160D1C00 640D1C00 7B0D1C01 F70D1C03 850D1C08 13E0281C 00000000 00000000 00000000 00000000 00000000 00000000 00000000 182DC6B8
We can find the BGP attribute data that causes the problem as follows:
E0281C 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Semantically, this is a "complete" BGP Path Attribute: Flags=0xE0 Type=0x28, it is defined in RFC8669. (https://datatracker.ietf.org/doc/rfc8669/) Length=0x1C The Value field, as indicated by Length, does indeed occupy 28 bytes, although they are all zeros. Some network operating systems may try to parse the TLV carried in this attribute per RFC8669 and find that there is no valid TLV, so resulting in an error. Other operating systems found that the attribute was semantically correct but the content was incorrect, so they ignored the attribute and no BGP session interruption occurred. I'm curious how this strange attribute was generated. Was it the result of a test initiated by someone? Was it an attempt to test the robustness of the BGP protocol on the Internet? Cheers, Shunwan
-----Original Message----- From: Chris Welti via NANOG [mailto:nanog@lists.nanog.org] Sent: Thursday, May 22, 2025 8:09 PM To: North American Network Operators Group <nanog@lists.nanog.org> Cc: Niels den Otter <niels.denotter@surf.nl>; Chris Welti <chris.welti@switch.ch> Subject: Re: BGP malformed update/attribute list
Hi Niels,
For what it's worth, thats what we saw here on our AS3356 uplink:
Total Update messages received: 281003910 Malformed Update messages received: 6 First received: May 20 09:01:52.256 Last received: May 20 09:02:12.529 (2d04h ago) Memory allocation failures: 0 First failure: --- Last failure: --- (never) Error-handling session resets: 0 First reset: --- Last reset: --- (never) Discarded attributes: 6
Since session establishment: Update messages received: 37579519 Final actions: None: 0, DiscardMsg: 0, Reset: 0 TreatAsWdrOrReset: 0, TreatAsWdr: 0, DiscardAttr: 6 LocalRepair: 0
Malformed messages stored: 5 (current index: 0)
Malformed message #1 Received: May 20 09:02:12.529 Error flags: 0x00080000 Discarded attributes: 1 Final action: DiscardAttr
Error elements: 1 [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28) Error data: [e0281c00] (4 bytes) Action: DiscardAttr
NLRIs: "IPv4 Unicast" <15 chars> 140.150.9.0/24
Reset/notification information: Reason "None", Postit type "Update malformed" Notification code 3, sub-code 1 Notification data [e0281c00000000000000000000000000] (16 bytes)
Message data: 136 bytes FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00880200 00006D40 01010040 021A0206 00000D1C 0000232A 00002458 000210AA 00024F1E 00021B5D 400304D5 F2494980 04040000 0000C008 1C0D1C00 020D1C00 160D1C00 640D1C00 7B0D1C01 F70D1C03 850D1C08 13E0281C 00000000 00000000 00000000 00000000 00000000 00000000 00000000 188C9609
Malformed message #2 Received: May 20 09:02:12.529 Error flags: 0x00080000 Discarded attributes: 1 Final action: DiscardAttr
Error elements: 1 [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28) Error data: [e0281c00] (4 bytes) Action: DiscardAttr
NLRIs: "IPv4 Unicast" <68 chars> 138.113.116.0/24 163.171.104.0/24 163.1 71.102.0/24 163.171.103.0/24
Reset/notification information: Reason "None", Postit type "Update malformed" Notification code 3, sub-code 1 Notification data [e0281c00000000000000000000000000] (16 bytes)
Message data: 152 bytes FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00980200 00007140 01010040 021E0207 00000D1C 0000232A 00002458 000210AA 00024F1E 00021B5D 0000D6D2 400304D5 F2494980 04040000 0000C008 1C0D1C00 020D1C00 160D1C00 640D1C00 7B0D1C01 F70D1C03 850D1C08 13E0281C 00000000 00000000 00000000 00000000 00000000 00000000 00000000 188A7174 18A3AB68 18A3AB66 18A3AB67
Malformed message #3 Received: May 20 09:02:10.106 Error flags: 0x00080000 Discarded attributes: 1 Final action: DiscardAttr
Error elements: 1 [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28) Error data: [e0281c00] (4 bytes) Action: DiscardAttr
NLRIs: "IPv4 Unicast" <109 chars> 103.87.71.0/24 103.160.154.0/24 103.87. 70.0/24 103.160.54.0/24 110.44.172.0/22 103.52.2.0/24 203.84.138.0/24...
Reset/notification information: Reason "None", Postit type "Update malformed" Notification code 3, sub-code 1 Notification data [e0281c00000000000000000000000000] (16 bytes)
Message data: 184 bytes FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00B80200 00006D40 01010040 021A0206 00000D1C 0000232A 00002458 000210AA 00024F1E 00021B5D 400304D5 F2494980 04040000 0000C008 1C0D1C00 020D1C00 160D1C00 640D1C00 7B0D1C01 F70D1C03 850D1C08 13E0281C 00000000 00000000 00000000 00000000 00000000 00000000 00000000 18675747 1867A09A 18675746 1867A036 166E2CAC 18673402 18CB548A 18CB5489 18A014DE 1867A037 18CA38AC 186E2CAA 18673403
Malformed message #4 Received: May 20 09:01:57.313 Error flags: 0x00080000 Discarded attributes: 1 Final action: DiscardAttr
Error elements: 1 [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28) Error data: [e0281c00] (4 bytes) Action: DiscardAttr
NLRIs: "IPv4 Unicast" <15 chars> 156.230.0.0/16
Reset/notification information: Reason "None", Postit type "Update malformed" Notification code 3, sub-code 1 Notification data [e0281c00000000000000000000000000] (16 bytes)
Message data: 139 bytes FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 008B0200 00007140 01010040 021E0207 00000D1C 0000232A 00002458 000210AA 00024F1E 00021B5D 000003D8 400304D5 F2494980 04040000 0000C008 1C0D1C00 020D1C00 160D1C00 640D1C00 7B0D1C01 F70D1C03 870D1C08 13E0281C 00000000 00000000 00000000 00000000 00000000 00000000 00000000 109CE6
Malformed message #5 Received: May 20 09:01:57.312 Error flags: 0x00080000 Discarded attributes: 1 Final action: DiscardAttr
Error elements: 1 [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28) Error data: [e0281c00] (4 bytes) Action: DiscardAttr
NLRIs: "IPv4 Unicast" <16 chars> 45.198.184.0/24
Reset/notification information: Reason "None", Postit type "Update malformed" Notification code 3, sub-code 1 Notification data [e0281c00000000000000000000000000] (16 bytes)
Message data: 144 bytes FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00900200 00007540 01010040 02220208 00000D1C 0000232A 00002458 000210AA 00024F1E 00021B5D 000003D8 00060A11 400304D5 F2494980 04040000 0000C008 1C0D1C00 020D1C00 160D1C00 640D1C00 7B0D1C01 F70D1C03 850D1C08 13E0281C 00000000 00000000 00000000 00000000 00000000 00000000 00000000 182DC6B8
Cheers, Chris
Hallo Randy,
That's interesting. At exact the same moment this is what our Juniper routers reported;
--- May 20 07:01:51 router rpd[34930]: %DAEMON-4: bgp_read_v4_update:13937: NOTIFICATION sent to a.b.c.d (Internal AS xxx): code 3 (Update Message Error) subcode 131 (invalid), Data: 00 00 00 00 00 00 May 20 07:01:51 router rpd[34930]: %DAEMON-3: Received malformed update from a.b.c.d (Internal AS xxx) May 20 07:01:51 router rpd[34930]: %DAEMON-3: Family inet-vpn-unicast, prefix a.b.c.d:32767:156.230.0.0/40 (label 114) May 20 07:01:51 router rpd[34930]: %DAEMON-3: Malformed Attribute PREFIX_SID(40) flag 0x80 length 28 error 131 (TLV length error). ---
Appears to be another prefix? Unfortunately we don't have a BMP dump of
On 22.05.2025 08:29, Niels den Otter via NANOG wrote: this packet.
* Niels
________________________________ Van: Randy Bush via NANOG <nanog@lists.nanog.org> Verzonden: woensdag 21 mei 2025 22:47 Aan: Simon Lockhart via NANOG <nanog@lists.nanog.org> CC: Randy Bush <randy@psg.com> Onderwerp: Re: BGP malformed update/attribute list
just to aol, and other posts did not show full nlri
May 20 07:01:51 r2.f00 16869308: RP/0/RSP0/CPU0:May 20 07:01:51.437 : bgp[1059]: %ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATE
message
received from neighbor 123.45.67.89 (VRF: default) - message length 106 bytes, error flags 0x000c0000, action taken "DiscardAttr". Error details: "Error 0x00040000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28), Data [e0281c]". NLRIs: [IPv4 Unicast] 45.198.25.0/24
randy _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/56 PKKMWIL7WN5T2VQTDL7M23RFSZO6I3/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/JL S5CHUGXNY6C55ZA4SVQO6CJU6KBTG5/
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/IGG5VK 7BADZMQLYRND6L7YKHK7FTHYAD/