
The long (176) AS20912 prepend incident was due to a misconfiguration of a BGP router we were testing.
The problem is that differently to Cisco the syntax of the prepend field on this system is not a string (eg. "20912 20912 20912") but an integer, that the user interface _should_ limit to the interval 0-16.
Unfortunately something has gone wrong with the syntax checker so you can enter a number (the number entered, thinking to Cisco syntax, was 20912) and the software interpreted it as the request of 20912 prepends... (0x51B0), dropped the highest 8 bits and processed it as the request of 0xB0=176 prepends.
The producer has been warned about the problem, which I can't completely define as a "bug"... but the lack of a user configuration helper (syntax checker).
I think that the case of AS47868 is the same, because I see the modulo was involved too.
Many thanks to one of our upstream providers for their support.
---------------------------------------------------
Giuliano Peritore - g.peritore@panservice.it
General Management - Panservice
Professional services for Internet and Networking
Panservice is a member of AIIP -- RIPE Local Registry
Phone: +39 0773 410020 Fax +39 0773 470219
Toll-free number: 800 901492 - http://www.panservice.it
---------------------------------------------------

Hi all,
I can only confirm that AS47868 is also using Mikrotik as their border BGP router.
Tomas
Giuliano Peritore wrote:
The long (176) AS20912 prepend incident was due to a misconfiguration of a BGP router we were testing.
The problem is that differently to Cisco the syntax of the prepend field on this system is not a string (eg. "20912 20912 20912") but an integer, that the user interface _should_ limit to the interval 0-16.
Unfortunately something has gone wrong with the syntax checker so you can enter a number (the number entered, thinking to Cisco syntax, was 20912) and the software interpreted it as the request of 20912 prepends... (0x51B0), dropped the highest 8 bits and processed it as the request of 0xB0=176 prepends.
The producer has been warned about the problem, which I can't completely define as a "bug"... but the lack of a user configuration helper (syntax checker).
I think that the case of AS47868 is the same, because I see the modulo was involved too.
Many thanks to one of our upstream providers for their support.
---------------------------------------------------
Giuliano Peritore - g.peritore@panservice.it
General Management - Panservice
Professional services for Internet and Networking
Panservice is a member of AIIP -- RIPE Local Registry
Phone: +39 0773 410020 Fax +39 0773 470219
Toll-free number: 800 901492 - http://www.panservice.it
---------------------------------------------------

On Fri, 20 Feb 2009, Giuliano Peritore wrote:
The problem is that differently to Cisco the syntax of the prepend field on this system is not a string (eg. "20912 20912 20912") but an integer, that the user interface _should_ limit to the interval 0-16.
...
The producer has been warned about the problem, which I can't completely define as a "bug"... but the lack of a user configuration helper (syntax checker).
More important than whether or not to consider this a bug, it seems a very shortsighted way to support prepending. If your prepend "field" is an integer controlling how many times to prepend, how do you control which ASN(s) or even AS Paths are prepended? It sounds like you probably can't. As has been discussed recently, there are cases where you might want to prepend a creative AS Path for traffic engineering purposes to force certain routes/paths to be ignored by certain ASNs.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

Replacing what is conventionally thought to be a string with an integer multiplier seems a massive violation of the principle of least astonishment.
On Fri, Feb 20, 2009 at 8:00 AM, Jon Lewis <jlewis@lewis.org> wrote:
On Fri, 20 Feb 2009, Giuliano Peritore wrote:
The problem is that differently to Cisco the syntax of the prepend field on this system is not a string (eg. "20912 20912 20912") but an integer, that the user interface _should_ limit to the interval 0-16.
...
The producer has been warned about the problem, which I can't completely define as a "bug"... but the lack of a user configuration helper (syntax checker).
More important than whether or not to consider this a bug, it seems a very shortsighted way to support prepending. If your prepend "field" is an integer controlling how many times to prepend, how do you control which ASN(s) or even AS Paths are prepended? It sounds like you probably can't. As has been discussed recently, there are cases where you might want to prepend a creative AS Path for traffic engineering purposes to force certain routes/paths to be ignored by certain ASNs.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

On Fri, 20 Feb 2009, Dorn Hetzel wrote:
Replacing what is conventionally thought to be a string with an integer multiplier seems a massive violation of the principle of least astonishment.
On a Cisco running 12.0S:
route-map test1
 set as-path prepend last-as ?
  <1-10>  number of last-AS prepends
Cisco seems to be doing more sensible limits, but I do agree that the feature makes sense.
There are two ways of handling when someone puts in a very high number to number of prepends:
1. Say "out of limit" and disallow it in the config checker.
2. Actually prepend the number of times specified.
The option done here:
3. Prepend number of times entered modulo 256, is just broken.
--
Mikael Abrahamsson    email: swmike@swm.pp.se

On Fri, 20 Feb 2009, Mikael Abrahamsson wrote:
On Fri, 20 Feb 2009, Dorn Hetzel wrote:
Replacing what is conventionally thought to be a string with an integer multiplier seems a massive violation of the principle of least astonishment.
3. Prepend number of times entered modulo 256, is just broken.
In v3.20 of RouterOS (Mikrotik) it seems to be fixed (haven't checked earlier releases), so they must have been running an old version of RouterOS if that was the platform they were using in this case, that I think someone was indicating.
[admin@router1] /routing filter> set 1 set-bgp-prepend=20912
value of set-bgp-prepend out of range (0..16)
[admin@router1] /routing filter> set 1 set-bgp-prepend=17
value of set-bgp-prepend out of range (0..16)
I think having an option to prepend the AS-PATH with an integer multiplier is pretty convenient, just as they have checks like bgp-as-path-length=0 to check the length of AS-PATHs without writing regexps. But there should of course also be normal text prepends and regexp checks. With a check that no more than 16 are added, like the current version enforces, mistakes like this shouldn't be possible.
--
_____________________________________________________________
Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://openvpn.se/               / \   NO Word docs in e-mail

It's just a personal opinion, but I would think that if someone is going to make the rest of the net suffer the ugliness of a nnnnn nnnnn nnnnn nnnnn nnnnn nnnnn nnnnn nnnnn nnnnn nnnnn nnnnn nnnnn prepend, then it's not unreasonable they should have to look at the ugliness in their config file as well :)
The use of a multiplier just makes it too painless to inflict all that ugliness on everyone else without having to look at it first...
On Fri, Feb 20, 2009 at 8:58 AM, Mathias Sundman <mathias@openvpn.se> wrote:
On Fri, 20 Feb 2009, Mikael Abrahamsson wrote:
On Fri, 20 Feb 2009, Dorn Hetzel wrote:
Replacing what is conventionally thought to be a string with an integer multiplier seems a massive violation of the principle of least astonishment.
3. Prepend number of times entered modulo 256, is just broken.
In v3.20 of RouterOS (Mikrotik) it seems to be fixed (haven't checked earlier releases), so they must have been running an old version of RouterOS if that was the platform they were using in this case, that I think someone was indicating.
[admin@router1] /routing filter> set 1 set-bgp-prepend=20912
value of set-bgp-prepend out of range (0..16)
[admin@router1] /routing filter> set 1 set-bgp-prepend=17
value of set-bgp-prepend out of range (0..16)
I think having an option to prepend the AS-PATH with an integer multiplier is pretty convenient, just as they have checks like bgp-as-path-length=0 to check the length of AS-PATHs without writing regexps. But there should of course also be normal text prepends and regexp checks. With a check that no more than 16 are added, like the current version enforces, mistakes like this shouldn't be possible.
--
_____________________________________________________________
Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://openvpn.se/               / \   NO Word docs in e-mail

From the end-user perspective, it makes sense to make the "prepend" parameter an integer. The only thing an end-user really needs is routing policy (primary/backup selection) and sometimes AS path prepending is the only solution. Allowing them to insert third-party AS numbers into the AS path increases their confusion (assuming they were never exposed to Cisco IOS). Obviously, the number of prepends has to be limited to something sensible (10 seems a good number, and it looks like Mikrotik has implemented that restriction).
The "set as-path prepend last-as" is a completely different story; it's used to do proxy prepending for your customers.
Ivan Pepelnjak
http://blog.ioshints.info
-----Original Message-----
From: Mikael Abrahamsson [mailto:swmike@swm.pp.se]
Sent: Friday, February 20, 2009 3:06 PM
To: nanog@nanog.org
Subject: Re: Lots of prepends - AS20912 case
On Fri, 20 Feb 2009, Dorn Hetzel wrote:
Replacing what is conventionally thought to be a string with an integer multiplier seems a massive violation of the principle of least astonishment.
On a Cisco running 12.0S:
route-map test1
 set as-path prepend last-as ?
  <1-10>  number of last-AS prepends
Cisco seems to be doing more sensible limits, but I do agree that the feature makes sense.
There are two ways of handling when someone puts in a very high number to number of prepends:
1. Say "out of limit" and disallow it in the config checker.
2. Actually prepend the number of times specified.
The option done here:
3. Prepend number of times entered modulo 256, is just broken.
-- Mikael Abrahamsson email: swmike@swm.pp.se

If we really want bgp for idiots, perhaps a checkbox for "make this (slightly,more,greatly) less preferred for incoming traffic" would do the job :)
Then again, perhaps people who want the results of their local configuration distributed to the ends of the earth should at least read a book or two...
-Dorn
On Fri, Feb 20, 2009 at 10:35 AM, Ivan Pepelnjak <ivan.pepelnjak@zaplana.net> wrote:
From the end-user perspective, it makes sense to make the "prepend" parameter an integer. The only thing an end-user really needs is routing policy (primary/backup selection) and sometimes AS path prepending is the only solution. Allowing them to insert third-party AS numbers into the AS path increases their confusion (assuming they were never exposed to Cisco IOS). Obviously, the number of prepends has to be limited to something sensible (10 seems a good number, and it looks like Mikrotik has implemented that restriction).
The "set as-path prepend last-as" is a completely different story; it's used to do proxy prepending for your customers.
Ivan Pepelnjak http://blog.ioshints.info
-----Original Message-----
From: Mikael Abrahamsson [mailto:swmike@swm.pp.se]
Sent: Friday, February 20, 2009 3:06 PM
To: nanog@nanog.org
Subject: Re: Lots of prepends - AS20912 case
On Fri, 20 Feb 2009, Dorn Hetzel wrote:
Replacing what is conventionally thought to be a string with an integer multiplier seems a massive violation of the principle of least astonishment.
On a Cisco running 12.0S:
route-map test1
 set as-path prepend last-as ?
  <1-10>  number of last-AS prepends
Cisco seems to be doing more sensible limits, but I do agree that the feature makes sense.
There are two ways of handling when someone puts in a very high number to number of prepends:
1. Say "out of limit" and disallow it in the config checker.
2. Actually prepend the number of times specified.
The option done here:
3. Prepend number of times entered modulo 256, is just broken.
-- Mikael Abrahamsson email: swmike@swm.pp.se

Hi,
.-- My secret spy satellite informs me that at Fri, 20 Feb 2009, Giuliano Peritore wrote:
I think that the case of AS47868 is the same, because I see the modulo was involved too.
For those interested, I made an overview of longest AS paths observed per day, starting with February 1st. I added a feature that checks if number of prepends matches the low-order 8 bits of the offending AS number, indicating that it's likely caused by the same Mikrotik bug/feature.
The list can be found here: http://bgpmon.net/maxASpath.php
Interesting is that the first time this was observed was actually on February 9th (251 prepends by AS45307). Apparently the impact was not as widespread as this week.
Cheers,
Andree
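The truncation and the low-order-byte check discussed in this thread, as an added example that is not part of any poster's message and not bgpmon.net's code. Function names and the sample AS paths are constructed for illustration; accepting either N or N+1 copies of the AS for N prepends is an assumption about how an observer counts.

```python
from itertools import groupby

MAX_PREPEND = 16  # upper bound shown in the thread's RouterOS v3.20 output (0..16)

def truncated_prepend_count(entered):
    """Model the behaviour reported in the thread: only the low 8 bits survive."""
    return entered & 0xFF

def validate_prepend_count(entered):
    """Option 1 from the thread: refuse out-of-range input instead of wrapping it."""
    if not 0 <= entered <= MAX_PREPEND:
        raise ValueError(f"prepend count {entered} out of range (0..{MAX_PREPEND})")
    return entered

def longest_run(as_path):
    """Return (asn, copies) for the longest run of one repeated ASN in the path."""
    runs = [(asn, sum(1 for _ in grp)) for asn, grp in groupby(as_path)]
    return max(runs, key=lambda r: r[1])

def low_byte_suspect(as_path):
    """Return the ASN whose run length matches its own low-order 8 bits, else None.

    Assumption: a monitor may see N or N+1 copies for N prepends, so both are
    accepted. Runs that a valid setting (<= MAX_PREPEND) could produce are ignored.
    """
    if not as_path:
        return None
    asn, copies = longest_run(as_path)
    if copies <= MAX_PREPEND + 1:
        return None
    low = asn & 0xFF
    return asn if copies in (low, low + 1) else None

# Constructed sample paths, not captured data. 64496-64511 are documentation
# ASNs; run lengths for AS20912 and AS45307 are the figures quoted in the thread.
SAMPLE_PATHS = {
    "as20912-case": [64496, 64497] + [20912] * 176,
    "as45307-case": [64496] + [45307] * 251,
    "long-unrelated": [64496] + [64501] * 40,  # 64501 & 0xFF == 245, no match
    "ordinary": [64496, 64497, 64500, 64500, 64500],
}

def scan(paths=SAMPLE_PATHS):
    """Map each path name to the suspect ASN, or None when nothing matches."""
    return {name: low_byte_suspect(path) for name, path in paths.items()}

if __name__ == "__main__":
    print(truncated_prepend_count(20912))  # 0x51B0 keeps only 0xB0
    print(scan())
```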
participants (8)
- Andree Toonk
- Dorn Hetzel
- Giuliano Peritore
- Ivan Pepelnjak
- Jon Lewis
- Mathias Sundman
- Mikael Abrahamsson
- Tomas Caslavsky