-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Rob, Eloy Paris from the Cisco PSIRT here. Please see below (inline) for some comments regarding the issue you brought up in your email to the cisco-nsp and nanog mailing lists this past Jan. 16th: On Fri Jan 16 07:57:52 2009, Rob Shakir wrote:

Strict RFC 4893 (4-byte ASN support) BGP4 implementations are vulnerable to a session reset by distant (not directly connected) ASes. This vulnerability is a feature of the standard, and unless immediate action is taken an increasingly significant number of networks will be open to attack. Accidental triggering of this vulnerability has already been seen in the wild, although the limited number of RFC 4893 deployments has limited its effect.

Summary: It is possible to cause BGP sessions to remotely reset by injecting invalid data into the AS4_PATH attribute provided to store 4-byte ASN paths. Since AS4_PATH is an optional transitive attribute, the invalid data will be transited through many intermediate ASes which will not examine the content. To be vulnerable, an operator does not have to be actively using 4-byte AS support. This problem was first reported by Andy Davidson on NANOG in December 2008 [0], furthermore we have been able to demonstrate that a device running Cisco IOS release 12.0(32)S12 behaves as per this description.

Details:

[...] Cisco Bug CSCsx10140 was filed for Cisco IOS. Cisco IOS behaves exactly as you described - upon receipt of AS_CONFED_SEQUENCE data in the AS4_PATH attribute IOS will send a NOTIFICATION message to the peer, which causes a termination of the BGP session. After the fix for this bug IOS will ignore AS_CONFED_SEQUENCE data in the AS4_PATH attribute of received BGP UPDATE messages and continue to process the UPDATE. This is the new behavior that the revised RFC 4893 will require. CSCsx18598 was filed for Cisco IOS XR. Cisco IOS XR doesn't reset the session but accepts and forwards the invalid AS4_PATH data, so this bug was filed to change this behavior. CSCsx23179 was filed for Cisco NX-OS (for the Nexus switches.) Cisco NX-OS behaves like IOS (it will reset the BGP session when it sees AS_CONFED_SEQUENCE data in the AS4_PATH attribute), and this bug was filed to change this and have the BGP implementation in Cisco NX-OS follow the revised RFC 4893. The Release Notes for each bug may have some additional information. These are available via the Bug Toolkit on cisco.com (http://tools.cisco.com/Support/BugToolKit) To date, the only version of Cisco IOS that supports 4-byte AS numbers is 12.0(32)S12, released in late December. A fix to the 12.0(32)Sxx branch has been committed so the next 12.0(32)S-based release will have the fix. 12.0(32)SY8 is coming out soon, and it will also have support for 4-byte AS numbers, as well as the fix for the problem. Thanks for bringing attention to this issue and for working with us, specifically with the Cisco TAC, to get to the bottom of it and test the proposed fix. Cheers, - -- Eloy Paris Cisco PSIRT -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkmR9OoACgkQagjTfAtNY9jv5ACgg3fKuuWKv38h8F8d8QHBML5J CTsAnAnGMB/fBIQhk5z4E922JlhHVU5A =FSOP -----END PGP SIGNATURE-----