Someone at fido.net having some bgp config issues?

Jan 30 18:34:51 EST: %BGP-6-ASPATH: Long AS path 6461 3356 6770 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 received from ...

I got this today from 2 of 3 transit providers (6461 and 3356).

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
At 10:23 PM 30-01-05 -0500, Jon Lewis wrote:
Someone at fido.net having some bgp config issues?
Looks like someone probing for a buffer overflow on a world-wide basis. -Hank
Jan 30 18:34:51 EST: %BGP-6-ASPATH: Long AS path 6461 3356 6770 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 received from ...
I got this today from 2 of 3 transit providers (6461 and 3356).
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Mon, Jan 31, 2005 at 07:19:14AM +0200, Hank Nussbacher wrote:
At 10:23 PM 30-01-05 -0500, Jon Lewis wrote:
Someone at fido.net having some bgp config issues?
Looks like someone probing for a buffer overflow on a world-wide basis.
-Hank
Jan 30 18:34:51 EST: %BGP-6-ASPATH: Long AS path 6461 3356 6770 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 received from ...
Router(config-router)#bgp maxas-limit ?
  <1-2000>  Number of ASes in the AS-PATH attribute
Router(config-router)#bgp maxas-limit 50

Easy to fix/reject.

- jared

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Specifically, they have the ability to tickle a legacy cisco bug with AS path length. This bug was supposedly mitigated in code and I believe my previous company (UUNET) is still filtering AS path length of 100 or greater. A valid AS-Path of greater than 100 has not yet been found (which was why the filters were in place).

On 1/31/05 8:53 AM, "Jared Mauch" <jared@puck.nether.net> wrote:
On Mon, Jan 31, 2005 at 07:19:14AM +0200, Hank Nussbacher wrote:
At 10:23 PM 30-01-05 -0500, Jon Lewis wrote:
Someone at fido.net having some bgp config issues?
Looks like someone probing for a buffer overflow on a world-wide basis.
-Hank
Jan 30 18:34:51 EST: %BGP-6-ASPATH: Long AS path 6461 3356 6770 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 received from ...
Router(config-router)#bgp maxas-limit ? <1-2000> Number of ASes in the AS-PATH attribute
Router(config-router)#bgp maxas-limit 50
Easy to fix/reject.
- jared
Well, a long as-path of 100 is certain to be invalid (result of misconfig if not a direct probe for vulnerability). Would it be good to recommend that ISPs filter at some as-path size, as it's easy and does not consume router resources? What would be a good as-path size to filter on, just to be certain no valid route is filtered (just in case, allow possible growth of as-path up to 2x what it is now)?

On Mon, 31 Jan 2005, Blaine Christian wrote:
Specifically, they have the ability to tickle a legacy cisco bug with AS path length. This bug was supposedly mitigated in code and I believe my previous company is still filtering AS path length (UUNET) of 100 or greater.
A valid AS-Path of greater than 100 has not yet been found (which was why the filters were in place).
On 1/31/05 8:53 AM, "Jared Mauch" <jared@puck.nether.net> wrote:
On Mon, Jan 31, 2005 at 07:19:14AM +0200, Hank Nussbacher wrote:
At 10:23 PM 30-01-05 -0500, Jon Lewis wrote:
Someone at fido.net having some bgp config issues?
Looks like someone probing for a buffer overflow on a world-wide basis.
-Hank
Jan 30 18:34:51 EST: %BGP-6-ASPATH: Long AS path 6461 3356 6770 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 received from ...
Router(config-router)#bgp maxas-limit ? <1-2000> Number of ASes in the AS-PATH attribute
Router(config-router)#bgp maxas-limit 50
Easy to fix/reject.
- jared
On Mon, 31 Jan 2005, Christopher L. Morrow wrote:
Well, long as-path of 100 is certain to be invalid (result of misconfig if
just curious, why would it be invalid?
It's invalid in practice. You can build a network with an as-path larger than 100 in your lab, but in the real world we do not have this. Of course you might say that it's possible that we have fewer than 100 networks and each one is prepending several of their own AS# and the real number of networks is something like 20, but even that is too many, and each network as-prepending 5 of their own AS is also rather unlikely.

One thing I want to note to cisco and other vendor engineers is that one easy way to deal with it might be if there was a way to "cut" the number of as-prepends, i.e. for a long as-path with a number of the same AS## in sequence, it might be good if the router could automatically cut the number from 10+ to say 3 for long as-paths, i.e. I'd like to have this available:

neighbor x.x.x.x max-aspath-sequence 3

Then backbones could set this for their customers and we'll not have these long sequences appearing in the at-large bgp table.

--
William Leibzon
Elan Networks
william@elan.net
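An added example, not code from any post in this thread, showing in Python what Jared's `bgp maxas-limit` check and William's proposed `max-aspath-sequence` knob would each do to the kind of %BGP-6-ASPATH line Jon quoted. The log line is constructed from the quoted one, with the 8282 run shortened to 60 entries and a constructed peer address (192.0.2.1) in place of the elided one. `bgp maxas-limit` is modelled as a plain count of ASNs, which is what the CLI help text Jared pasted says it counts (AS_SET segments are not handled), and the prepend-collapsing knob is only simulated, since no router implements it.

```python
"""AS_PATH length checks over a Cisco %BGP-6-ASPATH syslog line.

Added example, not code from any post in the thread. Assumptions: the line has
the shape quoted above ("... Long AS path <ASNs> received from <peer>");
'bgp maxas-limit' is modelled as a plain count of ASNs, as the CLI help text
describes it (AS_SET segments are not handled); and 'max-aspath-sequence' is
William's proposed knob, simulated here because no router implements it.
"""
import re
from itertools import groupby

# Constructed sample: the quoted log line with the 8282 run shortened to 60
# entries and a constructed peer address in place of the elided one.
SAMPLE_LOG = (
    "Jan 30 18:34:51 EST: %BGP-6-ASPATH: Long AS path 6461 3356 6770 "
    + " ".join(["8282"] * 60)
    + " received from 192.0.2.1"
)

ASPATH_RE = re.compile(r"%BGP-6-ASPATH: Long AS path ((?:\d+\s+)+)received from")


def parse_as_path(line):
    """Return the AS_PATH from a %BGP-6-ASPATH line as a list of ints, or None."""
    m = ASPATH_RE.search(line)
    if m is None:
        return None
    return [int(asn) for asn in m.group(1).split()]


def longest_run(path):
    """Length of the longest run of one ASN repeated back to back (prepend depth)."""
    return max((len(list(g)) for _, g in groupby(path)), default=0)


def maxas_limit_accepts(path, limit):
    """Mimic 'bgp maxas-limit <limit>': a path with more than <limit> ASes is discarded."""
    return len(path) <= limit


def collapse_prepends(path, max_sequence):
    """Simulate the proposed 'max-aspath-sequence': trim each run to at most max_sequence."""
    out = []
    for asn, g in groupby(path):
        out.extend([asn] * min(len(list(g)), max_sequence))
    return out


def classify(line, limit=50, max_sequence=3):
    """Summarise one syslog line: length, prepend depth, maxas-limit verdict, collapsed path."""
    path = parse_as_path(line)
    if path is None:
        return None
    return {
        "length": len(path),
        "longest_run": longest_run(path),
        "accepted": maxas_limit_accepts(path, limit),
        "collapsed": collapse_prepends(path, max_sequence),
    }


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    print(f"{result['length']} ASes, longest prepend run {result['longest_run']}, "
          f"accepted under maxas-limit 50: {result['accepted']}")
    print("after max-aspath-sequence 3:", " ".join(map(str, result["collapsed"])))
```

Run against a syslog export to see which peers are sending over-length paths and how much of each path is pure prepending; the collapsed form shows what the table would look like if the knob William asks for existed.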
On Mon, 31 Jan 2005, william(at)elan.net wrote:
On Mon, 31 Jan 2005, Christopher L. Morrow wrote:
Well, long as-path of 100 is certain to be invalid (result of misconfig if
just curious, why would it be invalid?
Its invalid in practice. You can build network with as-path larger then 100 in your lab, but in real world, we do not have this.
Of course you might say that its possible that we have less then 100 networks and each one is prepending several of their own as# and real number of networks is something like 20, but even that is too many and each network as-prepending 5 of their own AS is also rather unlikely.
so, 'dumb' but not 'invalid'... There might very well be networks (say not on the internet) where as-paths longer than 100 might be required. Saying: "they are invalid" isn't correct. Saying: "The use of as-path longer than 100 on today's Internet isn't helpful" is correct, or so say you and at least blaine.
All I can honestly say is that I never saw valid advertisements > 100 used on the Internet. I can not think of a good use in the Internet provider space for an AS that long but who knows what may happen in the future.

The reason we set it to 100 was that we wanted to give plenty of room for growth; realizing we were not going to be perfect about predicting future needs. We could have set it lower but 100 was a nice round number <grin>.

I stopped recording all advertisements a few months ago but I suspect we are still sub 50 and I am sure someone on this thread probably has that info at their fingertips.

Since the bug itself revolved around an 8 bit variable it may even be safe to set things at 200. If you are in a core role and you set the limit at something like 254 you may have trouble prepending your AS as it could tip you over the edge (WRT the potential for triggering that specific bug).

Regards and, I believe, congratulations Chris!

Blaine

P.S. Nothing in the above constitutes a recommendation to apply configurations to routers. Use your own judgement and track your BGP table for a few months before playing with these knobs.
On Mon, Jan 31, 2005 at 09:37:57AM -0800, Blaine Christian wrote:
Specifically, they have the ability to tickle a legacy cisco bug with AS path length. This bug was supposedly mitigated in code and I believe my previous company is still filtering AS path length (UUNET) of 100 or greater.
In recent years there have been issues with memory allocation on the order of path-length ~50. Similar to bogon filters, it is recommended to take a survey of sane path lengths and your own needs before deploying. Potentially useful data in this regard is tracked by [surprise] cymru http://www.cymru.com/BGP/asnpalen01.html

In cisco-land, the max as-length was an undocumented command until last year or so. A popular value appears to be in the 40-50 range from folks I know using it.

Cheers,

Joe

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
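An added example, not from Joe's post or from Cymru, of the survey Joe recommends doing before turning the knob on: tally AS_PATH lengths from a RIB sample, check how many routes a candidate `bgp maxas-limit` value would discard today, and derive a starting value with the 2x growth headroom William suggested earlier in the thread. The path strings are constructed in `show ip bgp` AS_PATH style, not real table data; the optional `ceiling` argument lets the caller cap the proposal (for instance under the 8-bit range Blaine mentioned) but no particular ceiling is assumed, and counting AS_SET members individually is an assumption about what the router would count.

```python
"""Survey AS_PATH lengths before choosing a 'bgp maxas-limit' value.

Added example, not code from the thread or from Cymru. SAMPLE_PATHS is a
constructed sample in 'show ip bgp' AS_PATH style; feed real RIB dumps instead.
"""
from collections import Counter
from math import ceil

# Constructed sample RIB: a few short paths plus some heavily prepended ones.
SAMPLE_PATHS = [
    "6461 3356 6770 8282",
    "6461 3356 6770 " + " ".join(["8282"] * 3),
    "3356 701 1239 7018",
    "6461 2914 4766 " + " ".join(["9318"] * 4),
    "3356 174 3491 " + " ".join(["4134"] * 6),
    "6461 1299 9002 " + " ".join(["12389"] * 8),
    "3356 6939 4826 " + " ".join(["38195"] * 10),
]


def path_length(path_str):
    """Count ASNs in a 'show ip bgp' style AS_PATH string.

    AS_SET members written as {a,b} are counted individually; whether a given
    router counts them that way for maxas-limit is an assumption, not something
    the thread states.
    """
    for ch in "{},":
        path_str = path_str.replace(ch, " ")
    return len(path_str.split())


def length_histogram(paths):
    """Map path length -> number of routes with that length."""
    return Counter(path_length(p) for p in paths)


def routes_dropped_at(paths, limit):
    """How many surveyed routes 'bgp maxas-limit <limit>' would discard today."""
    return sum(1 for p in paths if path_length(p) > limit)


def choose_limit(paths, headroom=2.0, ceiling=None):
    """Propose a limit of (longest observed path x headroom), optionally capped.

    Returns the observed maximum, the proposal, and how many surveyed routes the
    proposal would drop, which is zero unless the ceiling cut it below the
    observed maximum.
    """
    longest = max(path_length(p) for p in paths)
    proposed = ceil(longest * headroom)
    if ceiling is not None:
        proposed = min(proposed, ceiling)
    return {
        "observed_max": longest,
        "proposed": proposed,
        "dropped_now": routes_dropped_at(paths, proposed),
    }


if __name__ == "__main__":
    hist = length_histogram(SAMPLE_PATHS)
    for length in sorted(hist):
        print(f"{length:3d} ASes: {hist[length]} route(s)")
    print(choose_limit(SAMPLE_PATHS))
    print("routes dropped at maxas-limit 8:", routes_dropped_at(SAMPLE_PATHS, 8))
```

Re-run the survey against a fresh dump for a few months, as Blaine suggests, and treat a non-zero `dropped_now` for your chosen value as a reason to look at the routes involved before deploying.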
participants (7)
- Blaine Christian
- Christopher L. Morrow
- Hank Nussbacher
- Jared Mauch
- Joe Provo
- Jon Lewis
- william(at)elan.net