nanog mailing list archives
RE: anyone else seeing very long AS paths?
From: "Ivan Pepelnjak" <ivan.pepelnjak () zaplana net>
Date: Tue, 17 Feb 2009 20:24:38 +0100
According to publicly available bug toolkit, CSCee30718 did not touch the maxas limit. The hard-coded maxas-limit in recent IOS releases is 254 (not 75 as suggested in a previous e-mail). Classic IOS (I did not test XE, XR or NX) can handle inbound updates with AS path lengths above 255, but fails miserably when it has to send an oversized update (producing invalid BGP UPDATE message), resulting in a flapping BGP session (anyone who wants to test this behavior and report/fix this bug can get all the files needed to reproduce it). The hard-coded maxas-limit prevents this behavior (254 + my AS = 255), but if you use AS-path prepending on outbound update, you're fried. The __ONLY__ way to be on the safe side is to configure "bgp maxas-limit", otherwise someone who knows you're doing AS-path prepending on major peering sessions (and no inbound AS-path filtering) can selectively target your peering points. I've summarized everything I've discovered in various stress tests today (well, not the targeted attack :) in this article: http://wiki.nil.com/Limit_the_maximum_BGP_AS-path_length Feel free to improve it:) Ivan http://blog.ioshints.info
-----Original Message----- From: German Martinez [mailto:gmartine () ajax opentransit net] Sent: Tuesday, February 17, 2009 7:55 PM To: Michael Ulitskiy Cc: nanog () nanog org Subject: Re: anyone else seeing very long AS paths? On Tue Feb 17, 2009, Michael Ulitskiy wrote: Hello, CSCee30718 - it removes the default value of bgp max-as from the router. The solution is introduced in CSCeh13489 BGP shouldn't propogate an update w excessive AS Path > 255 Symptoms: A router may reset its Border Gateway Protocol (BGP) session. Conditions: This symptom is observed when a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length that is equal to or greater than 255. Workaround: Configure the bgp maxas limit command in such as way that the maximum length of the AS path is a value below 255. When the router receives an update with an excessive AS path value, the prefix is rejected and recorded the event in the log. This workaround has been suggested previously by Hank. Anyone knows about any possible CPU impacts in case that you implement bgp maxas? Thanks GermanMy bgp speaking devices are a couple of 7200s running 12.2(40). Not the newest IOS out there, but it's been doing the jobjust fine up until yesterday.Yesterday, when that malformed announcement hit my routersthey didn'tcrash, but they did reset bgp sessions (even though I didn't accept the route) and they kept doing so until I got my upstreamto filter it out.According to cisco bug toolkit CSCdr54230 should be fixedin 12.2, so obviously it's not enough.Does anybody know what IOS version has fix this problem,'cause I couldn't find this info at CCO?Thanks, Michael On Tuesday 17 February 2009 10:21:07 am Etaoin Shrdlu wrote:Jared Mauch wrote:On Tue, Feb 17, 2009 at 08:07:36AM +0200, Hank Nussbacher wrote:"They" will keep trying and until a vast majority of ISPs implement maxas, this will keep happening.Or until people who are still runningmulti-year old cisco codeactually upgrade? This seems to primarily impact: 1) Old cisco code 2) PC based bgp daemonsBoth of which likely just need to be upgraded. Iactually suspectthat a lot of people who dropped their bgp sessions didnot noticesomething happened, and still will not upgrade their code....I suspect these people don't even know they have a bgp speaking device anymore.On the other hand, the fact that various entities havegone out oftheir way to advertise that they're running oldhardware/out-of-datesoftware has been noted elsewhere. I'd strongly suggest,if you're reading NANOG,that you update, before someone less pleasant and friendly than myself finds you. Please.
Current thread:
- Re: anyone else seeing very long AS paths?, (continued)
- Re: anyone else seeing very long AS paths? Florian Weimer (Feb 17)
- Re: anyone else seeing very long AS paths? Jared Mauch (Feb 17)
- Re: anyone else seeing very long AS paths? Etaoin Shrdlu (Feb 17)
- Re: anyone else seeing very long AS paths? Adrian Chadd (Feb 17)
- Re: anyone else seeing very long AS paths? Michael Ulitskiy (Feb 17)
- Re: anyone else seeing very long AS paths? German Martinez (Feb 17)
- Re: anyone else seeing very long AS paths? Mike Lewinski (Feb 17)
- Re: anyone else seeing very long AS paths? German Martinez (Feb 17)
- Re: anyone else seeing very long AS paths? Jack Bates (Feb 17)
- Re: anyone else seeing very long AS paths? Leland E. Vandervort (Feb 17)
- RE: anyone else seeing very long AS paths? Ivan Pepelnjak (Feb 17)
- Re: anyone else seeing very long AS paths? Jack Bates (Feb 17)
- Re: anyone else seeing very long AS paths? Mike Lewinski (Feb 17)
- RE: anyone else seeing very long AS paths? Ivan Pepelnjak (Feb 17)
- Re: anyone else seeing very long AS paths? Rodney Dunn (Feb 17)
- Re: anyone else seeing very long AS paths? German Martinez (Feb 17)
- Re: anyone else seeing very long AS paths? Rodney Dunn (Feb 17)
- Re: anyone else seeing very long AS paths? Rodney Dunn (Feb 19)
- Re: anyone else seeing very long AS paths? Rodney Dunn (Feb 20)
- Followup: anyone else seeing very long AS paths? Ivan Pepelnjak (Feb 20)
- RE: anyone else seeing very long AS paths? Ivan Pepelnjak (Feb 17)