Re: JunOS/FRR/Nokia et al BGP critical issue

[Bjørn Mork <bjorn () mork no>]

Eugeniu Patrascu <eugen () imacandi net> writes:
> On Fri, Sep 1, 2023 at 12:56 PM Bjørn Mork <bjorn () mork no> wrote:
>
> > But there's obviously not been enough thought applied to realize that
> > optional transitive attributes must be considered evil by default. They
> > can only be used after extremely careful parsing.
>
> Yeah, no.
> The logic is that if you understand them, you treat them according to
> whatever routing policy you have and then pass them along.

That's where you get into problems, depending on your defintition of
"understand" and "treat".  This implies parsing unvalidated input.

Understanding RFC compliant attributes is a minor part of that task.
The real problem is dealing with absolutely anything, including values
specifically designed to attack your parser, or policy, or whatever logic
you apply to the attribute value.

> If you don't,
> you just pass them along and that's it. Nothing more, nothing less.

This is obviously not a problem.

You may be acting as a proxy for attacking your peers, but there's
nothing you can do about that without breaking the protocol.

> > This is the BGP version of
> >
> >  select * from mytable where field = $unvalidated_user_input;
>
> No here as well. Because passing along a transitive attribute you don't
> understand does not affect you in any way.

I didn't say so either.

Those who _believe_ they understand it is the problem.

And I'm slowly starting to see why we still have so many implementations
where the optional transitive problem has been pretty much ignored.


Bjørn