[111943] in North American Network Operators' Group


Re: anyone else seeing very long AS paths?

daemon@ATHENA.MIT.EDU (German Martinez)
Tue Feb 17 14:13:21 2009

Date: Tue, 17 Feb 2009 14:20:59 -0500
From: German Martinez <gmartine@ajax.opentransit.net>
To: Mike Lewinski <mike@rockynet.com>
In-Reply-To: <499B09DA.9090100@rockynet.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org



On Tue Feb 17, 2009, Mike Lewinski wrote:

> bgp max-as will NOT protect you from this exploit (but if you are not
> vulnerable it should prevent you from propagating it).

Are you trying to say that the receiving bgp speaker will drop the session
no matter what but it won't forward the update?

Here is what I have found on Cisco's website

bgp maxas-limit

To configure Border Gateway Protocol (BGP) to discard routes that have a
number of as-path segments that exceed the specified value,
use the bgp maxas-limit command in router configuration
mode. To return the router to default operation, use the no form of
this command.

Usage Guidelines

The bgp maxas-limit command is used to limit the number of as-path segments
that are permitted in inbound routes. If a route is received with an as-path
segment that exceeds the configured limit, the BGP routing process will
discard the route.

I heard about people running this command that were not impacted

>
> As far as I can tell the ONLY defense for a vulnerable IOS is to not run
> BGP. Dropping every received route with a filter on 0/0 does not mitigate
> the attack - as soon as that bogus as-path is received the BGP session
> resets, even if the route is never actually installed (and as far as I can
> tell the only real effect of the "bgp maxas-limit 75" is to cause all paths
> with more than 75 ASN to not be installed in the routing table).
>

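The maxas-limit behaviour quoted from Cisco's documentation above, shown as an added illustration that is not part of this thread, of IOS, or of any Cisco code: a small Python parser for the BGP AS_PATH attribute (RFC 4271 wire format, 2-byte ASNs by default) that bounds-checks every field and then applies a route-discard check in the style of "bgp maxas-limit". It assumes the limit is compared against the total number of ASNs in the path (following the "more than 75 ASN" wording in the quoted message, not a statement from Cisco), and the function names, the `ASPathError` type and the sample attribute bytes are all constructed here. The point it demonstrates is the distinction the thread turns on: a conforming receiver discards the over-long or malformed route and leaves the session alone.

```python
import struct

# AS_PATH segment types from RFC 4271 section 4.3
AS_SET = 1
AS_SEQUENCE = 2


class ASPathError(ValueError):
    """Raised when an AS_PATH attribute value is malformed (hypothetical type)."""


def build_as_path(segments, asn_size=2):
    """Encode [(segment_type, [asn, ...]), ...] into AS_PATH wire format.

    The per-segment length field is a single byte, so a sequence of more than
    255 ASNs has to be split across several consecutive segments of the same
    type; that is also why the parser below must loop over segments."""
    fmt = ">H" if asn_size == 2 else ">I"
    out = bytearray()
    for seg_type, asns in segments:
        for i in range(0, len(asns), 255):
            chunk = asns[i:i + 255]
            out += bytes([seg_type, len(chunk)])
            out += b"".join(struct.pack(fmt, a) for a in chunk)
    return bytes(out)


def parse_as_path(data, asn_size=2):
    """Decode AS_PATH wire format into [(segment_type, [asn, ...]), ...].

    Every length is checked against the bytes actually present, so a short,
    truncated or over-stated attribute raises ASPathError instead of reading
    past the end of the buffer."""
    fmt = ">H" if asn_size == 2 else ">I"
    segments = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ASPathError("truncated segment header")
        seg_type, seg_len = data[pos], data[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ASPathError("unknown segment type %d" % seg_type)
        body = seg_len * asn_size
        if len(data) - pos < body:
            raise ASPathError("segment claims %d ASNs but only %d bytes remain"
                              % (seg_len, len(data) - pos))
        asns = [struct.unpack(fmt, data[pos + i * asn_size:pos + (i + 1) * asn_size])[0]
                for i in range(seg_len)]
        pos += body
        segments.append((seg_type, asns))
    return segments


def count_asns(segments):
    """Total ASNs across all segments; assumed here to be the quantity that
    a maxas-limit value is compared against."""
    return sum(len(asns) for _, asns in segments)


def check_maxas_limit(data, limit, asn_size=2):
    """Return (accept, reason) for one inbound AS_PATH attribute value.

    Mirrors the documented behaviour on the page: an over-long or malformed
    path causes the route to be discarded. Nothing here resets the session,
    which is the contrast the thread is drawing with the vulnerable behaviour."""
    try:
        segments = parse_as_path(data, asn_size)
    except ASPathError as exc:
        return False, "discard: malformed AS_PATH (%s)" % exc
    n = count_asns(segments)
    if n > limit:
        return False, ("discard: %d ASNs in %d segments exceeds maxas-limit %d"
                       % (n, len(segments), limit))
    return True, "accept: %d ASNs" % n


if __name__ == "__main__":
    # Constructed sample inputs using private-use ASNs (RFC 6996 range).
    short_path = build_as_path([(AS_SEQUENCE, [64496, 64497, 64498])])
    long_path = build_as_path([(AS_SEQUENCE, list(range(64496, 64496 + 300)))])
    for label, attr in [("short", short_path), ("300-ASN", long_path),
                        ("truncated", long_path[:-1])]:
        print(label, check_maxas_limit(attr, 75))
```

Running the block shows the three outcomes a receiver should distinguish: a normal path is accepted, a 300-ASN path (which the encoder has to split into two segments) is discarded as exceeding the limit, and a path with one byte missing is discarded as malformed rather than being parsed out of bounds.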

