[77662] in North American Network Operators' Group


Re: long as path games?

daemon@ATHENA.MIT.EDU (william(at)elan.net)
Mon Jan 31 13:12:08 2005

Date: Mon, 31 Jan 2005 10:16:50 -0800 (PST)
From: "william(at)elan.net" <william@elan.net>
To: Blaine Christian <blaine@blaines.net>
Cc: Jared Mauch <jared@puck.nether.net>,
	Hank Nussbacher <hank@mail.iucc.ac.il>, Jon Lewis <jlewis@lewis.org>,
	<nanog@nanog.org>
In-Reply-To: <BE23ACF5.A464%blaine@blaines.net>
Errors-To: owner-nanog-outgoing@merit.edu



Well, a long as-path of 100 is certain to be invalid (a result of misconfig if
not a direct probe for vulnerability). Would it be good to recommend that
ISPs filter at some as-path size, as it's easy and does not consume
router resources? What would be a good as-path size to filter on, just to
be certain no valid route is filtered (just in case, allow possible growth
of as-path up to 2x what it is now)?

On Mon, 31 Jan 2005, Blaine Christian wrote:

> Specifically, they have the ability to tickle a legacy cisco bug with AS
> path length.  This bug was supposedly mitigated in code and I believe my
> previous company is still filtering AS path length (UUNET) of 100 or
> greater. 
> 
> A valid AS-Path of greater than 100 has not yet been found (which was why
> the filters were in place).
> 
> On 1/31/05 8:53 AM, "Jared Mauch" <jared@puck.nether.net> wrote:
> 
> > On Mon, Jan 31, 2005 at 07:19:14AM +0200, Hank Nussbacher wrote:
> >> 
> >> At 10:23 PM 30-01-05 -0500, Jon Lewis wrote:
> >> 
> >>> Someone at fido.net having some bgp config issues?
> >> 
> >> Looks like someone probing for a buffer overflow on a world-wide basis.
> >> 
> >> -Hank
> >> 
> >> 
> >>> Jan 30 18:34:51 EST: %BGP-6-ASPATH: Long AS path 6461 3356 6770 8282 8282
> >>> 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
> >>> 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
> >>> 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
> >>> 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
> >>> 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
> >>> 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
> >>> received from ...
> > 
> > Router(config-router)#bgp maxas-limit ?
> >   <1-2000>  Number of ASes in the AS-PATH attribute
> > 
> > Router(config-router)#bgp maxas-limit 50
> > 
> > Easy to fix/reject.
> > 
> > - jared
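
An added example, not part of any message in this thread: a small Python parser for the `%BGP-6-ASPATH: Long AS path ... received from ...` syslog line quoted above, reporting total path length, distinct AS count and the longest prepend run, so that logged paths can be compared against a candidate filter threshold. The sample line, the peer address 192.0.2.1, the default limit of 50 and the "greater than" comparison are assumptions of this example.

```python
import re
from itertools import groupby

# Matches the message shape quoted in the thread. The text after
# "received from" is elided on the page, so it is captured loosely.
LONG_PATH = re.compile(
    r"%BGP-6-ASPATH: Long AS path ((?:\d+\s+)+)received from\s*(\S*)"
)

def analyze(line, limit=50):
    """Return AS-path statistics for one syslog line, or None if no match.

    `limit` is the candidate maximum path length; treating "over" as
    strictly greater than the limit is an assumption of this example.
    """
    m = LONG_PATH.search(line)
    if not m:
        return None
    path = [int(asn) for asn in m.group(1).split()]
    # Longest run of a single AS repeated back to back (prepending).
    asn, run = max(
        ((a, len(list(g))) for a, g in groupby(path)), key=lambda t: t[1]
    )
    return {
        "peer": m.group(2) or None,
        "length": len(path),            # every AS counts, prepends included
        "distinct": len(set(path)),     # ASes actually traversed
        "prepended_as": asn,
        "prepend_run": run,
        "over_limit": len(path) > limit,
    }

# Constructed sample modeled on the quoted log line; the peer address is a
# documentation-range placeholder, not a value from the thread.
SAMPLE = (
    "Jan 30 18:34:51 EST: %BGP-6-ASPATH: Long AS path 6461 3356 6770 "
    + "8282 " * 92
    + "received from 192.0.2.1"
)

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Comparing `length` with `distinct` separates a path that is long because of prepending from one that really crosses many networks, which is the distinction that matters when picking a threshold that will not drop valid routes.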

