> > Which in theory opens a new attack vector for the future.
>
> What is the attack vector you foresee for a route sitting as hidden with the potentially offending attributes stripped off?
On Thu, Aug 31, 2023 at 4:27 AM Tobias Heister via juniper-nsp <juniper-nsp@puck.nether.net> wrote:
> Hi,
>
> On 30.08.2023 at 18:09, heasley via juniper-nsp wrote:
> > Tue, Aug 29, 2023 at 03:42:41PM -0700, David Sinn via juniper-nsp:
> >> A network I operate is going with:
> >>
> >> bgp-error-tolerance {
> >>     malformed-route-limit 0;
> >> }
> >>
> >> The thoughts being that there is no real reason to retain the malformed route and the default of 1000 is arbitrary. We haven't really seen a rash of them, so adjusting the logging hasn't proven needed yet.
> >
> > It does seem arbitrary. Retaining all seems like a better choice, operationally, allowing the operator to diagnose why a route is missing; show route .... hidden.
>
> Which in theory opens a new attack vector for the future.
>
> As the update is malformed it could do $something to the handling in e.g. RPD or other daemons by processing them somehow wrong. By not holding or further processing any of them that could (maybe, hopefully?) be minimized.
>
> Of course proper code and handling of malformed things would be even better, but you know ...
>
> regards
> Tobias
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp