Hi Chris, Thanks for your detail information! Regarding the following message: > Message data: 144 bytes > FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF > 00900200 00007540 01010040 02220208 > 00000D1C 0000232A 00002458 000210AA > 00024F1E 00021B5D 000003D8 00060A11 > 400304D5 F2494980 04040000 0000C008 > 1C0D1C00 020D1C00 160D1C00 640D1C00 > 7B0D1C01 F70D1C03 850D1C08 13E0281C > 00000000 00000000 00000000 00000000 > 00000000 00000000 00000000 182DC6B8
We can find the BGP attribute data that causes the problem as follows: > E0281C > 00000000 00000000 00000000 00000000 > 00000000 00000000 00000000 Semantically, this is a "complete" BGP Path Attribute: Flags=0xE0 Type=0x28, it is defined in RFC8669. (https://datatracker.ietf.org/doc/rfc8669/) Length=0x1C The Value field, as indicated by Length, does indeed occupy 28 bytes, although they are all zeros. Some network operating systems may try to parse the TLV carried in this attribute per RFC8669 and find that there is no valid TLV, so resulting in an error. Other operating systems found that the attribute was semantically correct but the content was incorrect, so they ignored the attribute and no BGP session interruption occurred. I'm curious how this strange attribute was generated. Was it the result of a test initiated by someone? Was it an attempt to test the robustness of the BGP protocol on the Internet? Cheers, Shunwan > -----Original Message----- > From: Chris Welti via NANOG [mailto:[email protected]] > Sent: Thursday, May 22, 2025 8:09 PM > To: North American Network Operators Group <[email protected]> > Cc: Niels den Otter <[email protected]>; Chris Welti > <[email protected]> > Subject: Re: BGP malformed update/attribute list > > Hi Niels, > > For what it's worth, thats what we saw here on our AS3356 uplink: > > > Total Update messages received: 281003910 > Malformed Update messages received: 6 > First received: May 20 09:01:52.256 > Last received: May 20 09:02:12.529 (2d04h ago) > Memory allocation failures: 0 > First failure: --- > Last failure: --- (never) > Error-handling session resets: 0 > First reset: --- > Last reset: --- (never) > Discarded attributes: 6 > > Since session establishment: > Update messages received: 37579519 > Final actions: > None: 0, DiscardMsg: 0, Reset: 0 > TreatAsWdrOrReset: 0, TreatAsWdr: 0, DiscardAttr: 6 > LocalRepair: 0 > > Malformed messages stored: 5 (current index: 0) > > Malformed message #1 > Received: May 20 09:02:12.529 > Error flags: 0x00080000 > Discarded attributes: 1 > Final action: DiscardAttr > > Error elements: 1 > [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, > Length 28) > Error data: [e0281c00] (4 bytes) > Action: DiscardAttr > > NLRIs: "IPv4 Unicast" <15 chars> > 140.150.9.0/24 > > Reset/notification information: > Reason "None", Postit type "Update malformed" > Notification code 3, sub-code 1 > Notification data [e0281c00000000000000000000000000] (16 > bytes) > > Message data: 136 bytes > FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF > 00880200 00006D40 01010040 021A0206 > 00000D1C 0000232A 00002458 000210AA > 00024F1E 00021B5D 400304D5 F2494980 > 04040000 0000C008 1C0D1C00 020D1C00 > 160D1C00 640D1C00 7B0D1C01 F70D1C03 > 850D1C08 13E0281C 00000000 00000000 > 00000000 00000000 00000000 00000000 > 00000000 188C9609 > > Malformed message #2 > Received: May 20 09:02:12.529 > Error flags: 0x00080000 > Discarded attributes: 1 > Final action: DiscardAttr > > Error elements: 1 > [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, > Length 28) > Error data: [e0281c00] (4 bytes) > Action: DiscardAttr > > NLRIs: "IPv4 Unicast" <68 chars> > 138.113.116.0/24 163.171.104.0/24 163.1 > 71.102.0/24 163.171.103.0/24 > > Reset/notification information: > Reason "None", Postit type "Update malformed" > Notification code 3, sub-code 1 > Notification data [e0281c00000000000000000000000000] (16 > bytes) > > Message data: 152 bytes > FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF > 00980200 00007140 01010040 021E0207 > 00000D1C 0000232A 00002458 000210AA > 00024F1E 00021B5D 0000D6D2 400304D5 > F2494980 04040000 0000C008 1C0D1C00 > 020D1C00 160D1C00 640D1C00 7B0D1C01 > F70D1C03 850D1C08 13E0281C 00000000 > 00000000 00000000 00000000 00000000 > 00000000 00000000 188A7174 18A3AB68 > 18A3AB66 18A3AB67 > > Malformed message #3 > Received: May 20 09:02:10.106 > Error flags: 0x00080000 > Discarded attributes: 1 > Final action: DiscardAttr > > Error elements: 1 > [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, > Length 28) > Error data: [e0281c00] (4 bytes) > Action: DiscardAttr > > NLRIs: "IPv4 Unicast" <109 chars> > 103.87.71.0/24 103.160.154.0/24 103.87. > 70.0/24 103.160.54.0/24 110.44.172.0/22 > 103.52.2.0/24 203.84.138.0/24... > > Reset/notification information: > Reason "None", Postit type "Update malformed" > Notification code 3, sub-code 1 > Notification data [e0281c00000000000000000000000000] (16 > bytes) > > Message data: 184 bytes > FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF > 00B80200 00006D40 01010040 021A0206 > 00000D1C 0000232A 00002458 000210AA > 00024F1E 00021B5D 400304D5 F2494980 > 04040000 0000C008 1C0D1C00 020D1C00 > 160D1C00 640D1C00 7B0D1C01 F70D1C03 > 850D1C08 13E0281C 00000000 00000000 > 00000000 00000000 00000000 00000000 > 00000000 18675747 1867A09A 18675746 > 1867A036 166E2CAC 18673402 18CB548A > 18CB5489 18A014DE 1867A037 18CA38AC > 186E2CAA 18673403 > > Malformed message #4 > Received: May 20 09:01:57.313 > Error flags: 0x00080000 > Discarded attributes: 1 > Final action: DiscardAttr > > Error elements: 1 > [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, > Length 28) > Error data: [e0281c00] (4 bytes) > Action: DiscardAttr > > NLRIs: "IPv4 Unicast" <15 chars> > 156.230.0.0/16 > > Reset/notification information: > Reason "None", Postit type "Update malformed" > Notification code 3, sub-code 1 > Notification data [e0281c00000000000000000000000000] (16 > bytes) > > Message data: 139 bytes > FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF > 008B0200 00007140 01010040 021E0207 > 00000D1C 0000232A 00002458 000210AA > 00024F1E 00021B5D 000003D8 400304D5 > F2494980 04040000 0000C008 1C0D1C00 > 020D1C00 160D1C00 640D1C00 7B0D1C01 > F70D1C03 870D1C08 13E0281C 00000000 > 00000000 00000000 00000000 00000000 > 00000000 00000000 109CE6 > > Malformed message #5 > Received: May 20 09:01:57.312 > Error flags: 0x00080000 > Discarded attributes: 1 > Final action: DiscardAttr > > Error elements: 1 > [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, > Length 28) > Error data: [e0281c00] (4 bytes) > Action: DiscardAttr > > NLRIs: "IPv4 Unicast" <16 chars> > 45.198.184.0/24 > > Reset/notification information: > Reason "None", Postit type "Update malformed" > Notification code 3, sub-code 1 > Notification data [e0281c00000000000000000000000000] (16 > bytes) > > Message data: 144 bytes > FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF > 00900200 00007540 01010040 02220208 > 00000D1C 0000232A 00002458 000210AA > 00024F1E 00021B5D 000003D8 00060A11 > 400304D5 F2494980 04040000 0000C008 > 1C0D1C00 020D1C00 160D1C00 640D1C00 > 7B0D1C01 F70D1C03 850D1C08 13E0281C > 00000000 00000000 00000000 00000000 > 00000000 00000000 00000000 182DC6B8 > > Cheers, > Chris > > On 22.05.2025 08:29, Niels den Otter via NANOG wrote: > > Hallo Randy, > > > > That's interesting. At exact the same moment this is what our Juniper > > routers reported; > > > > --- > > May 20 07:01:51 router rpd[34930]: %DAEMON-4: > > bgp_read_v4_update:13937: NOTIFICATION sent to a.b.c.d (Internal AS > > xxx): code 3 (Update Message Error) subcode 131 (invalid), Data: 00 00 > > 00 00 00 00 May 20 07:01:51 router rpd[34930]: %DAEMON-3: Received > malformed update from a.b.c.d (Internal AS xxx) May 20 07:01:51 router > rpd[34930]: %DAEMON-3: Family inet-vpn-unicast, prefix > a.b.c.d:32767:156.230.0.0/40 (label 114) May 20 07:01:51 router > rpd[34930]: %DAEMON-3: Malformed Attribute PREFIX_SID(40) flag 0x80 > length 28 error 131 (TLV length error). > > --- > > > > Appears to be another prefix? Unfortunately we don't have a BMP dump of > this packet. > > > > > > > > * > > Niels > > > > ________________________________ > > Van: Randy Bush via NANOG <[email protected]> > > Verzonden: woensdag 21 mei 2025 22:47 > > Aan: Simon Lockhart via NANOG <[email protected]> > > CC: Randy Bush <[email protected]> > > Onderwerp: Re: BGP malformed update/attribute list > > > > just to aol, and other posts did not show full nlri > > > > May 20 07:01:51 r2.f00 16869308: RP/0/RSP0/CPU0:May 20 07:01:51.437 : > > bgp[1059]: %ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATE > message > > received from neighbor 123.45.67.89 (VRF: default) - message length > > 106 bytes, error flags 0x000c0000, action taken "DiscardAttr". Error > > details: "Error 0x00040000, Field "Attr-length", Attribute 40 (Flags > > 0xe0, Length 28), Data [e0281c]". NLRIs: [IPv4 Unicast] 45.198.25.0/24 > > > > randy > > _______________________________________________ > > NANOG mailing list > > https://lists.nanog.org/archives/list/[email protected]/message/56 > > PKKMWIL7WN5T2VQTDL7M23RFSZO6I3/ > > _______________________________________________ > > NANOG mailing list > > https://lists.nanog.org/archives/list/[email protected]/message/JL > > S5CHUGXNY6C55ZA4SVQO6CJU6KBTG5/ > _______________________________________________ > NANOG mailing list > https://lists.nanog.org/archives/list/[email protected]/message/IGG5VK > 7BADZMQLYRND6L7YKHK7FTHYAD/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/CSDTO64UPEZT2MLL4KSCDJGTHUHBRDPF/
