Re: AS PATH limits

2017-09-30 Thread William Herrin
On Sun, Oct 1, 2017 at 1:05 AM, Ken Chase  wrote:

> I don't quite understand the exact situation that causes the issue - our
> cogent facing router (quagga .99.22 debian) was receiving the route but
> that session stayed up - it was either while sending, or the other igp
> router (also quagga .99.22) receiving (I think the latter), that was
> crashing their session. Not quite sure why the cogent session didn't
> crash as well (or first, before propagating the bad route).
>

Hi Ken,

Technically the route is not bad, just really inconsiderate.

The bug happens when quagga sends the long-AS-path route to a peer. As
I understand it, when the announcement is larger than one segment, Quagga
double-counts some of the bytes when computing the number of bytes in
the AS path. It receives the announcement just fine, but then it corrupts
what it sends to the neighbor who then chokes.

Bug and patch here:
https://lists.quagga.net/pipermail/quagga-dev/2017-September/033284.html

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: AS PATH limits

2017-09-30 Thread Mikael Abrahamsson

On Sun, 1 Oct 2017, Hank Nussbacher wrote:


https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1572
Quagga 0.99.11 and earlier affected.
Fixed in 2009.


It was fixed in other OSes as well after this, I presume:

http://blog.ipspace.net/2009/02/root-cause-analysis-oversized-as-paths.html

--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: AS PATH limits

2017-09-30 Thread Hank Nussbacher
On 01/10/2017 04:28, Christopher Morrow wrote:
> On Sat, Sep 30, 2017 at 12:47 PM, Ken Chase  wrote:
>
>> I don't see that as the solution. Someone else will offend again.
>>
>> However, I also don't see trusting major backbones as our filters (for many
>> other reasons). Our software should be handling what's effectively a
>> buffer overflow or equivalent (beware long paths that are actually
>> shellcode).
>>
>> Quagga among others seems to be subject to this bug, pre 0.99.23 or so
>> (.99.24+ seems ok). So upgrading is a solution.
>>
>>
> ii  quagga  0.99.22.4-3ubu i386   BGP/OSPF/RIP routing
> daemon
>
> interestingly enough that isn't crashlooping nor is it bouncing bgp
> sessions:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1572
Quagga 0.99.11 and earlier affected.
Fixed in 2009.

-Hank


> 192.168.100.100  4 MYASN 16427178864000 2d23h32m
> 672475
>
> and it's happily showing me the route even...
>
> There was also some chatter on the quagga mailing list on how it's more
>> pleasant to stab your eyeballs out rather than constructing extremely long
>> regexp's that might work as a filter.
>>
>> https://lists.quagga.net/pipermail/quagga-users/2017-September/thread.html
>>
>> /kc
>>
>>
>> On Sat, Sep 30, 2017 at 05:30:03PM +0200, Niels Raijer said:
>>   >My message to NANOG about this from 12:31 UTC today is still in the
>> moderation queue. I had opened a support case with Cogent before writing my
>> message to NANOG and Cogent has let me know approximately 40 minutes ago
>> that they have contacted their customer.
>>   >
>>   >Niels
>>   >
>>   >
>>   >
>>   >On 30 Sep 2017, at 17:09, sth...@nethelp.no wrote:
>>   >
>>   >>> If you're on cogent, since 22:30 UTC yesterday or so this has been
>> happening
>>   >>> (or happened).
>>   >>
>>   >> Still happening here. I count 562 prepends (563 * 262197) in the
>>   >> advertisement we receive from Cogent. I see no good reason why we
>>   >> should accept that many prepends.
>>   >>
>>   >> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>>   >
>>
>> --
>> Ken Chase - m...@sizone.org  Guelph Canada
>>



Re: AS PATH limits

2017-09-30 Thread Ken Chase
I don't quite understand the exact situation that causes the issue - our
cogent facing router (quagga .99.22 debian) was receiving the route but that
session stayed up - it was either while sending, or the other igp router (also
quagga .99.22) receiving (I think the latter), that was crashing their session.
Not quite sure why the cogent session didn't crash as well (or first, before
propagating the bad route).

At any rate, we should likely take this discussion to the quagga-users-l

/kc


On Sat, Sep 30, 2017 at 09:28:28PM -0400, Christopher Morrow said:
  >ii  quagga  0.99.22.4-3ubu i386   BGP/OSPF/RIP routing
  >daemon
  >
  >interestingly enough that isn't crashlooping nor is it bouncing bgp
  >sessions:
  >192.168.100.100  4 MYASN 16427178864000 2d23h32m
  >672475
  >
  >and it's happily showing me the route even...

-- 
Ken Chase - m...@sizone.org Guelph Canada


Re: AS PATH limits

2017-09-30 Thread Christopher Morrow
On Sat, Sep 30, 2017 at 12:47 PM, Ken Chase  wrote:

> I don't see that as the solution. Someone else will offend again.
>
> However, I also don't see trusting major backbones as our filters (for many
> other reasons). Our software should be handling what's effectively a
> buffer overflow or equivalent (beware long paths that are actually
> shellcode).
>
> Quagga among others seems to be subject to this bug, pre 0.99.23 or so
> (.99.24+ seems ok). So upgrading is a solution.
>
>
ii  quagga  0.99.22.4-3ubu i386   BGP/OSPF/RIP routing
daemon

interestingly enough that isn't crashlooping nor is it bouncing bgp
sessions:
192.168.100.100  4 MYASN 16427178864000 2d23h32m
672475

and it's happily showing me the route even...

There was also some chatter on the quagga mailing list on how it's more
> pleasant to stab your eyeballs out rather than constructing extremely long
> regexp's that might work as a filter.
>
> https://lists.quagga.net/pipermail/quagga-users/2017-September/thread.html
>
> /kc
>
>
> On Sat, Sep 30, 2017 at 05:30:03PM +0200, Niels Raijer said:
>   >My message to NANOG about this from 12:31 UTC today is still in the
> moderation queue. I had opened a support case with Cogent before writing my
> message to NANOG and Cogent has let me know approximately 40 minutes ago
> that they have contacted their customer.
>   >
>   >Niels
>   >
>   >
>   >
>   >On 30 Sep 2017, at 17:09, sth...@nethelp.no wrote:
>   >
>   >>> If you're on cogent, since 22:30 UTC yesterday or so this has been
> happening
>   >>> (or happened).
>   >>
>   >> Still happening here. I count 562 prepends (563 * 262197) in the
>   >> advertisement we receive from Cogent. I see no good reason why we
>   >> should accept that many prepends.
>   >>
>   >> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>   >
>
> --
> Ken Chase - m...@sizone.org  Guelph Canada
>


ISC DLV Registry now running a signed empty zone

2017-09-30 Thread Dan Mahoney (Gushi)

All,

Just to let people know via this list:

As of DNS-OARC 27 (where the change was done live) ISC's DLV Registry has
now been replaced with a signed empty zone (SOA/NS/A/TXT/DNSKEY/RRSIG),
which will be auto-re-signed with the same keys for the foreseeable future.

The IP address for the old DLV web-ui now redirects to ISC's main page,
but if anyone needs a copy of the last-known zone contents for historical
purposes, please reach out.

Thanks to the community for your support.

-Dan Mahoney
ISC Operations Group

--

Notes:  This was sent from my personal domain because that's what I keep 
subscribed to NANOG, but I'm speaking in this post as an ISC Employee.


I will be at NANOG San Jose, I have blue hair and am hard to 
miss.


(Also sent to a couple dns-related lists, apologies for duplicates).


Re: Long BGP AS paths

2017-09-30 Thread William Herrin
On Sat, Sep 30, 2017 at 6:34 PM, Ken Chase  wrote:

> The quagga thread I read specifically indicates that some (most?) versions
> don't
> accept the {n,m} regexp repeat format. Thus the regexps as long as the
> path you want to filter... :/
>

Howdy,

If it was configured with --enable-pcreposix I believe it supports the
regex. Most installs that come straight from a Linux distro used this flag.

Regards,
Bill


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Long BGP AS paths

2017-09-30 Thread Job Snijders
On Sat, 30 Sep 2017 at 15:33, William Herrin  wrote:

> To the chucklehead who started announcing a 2200+ byte AS path yesterday
> around 18:27 EDT, I beg of you: STOP. You've triggered a bug in Quagga
> that's present in all versions released in the last decade. Your
> announcement causes routers based on Quagga to send a malformed update to
> their neighbors, collapsing the entire BGP session. Every 30 seconds or so.
>
> For everyone else: please consider filtering BGP announcements with
> stupidly long AS paths.



Nowhere in the BGP RFCs does it say it is okay for the software to crash. Bugs
happen. You patch and move on. :-)



Re: Long BGP AS paths

2017-09-30 Thread Ken Chase
The quagga thread I read specifically indicates that some (most?) versions don't
accept the {n,m} regexp repeat format. Thus the regexps as long as the
path you want to filter... :/

..or upgrade.

/kc


On Sat, Sep 30, 2017 at 06:29:36PM -0400, William Herrin said:
  >To the chucklehead who started announcing a 2200+ byte AS path yesterday
  >around 18:27 EDT, I beg of you: STOP. You've triggered a bug in Quagga
  >that's present in all versions released in the last decade. Your
  >announcement causes routers based on Quagga to send a malformed update to
  >their neighbors, collapsing the entire BGP session. Every 30 seconds or so.
  >
  >For everyone else: please consider filtering BGP announcements with
  >stupidly long AS paths. There's no need nor excuse for them to be present
  >in the DFZ and you could have saved me a painful Saturday.
  >
  >Cisco:
  >
  >router bgp XXX
  > bgp maxas-limit 50
  >
  >
  >Juniper:
  >https://kb.juniper.net/InfoCenter/index?page=content&id=KB29321
  >
  >
  >Quagga:
  >
  >ip as-path access-list maxas-limit50 deny ^([{},0-9]+ ){50}
  >ip as-path access-list maxas-limit50 permit .*
  >
  >
  >Regards,
  >Bill Herrin
  >
  >
  >-- 
  >William Herrin  her...@dirtside.com  b...@herrin.us
  >Dirtside Systems . Web: 

-- 
Ken Chase - m...@sizone.org Guelph Canada


Long BGP AS paths

2017-09-30 Thread William Herrin
To the chucklehead who started announcing a 2200+ byte AS path yesterday
around 18:27 EDT, I beg of you: STOP. You've triggered a bug in Quagga
that's present in all versions released in the last decade. Your
announcement causes routers based on Quagga to send a malformed update to
their neighbors, collapsing the entire BGP session. Every 30 seconds or so.

For everyone else: please consider filtering BGP announcements with
stupidly long AS paths. There's no need nor excuse for them to be present
in the DFZ and you could have saved me a painful Saturday.

Cisco:

router bgp XXX
 bgp maxas-limit 50


Juniper:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB29321


Quagga:

ip as-path access-list maxas-limit50 deny ^([{},0-9]+ ){50}
ip as-path access-list maxas-limit50 permit .*


Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 
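
Added example (Python; not code from this thread, from Quagga or from any
vendor) covering two points raised in the thread: Bill's explanation that
the trouble starts once the path is larger than one AS_PATH segment, and the
maxas-limit / as-path regex filters in his post above. It encodes a path
shaped like the Cogent announcement quoted earlier (174, 262206 twice, then
563 x 262197; the ASNs come from the thread, the wire format is RFC 4271 with
4-octet ASNs per RFC 6793) into AS_SEQUENCE segments of at most 255 ASNs,
which is why a 566-hop path needs three segments and the extended-length
attribute header, parses it back with bounds checks so a miscounted length is
rejected instead of read past, and applies a 50-hop limit next to the
`^([{},0-9]+ ){50}` regex. Two assumptions are mine: the hop count treats an
AS_SET as one hop as in RFC 4271 best-path comparison (what a given vendor's
maxas-limit counts may differ), and the CLI-style string the regex runs on is
rendered here without a trailing space.

```python
"""Size and screen a BGP AS_PATH (RFC 4271 / RFC 6793).

Constructed example; not code from the NANOG thread, Quagga or any vendor.
"""
import re
import struct

AS_SET = 1
AS_SEQUENCE = 2
ATTR_AS_PATH = 2                # path attribute type code
FLAG_TRANSITIVE = 0x40
FLAG_EXTENDED_LENGTH = 0x10     # attribute length field becomes two octets
MAX_ASNS_PER_SEGMENT = 255      # segment length is a single octet


def encode_as_path(asns, four_octet=True):
    """AS_PATH attribute value: AS_SEQUENCE segments of at most 255 ASNs each."""
    fmt = "!I" if four_octet else "!H"
    out = bytearray()
    for i in range(0, len(asns), MAX_ASNS_PER_SEGMENT):
        chunk = asns[i:i + MAX_ASNS_PER_SEGMENT]
        out += bytes((AS_SEQUENCE, len(chunk)))
        for asn in chunk:
            out += struct.pack(fmt, asn)
    return bytes(out)


def encode_attribute(value):
    """Wrap a value in the path-attribute header (flags, type code, length)."""
    flags = FLAG_TRANSITIVE
    if len(value) > 255:        # a 2200+ byte path cannot use the one-octet length
        flags |= FLAG_EXTENDED_LENGTH
        return bytes((flags, ATTR_AS_PATH)) + struct.pack("!H", len(value)) + value
    return bytes((flags, ATTR_AS_PATH, len(value))) + value


def decode_as_path(value, four_octet=True):
    """Parse an AS_PATH value into [(segment_type, [asn, ...]), ...].

    Every segment is checked against the attribute length before it is read,
    so a peer that re-encodes the path with a wrong byte count is rejected
    rather than read out of bounds.
    """
    size = 4 if four_octet else 2
    fmt = "!I" if four_octet else "!H"
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("unknown segment type %d" % seg_type)
        if count == 0:
            raise ValueError("zero-length segment")
        end = pos + count * size
        if end > len(value):
            raise ValueError("segment runs past end of attribute")
        asns = [struct.unpack(fmt, value[j:j + size])[0] for j in range(pos, end, size)]
        segments.append((seg_type, asns))
        pos = end
    return segments


def hop_count(segments):
    """AS hops: each ASN of an AS_SEQUENCE, an AS_SET as one (RFC 4271 9.1.2.2)."""
    return sum(len(asns) if t == AS_SEQUENCE else 1 for t, asns in segments)


def render(segments):
    """CLI-style text, e.g. '174 262206 {64496,64497}' (assumed: no trailing space)."""
    parts = []
    for t, asns in segments:
        if t == AS_SEQUENCE:
            parts.extend(str(a) for a in asns)
        else:
            parts.append("{" + ",".join(str(a) for a in asns) + "}")
    return " ".join(parts)


MAXAS_LIMIT = 50
# The as-path access-list regex from the post above: 50 space-terminated tokens.
MAXAS_REGEX = re.compile(r"^([{},0-9]+ ){50}")


def accept_update(attribute_value, limit=MAXAS_LIMIT):
    """Receiver-side policy for one AS_PATH value; returns (accepted, reason)."""
    try:
        segments = decode_as_path(attribute_value)
    except ValueError as e:
        return False, "malformed AS_PATH: %s" % e
    hops = hop_count(segments)
    if hops > limit:
        return False, "AS path has %d hops, limit %d" % (hops, limit)
    if MAXAS_REGEX.match(render(segments)):
        return False, "denied by as-path regex"
    return True, "ok"


# Constructed path shaped like the Cogent announcement quoted in the thread:
# 174, 262206 twice, then 262197 repeated 563 times (562 prepends).
PREPEND_PATH = [174, 262206, 262206] + [262197] * 563

if __name__ == "__main__":
    value = encode_as_path(PREPEND_PATH)
    print(len(PREPEND_PATH), "ASNs ->", len(value), "value bytes,",
          len(encode_attribute(value)), "bytes with header")
    print(accept_update(value))
    print(accept_update(encode_as_path([174, 64496, 64497])))
```

With the rendering used here the regex fires at 51 or more tokens, which lines
up with a hop limit of 50; a daemon that renders a trailing space would shift
that by one, so test the expression against the exact string your software
matches on before trusting it in production.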


Re: Hurricane Maria: Summary of communication status - and lack of

2017-09-30 Thread Sean Donelan

On Sat, 30 Sep 2017, Sean Donelan wrote:

The first public statement I've seen from LibertyPR was yesterday. Their
network was completely down.  They've restored some of their main 
infrastructure, i.e. cable headends and main fiber connections.

100% of subscribers are out of service.

I've seen pictures on twitter of LibertyPR crews fixing cables and poles on 
the island.


Liberty cable Puerto Rico has put out a press release today.

LibertyPR is opening one public WiFi hot spot in Bahia Urbana in San Juan 
from 3pm to 7pm Saturday, and 8am to 7pm daily starting Sunday.


Additional hot spots will be announced by LibertyPR via press release in 
the future.


I guess this is a sign LibertyPR's public relations office is back in 
operation.


Re: Hurricane Maria: Summary of communication status - and lack of

2017-09-30 Thread Sean Donelan

On Sat, 30 Sep 2017, Phil Rosenthal wrote:

Has anyone heard anything about Liberty Cablevision / AS14638?


The first public statement I've seen from LibertyPR was yesterday. Their
network was completely down.  They've restored some of their main 
infrastructure, i.e. cable headends and main fiber connections.

100% of subscribers are out of service.

I've seen pictures on twitter of LibertyPR crews fixing cables and poles 
on the island.


Re: Hurricane Maria: Summary of communication status - and lack of

2017-09-30 Thread Sean Donelan
The Government of Puerto Rico has created a map of working cell sites in 
Puerto Rico. I'm not certain about the source of the information. 
Cellular carriers usually object/refuse to release details about their 
operations.


http://status.pr/Maps

The map shows most working cell sites are in metro areas around San Juan. 
As I guessed, one or two cell sites in each county/municipality around the 
island.  There are almost no working cell sites covering the interior of 
the island.


Comparing the map to census bureau population maps indicates the working 
cell sites are in high population areas, which is necessary for disaster 
triage. Satellite phones are being distributed to mayors in the other 
counties/municipalities.


Re: AS PATH limits

2017-09-30 Thread Ken Chase
I don't see that as the solution. Someone else will offend again.

However, I also don't see trusting major backbones as our filters (for many
other reasons). Our software should be handling what's effectively a buffer
overflow or equivalent (beware long paths that are actually shellcode).

Quagga among others seems to be subject to this bug, pre 0.99.23 or so
(.99.24+ seems ok). So upgrading is a solution.

There was also some chatter on the quagga mailing list on how it's more
pleasant to stab your eyeballs out rather than constructing extremely long
regexp's that might work as a filter.

https://lists.quagga.net/pipermail/quagga-users/2017-September/thread.html

/kc


On Sat, Sep 30, 2017 at 05:30:03PM +0200, Niels Raijer said:
  >My message to NANOG about this from 12:31 UTC today is still in the 
moderation queue. I had opened a support case with Cogent before writing my 
message to NANOG and Cogent has let me know approximately 40 minutes ago that 
they have contacted their customer. 
  >
  >Niels 
  >
  >
  >
  >On 30 Sep 2017, at 17:09, sth...@nethelp.no wrote:
  >
  >>> If you're on cogent, since 22:30 UTC yesterday or so this has been 
happening
  >>> (or happened).
  >> 
  >> Still happening here. I count 562 prepends (563 * 262197) in the
  >> advertisement we receive from Cogent. I see no good reason why we
  >> should accept that many prepends.
  >> 
  >> Steinar Haug, Nethelp consulting, sth...@nethelp.no
  >

-- 
Ken Chase - m...@sizone.org  Guelph Canada


Re: Peering at public exchange authentication

2017-09-30 Thread Dave Temkin
Talks about GSRs and Sup720's, but still relevant today.
https://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf

-Dave

On Fri, Sep 29, 2017 at 11:05 AM, BRAD RAYMO  wrote:

> Its up to you and how you want to manage your sessions. Some networks
> require it, some prefer it but do not require it, and others do not want to
> use it at all.
>
> On Fri, Sep 29, 2017 at 10:41 AM, craig washington <
> craigwashingto...@hotmail.com> wrote:
>
> > Hello all,
> >
> >
> > Wondering your views or common practices for using authentication via BGP
> > at public exchange locations.
> >
> > Just for example, lets say you peer with 5 people in the TELX in Atlanta,
> > do you require them to all use authentication for the BGP session?
> >
> > Ive seem some use it and some not use it, is it just a preference?
> >
> >
>


Re: AS PATH limits

2017-09-30 Thread jim deleskie
Maybe the next best path had, had 562 prepends? :)



On Sat, Sep 30, 2017 at 12:09 PM,  wrote:

> > If you're on cogent, since 22:30 UTC yesterday or so this has been
> happening
> > (or happened).
>
> Still happening here. I count 562 prepends (563 * 262197) in the
> advertisement we receive from Cogent. I see no good reason why we
> should accept that many prepends.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>


Re: AS PATH limits

2017-09-30 Thread sthaug
> If you're on cogent, since 22:30 UTC yesterday or so this has been happening
> (or happened).

Still happening here. I count 562 prepends (563 * 262197) in the
advertisement we receive from Cogent. I see no good reason why we
should accept that many prepends.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: AS PATH limits

2017-09-30 Thread Ken Chase
If you're on cogent, since 22:30 UTC yesterday or so this has been happening
(or happened).

*> 186.177.184.0/23 38.*.*.*45050 0 174 262206 262206 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 ?

oddly, i see other pops with 174 sources giving a more sane route (even 6939
is giving us a route that goes thru 174 after 2 hops). 'Sup, 174?

Wonder if this is just stuck in the router I'm looking at and the update
process is failing because the route is too long to process properly for
removal or something. (mmm, bugs!)

/kc
-- 
Ken Chase - m...@sizone.org Guelph Canada


Re: Hurricane Maria: Summary of communication status - and lack of

2017-09-30 Thread Rod Beck
The whole thing is a disgrace.



From: NANOG  on behalf of Phil Rosenthal 

Sent: Saturday, September 30, 2017 3:47 PM
To: Jean-Francois Mezei
Cc: nanog@nanog.org
Subject: Re: Hurricane Maria: Summary of communication status - and lack of

Has anyone heard anything about Liberty Cablevision / AS14638?

Our Netflow stats show a traffic drop to zero at the moment of landfall of 
Maria, late on 9/19, and a continued flat line at zero until now. Almost 11 
days without a single packet exchanged. This is (as far as I am aware), the #2 
largest ISP in Puerto Rico.

By comparison, Claro’s traffic certainly has dropped by a large degree, but it 
always stayed at least slightly above zero, and is roughly at 10% of normal 
traffic levels today.

-Phil


Re: Hurricane Maria: Summary of communication status - and lack of

2017-09-30 Thread Phil Rosenthal
Has anyone heard anything about Liberty Cablevision / AS14638?

Our Netflow stats show a traffic drop to zero at the moment of landfall of 
Maria, late on 9/19, and a continued flat line at zero until now. Almost 11 
days without a single packet exchanged. This is (as far as I am aware), the #2 
largest ISP in Puerto Rico.

By comparison, Claro’s traffic certainly has dropped by a large degree, but it 
always stayed at least slightly above zero, and is roughly at 10% of normal 
traffic levels today.

-Phil