RE: Default route with object tracking
To be absolutely safe, choose 4-5 of the ideas, track all of them and use a composite track object to combine them :) You can find a lot more details (including the oscillating routing problem) here: http://www.nil.com/ipcorner/SmallSiteMultiHoming/ http://wiki.nil.com/Small_site_multihoming Good luck! Ivan Pepelnjak blog.ioshints.info / www.ioshints.info -Original Message- From: Andrey Gordon [mailto:andrey.gor...@gmail.com] Sent: Monday, February 01, 2010 4:14 PM To: Nanog Subject: Default route with object tracking Hi list. I'd like to setup my default routes to the Interwebz to be conditional on reachability of something on the Interwebz. I got two different ISPs (no BGP). I'm trying to figure out what would be a reliable object to track? Meaning, it's probably not reasonable to track my ISPs default gateway, since it does not protect me from someone on the ISP side screwing up. I'm thinking of tracking something like google.com, but am not sure if after I resolve google.com for the first time, it will be simply tracking an arbitrary server (or some load balancer). I wanted to see what experienced folks think is a reliable tracking target. Any comments are much appreciated. thank you, - Andrey Gordon [andrey.gor...@gmail.com]
RE: BGP testbed tools
This is how you can do it with Quagga: http://wiki.nil.com/Use_Quagga_to_generate_BGP_routes You could write a Perl (or whatever your favorite scripting language is) script to get Quagga/IOS configuration from live BGP data, but it would be non-trivial and the resulting configuration would be enormous. I know there was a similar discussion months ago on the NANOG mailing list; browse the archives. Ivan Pepelnjak blog.ioshints.info / www.ioshints.info -Original Message- From: Ben Jencks [mailto:b...@bjencks.net] Sent: Tuesday, January 12, 2010 9:28 PM To: nanog@nanog.org Subject: BGP testbed tools This is obviously a rookie question, but I haven't found anything by searching. I'm looking to set up a small testbed to simulate our internal network topology, and I want to have a realistic BGP table from the fake upstream routers. Ideally what I'd like to do is dump the BGP table from our production routers, strip the immediate neighbor AS, and load the table into Quagga or OpenBGPD to advertise. I'm running into two problems: how do you dump BGP tables in a machine-parseable format from IOS, and how do you make the route server advertise the routes as they were in the original table, including the full AS-path, communities, etc? If Quagga/OpenBGPD aren't the right tools, I'm happy to use something else. This seems like it would be a pretty standard thing to do, but none of the tools I've found seem aimed at this sort of testbed. Thanks! -Ben Jencks
RE: Consumer-grade dual-homed connectivity options?
At home, I currently run two DSL lines. Right now, we just have two separate LANs, one connected to each line, with my wife's devices attached to one, and my devices attached to the other. For a while now, I've been thinking about setting up a load-balancing routing solution to give both of us access to both lines. If you decide to use an IOS-based router, you'll find most what you need here: http://wiki.nil.com/Small_site_multihoming Ivan Pepelnjak blog.ioshints.info / www.ioshints.info
RE: Routing to multiple uplinks
Am I right in assuming that you're establishing application-layer sessions to two hosts with two different IP addresses (outside of your control) which provide (close to) identical services? If so, there's not much you can do outside of the application itself (at least if you want a semi-robust solution). You could try (reverse) load balancer, but even then the application session would have to be disconnected before being switched over to the other host. As stated before Path A and Path B are two distinct paths they do however provide identical services but application state is not preserved. A new session and state must be established if a user decides to switch between paths. Ivan Pepelnjak blog.ioshints.info / www.ioshints.info
RE: fight club :) richard bennett vs various nanogers, on paid peering
Oh wait, those billions got pocketed - if the massive fiber buildout had happened, we'd have so much bandwidth that neutrality wouldn't be an issue... Maybe this is how the fiber got used :)) http://en.wikipedia.org/wiki/RFoG
RE: MPLS Services
This might give you some ideas (also solves the overlapping customer address problem): http://www.nil.com/ipcorner/FlexExtraImplement/ Ivan http://www.ioshints.info/about http://blog.ioshints.info/ -Original Message- From: Kenny Sallee [mailto:kenny.sal...@gmail.com] Sent: Friday, August 28, 2009 6:28 PM To: nanog@nanog.org Subject: MPLS Services Questions for the community: from a Application Service Provider perspective - how / can one provide application access to a group of Enterprises where the ASP provider provides ASP like applications to all Enterprise customers who have multiple locations and who may or may not have overlapping addresses? Each Enterprise is it's own business and we cannot allow connectivity between each other We've struggled internally with this. MPLS and using BGP communities seems to be the solution. But I am trying to understand / think through the configuration of it from a CE and PE side perspective. Lab configs to follow but here's what I'm thinking: - From the CE side we could ask for 2 frame PVC's - each in it's own VRF on the PE side. Call 1 VRF private and 2nd VRF public. In the Private VRF advertise all CE routes between customer A for example. Each CE customer would have their own VRF on the MPLS providers network. - From the CE, In Public VRF advertise a network range we provide the clients and NAT traffic destined for the shared environment to the public range - On each CE router only permit route updates on the Public VRF for BGP communities that belong to that customer and our shared segments. Could also do this with just route filtering by ACL/prefix lists. On the Private VRF no need to filter incoming but filter outgoing to contain routing domain consistency (only send updates for CE networks) - In the Public VRF from ASP side - advertise all shared services routes. Accept all updates on Public VRF. No access to Private VRF's here. Thoughts? Thanks, Kenny
RE: OSPF vs IS-IS vs PrivateAS eBGP
Configure eBGP from your edge to the client edge using private-AS. Since I already have copy/paste templates (thanks to RANCID), I make it a habit to ensure filters are at both ends. Goes without saying that BCP-38 is followed, and strict is deployed everywhere possible. peer-group and regexes are handy. If you're starting from scratch, use peer templates, they are slightly more versatile than the peer groups and allow (limited) inheritance. Ivan http://www.ioshints.info/about http://blog.ioshints.info/
RE: OSPF vs IS-IS vs PrivateAS eBGP
Do not EVER run an SPF routing protocol with your customer. They can insert anything they want into it (due to configuration mistake, malicious intent or third-party hijacking) and your whole network (or at least the other customers) will be affected. Just to give you a few examples: * They could hijack the host route to your DNS server and spoof every other customer of yours that uses your DNS * They could hijack the host route to your POP3 server and collect the usernames and passwords of your residential users * Company A could hijack the host route to the web server of company B. * They could insert a better default route than you do and at least some of your routers will listen to them. * If they ever make a total mess and start flapping their LSAs, your whole network will be affected and all your routers will burn CPU running SPF algorithm. If you absolutely insist on not using BGP (but then BGP is the only currently available routing protocol designed to handle routing in scenarios where the two parties don't necessarily trust each other), use RIP. It's safer than OSPF, at least you can filter the incoming updates. Ivan http://www.ioshints.info/about http://blog.ioshints.info/ -Original Message- From: Clue Store [mailto:cluest...@gmail.com] Sent: Wednesday, August 19, 2009 5:13 PM To: nanog@nanog.org Subject: OSPF vs IS-IS vs PrivateAS eBGP Hi All, I know this has been discussed probably many times on this list, but I was looking for some specifics about what others are doing in the following situations. I would like to run an IGP (currently OSPF) to our customers that are multi-homed in a non-mpls environment. They are multi-homed with small prefixes that are swipped from my ARIN allocations. OSPF has been flaky at best under certain conditions and I am thinking of making the move to IS-IS. I have also seen others going to private AS and running eBGP. This seems a bit much, but if it works, i'd make the move to it as I like bgp the most (all of the BGP knobs give me the warm and fuzzies :). I'd also like to see what folks are using in a MPLS network?? OSPFv3 or IS-IS or right to MP-BGP and redist static from the CE to PE??? On and off list are welcome. I'll make a summary after I gather the info. Thanks, Clue
RE: Anyone else seeing (invalid or corrupt AS path) 3 bytes E01100 ?
Anybody have a handy route-map that will deny anything with a as-path longer than say 15-20? ;-) http://wiki.nil.com/Filter_excessively_prepended_BGP_paths Ivan http://www.ioshints.info/about http://blog.ioshints.info/
RE: Anyone else seeing (invalid or corrupt AS path) 3 bytes E01100 ?
Ivan- Thanks for posting this how-to on excessive as prepends. I have a couple of questions that some of the less BGP savvy out their may find helpfull 1. In my enviornment, we are not doing full routes. We have partial routes from AS209 and then fail to AS7263. Is their any advantage for someone like me to do this, as we are not providing any IP transit so we are not passing the route table to anyone else? You could do it to protect your BGP table, but as you're not a transit AS, it does not make much sense. 2. When I run the sh ip bgp quote-regexp _([0-9]+)_\1_\1_\1_\1_ \1_ | begin Network I am seeing many many ASes that would be filtered by this access-list. Obviously a lot of people are prepend-happy. What happens to those networks, are they unreachable from my AS, or do I just route those networks to my upstream provider and let them deal with it? If I understood correctly, you're using a default route toward AS7263, which means that anything that is not in your BGP table (and consequently your IP routing table) will be sent out of your AS via the default route. If you're getting the paths you're filtering from AS209 that means that more traffic will go to AS7263. 3. This last question is a little OT, but relates to your access list In the event of some kind if DOS attack coming from one of a few AS numbers (in this case we will use 14793), what is the feesability of using ip as-path access-list 100 deny _([0-9]+)_\1_\1_\1_\1_ ip as-path access-list 100 deny 14793 ip as-path access-list 100 permit .* Would this have any affect at all, or would my pipe from my upstream still be congested with garbage traffic ? No. You cannot influence the inbound traffic apart from not advertising some of your prefixes to some of your neighbors or giving them hints with BGP communities or AS-path prepending. Whatever you do with BGP on your routers influences only the paths the outbound traffic is taking. What you'd actually need is remote-triggered black hole. Search the Nanog archives for RTBH, you'll find a number of links in a message from Frank Bulk sent a few days ago. Hope this helps Ivan http://www.ioshints.info/about http://blog.ioshints.info/
RE: Data Center QoS equipment breaking http 1.1?
Facts first: name-based virtual hosts depend on the HOST header in the HTTP/1.1 request to select the virtual web server. I poured over my configs (I've done this config countless times), and saw this in the apache docs: http://httpd.apache.org/docs/2.2/vhosts/name-based.html Some operating systems and network equipment implement bandwidth management techniques that cannot differentiate between hosts unless they are on separate IP addresses. Thanslated into networking engineerese: since the QoS equipment (including routers unless you use HTTB NBAR) cannot peer into contents of the TCP session, it cannot find the HOST header and thus cannot decide which virtual host the traffic belongs to, making it impossible to enforce per-virtual-host QoS policies. So, I installed lynx on the server, and sure enough, it worked perfectly fine there, just not from anywhere outside eSecuredata's network that I could see. Can anyone shed any light on this particular practice, of this company in particular? What you're experiencing usually means only one thing: they're using a box that messes with HTTP headers. It could be a misconfigured DPI box, a transparent (broken) HTTP proxy or a custom-developed wizardry. Configure the Apache logs (http://httpd.apache.org/docs/2.2/logs.html) to log the virtual host name in the HTTP request (the %{host}i directive) or use Wireshark on your client and the server to inspect it. If you find out they're messing with the HOST header (as suspected) switch the provider immediately. Ivan http://www.ioshints.info/about http://blog.ioshints.info/
RE: BGP Growth projections
Let me be the devil's advocate: why would you need full Internet routing? Taking reasonably sized neighborhoods of your upstreams (AS paths up to X AS numbers) plus a default to your best upstream might do the trick. Ivan http://www.ioshints.info/about http://blog.ioshints.info/ -Original Message- From: Mark Radabaugh [mailto:m...@amplex.net] Sent: Friday, July 10, 2009 6:42 PM To: nanog list Subject: BGP Growth projections I'm looking for new core routers for a small ISP and having a hard time finding something appropriate and reasonably priced. We don't have huge traffic levels (1Gb) and are mostly running Ethernet interfaces to upstreams rather than legacy interfaces (when did OC3 become legacy?). Lot's of choices for routers that can handle the existing BGP tables - but not so much in small platforms (1-10Gb traffic) if you assume that IPv6 is going to explode the routing table in the next 5 years.The manufacturers still seem to think low traffic routers don't need much memory or CPU. What projections are you using regarding the default free zone over the next 5 years when picking new hardware? -- Mark Radabaugh Amplex 419.837.5015 x21 m...@amplex.net
RE: Multi site BGP Routing design
I am thinking the multiple ASN route is the cleanest but the idea of letting a default gateway (via static route maybe) out the local upstream connection to reach the other site when the backnet link is down sounds like it would work with minimal to no headaches but it just some how seems like a duct tape job. Does this sort of technique have any significant flaws or concerns associated with it? It's a static route, so you're never sure the remote end (upstream router) is truly alive. In this respect, it would be much better to receive default route over BGP (if the upstream carrier is willing to implement it). On the other hand, it's a last-resort mechanism, so you'd only use it if everything else fails (and you don't care how reliable it is). Just make sure it's well documented and understood ... and think about what will happen when you add a third carrier to one of the sites. Last but not least, you could use reliable static routing (static route tied to ping tests). http://blog.ioshints.info/2007/02/reliable-static-routing.html http://blog.ioshints.info/search?q=static+routing Just my $0.002 :) Ivan http://www.ioshints.info/about http://blog.ioshints.info/
RE: Multi site BGP Routing design
To rephrase the OP's question, would it be BCP to acquire a second ASN, and without further de-aggregating, continue advertising each site's IP space to the DFZ, but from dissimilar ASs as opposed to the same one? This would definitely be the best approach. You're not introducing new IP prefixes and you're not extending AS paths, so the net effect on the global BGP routing is zero (OK, you might have to use the 4 byte AS number :). Just make sure that both ISPs you connect to allow you to advertise transit prefixes. If site A public link goes down, but the private link is up, site B will advertise its own address space plus site A's address space with an extra AS number in the AS path (and the upstream ISP might filter that). Ivan http://www.ioshints.info/about http://blog.ioshints.info/
RE: Multi-homed clients and BGP timers
For BFD to work, you need: * ISR + 12.4(15)T (or later) * 7200 with 12.4T or 12.2SRx * 7600/6500/GSR + 12.2SRB (or later) * ASR A complete list is at the bottom of this document: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fs_bfd.html You'll find some more BFD details and usage guidelines here: http://www.nil.com/ipcorner/bfd/ Best regards Ivan http://www.ioshints.info/about http://blog.ioshints.info/ Correct me if I'm wrong, but wasn't this exactly the type of situation that BFD was designed to detect and help with? I don't know, but I'm printing it[1] anyway to take home and read. It's been mentioned a few times, and clearly worth learning about. Thanks, Steve [1] http://bgp.potaroo.net/ietf/all-ids/draft-ietf-bfd-v4v6-1hop-09.txt
RE: Multi-homed clients and BGP timers
If you want to converge a little fast than BGP holdtimes here and the fiber link is directly between the routers, you might look at something akin to Cisco's bgp fast-external-fallover, which immediately resets the session if the link layer is reset or lost. For fast external fallover, your physical interface has to go down. Inside your network you could use BGP fast fallover (which drops BGP session after the IGP route to the neighbor is lost), details are here: http://www.nil.com/ipcorner/DesigningBGPNetworks/ Fast fallover with EBGP multihop is described here: http://wiki.nil.com/EBGP_load_balancing_with_EBGP_session_between_loopback_i nterfaces Ivan http://www.ioshints.info/about http://blog.ioshints.info/
Two interfaces one subnet (summary)
Anyone else want to unconfused Ben? I obviously cannot. The numerous misconceptions propagated in this thread prompted me to go through the relevant sections of RFC 1122 and write a short article on multihomed IP host issues. http://wiki.nil.com/Multihomed_IP_hosts Your contributions, either as an e-mail reply or direct wiki edit are most welcome. After the kinks have been ironed out, I'll add figures illustrating the points in the text. ** I would prefer wiki edits although I have to admit the registration is a bit of a pain and the anonymous edits are not allowed. Thanks in advance to anyone who decides to contribute :) Ivan http://www.ioshints.info/about http://blog.ioshints.info/
RE: IXP
I like would to know what are best practices for an internet exchange. I have some concerns about the following; Can the IXP members use RFC 1918 ip addresses for their peering? No. Those IP addresses will at least appear on traceroutes; also, it might not be such a good idea to use the same RFC1918 space (accidentally) on different IXPs. This will get your skin crawling (thing IGP, or at least config databases)... IXPs can usually get a v4 and a v6 block for their peering grid easily. Anyone with a decently configured firewall would block IP packets with source address from RFC1918 coming from the Internet. Your IXP would appear as a black hole in traceroute printout because the ICMP replies sent from the IXP IP addresses would be blocked. A while ago I've described a few more caveats in an article (see http://blog.ioshints.info/2008/08/private-ip-addresses-in-public-networks.ht ml). Ivan http://www.ioshints.info/about http://blog.ioshints.info/
RE: BGP and ios upgrade question
According to Cisco feature navigator, ios version 12.4(24)T (c1841-ipbasek9-mz.124-24.T.bin) can run in the 1841 and supports BGP (note that feature set is IPBASE): 1) It is common that a version with an IPBASE feature set supports BGP (some docs says that bgp support is included in SP services feature set)? Moving BGP into the IP Base feature set is a recent change. http://6200networks.com/2008/06/02/bgp-support-on-isr/ 2) Will ios version 12.4(24)T run OK in the 1841? I think the response will be YES because Cisco feature navigator says that it is supported and the router has the DRAM and FLASH needed by 14.4(24)T. Yes. Although I wouldn't necessarily use 12.4(24)T, the latest maintenance build of 12.4(15)T should be more stable. http://6200networks.com/2008/09/23/extended-support-for-cisco-ios-software%C 2%AE-release-12415t/ 3) Must the customer pay in order to download 12.4(24)T or he can download if he has a valid Cisco maintenance contract for that router? It's my understanding that you can download any software of the feature set you're entitled to use if you have SmartNet. Hope it helps Ivan http://www.ioshints.info/about http://blog.ioshints.info/
RE: ISIS route summarization
The short answer is NO. L2 IS-IS is a single SPF domain and all routers are supposed to have identical view of the network. If you want IS-IS-provided aggregation, you need to use L1 and L2. There are only two protocols that allow unlimited levels of aggregation: BGP and EIGRP :) Ivan http://www.ioshints.info/about http://blog.ioshints.info/ -Original Message- From: Jack Bates [mailto:jba...@brightok.net] Sent: Monday, February 23, 2009 10:26 PM To: nanog@nanog.org Subject: ISIS route summarization In a level2 only ISIS network (not using multiple areas due to MPLS limitations), is there a better method for handling aggregate routes than creating an aggregate and redistributing it into ISIS for each router? Primarily Cisco/Juniper based. Cisco I believe has an aggregate option in ISIS (similar to OSPF) and Juniper has a separate aggregate function which can be distributed into ISIS. Neither can do summarization per say unless they cross between levels; unless I'm mistaken. Offlist input is fine. Just trying to double check my brain while setting up IPv6 on the access edges. Link state does have it's limitations. ;) -Jack
RE: FW: Ctrl+Shift+6 then X
Just configure a different escape character with terminal escape x. For example, term esc 3 will make Ctrl/C the escape character (and Ctrl/C+X the escape sequence). Ctrl/^ is somewhat hard to get on some terminal emulators :) Ivan If anyone can tell me how to resolve this issue there's a strong possibility of a fedex'd beer. Using Putty or any other ssh/telnet terminal I find that Ctrl+Shift+6 then X (on a cisco) works only sometimes after beating your keyboard multiple times with a hammer, has anyone else come across or had a solution to this problem
RE: Lots of prepends - AS20912 case
From the end-user perspective, it makes sense to make the prepend parameter an integer. The only thing an end-user really needs is routing policy (primary/backup selection) and sometimes AS path prepending is the only solution. Allowing them to insert third-party AS numbers into the AS path increases their confusion (assuming they were never exposed to Cisco IOS). Obviously, the number of prepends has to be limited to something sensible (10 seems a good number, and it looks like Mikrotik has implemented that restriction). The set as-path prepend last-as is a completely different story; it's used to do proxy prepending for your customers. Ivan Pepelnjak http://blog.ioshints.info -Original Message- From: Mikael Abrahamsson [mailto:swm...@swm.pp.se] Sent: Friday, February 20, 2009 3:06 PM To: nanog@nanog.org Subject: Re: Lots of prepends - AS20912 case On Fri, 20 Feb 2009, Dorn Hetzel wrote: Replacing what is conventially thought to be a string with an integer multiplier seems a massive violation of the principle of least astonishment. On a Cisco running 12.0S: route-map test1 set as-path prepend last-as ? 1-10 number of last-AS prepends Cisco seems to be doing more sensible limits, but I do agree that the feature makes sense. There are two ways of handling when someone puts in a very high number to number of prepends: 1. Say out of limit and disallow it in the config checker. 2. Actually prepend the number of times specified. The option done here: 3. Prepend number of times entered modulo 256, is just broken. -- Mikael Abrahamssonemail: swm...@swm.pp.se
RE: anyone else seeing very long AS paths?
According to publicly available bug toolkit, CSCee30718 did not touch the maxas limit. The hard-coded maxas-limit in recent IOS releases is 254 (not 75 as suggested in a previous e-mail). Classic IOS (I did not test XE, XR or NX) can handle inbound updates with AS path lengths above 255, but fails miserably when it has to send an oversized update (producing invalid BGP UPDATE message), resulting in a flapping BGP session (anyone who wants to test this behavior and report/fix this bug can get all the files needed to reproduce it). The hard-coded maxas-limit prevents this behavior (254 + my AS = 255), but if you use AS-path prepending on outbound update, you're fried. The __ONLY__ way to be on the safe side is to configure bgp maxas-limit, otherwise someone who knows you're doing AS-path prepending on major peering sessions (and no inbound AS-path filtering) can selectively target your peering points. I've summarized everything I've discovered in various stress tests today (well, not the targeted attack :) in this article: http://wiki.nil.com/Limit_the_maximum_BGP_AS-path_length Feel free to improve it:) Ivan http://blog.ioshints.info -Original Message- From: German Martinez [mailto:gmart...@ajax.opentransit.net] Sent: Tuesday, February 17, 2009 7:55 PM To: Michael Ulitskiy Cc: nanog@nanog.org Subject: Re: anyone else seeing very long AS paths? On Tue Feb 17, 2009, Michael Ulitskiy wrote: Hello, CSCee30718 - it removes the default value of bgp max-as from the router. The solution is introduced in CSCeh13489 BGP shouldn't propogate an update w excessive AS Path 255 Symptoms: A router may reset its Border Gateway Protocol (BGP) session. Conditions: This symptom is observed when a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length that is equal to or greater than 255. Workaround: Configure the bgp maxas limit command in such as way that the maximum length of the AS path is a value below 255. When the router receives an update with an excessive AS path value, the prefix is rejected and recorded the event in the log. This workaround has been suggested previously by Hank. Anyone knows about any possible CPU impacts in case that you implement bgp maxas? Thanks German My bgp speaking devices are a couple of 7200s running 12.2(40). Not the newest IOS out there, but it's been doing the job just fine up until yesterday. Yesterday, when that malformed announcement hit my routers they didn't crash, but they did reset bgp sessions (even though I didn't accept the route) and they kept doing so until I got my upstream to filter it out. According to cisco bug toolkit CSCdr54230 should be fixed in 12.2, so obviously it's not enough. Does anybody know what IOS version has fix this problem, 'cause I couldn't find this info at CCO? Thanks, Michael On Tuesday 17 February 2009 10:21:07 am Etaoin Shrdlu wrote: Jared Mauch wrote: On Tue, Feb 17, 2009 at 08:07:36AM +0200, Hank Nussbacher wrote: They will keep trying and until a vast majority of ISPs implement maxas, this will keep happening. Or until people who are still running multi-year old cisco code actually upgrade? This seems to primarily impact: 1) Old cisco code 2) PC based bgp daemons Both of which likely just need to be upgraded. I actually suspect that a lot of people who dropped their bgp sessions did not notice something happened, and still will not upgrade their codeI suspect these people don't even know they have a bgp speaking device anymore. On the other hand, the fact that various entities have gone out of their way to advertise that they're running old hardware/out-of-date software has been noted elsewhere. I'd strongly suggest, if you're reading NANOG, that you update, before someone less pleasant and friendly than myself finds you. Please.
RE: anyone else seeing very long AS paths?
As far as I understand the issues :) There are two limits: the first one @ 128 AS numbers (where BGP switches to the 'extended length' of BGP attribute), the other one @ 256 AS numbers (where BGP has to use two AS_SEQUENCE segments). Old IOS releases break on the first boundary when processing INBOUND update. bgp maxas-limit cannot save you, as the router drops UPSTREAM BGP session before the update is fully processed. New IOS releases accept all INBOUND updates. Prefixes with AS-path length above 254 are never valid (the long printout contains maxas-limit status). bgp maxas-limit works on inbound updates and thus drops whatever you feel is oversized. New IOS release fail when sending OUTBOUND updates. If you've configured bgp maxas-limit, you're safe. If not, your DOWNSTREAM BGP session will be dropped by your neighbor receiving invalid BGP update. If your customers are using old IOS, there was nothing they could do to prevent the BGP session reset (apart from upgrading, obviously :). Who was the actual culprit depends on the AS-path length ... See above. Does this make sense? I know it's complex :) Ivan -Original Message- From: Jack Bates [mailto:jba...@brightok.net] Sent: Tuesday, February 17, 2009 8:31 PM To: Ivan Pepelnjak Cc: nanog@nanog.org Subject: Re: anyone else seeing very long AS paths? Ivan Pepelnjak wrote: Classic IOS (I did not test XE, XR or NX) can handle inbound updates with AS path lengths above 255, but fails miserably when it has to send an oversized update (producing invalid BGP UPDATE message), resulting in a flapping BGP session (anyone who wants to test this behavior and report/fix this bug can get all the files needed to reproduce it). Just to reconfirm. The issue arrives with sending an update, not receiving? So if an ISP does not have a limit and their IOS cannot handle this, they will send an invalid BGP UPDATE to the downstream peers causing them to reset regardless of their max as-path settings? Just trying to reconfirm, so I can inform my customers if there was anything they could do to prevent it, or if it is actually their provider that instigated the peer reset by sending invalid updates. -Jack
RE: anyone else seeing very long AS paths?
We were dropping ALL prefixes and the eBGP session was still resetting. Upstream or downstream? 1) bgp maxas-limit 75 had no effect mitigating this problem on the IOS we were using. That is: it was previously verified to be working just fine to drop paths longer than 75, but once we started receiving paths 255 then BGP started resetting. I was able to receive BGP paths longer than 255 on IOS release 12.2SRC. The paths were generated by Quagga BGP daemon. 12.2SRC causes the downstream session to break when the installed AS-path length is close to 255 and you use downstream AS-path prepending. In your case, I'm assuming you were hit with an older bug (probably at the 128 AS-path length boundary). It would be very hard to generate just the right AS-path length to unintentionally break your upstream EBGP session (as I said before, it's a nice targeted attack if you know your downstream topology). If your IOS is vulnerable to the older bugs that break inbound processing of AS paths longer than 128, there's nothing you can do on your end. The internal BGP checks reject the inbound update before the inbound filters (or bgp maxas-limit) can touch it and reset the upstream BGP session. Hope this helps Ivan Disclaimer: as I don't have internal access to Cisco, all of the above is a result of lab tests.