Re: Long BGP AS paths

2017-10-02 Thread Tim Evens


Yikes, my bad. In the CSV file it didn't seem so large. I set up a
dashboard where you can browse the longest AS paths for the selected
time period. Check out
demo-rv.snas.io:3000/dashboard/db/top-as-paths?orgId=2 [3]. Change the
time range to see those longer paths. They are no longer current in the
last hour since Cogent filtered them. 

--Tim 

On 01.10.2017 14:29, Tim Evens wrote: 

> The outliers are >100. Based on several peering points, <= 60 should be
> fine. See attached CSV file that shows the top 120 distinct AS Paths
> seen for the past month. Looks like 55644 likes to prepend a lot which
> is pushing the length above 50. 
> 
> --Tim 
> 
> On 01.10.2017 09:16, marcel.duregards--- via NANOG wrote:
>
>> What would be a recommended value for a maximum as-path filter ?
>>
>> 50 ?
>>
>> On the DFZ I've only 11 prefixes longer than 30 as-path, so for safety I
>> would also assume 50 as a max is well enough. Any advice ?
>>
>> Regards,
>> -
>> Marcel
>>
>> On 01.10.2017 00:29, William Herrin wrote:
>>
>>> To the chucklehead who started announcing a 2200+ byte AS path yesterday
>>> around 18:27 EDT, I beg of you: STOP. You've triggered a bug in Quagga
>>> that's present in all versions released in the last decade. Your
>>> announcement causes routers based on Quagga to send a malformed update to
>>> their neighbors, collapsing the entire BGP session. Every 30 seconds or so.
>>>
>>> For everyone else: please consider filtering BGP announcements with
>>> stupidly long AS paths. There's no need nor excuse for them to be present
>>> in the DFZ and you could have saved me a painful Saturday.
>>>
>>> Cisco:
>>>
>>> router bgp XXX
>>>  bgp maxas-limit 50
>>>
>>> Juniper:
>>> https://kb.juniper.net/InfoCenter/index?page=content&id=KB29321 [1]
>>>
>>> Quagga:
>>>
>>> ip as-path access-list maxas-limit50 deny ^([{},0-9]+ ){50}
>>> ip as-path access-list maxas-limit50 permit .*
>>>
>>> Regards,
>>> Bill Herrin
>
> .


Links:
--
[1] https://kb.juniper.net/InfoCenter/index?page=content&id=KB29321
[2] https://kb.juniper.net/InfoCenter/index?page=content&id=KB29321
[3] demo-rv.snas.io:3000/dashboard/db/top-as-paths?orgId=2


Re: Long BGP AS paths

2017-10-01 Thread Tim Evens


Looks like attachments do not work in the mailer. See below, a bit ugly,
but it's CSV so you should be able to cut/paste it to check it out. 

timestamp,as_path_length,as_path

Re: Long BGP AS paths

2017-10-01 Thread Scott Weeks



> Nowhere in the BGP RFCs it says it is okay for the 
> software to crash.

:: we could send a community to signal that it's ok 
:: to crash

Call it the ECB.  (Evil Crash Bit).  ;-)

scott



Re: Long BGP AS paths

2017-10-01 Thread Randy Bush
> Nowhere in the BGP RFCs it says it is okay for the software to crash.

we could send a community to signal that it's ok to crash

randy


Re: Long BGP AS paths

2017-10-01 Thread William Herrin
On Sun, Oct 1, 2017 at 1:06 PM, Kelly Dowd  wrote:

> On Sun, Oct 1, 2017 at 12:29 AM, William Herrin  wrote:
>
>> To the chucklehead who started announcing a 2200+ byte AS path yesterday
>> around 18:27 EDT, I beg of you: STOP. You've triggered a bug in Quagga
>>
>
> Is this better or worse than the "chucklehead" who is running buggy
> routing kit and complaining about what is a perfectly valid configuration?
>

Hi Kelly,

Show me a reasonable use case for an AS path that's much longer than the
Internet is wide and I'll withdraw my complaint.

Your software has bugs too. You just didn't get bitten. This time.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Long BGP AS paths

2017-10-01 Thread Tim Evens


The outliers are >100. Based on several peering points, <= 60 should be
fine. See attached CSV file that shows the top 120 distinct AS Paths
seen for the past month. Looks like 55644 likes to prepend a lot which
is pushing the length above 50. 

--Tim 

On 01.10.2017 09:16, marcel.duregards--- via NANOG wrote: 

> What would be a recommended value for a maximum as-path filter ?
> 
> 50 ?
> 
> On the DFZ I've only 11 prefixes longer than 30 as-path, so for safety I
> would also assume 50 as a max is well enough. Any advice ?
> 
> Regards,
> -
> Marcel
> 
> On 01.10.2017 00:29, William Herrin wrote:
> 
>> To the chucklehead who started announcing a 2200+ byte AS path yesterday
>> around 18:27 EDT, I beg of you: STOP. You've triggered a bug in Quagga
>> that's present in all versions released in the last decade. Your
>> announcement causes routers based on Quagga to send a malformed update to
>> their neighbors, collapsing the entire BGP session. Every 30 seconds or so.
>>
>> For everyone else: please consider filtering BGP announcements with
>> stupidly long AS paths. There's no need nor excuse for them to be present
>> in the DFZ and you could have saved me a painful Saturday.
>>
>> Cisco:
>>
>> router bgp XXX
>>  bgp maxas-limit 50
>>
>> Juniper:
>> https://kb.juniper.net/InfoCenter/index?page=content&id=KB29321 [1]
>>
>> Quagga:
>>
>> ip as-path access-list maxas-limit50 deny ^([{},0-9]+ ){50}
>> ip as-path access-list maxas-limit50 permit .*
>>
>> Regards,
>> Bill Herrin
> 
> .



Links:
--
[1] https://kb.juniper.net/InfoCenter/index?page=content&id=KB29321
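
The check discussed in the message above (raw path length against a cap, and which AS is doing the prepending) can be scripted as follows. This is an added example, not part of the original post or of any tool named in the thread; it assumes the CSV columns posted elsewhere in the thread, and its rows are constructed (the first imitates the shape of the posted path with an invented repeat count of 60).

```python
import csv
import io
from itertools import groupby

def analyze(as_path):
    """Length as received, length with prepends collapsed, and the longest run."""
    hops = as_path.split()
    if not hops:
        return {"length": 0, "collapsed": 0, "worst_asn": None, "worst_run": 0}
    # Consecutive repeats of one ASN are prepends; each run counts as one hop.
    runs = [(asn, len(list(group))) for asn, group in groupby(hops)]
    worst_asn, worst_run = max(runs, key=lambda run: run[1])
    return {"length": len(hops), "collapsed": len(runs),
            "worst_asn": worst_asn, "worst_run": worst_run}

def over_limit(csv_text, limit):
    """Rows whose AS path has more than `limit` elements, longest first."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        info = analyze(row["as_path"])
        if info["length"] > limit:
            flagged.append((row["timestamp"], info))
    return sorted(flagged, key=lambda item: item[1]["length"], reverse=True)

def sample_csv():
    """Constructed rows in the thread's layout: timestamp,as_path_length,as_path."""
    paths = [
        "2518 2914 174 262206 262206 " + " ".join(["262197"] * 60),
        "64496 64497 64498",
        "64496 64499 " + " ".join(["64500"] * 10),
    ]
    lines = ["timestamp,as_path_length,as_path"]
    for i, path in enumerate(paths):
        lines.append("2017-09-29 22:26:4%d,%d,%s" % (i, len(path.split()), path))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for timestamp, info in over_limit(sample_csv(), 50):
        print(timestamp, info)
```

The collapsed count is the number of distinct consecutive hops, which is what separates a path that is long because of prepending from one that is long because it crosses many networks.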


Re: Long BGP AS paths

2017-10-01 Thread Jon Lewis

On Sun, 1 Oct 2017, sth...@nethelp.no wrote:

>> Could you list which prefix(es) you saw were being announced with these
>> long AS paths?
>
> 186.177.184.0/23 - still being announced with 533 occurrences of 262197
> in the AS path.


aut-num: AS262197
owner:   MILLICOM CABLE COSTA RICA S.A.
ownerid: CR-ACCR1-LACNIC
responsible: Jonathan Cisneros
address: 350mts Oeste del Ministerio de Agricultura, frente a entrada principal UCIMED, Sabana Oeste, 0, 0
address: 10108 - San José - SJ
country: CR
phone:   +50 2 2790099 []
owner-c: JOC63
routing-c:   JOC63
abuse-c: ATR9
created: 20130709
changed: 20140804

Anyone care to bet on whether they're using a Mikrotik and did

/routing filter add set-bgp-prepend=262197

and this somehow got truncated to fewer than the "requested" 262197 
prepends?  I'm seeing 562 prepends...which doesn't seem to work out to any 
obvious amount of bitwise truncation/wrap.


--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Long BGP AS paths

2017-10-01 Thread sthaug
> Could you list which prefix(es) you saw were being announced with these
> long AS paths?

186.177.184.0/23 - still being announced with 533 occurrences of 262197
in the AS path.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: Long BGP AS paths

2017-10-01 Thread Mark Price
Hi Bill,

Could you list which prefix(es) you saw were being announced with these
long AS paths?


Mark



On Sat, Sep 30, 2017 at 6:29 PM, William Herrin  wrote:

> To the chucklehead who started announcing a 2200+ byte AS path yesterday
> around 18:27 EDT, I beg of you: STOP. You've triggered a bug in Quagga
> that's present in all versions released in the last decade. Your
> announcement causes routers based on Quagga to send a malformed update to
> their neighbors, collapsing the entire BGP session. Every 30 seconds or so.
>
> For everyone else: please consider filtering BGP announcements with
> stupidly long AS paths. There's no need nor excuse for them to be present
> in the DFZ and you could have saved me a painful Saturday.
>
> Cisco:
>
> router bgp XXX
>  bgp maxas-limit 50
>
>
> Juniper:
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB29321
>
>
> Quagga:
>
> ip as-path access-list maxas-limit50 deny ^([{},0-9]+ ){50}
> ip as-path access-list maxas-limit50 permit .*
>
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Dirtside Systems . Web: 
>


Re: Long BGP AS paths

2017-10-01 Thread marcel.duregards--- via NANOG
What would be a recommended value for a maximum as-path filter ?

50 ?

On the DFZ I've only 11 prefixes longer than 30 as-path, so for safety I
would also assume 50 as a max is well enough. Any advice ?

Regards,
-
Marcel



On 01.10.2017 00:29, William Herrin wrote:
> To the chucklehead who started announcing a 2200+ byte AS path yesterday
> around 18:27 EDT, I beg of you: STOP. You've triggered a bug in Quagga
> that's present in all versions released in the last decade. Your
> announcement causes routers based on Quagga to send a malformed update to
> their neighbors, collapsing the entire BGP session. Every 30 seconds or so.
> 
> For everyone else: please consider filtering BGP announcements with
> stupidly long AS paths. There's no need nor excuse for them to be present
> in the DFZ and you could have saved me a painful Saturday.
> 
> Cisco:
> 
> router bgp XXX
>  bgp maxas-limit 50
> 
> 
> Juniper:
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB29321
> 
> 
> Quagga:
> 
> ip as-path access-list maxas-limit50 deny ^([{},0-9]+ ){50}
> ip as-path access-list maxas-limit50 permit .*
> 
> 
> Regards,
> Bill Herrin
> 
> 

.


Re: Long BGP AS paths

2017-09-30 Thread William Herrin
On Sat, Sep 30, 2017 at 6:34 PM, Ken Chase  wrote:

> The quagga thread I read specifically indicates that some (most?) versions
> don't accept the {n,m} regexp repeat format. Thus the regexps as long as the
> path you want to filter... :/
>

Howdy,

If it was configured with --enable-pcreposix I believe it supports the
regex. Most installs that come straight from a Linux distro used this flag.

Regards,
Bill


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Long BGP AS paths

2017-09-30 Thread Job Snijders
On Sat, 30 Sep 2017 at 15:33, William Herrin  wrote:

> To the chucklehead who started announcing a 2200+ byte AS path yesterday
> around 18:27 EDT, I beg of you: STOP. You've triggered a bug in Quagga
> that's present in all versions released in the last decade. Your
> announcement causes routers based on Quagga to send a malformed update to
> their neighbors, collapsing the entire BGP session. Every 30 seconds or so.
>
> For everyone else: please consider filtering BGP announcements with
> stupidly long AS paths.



Nowhere in the BGP RFCs it says it is okay for the software to crash. Bugs
happen. You patch and move on. :-)



Re: Long BGP AS paths

2017-09-30 Thread Ken Chase
The quagga thread I read specifically indicates that some (most?) versions don't
accept the {n,m} regexp repeat format. Thus the regexps as long as the
path you want to filter... :/

..or upgrade.

/kc


On Sat, Sep 30, 2017 at 06:29:36PM -0400, William Herrin said:
  >To the chucklehead who started announcing a 2200+ byte AS path yesterday
  >around 18:27 EDT, I beg of you: STOP. You've triggered a bug in Quagga
  >that's present in all versions released in the last decade. Your
  >announcement causes routers based on Quagga to send a malformed update to
  >their neighbors, collapsing the entire BGP session. Every 30 seconds or so.
  >
  >For everyone else: please consider filtering BGP announcements with
  >stupidly long AS paths. There's no need nor excuse for them to be present
  >in the DFZ and you could have saved me a painful Saturday.
  >
  >Cisco:
  >
  >router bgp XXX
  > bgp maxas-limit 50
  >
  >
  >Juniper:
  >https://kb.juniper.net/InfoCenter/index?page=content&id=KB29321
  >
  >
  >Quagga:
  >
  >ip as-path access-list maxas-limit50 deny ^([{},0-9]+ ){50}
  >ip as-path access-list maxas-limit50 permit .*
  >
  >
  >Regards,
  >Bill Herrin
  >
  >
  >-- 
  >William Herrin  her...@dirtside.com  b...@herrin.us
  >Dirtside Systems . Web: 

-- 
Ken Chase - m...@sizone.org Guelph Canada
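
For builds that reject the {n} repeat mentioned in the message above, the access-list pattern can be generated with the repeat written out and checked against the bounded form. This is an added example, not code from the thread or from Quagga; Python's `re` stands in for the router's regex engine (an assumption), and the paths are constructed strings using documentation ASNs.

```python
import re

# One AS-path element plus the space after it, exactly as in the thread's regex.
ELEMENT = "[{},0-9]+ "

def bounded_pattern(limit):
    """Form posted in the thread; needs a regex engine that accepts {n} repeats."""
    return "^(" + ELEMENT + "){" + str(limit) + "}"

def expanded_pattern(limit):
    """Same match with the repeat written out, for engines without {n} support."""
    return "^" + ELEMENT * limit

def access_list(name, limit, expand=False):
    """The two access-list lines from the thread, with either pattern form."""
    pattern = expanded_pattern(limit) if expand else bounded_pattern(limit)
    return ["ip as-path access-list %s deny %s" % (name, pattern),
            "ip as-path access-list %s permit .*" % name]

def constructed_path(n):
    """Constructed path: n elements, single spaces, no trailing space.
    Every tenth element is an AS set, to exercise the braces and comma."""
    return " ".join("{64500,64501}" if i % 10 == 0 else "64496" for i in range(n))

def first_denied_length(pattern, upto):
    """Shortest constructed path (in elements) that the deny pattern matches."""
    rx = re.compile(pattern)
    for n in range(1, upto + 1):
        if rx.search(constructed_path(n)):
            return n
    return None

if __name__ == "__main__":
    for line in access_list("maxas-limit50", 50, expand=True):
        print(line)
    print(first_denied_length(bounded_pattern(50), 60),
          first_denied_length(expanded_pattern(50), 60))
```

On these strings both forms first match at 51 elements, because every counted element must be followed by a space. How a given bgpd renders the path before matching is not tested here, so confirm the boundary on the router before relying on an exact cap.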