Re: AS PATH limits

2017-12-23 Thread Baldur Norddahl
On 23 Dec 2017 at 01:02, "Nick Hilliard" wrote:

> This isn't about sympathy or caring or not caring or anything else, but
> the uncomfortable fact that with a pool this large, mistakes are going
> to happen from time to time, whether we like it or not.

It is not even a mistake but just some uninformed guy thinking I really
want this to be a path of last resort, so I will write a real large number
in this field.


Re: AS PATH limits

2017-12-22 Thread Nick Hilliard
Ken Chase wrote:
> (And I'd fix it _right now_, but it's at my major customer's 
> discretion.

ok, so this is a customer management problem. If this is the only
customer on that router, then ok, if they want to continue putting
themselves at risk of service loss, I guess that would be their concern.

If there's anyone else connected to this router, then you would probably
want to consider moving them off it, because you seem to have said
that you may not have full control of your business assets. If this is
the case, it isn't a good situation to be in and will lead to issues
like this turning into serious longer term problems.

> read the first table on page 3 and then explain the philosophy of
> not caring about this as a general issue affecting the entire
> internet. That's not, to date, been the attitude I've seen in here or
> elsewhere amongst admins, and I don't see why we should start now.

Globally, there are 59000 ASNs announcing a total of 670k ipv4 prefixes
and 45k ipv6 routes. If any one of those prefixes is announced anywhere
in the world with an oddball as-path, then this puts vulnerable
versions of quagga at risk of service loss.

This isn't about sympathy or caring or not caring or anything else, but
the uncomfortable fact that with a pool this large, mistakes are going
to happen from time to time, whether we like it or not. It's as-path
length this time, but on previous occasions it's been attribute size, or
incorrect attribute combos or, well, a small catalog of other problems
that have caused bgp session failure globally over the years.

It's each of our responsibility to ensure that our systems are resistant
to problems like this, not other peoples' responsibility to ensure that
our networks don't get hit by third party misconfigs.

Nick


Re: AS PATH limits

2017-12-22 Thread William Herrin
On Fri, Dec 22, 2017 at 5:57 PM, Scott Weeks  wrote:

> Well, that's a brilliant platitude, but what do you do
> when it breaks over and over until the other guy upgrades?
> ---
>
>
> Filter that network out of your tables until it's fixed? :)


Good luck with that since the BGP session collapses in the process of
receiving that corrupted data. That's the bug. The other guy's router could
filter the prefix but if he doesn't he fouls the BGP session to everybody
he tries to peer it to.

Regards.
Bill Herrin

-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: AS PATH limits

2017-12-22 Thread Ken Chase
I've found some other stuff that's totally busted, but screw those who haven't
patched their systems. We should not help them at all as knowledgeable stewards
of big chunks of bandwidth, we should just write stuff about how silly they
are instead:

 https://www.usenix.org/system/files/conference/woot14/woot14-kuhrer.pdf

read the first table on page 3 and then explain the philosophy of not caring
about this as a general issue affecting the entire internet. That's not, to
date, been the attitude I've seen in here or elsewhere amongst admins, and I
don't see why we should start now.

(And I'd fix it _right now_, but it's at my major customer's discretion. I've
explained the risks, he's taken them to heart. He too is an actual seasoned
admin (with quagga experience), but turned off his AS last year and got out of
the game. He has his reasons for waiting a bit longer.)

/kc


On Fri, Dec 22, 2017 at 11:11:44PM +, Nick Hilliard said:
  >William Herrin wrote:
  >> On Fri, Dec 22, 2017 at 5:45 PM, Nick Hilliard  wrote:
  >> If you've been hit with a known service-affecting problem that can
  >> easily recur without warning and which will be service affecting if it
  >> hits again, common sense suggests that it would be a good idea to
  >> upgrade to a version of code which isn't affected.
  >> 
  >> Well, that's a brilliant platitude, but what do you do when it breaks
  >> over and over until the other guy upgrades?
  >
  >I dunno, maybe shake our fists and rage a bit about the existence of
  >service affecting bugs?  It's not like we haven't all been in this
  >position at one stage or another.
  >
  >The point was, though, that there's been several months since this bug
  >was discussed on nanog-l way back in balmy september, and given the fact
  >that it can completely wipe out connectivity without warning for those
  >affected, it would have been a good idea to deal with the problem in an
  >orderly way at the time rather than letting it interfere with eggnog and
  >seasonal good cheer, at one of the times of year where chunks of the
  >world are busy taking well-deserved holidays.
  >
  >On which point, seasonal cheers to all.
  >
  >Nick
  >

-- 
Ken Chase - k...@heavycomputing.ca skype:kenchase23 +1 416 897 6284 Toronto Canada
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.


Re: AS PATH limits

2017-12-22 Thread Nick Hilliard
William Herrin wrote:
> On Fri, Dec 22, 2017 at 5:45 PM, Nick Hilliard  wrote:
> If you've been hit with a known service-affecting problem that can
> easily recur without warning and which will be service affecting if it
> hits again, common sense suggests that it would be a good idea to
> upgrade to a version of code which isn't affected.
> 
> Well, that's a brilliant platitude, but what do you do when it breaks
> over and over until the other guy upgrades?

I dunno, maybe shake our fists and rage a bit about the existence of
service affecting bugs?  It's not like we haven't all been in this
position at one stage or another.

The point was, though, that there's been several months since this bug
was discussed on nanog-l way back in balmy september, and given the fact
that it can completely wipe out connectivity without warning for those
affected, it would have been a good idea to deal with the problem in an
orderly way at the time rather than letting it interfere with eggnog and
seasonal good cheer, at one of the times of year where chunks of the
world are busy taking well-deserved holidays.

On which point, seasonal cheers to all.

Nick



Re: AS PATH limits

2017-12-22 Thread Ken Chase
Push harder on upgrading. "Dec 30" is my earliest window I got from my customer
after previously pushing with previous events (didn't help that Cogent said "yeah
we agree these are silly, we'll be filtering more aggressively" -- this time it
snuck in from the less busy side of our network).

It's not even going to be service impacting, if we do everything correctly,
but *who knows for sure* :) Course more long path events occurring ARE service
impacting more than the risk during upgrade, so go figure.

Customers! Can't live with em, can't afford to live without em!

Nonetheless, I do think that backbones should be filtering ridiculous AS paths
just as a matter of course. Everyone fix their own stuff, and everyone help
the next guy downstream by stomping on silliness. Generally been an internet
mindset that I've seen since even before the great renaming...

/kc


On Fri, Dec 22, 2017 at 05:50:36PM -0500, William Herrin said:
  >On Fri, Dec 22, 2017 at 5:45 PM, Nick Hilliard  wrote:
  >
  >> William Herrin wrote:
  >> > The AS path lengths we're talking about are unreasonable.
  >>
  >> "unreasonable" is a peculiar word to use here :-)
  >>
  >> It's the internet and you can't expect other people not to do silly
  >> things from time to time.  This is a known problem and it isn't even the
  >> first time it's been discussed on nanog-l.
  >>
  >> If you've been hit with a known service-affecting problem that can
  >> easily recur without warning and which will be service affecting if it
  >> hits again, common sense suggests that it would be a good idea to
  >> upgrade to a version of code which isn't affected.
  >
  >
  >Well, that's a brilliant platitude, but what do you do when it breaks over
  >and over until the other guy upgrades?
  >
  >-Bill
  >
  >
  >
  >
  >-- 
  >William Herrin  her...@dirtside.com  b...@herrin.us
  >Dirtside Systems . Web: 

/kc
--
Ken Chase - m...@sizone.org Guelph Canada


Re: AS PATH limits

2017-12-22 Thread Scott Weeks


--- b...@herrin.us wrote:
From: William Herrin 

Well, that's a brilliant platitude, but what do you do 
when it breaks over and over until the other guy upgrades?
---



Filter that network out of your tables until it's fixed? :)

scott


Re: AS PATH limits

2017-12-22 Thread William Herrin
On Fri, Dec 22, 2017 at 5:45 PM, Nick Hilliard  wrote:

> William Herrin wrote:
> > The AS path lengths we're talking about are unreasonable.
>
> "unreasonable" is a peculiar word to use here :-)
>
> It's the internet and you can't expect other people not to do silly
> things from time to time.  This is a known problem and it isn't even the
> first time it's been discussed on nanog-l.
>
> If you've been hit with a known service-affecting problem that can
> easily recur without warning and which will be service affecting if it
> hits again, common sense suggests that it would be a good idea to
> upgrade to a version of code which isn't affected.


Well, that's a brilliant platitude, but what do you do when it breaks over
and over until the other guy upgrades?

-Bill




-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: AS PATH limits

2017-12-22 Thread Nick Hilliard
Ken Chase wrote:
> quagga 0.99.22.4, yes i need to upgrade, as my other
> router on 0.99.23.1 seems ok.

All unpatched versions of quagga between 0.99.2 and 1.2.2 are affected.

Nick


Re: AS PATH limits

2017-12-22 Thread Nick Hilliard
William Herrin wrote:
> The AS path lengths we're talking about are unreasonable.

"unreasonable" is a peculiar word to use here :-)

It's the internet and you can't expect other people not to do silly
things from time to time.  This is a known problem and it isn't even the
first time it's been discussed on nanog-l.

If you've been hit with a known service-affecting problem that can
easily recur without warning and which will be service affecting if it
hits again, common sense suggests that it would be a good idea to
upgrade to a version of code which isn't affected.

Nick


Re: AS PATH limits

2017-12-22 Thread William Herrin
On Fri, Dec 22, 2017 at 12:40 PM, Nick Hilliard  wrote:

> What router software version are you running that barfs on long as-paths?
>

Hi Nick,

Versions of quagga up until the very most recent release corrupt the
transmission of routes with very long AS paths. They add up the packet
length wrong. The neighbors of any router brand then barf on the malformed
data and terminate the BGP session.

Your peer running quagga must either upgrade or filter long AS paths or you
will receive corrupt data and terminate the BGP session. There's nothing
that -you- can do about it.

The AS path lengths we're talking about are unreasonable. They indicate a
high probability of misconfiguration at the origin. There's no legitimate
cause for them to exist on the public Internet at all. It would be
reasonable to treat them like when peers offer /32 prefixes and just say no.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: AS PATH limits

2017-12-22 Thread Mike Tancsa
On 12/22/2017 12:46 PM, Ken Chase wrote:
> quagga 0.99.22.4, yes i need to upgrade, as my other
> router on 0.99.23.1 seems ok. now coordinating with
> customers to get it upgraded is a different issue.

Will that version of quagga not support a filter list?

e.g
neighbor 38.xx.yy.zz filter-list maxas-limit65 in


ip as-path access-list maxas-limit65 deny ^([{},0-9]+ ){65}
ip as-path access-list maxas-limit65 permit .*

---Mike

> 
> /kc
> 
> 
> On Fri, Dec 22, 2017 at 05:40:28PM +, Nick Hilliard said:
>   >What router software version are you running that barfs on long as-paths?
>   >
>   >Nick
>   >
>   >Ken Chase wrote:
>   >> And again this morn at 08:35:19 EST (13:35 UTC). I don't have access to the
>   >> router that fed us the long route, so I can't tell what it was (since we never
>   >> consumed it before barfing).
>   >> 
>   >> Let's hope for no more over holiday season...
>   >> 
>   >> /kc
>   >> 
>   >> 
>   >> On Fri, Oct 13, 2017 at 05:02:42PM -0400, Ken Chase said:
>   >>   > It is happening AGAIN.
>   >>   >
>   >>   >And of course it started on a friday aft 15 min before quittin' time in EDT:
>   >>   >
>   >>   >Last time it was 186.177.184.0/23   0 174 262206 262206 262197 262197 
>   >>   >
>   >>   >*> 186.176.186.0/23 38.x.x.x 45050 0 174 262206 
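
Added example, not part of any message in this thread: a Python check of the as-path filter Mike Tancsa posted above, run against constructed AS paths, together with the size of the AS_PATH attribute those paths produce on the wire. Python's `re` stands in for the router's regex engine, the ASNs are documentation-range values, and `make_path`, `filter_action`, `encode_as_path` and `describe` are illustrative names; the encoding follows RFC 4271 with 4-octet ASNs (RFC 6793).

```python
import re
import struct

# Pattern copied from the "deny" line of the maxas-limit65 access-list above.
# Assumption: the router matches it against the path rendered as ASNs separated
# by single spaces with no trailing space; Python's re stands in for its engine.
MAXAS_DENY = re.compile(r"^([{},0-9]+ ){65}")

AS_PATH_TYPE = 2        # path attribute type code (RFC 4271)
AS_SEQUENCE = 2         # path segment type
FLAG_TRANSITIVE = 0x40  # AS_PATH is well-known mandatory: transitive bit only
FLAG_EXT_LEN = 0x10     # set when the attribute length needs two octets
MAX_SEG_ASNS = 255      # the per-segment ASN count is a single octet


def make_path(prepends, origin=64500, upstream=(64496, 64497)):
    """Constructed sample: upstream ASNs, then `prepends` copies of the origin."""
    asns = list(upstream) + [origin] * prepends
    return " ".join(str(asn) for asn in asns)


def filter_action(path):
    """First match wins: the deny line, then the catch-all `permit .*`."""
    return "deny" if MAXAS_DENY.search(path) else "permit"


def encode_as_path(asns):
    """Encode an AS_PATH attribute made of AS_SEQUENCE segments, 4-octet ASNs."""
    value = b""
    for start in range(0, len(asns), MAX_SEG_ASNS):
        segment = asns[start:start + MAX_SEG_ASNS]
        value += struct.pack("!BB", AS_SEQUENCE, len(segment))
        value += b"".join(struct.pack("!I", asn) for asn in segment)
    if len(value) > 255:
        # One length octet is not enough: extended-length flag, two octets.
        header = struct.pack("!BBH", FLAG_TRANSITIVE | FLAG_EXT_LEN,
                             AS_PATH_TYPE, len(value))
    else:
        header = struct.pack("!BBB", FLAG_TRANSITIVE, AS_PATH_TYPE, len(value))
    return header + value


def describe(path):
    """Filter verdict and wire size for a path of plain ASNs (no AS_SETs)."""
    asns = [int(token) for token in path.split()]
    attribute = encode_as_path(asns)
    return {
        "asns": len(asns),
        "action": filter_action(path),
        "segments": -(-len(asns) // MAX_SEG_ASNS),  # ceiling division
        "attr_bytes": len(attribute),
        "extended_length": bool(attribute[0] & FLAG_EXT_LEN),
    }


if __name__ == "__main__":
    # Constructed prepend counts: around the filter boundary, then far past it.
    for prepends in (61, 63, 64, 254, 598):
        print(describe(make_path(prepends)))
```

With the path rendered without a trailing space, the pattern needs 65 ASNs each followed by a space, so it first matches at 66 ASNs and a 65-ASN path is still permitted. Paths beyond 255 ASNs are split across several AS_SEQUENCE segments inside one extended-length attribute.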

Re: AS PATH limits

2017-12-22 Thread Ken Chase
quagga 0.99.22.4, yes i need to upgrade, as my other
router on 0.99.23.1 seems ok. now coordinating with
customers to get it upgraded is a different issue.

/kc


On Fri, Dec 22, 2017 at 05:40:28PM +, Nick Hilliard said:
  >What router software version are you running that barfs on long as-paths?
  >
  >Nick
  >
  >Ken Chase wrote:
  >> And again this morn at 08:35:19 EST (13:35 UTC). I don't have access to the
  >> router that fed us the long route, so I can't tell what it was (since we never
  >> consumed it before barfing).
  >> 
  >> Let's hope for no more over holiday season...
  >> 
  >> /kc
  >> 
  >> 
  >> On Fri, Oct 13, 2017 at 05:02:42PM -0400, Ken Chase said:
  >>   > It is happening AGAIN.
  >>   >
  >>   >And of course it started on a friday aft 15 min before quittin' time in EDT:
  >>   >
  >>   >Last time it was 186.177.184.0/23   0 174 262206 262206 262197 262197 
  >>   >
  >>   >*> 186.176.186.0/23 38.x.x.x 45050 0 174 262206 
  

Re: AS PATH limits

2017-12-22 Thread Nick Hilliard
What router software version are you running that barfs on long as-paths?

Nick

Ken Chase wrote:
> And again this morn at 08:35:19 EST (13:35 UTC). I don't have access to the
> router that fed us the long route, so I can't tell what it was (since we never
> consumed it before barfing).
> 
> Let's hope for no more over holiday season...
> 
> /kc
> 
> 
> On Fri, Oct 13, 2017 at 05:02:42PM -0400, Ken Chase said:
>   > It is happening AGAIN.
>   >
>   >And of course it started on a friday aft 15 min before quittin' time in EDT:
>   >
>   >Last time it was 186.177.184.0/23   0 174 262206 262206 262197 262197 
>   >
>   >*> 186.176.186.0/23 38.x.x.x 45050 0 174 262206 262206 
>   >
>   >/kc
>   >--
>   >Ken Chase - m...@sizone.org Guelph Canada
> 



Re: AS PATH limits

2017-12-22 Thread Ken Chase
And again this morn at 08:35:19 EST (13:35 UTC). I don't have access to the
router that fed us the long route, so I can't tell what it was (since we never
consumed it before barfing).

Let's hope for no more over holiday season...

/kc


On Fri, Oct 13, 2017 at 05:02:42PM -0400, Ken Chase said:
  > It is happening AGAIN.
  >
  >And of course it started on a friday aft 15 min before quittin' time in EDT:
  >
  >Last time it was 186.177.184.0/23   0 174 262206 262206 262197 262197 
  >
  >*> 186.176.186.0/23 38.x.x.x 45050 0 174 262206 262206 
  >
  >/kc
  >--
  >Ken Chase - m...@sizone.org Guelph Canada

-- 
Ken Chase - m...@sizone.org Guelph Canada


Re: AS PATH limits

2017-10-13 Thread Job Snijders
Has anyone tried calling them?

Kind regards,

Job

On Fri, 13 Oct 2017 at 23:03, Ken Chase  wrote:

>  It is happening AGAIN.
>
> And of course it started on a friday aft 15 min before quittin' time in
> EDT:
>
> Last time it was 186.177.184.0/23   0 174 262206 262206 262197 262197
>
> *> 186.176.186.0/23 38.x.x.x 45050 0 174 262206
>
> /kc
> --
> Ken Chase - m...@sizone.org Guelph Canada
>


Re: AS PATH limits

2017-10-13 Thread Ken Chase
 It is happening AGAIN.

And of course it started on a friday aft 15 min before quittin' time in EDT:

Last time it was 186.177.184.0/23   0 174 262206 262206 262197 262197 

*> 186.176.186.0/23 38.x.x.x 45050 0 174 262206 262206 

/kc
--
Ken Chase - m...@sizone.org Guelph Canada


Re: AS PATH limits

2017-10-02 Thread Ken Chase
Got this reply from cogent:

"We have isolated a BGP Routing discrepancy on the Backbone. That routing has
been removed from the Network."

So apparently they agree they shouldn't just accept this bogosity. Good on em.

/kc
-- 
Ken Chase - m...@sizone.org Guelph Canada


Re: AS PATH limits

2017-10-02 Thread Jörg Kost

It's also happily announced onwards, e.g. by Telia:

Oct  2 07:25:09:E:BGP: From Peer ... received Long AS_PATH= AS_SEQ(2) 
1299 174 262206 262206 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 262197 
262197 262197 262197 262197 262197 262197 262197 262197 262197 ... 
attribute length (567) More than configured MAXAS-LIMIT 64


On 30 Sep 2017, at 17:09, sth...@nethelp.no wrote:

>> If you're on cogent, since 22:30 UTC yesterday or so this has been happening
>> (or happened).
>
> Still happening here. I count 562 prepends (563 * 262197) in the
> advertisement we receive from Cogent. I see no good reason why we
> should accept that many prepends.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: AS PATH limits

2017-10-02 Thread Baldur Norddahl
On 2 Oct 2017 at 00:44, "Randy Bush" wrote:

> looks to me as if 262206 is trying a silly tactic to down-pref inbound
> from cogent.  as cogent probably prefers customers to peers, it may not
> be working as 262206 expected, so they keep pounding with the same
> hammer hoping for a miracle.
>
> cogent accepts it as they are being paid to do so; normal practice.
>
> perhaps our ire should be directed at 262206, not cogent?  has anyone
> tried to contact them?
>
> randy


It is amazing how well the DFZ works given half the participants (*) have
no clue how. If that is what they want, all they need is to split that /23
into two /24 and only announce that on their other transit.

(*) I should probably include myself in that half.

Regards

Baldur


Re: AS PATH limits

2017-10-01 Thread Randy Bush
looks to me as if 262206 is trying a silly tactic to down-pref inbound
from cogent.  as cogent probably prefers customers to peers, it may not
be working as 262206 expected, so they keep pounding with the same
hammer hoping for a miracle.

cogent accepts it as they are being paid to do so; normal practice.

perhaps our ire should be directed at 262206, not cogent?  has anyone
tried to contact them?

randy


Re: AS PATH limits

2017-09-30 Thread William Herrin
On Sun, Oct 1, 2017 at 1:05 AM, Ken Chase  wrote:

> I don't quite understand the exact situation that causes the issue - our
> cogent facing router (quagga .99.22 debian) was receiving the route but
> that
> session stayed up - it was it while sending or the other igp router (also
> quagga .99.22) receiving (I think the latter) that was crashing their
> session.
> Not quite sure why the cogent session didn't crash as well (or first,
> before
> propagating the bad route).
>

Hi Ken,

Technically the route is not bad, just really inconsiderate.

The bug happens when quagga sends the long-AS path route to a peer. As
I understand it, when the announcement is larger than one segment, Quagga
double-counts some of the bytes when computing the number of bytes in
the AS path. It receives the announcement just fine, but then it corrupts
what it sends to the neighbor who then chokes.

Bug and patch here:
https://lists.quagga.net/pipermail/quagga-dev/2017-September/033284.html

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: AS PATH limits

2017-09-30 Thread Mikael Abrahamsson

On Sun, 1 Oct 2017, Hank Nussbacher wrote:


> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1572
> Quagga 0.99.11 and earlier affected.
> Fixed in 2009.


It was fixed in other OSes as well after this, I presume:

http://blog.ipspace.net/2009/02/root-cause-analysis-oversized-as-paths.html

--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: AS PATH limits

2017-09-30 Thread Hank Nussbacher
On 01/10/2017 04:28, Christopher Morrow wrote:
> On Sat, Sep 30, 2017 at 12:47 PM, Ken Chase  wrote:
>
>> I don't see that as the solution. Someone else will offend again.
>>
>> However, I also don't see trusting major backbones as our filters (for many
>> other reasons). Our software should be handling what's effectively a
>> buffer overflow
>> or equivalent (beware long paths that are actually shellcode).
>>
>> Quagga among others seems to be subject to this bug, pre 0.99.23 or so
>> (.99.24+ seems ok). So upgrading is a solution.
>>
>>
> ii  quagga  0.99.22.4-3ubu i386   BGP/OSPF/RIP routing
> daemon
>
> interestingly enough that isn't crashlooping nor is it bouncing bgp
> sessions:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1572
Quagga 0.99.11 and earlier affected.
Fixed in 2009.

-Hank


> 192.168.100.100  4 MYASN 16427178864000 2d23h32m
> 672475
>
> and it's happily showing me the route even...
>
> There was also some chatter on the quagga mailing list on how it's more
>> pleasant to stab your eyeballs out rather than constructing extremely long
>> regexp's that might work as a filter.
>>
>> https://lists.quagga.net/pipermail/quagga-users/2017-September/thread.html
>>
>> /kc
>>
>>
>> On Sat, Sep 30, 2017 at 05:30:03PM +0200, Niels Raijer said:
>>   >My message to NANOG about this from 12:31 UTC today is still in the
>> moderation queue. I had opened a support case with Cogent before writing my
>> message to NANOG and Cogent has let me know approximately 40 minutes ago
>> that they have contacted their customer.
>>   >
>>   >Niels
>>   >
>>   >
>>   >
>>   >On 30 Sep 2017, at 17:09, sth...@nethelp.no wrote:
>>   >
>>   >>> If you're on cogent, since 22:30 UTC yesterday or so this has been
>> happening
>>   >>> (or happened).
>>   >>
>>   >> Still happening here. I count 562 prepends (563 * 262197) in the
>>   >> advertisement we receive from Cogent. I see no good reason why we
>>   >> should accept that many prepends.
>>   >>
>>   >> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>>   >
>>
>> --
>> Ken Chase - m...@sizone.org  Guelph Canada
>>



Re: AS PATH limits

2017-09-30 Thread Ken Chase
I don't quite understand the exact situation that causes the issue - our
cogent facing router (quagga .99.22 debian) was receiving the route but that
session stayed up - it was it while sending or the other igp router (also
quagga .99.22) receiving (I think the latter) that was crashing their session.
Not quite sure why the cogent session didn't crash as well (or first, before
propagating the bad route).

At any rate, we should likely take this discussion to the quagga-users-l

/kc


On Sat, Sep 30, 2017 at 09:28:28PM -0400, Christopher Morrow said:
  >ii  quagga  0.99.22.4-3ubu i386   BGP/OSPF/RIP routing
  >daemon
  >
  >interestingly enough that isn't crashlooping nor is it bouncing bgp
  >sessions:
  >192.168.100.100  4 MYASN 16427178864000 2d23h32m
  >672475
  >
  >and it's happily showing me the route even...

-- 
Ken Chase - m...@sizone.org Guelph Canada


Re: AS PATH limits

2017-09-30 Thread Christopher Morrow
On Sat, Sep 30, 2017 at 12:47 PM, Ken Chase  wrote:

> I don't see that as the solution. Someone else will offend again.
>
> However, I also don't see trusting major backbones as our filters (for many
> other reasons). Our software should be handling what's effectively a
> buffer overflow
> or equivalent (beware long paths that are actually shellcode).
>
> Quagga among others seems to be subject to this bug, pre 0.99.23 or so
> (.99.24+ seems ok). So upgrading is a solution.
>
>
ii  quagga  0.99.22.4-3ubu i386   BGP/OSPF/RIP routing
daemon

interestingly enough that isn't crashlooping nor is it bouncing bgp
sessions:
192.168.100.100  4 MYASN 16427178864000 2d23h32m
672475

and it's happily showing me the route even...

> There was also some chatter on the quagga mailing list on how it's more
> pleasant to stab your eyeballs out rather than constructing extremely long
> regexp's that might work as a filter.
>
> https://lists.quagga.net/pipermail/quagga-users/2017-September/thread.html
>
> /kc
>
>
> On Sat, Sep 30, 2017 at 05:30:03PM +0200, Niels Raijer said:
>   >My message to NANOG about this from 12:31 UTC today is still in the
> moderation queue. I had opened a support case with Cogent before writing my
> message to NANOG and Cogent has let me know approximately 40 minutes ago
> that they have contacted their customer.
>   >
>   >Niels
>   >
>   >
>   >
>   >On 30 Sep 2017, at 17:09, sth...@nethelp.no wrote:
>   >
>   >>> If you're on cogent, since 22:30 UTC yesterday or so this has been
> happening
>   >>> (or happened).
>   >>
>   >> Still happening here. I count 562 prepends (563 * 262197) in the
>   >> advertisement we receive from Cogent. I see no good reason why we
>   >> should accept that many prepends.
>   >>
>   >> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>   >
>
> --
> Ken Chase - m...@sizone.org  Guelph Canada
>


Re: AS PATH limits

2017-09-30 Thread Ken Chase
I don't see that as the solution. Someone else will offend again.

However, I also don't see trusting major backbones as our filters (for many
other reasons). Our software should be handling what's effectively a buffer
overflow or equivalent (beware long paths that are actually shellcode).

Quagga among others seems to be subject to this bug, pre 0.99.23 or so
(.99.24+ seems ok). So upgrading is a solution.

There was also some chatter on the quagga mailing list on how it's more
pleasant to stab your eyeballs out rather than constructing extremely long
regexp's that might work as a filter.

https://lists.quagga.net/pipermail/quagga-users/2017-September/thread.html

/kc


On Sat, Sep 30, 2017 at 05:30:03PM +0200, Niels Raijer said:
  >My message to NANOG about this from 12:31 UTC today is still in the 
moderation queue. I had opened a support case with Cogent before writing my 
message to NANOG and Cogent has let me know approximately 40 minutes ago that 
they have contacted their customer. 
  >
  >Niels 
  >
  >
  >
  >On 30 Sep 2017, at 17:09, sth...@nethelp.no wrote:
  >
  >>> If you're on cogent, since 22:30 UTC yesterday or so this has been 
happening
  >>> (or happened).
  >> 
  >> Still happening here. I count 562 prepends (563 * 262197) in the
  >> advertisement we receive from Cogent. I see no good reason why we
  >> should accept that many prepends.
  >> 
  >> Steinar Haug, Nethelp consulting, sth...@nethelp.no
  >

-- 
Ken Chase - m...@sizone.org  Guelph Canada


Re: AS PATH limits

2017-09-30 Thread jim deleskie
Maybe the next best path had, had 562 prepends? :)



On Sat, Sep 30, 2017 at 12:09 PM,  wrote:

> > If you're on cogent, since 22:30 UTC yesterday or so this has been
> happening
> > (or happened).
>
> Still happening here. I count 562 prepends (563 * 262197) in the
> advertisement we receive from Cogent. I see no good reason why we
> should accept that many prepends.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>


Re: AS PATH limits

2017-09-30 Thread sthaug
> If you're on cogent, since 22:30 UTC yesterday or so this has been happening
> (or happened).

Still happening here. I count 562 prepends (563 * 262197) in the
advertisement we receive from Cogent. I see no good reason why we
should accept that many prepends.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: AS PATH limits

2017-09-30 Thread Ken Chase
If you're on cogent, since 22:30 UTC yesterday or so this has been happening
(or happened).

*> 186.177.184.0/23 38.*.*.* 45050 0 174 262206 262206

oddly, i see other pops with 174 sources giving a more sane route (even 6939
is giving us a route that goes thru 174 after 2 hops). 'Sup, 174?

(Wonder if this is just stuck in the router I'm looking at and the update
process is failing because the route is too long to process properly for
removal or something. mmm, bugs!)

/kc
-- 
Ken Chase - m...@sizone.org Guelph Canada


Re: AS PATH limits

2017-09-22 Thread craig washington
Thank you all very much for the feedback.

As always it is much appreciated.



From: Tom Beecher <beec...@beecher.cc>
Sent: Wednesday, September 20, 2017 8:01 PM
To: craig washington
Cc: nanog@nanog.org
Subject: Re: AS PATH limits

Too many prepends = any more than you really need for what you're trying to 
accomplish. :)

I've cut off paths as short as 4 to as long as 8 before in different jobs for 
different reasons.

On Tue, Sep 19, 2017 at 9:33 AM, craig washington 
<craigwashingto...@hotmail.com> wrote:
Hello world.

I was wondering and forgive me if this discussion has already taken place.

How many AS PATHS are too many?

Meaning how do we determine how many to filter on transit links or public 
peering links?


Thanks in advance





RE: AS PATH limits

2017-09-21 Thread Jakob Heitz (jheitz)
The consequence of keeping a route with a long AS_PATH is that it uses a little 
more memory.
Also, if you send it on, you will add one ASN and may exceed the maximum BGP 
message size and not be able to send it.
Even that is no reason to drop the incoming route.
The consequence of dropping the route is that someone loses connectivity 
because you dropped it.

The need for limiting AS_PATH length stemmed from this incident:
https://dyn.com/blog/the-flap-heard-around-the-world/

This bug has long been fixed, so it should not happen again.
However, if you want to be extra cautious, because unpatched routers may still 
be out there,
then 200 should not drop any normal route. Just keep an eye on what you are 
dropping.

Thanks,
Jakob


Date: Tue, 19 Sep 2017 13:33:03 +
From: craig washington <craigwashingto...@hotmail.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Subject: AS PATH limits

Hello world.

I was wondering and forgive me if this discussion has already taken place.

How many AS PATHS are too many?

Meaning how do we determine how many to filter on transit links or public 
peering links?


Thanks in advance
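
An added example, not part of any post in this thread: one way to "keep an eye on what you are dropping" is to run candidate AS_PATH length limits over received paths before enforcing them. The function names are hypothetical, the 192.0.2.0/24 route is constructed, and the two long paths are rebuilt from the counts quoted in the thread (563 copies of 262197; an as_path_count of 501).

```python
from itertools import groupby

# Paths rebuilt from figures quoted in the thread; repeat counts are derived
# from the stated totals, not copied from a router. The last route is constructed.
SAMPLE_ROUTES = [
    ("186.177.184.0/23", "174 262206 262206" + " 262197" * 563 + " ?"),
    ("185.135.134.0/23",
     "38726 9957 17604 7922 6830 197451 197451 197451" + " 207239" * 492 + " 201228"),
    ("192.0.2.0/24", "64500 64501 64501 64502 i"),
]


def analyse_as_path(path_text):
    """Summarise a space-separated AS path (origin codes such as '?' are ignored)."""
    asns = [int(tok) for tok in path_text.split() if tok.isdigit()]
    # Run-length encode the path: consecutive repeats of one ASN are prepends.
    runs = [(asn, len(list(group))) for asn, group in groupby(asns)]
    longest_asn, longest_run = max(runs, key=lambda r: r[1]) if runs else (None, 0)
    return {
        "length": len(asns),                       # what a max-AS limit compares against
        "collapsed": [asn for asn, _ in runs],     # path with prepends removed
        "longest_run": longest_run,
        "longest_run_asn": longest_asn,
    }


def audit(routes, max_len):
    """Split (prefix, path) pairs into (accepted, dropped) under a length limit."""
    accepted, dropped = [], []
    for prefix, path_text in routes:
        info = analyse_as_path(path_text)
        info["prefix"] = prefix
        (dropped if info["length"] > max_len else accepted).append(info)
    return accepted, dropped


if __name__ == "__main__":
    for limit in (64, 200):
        accepted, dropped = audit(SAMPLE_ROUTES, limit)
        print(f"limit {limit}: {len(accepted)} accepted, {len(dropped)} dropped")
        for d in dropped:
            print(f"  {d['prefix']}: {d['length']} ASNs, "
                  f"{d['longest_run']} x AS{d['longest_run_asn']}, "
                  f"collapsed to {d['collapsed']}")
```
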



Re: AS PATH limits

2017-09-20 Thread Tom Beecher
Too many prepends = any more than you really need for what you're trying to
accomplish. :)

I've cut off paths as short as 4 to as long as 8 before in different jobs
for different reasons.

On Tue, Sep 19, 2017 at 9:33 AM, craig washington <
craigwashingto...@hotmail.com> wrote:

> Hello world.
>
> I was wondering and forgive me if this discussion has already taken place.
>
> How many AS PATHS are too many?
>
> Meaning how do we determine how many to filter on transit links or public
> peering links?
>
>
> Thanks in advance
>
>
>


Re: AS PATH limits

2017-09-20 Thread jim deleskie
In my MUCH younger days, I may have helped abuse the global table via
prepends, but never to that level  :)

On Wed, Sep 20, 2017 at 4:36 PM, Randy Bush  wrote:

> > Below is an example showing an excessive amount of prepending for prefix
> > 185.135.134.0/23 at 2017-09-18 20:20:05 UTC.
>
> and they are probably still wondering why it does not achieve what they
> want.
>
> randy
>


Re: AS PATH limits

2017-09-20 Thread Randy Bush
> Below is an example showing an excessive amount of prepending for prefix
> 185.135.134.0/23 at 2017-09-18 20:20:05 UTC. 

and they are probably still wondering why it does not achieve what they
want.

randy


Re: AS PATH limits

2017-09-20 Thread Tim Evens


An AS_PATH is encoded with one or more segments. Each segment has a
maximum size of 255 entries (8 bit segment length). The absolute limit
will depend on the complete BGP message size, which is limited to 4096
and extended via draft-ietf-idr-bgp-extended-messages. 

The longest as_path at this time (changes frequently though) is 51
entries, but in the past we have seen as many as 501. 

Below is an example showing an excessive amount of prepending for prefix
185.135.134.0/23 at 2017-09-18 20:20:05 UTC. 

as_path_count: 501
as_path: 38726 9957 17604 7922 6830 197451 197451 197451 207239 207239
201228 

--Tim 

On 19.09.2017 06:33, craig washington wrote: 

> Hello world.
> 
> I was wondering and forgive me if this discussion has already taken place.
> 
> How many AS PATHS are too many?
> 
> Meaning how do we determine how many to filter on transit links or public 
> peering links?
> 
> Thanks in advance
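
An added example, not part of the post above or of any BGP implementation: the segment encoding described there, worked through for the 566-ASN path seen via Cogent, with a decoder that rejects an attribute whose length fields disagree with its contents. It assumes 4-byte ASNs on the session and an UPDATE carrying only ORIGIN, NEXT_HOP and one /23 prefix besides the AS_PATH; the function names are hypothetical.

```python
import struct

AS_SEQUENCE = 2                 # segment type (AS_SET would be 1)
ATTR_TYPE_AS_PATH = 2
FLAG_TRANSITIVE = 0x40
FLAG_EXTENDED_LENGTH = 0x10     # attribute length is 2 bytes instead of 1
MAX_SEGMENT_ASNS = 255          # segment length is a single byte
BGP_MAX_MESSAGE = 4096
BGP_HEADER_LEN = 19


def encode_as_path(asns):
    """Encode a flat list of ASNs as AS_SEQUENCE segments of at most 255 entries."""
    value = bytearray()
    for start in range(0, len(asns), MAX_SEGMENT_ASNS):
        chunk = asns[start:start + MAX_SEGMENT_ASNS]
        value += bytes([AS_SEQUENCE, len(chunk)])
        value += struct.pack(f"!{len(chunk)}I", *chunk)   # assumption: 4-byte ASNs
    if len(value) > 255:
        header = struct.pack("!BBH", FLAG_TRANSITIVE | FLAG_EXTENDED_LENGTH,
                             ATTR_TYPE_AS_PATH, len(value))
    else:
        header = struct.pack("!BBB", FLAG_TRANSITIVE, ATTR_TYPE_AS_PATH, len(value))
    return header + bytes(value)


def decode_as_path(attr):
    """Parse an AS_PATH attribute, checking every length field against the buffer."""
    if len(attr) < 3:
        raise ValueError("attribute header truncated")
    flags, type_code = attr[0], attr[1]
    if type_code != ATTR_TYPE_AS_PATH:
        raise ValueError("not an AS_PATH attribute")
    if flags & FLAG_EXTENDED_LENGTH:
        if len(attr) < 4:
            raise ValueError("extended length field truncated")
        declared, value = struct.unpack("!H", attr[2:4])[0], attr[4:]
    else:
        declared, value = attr[2], attr[3:]
    if declared != len(value):
        raise ValueError(f"declared length {declared} != actual {len(value)}")
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("segment header truncated")
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        end = pos + count * 4
        if end > len(value):
            raise ValueError("segment overruns attribute")
        segments.append((seg_type, list(struct.unpack(f"!{count}I", value[pos:end]))))
        pos = end
    return segments


def update_size(as_path_attr, other_attrs_len=11, nlri_len=4):
    """Size of an UPDATE: header, two 2-byte length fields, attributes, NLRI.

    Assumed defaults: ORIGIN (4 bytes) + NEXT_HOP (7 bytes), one /23 prefix (4 bytes).
    """
    return BGP_HEADER_LEN + 2 + 2 + len(as_path_attr) + other_attrs_len + nlri_len


def max_asns_that_fit():
    """Longest AS path that still fits a 4096-byte UPDATE under the assumptions above."""
    n = 0
    while update_size(encode_as_path([64500] * (n + 1))) <= BGP_MAX_MESSAGE:
        n += 1
    return n


if __name__ == "__main__":
    path = [174, 262206, 262206] + [262197] * 563     # counts quoted in the thread
    attr = encode_as_path(path)
    print("segments:", [len(a) for _, a in decode_as_path(attr)])
    print("attribute bytes:", len(attr), "UPDATE bytes:", update_size(attr))
    print("longest path that fits:", max_asns_that_fit())
```

This encoder re-chunks the whole path from the front; a router that prepends its own ASN to an existing first segment can produce a different segment layout for the same path.
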



Re: AS PATH limits

2017-09-20 Thread valdis . kletnieks
On Tue, 19 Sep 2017 13:33:03 -, craig washington said:

> How many AS PATHS are too many?

Well - how many do you see when things are operating nominally?

How many do you regard as "the other end is obviously too crazy to listen to"?

Add them up and divide by two.

Of course, the hard part is quantifying those two values - the network
engineers for the AS I work for probably have a different tolerance level for
such shenanigans than the guys running a Tier 1/1.5/more-than-2 network (and
*those* guys almost certainly have different tolerances based on which of their
peers and transits they're talking to)





AS PATH limits

2017-09-20 Thread craig washington
Hello world.

I was wondering and forgive me if this discussion has already taken place.

How many AS PATHS are too many?

Meaning how do we determine how many to filter on transit links or public 
peering links?


Thanks in advance