[c-nsp] BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH

[Eloy Paris]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Rob,

Eloy Paris from the Cisco PSIRT here. Please see below (inline) for
some comments regarding the issue you brought up in your email to the
cisco-nsp and nanog mailing lists this past Jan. 16th:

On Fri Jan 16 07:57:52 2009, Rob Shakir wrote:

> Strict RFC 4893 (4-byte ASN support) BGP4 implementations are
> vulnerable to a session reset by distant (not directly connected)
> ASes. This vulnerability is a feature of the standard, and unless
> immediate action is taken an increasingly significant number of
> networks will be open to attack. Accidental triggering of this
> vulnerability has already been seen in the wild, although the limited
> number of RFC 4893 deployments has limited its effect.
>
> Summary:
> It is possible to cause BGP sessions to remotely reset by injecting
> invalid data into the AS4_PATH attribute provided to store 4-byte ASN
> paths. Since AS4_PATH is an optional transitive attribute, the invalid
> data will be transited through many intermediate ASes which will not
> examine the content. To be vulnerable, an operator does not have to
> be actively using 4-byte AS support. This problem was first reported
> by Andy Davidson on NANOG in December 2008 [0], furthermore we have
> been able to demonstrate that a device running Cisco IOS release
> 12.0(32)S12 behaves as per this description.
>
> Details:

[...]

Cisco Bug CSCsx10140 was filed for Cisco IOS. Cisco IOS behaves exactly
as you described - upon receipt of AS_CONFED_SEQUENCE data in the
AS4_PATH attribute IOS will send a NOTIFICATION message to the peer,
which causes a termination of the BGP session. After the fix for this
bug IOS will ignore AS_CONFED_SEQUENCE data in the AS4_PATH attribute of
received BGP UPDATE messages and continue to process the UPDATE. This is
the new behavior that the revised RFC 4893 will require.

CSCsx18598 was filed for Cisco IOS XR. Cisco IOS XR doesn't reset the
session but accepts and forwards the invalid AS4_PATH data, so this bug
was filed to change this behavior.

CSCsx23179 was filed for Cisco NX-OS (for the Nexus switches.) Cisco
NX-OS behaves like IOS (it will reset the BGP session when it sees
AS_CONFED_SEQUENCE data in the AS4_PATH attribute), and this bug was
filed to change this and have the BGP implementation in Cisco NX-OS
follow the revised RFC 4893.

The Release Notes for each bug may have some additional
information. These are available via the Bug Toolkit on cisco.com
(http://tools.cisco.com/Support/BugToolKit)

To date, the only version of Cisco IOS that supports 4-byte AS numbers
is 12.0(32)S12, released in late December. A fix to the 12.0(32)Sxx
branch has been committed so the next 12.0(32)S-based release will have
the fix. 12.0(32)SY8 is coming out soon, and it will also have support
for 4-byte AS numbers, as well as the fix for the problem.

Thanks for bringing attention to this issue and for working with us,
specifically with the Cisco TAC, to get to the bottom of it and test
the proposed fix.

Cheers,

- -- 

Eloy Paris
Cisco PSIRT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmR9OoACgkQagjTfAtNY9jv5ACgg3fKuuWKv38h8F8d8QHBML5J
CTsAnAnGMB/fBIQhk5z4E922JlhHVU5A
=FSOP
-----END PGP SIGNATURE-----