[j-nsp] Juniper BGP invalid attributes

Barry Greene bgreene at juniper.net
Wed Mar 18 10:29:39 EDT 2009



 
> 1) Routers shouldn't be leaking confederation information 
> into AS4_PATH. 
> This is the issue that Juniper covers under PSN-2009-01-200, 
> and all code built after 2009-01-26 appears to be fixed in 
> this regard. This is the same issue that was reported back in 
> December. The root issue tonight is an AS4_PATH of "( 65490 
> 65410 ) 8758 196621" associated with prefix 193.5.68.0/23, 
> and the BGP update is captured here:

196621 is Quagga
8758 is Foundry
6830 is Juniper, whom we're working with on a workaround and fixed code.

 
> http://www.paste-it.net/public/p698b04/
> 
> 2) Some routers will drop the BGP session upon receipt of an 
> AS4_PATH with the leaked confederation information. I've 
> heard quite a few reports of this behavior causing impact to 
> DSL users connected to Juniper ERX/E-series boxes running 
> JUNOSe. I'm not an ERX user myself, but I'm told one way to 
> work around this issue is to configure "neighbor x.x.x.x lenient".

This one is PSN-2008-12-130, which was pushed out on 2009-03-04. We will be
working on a new way to push out Security Advisories, since this one seems
not to have been received by the people who needed it.

> 3) There appears to be another unrelated issue under JUNOS 
> 9.1R1 (and possibly other versions, but NOT 9.2 images as 
> originally thought) wherein the router accepted the invalid 
> AS4_PATH attribute, but then propagated an extremely 
> corrupted version of the update to its neighbors, causing 
> them (all bgp neighbors, even non-AS4 speakers) to drop the 
> BGP session with the 9.1R1 routers upon receipt. This is what 
> was captured here:
> 
> http://www.paste-it.net/public/o83f44b/


This one is a new one and we are interested in getting more information so we
can track it down. We've been diving into the depths of how BGP handles
malformed mandatory and optional transitive attributes since Dec's incident.
If you have not seen it, please look through an Internet Draft to change some
behavior:

Error Handling for Optional Transitive BGP Attributes 
draft-scudder-idr-optional-transitive-01.txt

Barry

Barry Raveendran Greene
Director, Juniper Security Incident Response Team (SIRT)

Tel (Office): +1 408 936-6887
Tel (Cell): +1 408 218-4669
E-mail: bgreene at juniper.net
Chat Locations:
AIM: Barry R Greene
MSN: BarryRGreene
Yahoo: BarryRGreene
Skype: barrygreene
Jabber: barryrgreene at jabber.tisf.net
MSN: BarryRGreene at hotmail.com

PGP: 0x16BF45F3


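The attribute at the centre of this thread is AS4_PATH, which carries 4-byte ASNs in segments of the same shape as AS_PATH (type, count, ASNs). The leaked path "( 65490 65410 ) 8758 196621" is invalid because confederation segment types have no business in AS4_PATH, and the incident shows two bad receiver reactions: tearing down the session, or accepting the attribute and re-advertising a corrupted one. The following Python is an added example, not code from this message, from Juniper or from Quagga; it parses an AS4_PATH value, renders it in the notation used above, and returns an attribute-level verdict (keep the session, discard only the attribute) for confederation leaks and truncated encodings, which is the direction the cited optional-transitive draft took and what RFC 6793 and RFC 7606 later specified. The `encode_as4_path` helper, the verdict strings and the sample values are constructed for the demo; the path itself is the one quoted in the thread.

```python
import struct

# BGP path-attribute type code and AS_PATH segment types (RFC 4271 / RFC 4893).
AS4_PATH_TYPE_CODE = 17
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
KNOWN_SEGMENT_TYPES = {AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET}
CONFED_SEGMENT_TYPES = {AS_CONFED_SEQUENCE, AS_CONFED_SET}

# The leaked path from the thread: a confederation sequence followed by the
# public sequence 8758 196621 (196621 needs 4 bytes, hence AS4_PATH).
LEAKED_PATH = [(AS_CONFED_SEQUENCE, [65490, 65410]), (AS_SEQUENCE, [8758, 196621])]


def encode_as4_path(segments):
    """Build the value field of an AS4_PATH attribute (constructed helper).
    segments: list of (segment_type, [asn, ...]); every ASN is 4 bytes wide."""
    out = bytearray()
    for seg_type, asns in segments:
        out += struct.pack("!BB", seg_type, len(asns))
        for asn in asns:
            out += struct.pack("!I", asn)
    return bytes(out)


def parse_as4_path(value):
    """Parse an AS4_PATH value into (segment_type, [asn, ...]) tuples.
    Raises ValueError on unknown segment types or truncated data, so that
    the caller, not the parser, decides what to do with a malformed attribute."""
    segments = []
    i = 0
    while i < len(value):
        if len(value) - i < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[i], value[i + 1]
        i += 2
        if seg_type not in KNOWN_SEGMENT_TYPES:
            raise ValueError("unknown segment type %d" % seg_type)
        need = 4 * count
        if len(value) - i < need:
            raise ValueError("segment announces %d ASNs but only %d bytes remain"
                             % (count, len(value) - i))
        asns = list(struct.unpack("!%dI" % count, value[i:i + need]))
        i += need
        segments.append((seg_type, asns))
    return segments


def format_path(segments):
    """Render segments the way the thread writes them: ( ) for a confederation
    sequence, [ ] for a confederation set, { } for an AS_SET."""
    brackets = {AS_CONFED_SEQUENCE: ("(", ")"), AS_CONFED_SET: ("[", "]"),
                AS_SET: ("{", "}")}
    parts = []
    for seg_type, asns in segments:
        body = " ".join(str(a) for a in asns)
        if seg_type in brackets:
            left, right = brackets[seg_type]
            parts.append("%s %s %s" % (left, body, right))
        else:
            parts.append(body)
    return " ".join(parts)


def check_as4_path(value):
    """Return (verdict, reason). 'ok' means the attribute may be used;
    'discard-attribute' means drop AS4_PATH for this update and keep the
    session, for either a confederation leak or a malformed encoding."""
    try:
        segments = parse_as4_path(value)
    except ValueError as exc:
        return "discard-attribute", "malformed AS4_PATH: %s" % exc
    for seg_type, asns in segments:
        if seg_type in CONFED_SEGMENT_TYPES:
            return ("discard-attribute",
                    "confederation segment leaked into AS4_PATH: %s"
                    % format_path(segments))
    return "ok", ""


if __name__ == "__main__":
    for label, path in (("leaked", LEAKED_PATH),
                        ("clean", [(AS_SEQUENCE, [8758, 196621])])):
        print(label, check_as4_path(encode_as4_path(path)))
    # Constructed truncated attribute: header promises 2 ASNs, body holds 6 bytes.
    print("truncated", check_as4_path(b"\x02\x02\x00\x00\x22\x36"))
```

A receiver built this way never escalates an attribute problem to a NOTIFICATION, so one peer's leak cannot take down the session; the verdict and the rendered path are what you would log to find the originating confederation border.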

