[rbak-nsp] BGP Flapping after flag recive

Yury Shefer shefys at gmail.com
Wed Jan 31 01:27:27 EST 2018 

It would be great to capture the packet before it gets into the SmartEdge.
It seems that there is some memory/packet corruption problem:

the total length of update message is correct and it is 77 bytes. But the
total path attribute length is incorrect - in the log it is 0x32(50B) and
it should be 0x23(35B).

0x1+0xe+0x4+0x8+0x8=0x23

I tried to parse your packet quickly in the notepad:

BGP HEADER:
ffff ffff ffff ffff ffff ffff ffff ffff #MARKER
004d   #LENGTH: 77B
02   #BGP UPDATE


UPDATE MESSAGE:
00 00   #Unfeasible routes length
00 32  #Total path attributes length 50B - SHOULD BE 0x23 (35B) <<<<<

40 01   #Attribute type:
   b‭01000000 - FLAGS: well known, transitive, complete, attr lengh is 1
octet
   b00000001‬  - TYPE(1): ORIGIN
01  #Attribute length: 1B
00  #Origin type: IGP

40 02  #Attribute type:
   ‭b01000000 - FLAGS: well known, transitive, complete, attr lengh is 1
octet
   b00000010‬  - TYPE(2): AS PATH
0e   #Attribute Length: 14B
02  #AS_PATH Type: AS_SEQ
03   #AS_PATH Segment length: 3 ASes
0000 232a AS9002
0000 0c97 AS3223
0003 0fcb AS200651

4003 Attribute Type:
    ‭b01000000 -FLAGS: well known, transitive, complete, attr lengh is 1
octet
    b00000011‬  -TYPE(3): NEXT_HOP
04   Attribute Length: 4B
57f5f580 IP Address: 87.245.245.128

e007 Attribute Type:
  ‭b11100000  -FLAGS: optional, transitive, partial, attr lengh is 1 octet
  b00000111‬  -TYPE(7): AGGREGATOR
08   Attribute Lengh: 8B
0003 0fcb 5d72 28a2   #Aggregated by AS200651
      IP:93.114.40.162

c008 Attribute Type:
  b‭11000000  -FLAGS: optional, transitive, complete, attr lengh 1 oct
  b00001000‬  -TYPE(8): COMMUNITY
08  Attribute length: 8B
232a 232a 232a fc91  Attrubute value:
      9002:9002 (RETN Peer's route)
      9002:64657 (RETN Netherlands)

NLRI:
17 b964 54   185.100.84.0/23



On Tue, Jan 30, 2018 at 5:17 AM, Olivier Benghozi <
olivier.benghozi at wifirst.fr> wrote:

> By manually decoding I can see it's AS Path 9002 3223 200651 (200651 being
> 3.4043 for a SmartEdge), prefix 185.100.84.0/23, with an aggregator
> attribute that seems fine, and two communities.
> I don't see what is wrong, though, but it would be necessary to check
> every field and notably the lengths and so on.
>
>
> Le 30 janv. 2018 à 13:57, Marcin Kuczera <marcin at leon.pl> a écrit :
>
> On 2018-01-30 13:23, Michał Przywuski wrote:
>
> I found something like this :
>
> [BGP]Dareek#sh bgp malform update
> Jan 30 02:34:31 Malformed UPDATE msg (nbr 87.245.245.128, context
> 0x4008010a, 77 bytes, repeated 14 times, reason: Invalid msg) -
>  ffff ffff ffff ffff ffff ffff ffff ffff 004d 0200 0000 3240 0101 0040
> 020e 0203 0000 232a 0000 0c97 0003 0fcb 4003 0457 f5f5 80e0 0708 0003 0fcb
> 5d72 28a2 c008 0823
> 2a23 2a23 2afc 9117 b964 54
>
>
> So, take RFC and try to analyse this.
> Or maybe somehow try to import it into wireshark..
>
> --
Yury.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/redback-nsp/attachments/20180130/2fe2d11b/attachment.html>

More information about the redback-nsp mailing list