AS path question.

: ...but just to be safe I added it to all my routers. I
: don't know where I came up with the magical 75 number,
: but it definitely seems reasonable that anything with
: 75+ ASNs in the path probably don't deserve to be in
: my table.

Wasn't that it made me feel safe, but I do have to worry about my downstream customers who did exhibit the bug. As a provider, it falls within my goals to limit damage that might occur downstream in my customers' networks. Any time a bug in BGP that can be passed along rears its ugly head, I take notice and see what changes I might need to make to protect my downstream customers.

To date, I haven't seen any of them affect my routers. I have also looked into issues with dampening, as I don't generally dampen myself, but some of the downstream BGP routers can't handle the processor load when things become extremely unstable.

Jack

In theory, nothing. In practice:

http://www.cisco.com/en/US/products/products_security_advisory09186a0080af150f.shtml
https://bugzilla.quagga.net/show_bug.cgi?id=396
http://tools.cisco.com/security/center/viewAlert.x?alertId=17670

It's one of those belt+braces things that's now considered good practice.

Nick

If it's not a private AS, and it is the one that I own, who cares? AS-Path is the best mandatory value that is completely within my control to manipulate, which explains its proliferation in the network. I'd rather do it myself than have to rely on someone else.

That being said, I've found that more vendors are manipulating local preference values themselves, but offer local preference and other attributes to be set upstream. Which now has shifted the de-facto standards of MED and AS-PATH to the back burner.

Sincerely,

Brian A. Rettke
RHCT, CCDP, CCNP, CCIP
Network Engineer, CableONE Internet Services

Ignorance of BGP? There's a known Cisco bug that causes BGP session resets when an as-path length exceeds 255. I've been running with bgp maxas-limit 75 for years as a "just in case there are other bugs & I find it very hard to believe anyone legitimately needs an as-path length anywhere near that long". Worst case, someone is silly with their number of prepends, we don't see their route. I can't say how long I've been doing this...it predates our rancid setup, which means >6 years. Though it's caused numerous dropped routes, it hasn't generated a single complaint.

In your opinion, is filtering of BGP routes based on prefix length also a sign of ignorance? Everyone should just be letting all the crap through?
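
An added example, not part of the thread or any vendor's code: a Python sketch of the AS-path length filter discussed above, applied to constructed AS_PATH attributes. The function names are hypothetical, 4-octet ASN encoding is assumed, and counting every ASN (prepends included) against the limit of 75 is an assumption about how such a limit is applied.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2      # segment types from RFC 4271
MAXAS_LIMIT = 75                # the limit quoted in the thread

def build_segment(seg_type, asns):
    """Encode one AS_PATH segment using 4-octet ASNs (assumed encoding)."""
    if not 0 < len(asns) <= 255:
        raise ValueError("segment length is one octet: 1..255 ASNs")
    return struct.pack("!BB%dI" % len(asns), seg_type, len(asns), *asns)

def parse_as_path(data):
    """Return [(segment_type, [asn, ...]), ...]; ValueError if malformed."""
    segments, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated segment header")
        seg_type, count = data[off], data[off + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE) or count == 0:
            raise ValueError("bad segment type or empty segment")
        off, end = off + 2, off + 2 + 4 * count
        if end > len(data):
            raise ValueError("segment overruns the attribute")
        segments.append((seg_type, list(struct.unpack("!%dI" % count, data[off:end]))))
        off = end
    return segments

def asn_count(segments):
    """Every ASN in the path, prepends included (what this filter limits)."""
    return sum(len(asns) for _, asns in segments)

def accept_route(data, limit=MAXAS_LIMIT):
    """Return False (drop the route) when the path is too long or malformed."""
    try:
        return asn_count(parse_as_path(data)) <= limit
    except ValueError:
        return False

# Constructed samples using documentation ASNs (64496-64511).
NORMAL = build_segment(AS_SEQUENCE, [64500, 64501, 64502])
PREPENDED = build_segment(AS_SEQUENCE, [64500] + [64510] * 80)
# 300 ASNs cannot fit in one segment, so the path is split 255 + 45.
OVERSIZE = (build_segment(AS_SEQUENCE, [64511] * 255)
            + build_segment(AS_SEQUENCE, [64511] * 45))

if __name__ == "__main__":
    for name, path in (("normal", NORMAL), ("prepended", PREPENDED), ("oversize", OVERSIZE)):
        print(name, asn_count(parse_as_path(path)), "accept" if accept_route(path) else "drop")
```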

There is the argument that anyone with that many prepends doesn't really
want you to see that route anyway and if anything changed on their end
where they really wanted people to see the route and use it, they would
reduce the prepends.

Ezzactly. Of course, the victim of the dropped route has no easy way to figure
out that you've dropped his route, and continues to cruise along oblivious to
what happened...

Unless they actually want to talk to one of our customers or one of our customers wants to talk to them.

Speaking of prepends, what's the community opinion on prepending someone else's ASN on your routes for TE purposes if you're announcing routes you don't want certain AS's to see, but don't have a communities knob that works for those networks? I was pretty negative on the idea until I was in the situation of having a working knob taken away. Nobody's complaining about it...probably not even noticing it.

Per usual, I'm sure some people look on it with distaste, though I feel that is an emotional response and not a technical viewpoint, as it is a perfect way of handling hinge case workarounds that are usually temporary in nature.

Jack

I admit it. I'm feeling smug today.

Nick