BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH

Hi Rob,

Eloy Paris from the Cisco PSIRT here. Please see below (inline) for
some comments regarding the issue you brought up in your email to the
cisco-nsp and nanog mailing lists this past Jan. 16th:

Strict RFC 4893 (4-byte ASN support) BGP4 implementations are
vulnerable to a session reset by distant (not directly connected)
ASes. This vulnerability is a feature of the standard, and unless
immediate action is taken an increasingly significant number of
networks will be open to attack. Accidental triggering of this
vulnerability has already been seen in the wild, although the limited
number of RFC 4893 deployments has limited its effect.

It is possible to cause BGP sessions to remotely reset by injecting
invalid data into the AS4_PATH attribute provided to store 4-byte ASN
paths. Since AS4_PATH is an optional transitive attribute, the invalid
data will be transited through many intermediate ASes which will not
examine the content. To be vulnerable, an operator does not have to
be actively using 4-byte AS support. This problem was first reported
by Andy Davidson on NANOG in December 2008 [0]; furthermore, we have
been able to demonstrate that a device running Cisco IOS release
12.0(32)S12 behaves as per this description.



Cisco Bug CSCsx10140 was filed for Cisco IOS. Cisco IOS behaves exactly
as you described - upon receipt of AS_CONFED_SEQUENCE data in the
AS4_PATH attribute IOS will send a NOTIFICATION message to the peer,
which causes a termination of the BGP session. After the fix for this
bug IOS will ignore AS_CONFED_SEQUENCE data in the AS4_PATH attribute of
received BGP UPDATE messages and continue to process the UPDATE. This is
the new behavior that the revised RFC 4893 will require.

CSCsx18598 was filed for Cisco IOS XR. Cisco IOS XR doesn't reset the
session but accepts and forwards the invalid AS4_PATH data, so this bug
was filed to change this behavior.

CSCsx23179 was filed for Cisco NX-OS (for the Nexus switches). Cisco
NX-OS behaves like IOS (it will reset the BGP session when it sees
AS_CONFED_SEQUENCE data in the AS4_PATH attribute), and this bug was
filed to change this and have the BGP implementation in Cisco NX-OS
follow the revised RFC 4893.

The Release Notes for each bug may have some additional
information. These are available via the Bug Toolkit on

To date, the only version of Cisco IOS that supports 4-byte AS numbers
is 12.0(32)S12, released in late December. A fix to the 12.0(32)Sxx
branch has been committed so the next 12.0(32)S-based release will have
the fix. 12.0(32)SY8 is coming out soon, and it will also have support
for 4-byte AS numbers, as well as the fix for the problem.

Thanks for bringing attention to this issue and for working with us,
specifically with the Cisco TAC, to get to the bottom of it and test
the proposed fix.


--

Eloy Paris
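As an added illustration, and not code from this thread, from Cisco, or from the RFC, the following Python sketch contrasts the two receive-side behaviours described above: the pre-fix handling, where an AS_CONFED_SEQUENCE (or AS_CONFED_SET) segment inside AS4_PATH is treated as a malformed attribute and answered with a NOTIFICATION that tears the session down, and the revised-RFC-4893 handling (later published as RFC 6793), where the confederation segments are discarded and the UPDATE is processed normally. The AS4_PATH wire layout used (one byte segment type, one byte ASN count, then 4-byte ASNs) is the one the RFC specifies; the function names, the exception class and the sample attribute are constructed for this example.

```python
import struct

# Path segment type codes (RFC 4271 / RFC 5065); AS_CONFED_* MUST NOT appear in AS4_PATH.
AS_SET = 1
AS_SEQUENCE = 2
AS_CONFED_SEQUENCE = 3
AS_CONFED_SET = 4
CONFED_TYPES = (AS_CONFED_SEQUENCE, AS_CONFED_SET)


class BgpNotification(Exception):
    """Stands in for the point where a strict speaker would send a NOTIFICATION
    and close the session (constructed for this example)."""


def parse_as4_path(data):
    """Split a raw AS4_PATH attribute value into (segment_type, [asn, ...]) tuples.

    Each segment is: type (1 byte), count (1 byte, number of ASNs), count * 4 bytes of
    network-order 4-byte ASNs.  Length errors are genuinely malformed and still reset.
    """
    segments = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise BgpNotification("truncated segment header")
        seg_type, count = data[i], data[i + 1]
        i += 2
        need = 4 * count
        if i + need > len(data):
            raise BgpNotification("segment length exceeds attribute length")
        asns = list(struct.unpack("!%dI" % count, data[i:i + need]))
        i += need
        segments.append((seg_type, asns))
    return segments


def as4_path_strict(data):
    """Pre-fix behaviour from the thread: a confederation segment in AS4_PATH is
    treated as a malformed attribute, so the session is torn down."""
    segments = parse_as4_path(data)
    for seg_type, _ in segments:
        if seg_type in CONFED_TYPES:
            raise BgpNotification("AS_CONFED_* segment in AS4_PATH")
    return segments


def as4_path_revised(data):
    """Fixed behaviour: drop the confederation segments and keep processing the
    UPDATE with whatever remains of AS4_PATH."""
    return [(t, a) for t, a in parse_as4_path(data) if t not in CONFED_TYPES]


def strict_would_reset(data):
    """True if the strict handler would have sent a NOTIFICATION for this attribute."""
    try:
        as4_path_strict(data)
    except BgpNotification:
        return True
    return False


def encode_as4_path(segments):
    """Inverse of parse_as4_path; used only to build the constructed sample below."""
    out = bytearray()
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)])
        out += struct.pack("!%dI" % len(asns), *asns)
    return bytes(out)


# Constructed sample attribute: a normal AS_SEQUENCE of two 4-byte ASNs followed by a
# leaked AS_CONFED_SEQUENCE, the shape of data the thread says reset IOS sessions.
SAMPLE_AS4_PATH = encode_as4_path([
    (AS_SEQUENCE, [65536, 3000000]),
    (AS_CONFED_SEQUENCE, [65001]),
])

if __name__ == "__main__":
    print("strict handler resets session:", strict_would_reset(SAMPLE_AS4_PATH))
    print("revised handler keeps:", as4_path_revised(SAMPLE_AS4_PATH))
```

Because AS4_PATH is optional transitive, a speaker that does not understand it (or one that, like the IOS XR behaviour noted above, accepts it without checking) forwards the bytes unchanged, which is why the offending segment can arrive from an AS several hops away; the revised handler above is the behaviour that makes the receiving side indifferent to that.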