long as path games?

Someone at fido.net having some bgp config issues?

Jan 30 18:34:51 EST: %BGP-6-ASPATH: Long AS path 6461 3356 6770 8282 8282
8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
received from ...

I got this today from 2 of 3 transit providers (6461 and 3356).

Looks like someone probing for a buffer overflow on a world-wide basis.

-Hank

Router(config-router)#bgp maxas-limit ?
  <1-2000> Number of ASes in the AS-PATH attribute

Router(config-router)#bgp maxas-limit 50

  Easy to fix/reject.

  - jared

Specifically, they have the ability to tickle a legacy cisco bug with AS
path length. This bug was supposedly mitigated in code and I believe my
previous company is still filtering AS path length (UUNET) of 100 or
greater.

A valid AS-Path of greater than 100 has not yet been found (which was why
the filters were in place).

Well, long as-path of 100 is certain to be invalid (result of misconfig if
not direct probe for vulnerability). Would it be good to recommend that
ISPs filter at some as-path size, as it's easy and does not consume
router resources? What would be a good as-path size to filter on, just to
be certain no valid route is filtered (just in case, allow possible growth
of as-path up to 2x what it is now)?

In recent years there have been issues with memory allocation on
the order of path-length ~50. Similar to bogon filters, it is
recommended to take a survey of sane path lengths and your
own needs before deploying. Potentially useful data in this
regard is tracked by [surprise] cymru
  http://www.cymru.com/BGP/asnpalen01.html

In cisco-land, the max as-length was an undocumented command until
last year or so. A popular value appears to be in the 40-50 range
from folks I know using it.

Cheers,

Joe

just curious, why would it be invalid?

It's invalid in practice. You can build a network with as-path larger than
100 in your lab, but in the real world, we do not have this.

Of course you might say that it's possible that we have less than 100
networks and each one is prepending several of their own as# and real
number of networks is something like 20, but even that is too many and
each network as-prepending 5 of their own AS is also rather unlikely.

One thing I want to note to cisco and other vendor engineers is that one
easy way to deal with it might be good if there was a way to "cut" number
of as-prepends - i.e. for long as-path with number of same as## in sequence,
it might be good if router could automatically cut the number from 10+ to
say 3 for long as-path, i.e. I'd like to have this available:
neighbor x.x.x.x max-aspath-sequence 3

Then backbones could set this for their customers and we'll not have these
long sequences appearing in at-large bgp table.

so, 'dumb' but not 'invalid'... There might very well be networks (say not
on the internet) where as-paths longer than 100 might be required. Saying:
"they are invalid" isn't correct. Saying: "The use of as-path longer than
100 on today's Internet isn't helpful" is correct, or so say you and
at least blaine.

All I can honestly say is that I never saw valid advertisements > 100 used
on the Internet. I can not think of a good use in the Internet provider
space for an AS that long but who knows what may happen in the future. The
reason we set it to 100 was that we wanted to give plenty of room for
growth; realizing we were not going to be perfect about predicting future
needs. We could have set it lower but 100 was a nice round number <grin>.

I stopped recording all advertisements a few months ago but I suspect we are
still sub 50 and I am sure someone on this thread probably has that info at
their fingertips.

Since the bug itself revolved around an 8 bit variable it may even be safe
to set things at 200. If you are in a core role and you set the limit at
something like 254 you may have trouble prepending your AS as it could tip
you over the edge (WRT the potential for triggering that specific bug).

Regards and, I believe, congratulations Chris!

Blaine

P.S. Nothing in the above constitutes a recommendation to apply
configurations to routers. Use your own judgement and track your BGP table
for a few months before playing with these knobs.
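
Added example (not part of the original thread): a Python sketch of the survey recommended above before choosing a limit. It parses a %BGP-6-ASPATH syslog line, collapses prepend runs, and reports which paths a candidate limit would drop. The sample log and table are constructed, the function names are assumptions, and the limit is treated as "drop when the AS count exceeds N".

```python
import re
from collections import Counter
from itertools import groupby

# Constructed sample in the shape of the log line above: 3 ASes + 92 prepends of 8282.
SAMPLE_LOG = ("Jan 30 18:34:51 EST: %BGP-6-ASPATH: Long AS path 6461 3356 6770 "
              + " ".join(["8282"] * 92) + " received from ...")

# Constructed "normal" table entries, using documentation ASNs (RFC 5398).
TABLE = [
    [64500, 64501],
    [64500, 64502, 64503, 64503, 64503],
    [64500, 64504, 64505, 64506, 64507, 64508],
]

ASPATH_RE = re.compile(r"%BGP-6-ASPATH: Long AS path ((?:\d+\s+)+)received from")

def parse_long_aspath(line):
    """Return the AS path as a list of ints from a %BGP-6-ASPATH line, or None."""
    m = ASPATH_RE.search(line)
    return [int(asn) for asn in m.group(1).split()] if m else None

def prepend_runs(path):
    """Collapse consecutive repeats into [(asn, run_length), ...]."""
    return [(asn, len(list(group))) for asn, group in groupby(path)]

def survey(paths, limit):
    """Length histogram plus details of every path longer than `limit`."""
    lengths = Counter(len(p) for p in paths)
    dropped = []
    for p in paths:
        if len(p) > limit:
            runs = prepend_runs(p)
            dropped.append({
                "length": len(p),                        # ASes as counted by the filter
                "distinct_hops": len(runs),              # hops once prepends are collapsed
                "worst_prepend": max(runs, key=lambda r: r[1]),
            })
    return {"max_length": max(lengths),
            "histogram": dict(sorted(lengths.items())),
            "dropped": dropped}

if __name__ == "__main__":
    logged = parse_long_aspath(SAMPLE_LOG)
    for limit in (50, 100):
        result = survey(TABLE + [logged], limit)
        print(f"limit {limit}: max length {result['max_length']}, dropped {result['dropped']}")
```

With this sample the 95-AS path is dropped at a limit of 50 but passes a limit of 100, even though it is only 4 hops once the prepends are collapsed.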