anyone else seeing very long AS paths?
ip at ioshints.info
Tue Feb 17 19:58:48 UTC 2009
> We were dropping ALL prefixes and the eBGP session was still
Upstream or downstream?
> 1) "bgp maxas-limit 75" had no effect mitigating this problem
> on the IOS we were using. That is: it was previously verified
> to be working just fine to drop paths longer than 75, but
> once we started receiving paths >
> 255 then BGP started resetting.
I was able to receive BGP paths longer than 255 on IOS release 12.2SRC. The
paths were generated by Quagga BGP daemon.
12.2SRC causes the downstream session to break when the installed AS-path
length is close to 255 and you use downstream AS-path prepending.
In your case, I'm assuming you were hit with an older bug (probably at the
128 AS-path length boundary). It would be very hard to generate just the
right AS-path length to unintentionally break your upstream EBGP session (as
I said before, it's a nice targeted attack if you know your downstream
If your IOS is vulnerable to the older bugs that break inbound processing of
AS paths longer than 128, there's nothing you can do on your end. The
internal BGP checks reject the inbound update before the inbound filters (or
bgp maxas-limit) can touch it and reset the upstream BGP session.
Hope this helps
Disclaimer: as I don't have internal access to Cisco, all of the above is a
result of lab tests.
More information about the NANOG