Did your BGP crash today?

Richard A Steenbergen ras at e-gerbil.net
Fri Aug 27 21:23:09 UTC 2010

On Fri, Aug 27, 2010 at 01:43:39PM -0700, Clay Fiske wrote:
> If -everyone- dropped the session on a bad attribute, it likely 
> wouldn't make it far enough into the wild to cause these problems in 
> the first place.

And if everyone filtered their BGP customers there would be no routing 
leaks, but we've seen how well that works. :)

The "if anything bad happens, drop the session" method of protection is 
only effective if EVERY BGP implementation catches EVERY malformed 
update EVERY time, which just doesn't match up with reality. Not only 
that, but a healthy number of the bgp update issues over the years have 
actually been the result of implementations detecting perfectly valid 
things as invalid, which means by definition the implementations which 
get it right and don't drop the session act as carriers and spread the 
problem route globally. How long as we going to continue to act like 
this method of protection is actually working?

Lets be reasonable, if your basic bgp message format is malformed you're 
going to need to drop the session. If the packet is corrupted or the 
size of the message doesn't match whats in the tlv, you're not going to 
be able to continue and you'll have to drop the session. But there are 
still a huge number of potential issues where it would be perfectly safe 
to drop the update you didn't like, and support for this could easily be 
negotiated and the sending side informed of the issue by a soft 
notification extension. I have yet to see a single argument against this 
which isn't political or philosophical in nature.

Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

More information about the NANOG mailing list