
JUNOSe tears down BGP session when receiving an UPDATE message with AS4_PATH attribute containing illegal AS_CONFED_SEQUENCE or AS_CONFED_SET types



Article ID: JSA10397 SECURITY_ADVISORIES Last Updated: 09 May 2013Version: 2.0
Product Affected:
ERX 310/700/705/1410/1440, E120, E320

When an E-series router running an affected release of JUNOSe receives a BGP UPDATE message containing an AS4_PATH attribute that itself contains a segment of type AS_CONFED_SEQUENCE or AS_CONFED_SET, the router tears down the BGP session to the peer; those segment types are illegal in AS4_PATH per RFC 4893. While tearing down the session is technically correct, it is undesirable and inconsistent with the de facto behavior of other BGP implementations.

The E-series router terminates the session with a NOTIFICATION message carrying Error Code 3 (UPDATE Message Error) and Subcode 9 (Optional Attribute Error). This causes the BGP session to "flap", that is, to reconnect and fail again repeatedly, because the peer retransmits the same erroneous but otherwise acceptable UPDATE message as soon as the connection is re-established.

This issue is tracked internally as CQ 88706.

No other Juniper Networks products are affected by this vulnerability.

The following JUNOSe software releases (used on E-series routers) contain modified code to ignore the illegal extended attribute: 8.1.4p0-4, 8.2.4p0-7, 9.0.2p0-1, 9.1.2p0-1, 9.2.1p0-1, 9.3.0p0-1, 10.0.0

If bgpMessages logging is enabled at WARNING level or lower, the following log message will be displayed:

WARNING 01/01/2008 19:34:52 bgpMessages (default, UPDATE message from peer in core: new-as-path contains segment type confed-sequence (not allowed)

In order to stop the BGP session flaps, a per-neighbor configuration option exists that causes JUNOSe to ignore any illegal or incorrectly formatted attributes:

ERX(config)#router bgp <AS#>
ERX(config-router)#neighbor <x.x.x.x> lenient

Note that this workaround is less desirable than the recommended software upgrade. When 'lenient' is configured, the BGP session is not dropped, but the entire contents of the offending UPDATE are ignored. In patched releases of JUNOSe, the UPDATE is instead "repaired": only the illegal attribute is ignored, and the reachability changes found in the remainder of the UPDATE are consumed.

Juniper Networks recommends that the 'lenient' switch only be used as a temporary workaround while plans are made to upgrade to a later release of JUNOSe.
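The three behaviors described above (unpatched tear-down, 'lenient', and the patched "repair") can be modelled with a small path-attribute decoder. The following is an added illustration, not JUNOSe code; the attribute bytes are constructed for the example, and the segment-type and error-code numbers are those of RFC 4271 and RFC 4893.

```python
import struct

AS4_PATH = 17                                  # path attribute type code (RFC 4893)
AS_SET, AS_SEQUENCE = 1, 2                     # segment types allowed in AS4_PATH
AS_CONFED_SEQUENCE, AS_CONFED_SET = 3, 4       # confederation segments: illegal in AS4_PATH
UPDATE_MESSAGE_ERROR, OPTIONAL_ATTRIBUTE_ERROR = 3, 9   # NOTIFICATION code / subcode

def parse_attributes(data: bytes):
    """Split an UPDATE's Path Attributes field into (flags, type_code, value) tuples."""
    attrs, i = [], 0
    while i < len(data):
        flags, code = data[i], data[i + 1]
        if flags & 0x10:                                   # Extended Length bit set
            length = struct.unpack_from("!H", data, i + 2)[0]
            i += 4
        else:
            length = data[i + 2]
            i += 3
        attrs.append((flags, code, data[i:i + length]))
        i += length
    return attrs

def as4_path_segments(value: bytes):
    """Decode AS4_PATH into (segment_type, [4-byte ASNs]); reject confederation segments."""
    segs, i = [], 0
    while i < len(value):
        seg_type, count = value[i], value[i + 1]
        if seg_type in (AS_CONFED_SEQUENCE, AS_CONFED_SET):
            raise ValueError("AS4_PATH segment type %d not allowed" % seg_type)
        asns = list(struct.unpack_from("!%dI" % count, value, i + 2))
        segs.append((seg_type, asns))
        i += 2 + 4 * count
    return segs

def process_update(data: bytes, mode: str = "strict"):
    """mode: 'strict' (unpatched), 'lenient' (neighbor ... lenient) or 'repair' (patched)."""
    kept = []
    for _flags, code, value in parse_attributes(data):
        if code == AS4_PATH:
            try:
                as4_path_segments(value)
            except ValueError:
                if mode == "strict":     # send NOTIFICATION 3/9, session torn down
                    return "notify", (UPDATE_MESSAGE_ERROR, OPTIONAL_ATTRIBUTE_ERROR)
                if mode == "lenient":    # session kept, whole UPDATE ignored
                    return "ignore", []
                continue                 # repair: drop only the illegal attribute
        kept.append((code, value))
    return "accept", kept                # remaining attributes are consumed

# Constructed sample: ORIGIN (IGP) followed by an AS4_PATH whose only segment is an
# AS_CONFED_SEQUENCE of two 4-byte ASNs (65536, 65537); total value length is 10 bytes.
ORIGIN = bytes([0x40, 1, 1, 0])
BAD_AS4_PATH = bytes([0xC0, AS4_PATH, 10, AS_CONFED_SEQUENCE, 2]) + struct.pack("!II", 65536, 65537)
SAMPLE_UPDATE_ATTRS = ORIGIN + BAD_AS4_PATH
```

Running `process_update(SAMPLE_UPDATE_ATTRS, mode)` for each mode shows why only the repair mode both keeps the session up and preserves the reachability information carried alongside the bad attribute.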
Severity Assessment:
Receipt of BGP malformed attributes can cause BGP sessions to drop. While this behavior is technically correct according to RFC 4893, it is undesirable in production networks.
