Knowledge Search


×
 

BGP Malformed AS-4 Byte Transitive Attributes Drop BGP Sessions

  [JSA10422] Show Article Properties


Legacy Advisory Id:
PSN-2010-01-626
Product Affected:
All JUNOS Devices
Problem:
This Security Advisory updates PSN-2009-01-200.

Several issues with JUNOS sending & receiving malformed BGP 4-Byte transitive attributes have been seen operationally on the Internet. JUNOS routers which receive these malformed attributes will strictly comply with the BGP specs and drop the BGP session. This issue has been previously addressed a prior Security Advisory - PSN-2009-01-200 (BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH). This Security Advisory provides an update and further details from an extensive audit to remediate this issue.

As previously mentioned, when sending a BGP UPDATE message, JUNOS may include the following segment types in the AS4_path attribute:
* AS_CONFED_SEQUENCE{*}
* AS_CONFED_SET{*}

This inclusion is in violation of RFC 4893.

When the BGP UPDATE message is received by a BGP peer that is capable of processing the AS4_PATH attribute, the receiving peer determines that the AS4_PATH attribute is malformed and clears the BGP session (as is required by Section 6 of RFC 4271). Clearing the BGP session may cause service disruption. This problem is amplified by the transitive, optional nature of the AS4_PATH attribute. When a BGP speaker that cannot process the AS4_PATH attribute receives an UPDATE message containing a malformed AS4_PATH attribute, it may relay that malformed attribute to its BGP peers, causing those BGP sessions to reset.

This issue was mentioned on the NANOG mailing list (http://www.merit.edu/mail.archives/nanog/msg14393.html) and at the NANOG 45 Conference (http://www.nanog.org/meetings/nanog45/presentations/Monday/Davidson_asn4_breaks_light_N45.pdf).

Juniper has validated the work done by Andy Davidson, NetSumo (andy.davidson@netsumo.com), Jonathan Oddy, Hostway UK (jonathan.oddy@hostway.co.uk), and Rob Shakir, GX Networks (rjs@eng.gxn.net).

A fix has been completed and applied to all images which has yet to reach End of Engineering (EOE). Additionally, resilience has been added to BGP to have it more tolerant to malformed transitive attributes - protecting BGP sessions which should not be pulled down. This additional resiliency capabilities is currently in the IETF's IDR working group (see Error Handling for Optional Transitive BGP Attributes at www.ietf.org).

Solution:
Customers are recommended to upgrade JUNOS through planned and methodical upgrade processes.

All JUNOS software releases built on or after January 21, 2009 has fixed malformed BGP transitive attribute issues. This specifically includes 9.1R4, 9.2-20090130-SR, 9.2R4, 9.3-20090227-SR, 9.3R3, 9.4R1, and all subsequent releases.

The PRs for this issue are 417046.

This only impact JUNOS from 9.1R1 forward. 4-byte ASNs were introduced in JUNOS in 9.1R1 (released before 20090126).

Implementation:
How to obtain Service Releases:

Security vulnerabilities are fixed in the next available Maintenance Release of each supported JUNOS version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory notices will indicate which Maintenance and/or Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.
Related Links:
CVSS Score:
7.1. (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Severity Level:
Critical
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."