Mitigation techniques for BGP updates containing malformed attributes

Article ID: JSA10491 (Security Advisories)
Last Updated: 09 May 2013
Version: 5.0
Legacy Advisory Id:
PSN-2011-09-380
Product Affected:
Effective on all Junos routers configured for BGP
Problem:

Recently there have been several occurrences of corrupt optional transitive attributes being propagated via BGP across the Internet. A router that does not recognize an optional transitive attribute does not inspect its contents; it passes the attribute along unchanged with the Partial bit set, as RFC 4271 requires. The first router along the path that does understand the attribute and determines it to be corrupt sends a NOTIFICATION and closes the BGP session, so the session reset occurs far from the source of the corruption. One such optional transitive attribute with sparse vendor support is ATTR_SET (type code 128), as defined in draft-ietf-l3vpn-ibgp. Note that Junos 8.x and earlier does not support 4-byte ASNs and therefore would not recognize corruption in attributes specific to 4-byte ASNs (such as AS4_PATH and AS4_AGGREGATOR).

Releases prior to Junos 9.1 that understand a corrupted transitive attribute tear down the session, in accordance with RFC 4271. Later Junos 9.x releases added an enhancement that allows a session to survive a corrupted update, depending on the value of the attribute's Partial bit. Refer to PSN-2010-10-969 for details of this selective leniency.

Starting with Junos 10.2, a further configuration option, 'drop-path-attributes', allows a router to discard specific path attributes entirely. This option is useful for fine-tuning the path attributes accepted in BGP updates, allowing customers to filter invalid or undesired attributes by type code. Because the drop takes effect during inbound processing, before the attribute is parsed for validity or stored for re-advertisement, the problems caused by corrupt transitive attributes of the dropped types are mitigated on the local router and are not passed on to its peers.
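The following Python model illustrates the three behaviours described above: a speaker that does not recognize ATTR_SET passes it along with the Partial bit set, a speaker that does recognize it validates the nested attributes and sends a NOTIFICATION on corruption, and an inbound drop of type code 128 removes the attribute before either step happens. This is an added example written for this article, not Junos code; the attribute bytes are constructed for the example, and the ATTR_SET layout (4-octet Origin AS followed by nested path attributes) follows the draft cited above.

```python
"""Model of BGP path-attribute handling (added example, not Juniper code).

Parses the Path Attributes field of a BGP UPDATE, applies the RFC 4271 rules
for unrecognized attributes, validates ATTR_SET (type code 128) on a speaker
that understands it, and shows how dropping a type code during inbound
processing keeps a corrupt attribute from ever reaching the validator.
All sample bytes are constructed for this example.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Attribute flag bits (RFC 4271 section 4.3).
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_PARTIAL, FLAG_EXT_LEN = 0x80, 0x40, 0x20, 0x10

ATTR_ORIGIN, ATTR_AS_PATH, ATTR_NEXT_HOP = 1, 2, 3
ATTR_SET = 128  # optional transitive, draft-ietf-l3vpn-ibgp

# Type codes every speaker in this model implements.
BASE_KNOWN_TYPES = frozenset({ATTR_ORIGIN, ATTR_AS_PATH, ATTR_NEXT_HOP})


@dataclass
class PathAttribute:
    flags: int
    type_code: int
    value: bytes

    def encode(self) -> bytes:
        """Re-encode, using the Extended Length form only when the value needs it."""
        if len(self.value) > 255:
            return bytes([self.flags | FLAG_EXT_LEN, self.type_code]) + struct.pack("!H", len(self.value)) + self.value
        return bytes([self.flags & ~FLAG_EXT_LEN, self.type_code, len(self.value)]) + self.value


def parse_path_attributes(blob: bytes) -> list[PathAttribute]:
    """Parse a Path Attributes field; raise ValueError on any length inconsistency."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 3:
            raise ValueError("truncated attribute header")
        flags, type_code = blob[i], blob[i + 1]
        if flags & FLAG_EXT_LEN:
            if len(blob) - i < 4:
                raise ValueError("truncated extended length field")
            length, i = struct.unpack_from("!H", blob, i + 2)[0], i + 4
        else:
            length, i = blob[i + 2], i + 3
        if i + length > len(blob):
            raise ValueError(f"attribute {type_code}: length {length} overruns the UPDATE")
        attrs.append(PathAttribute(flags, type_code, blob[i:i + length]))
        i += length
    return attrs


def validate_attr_set(value: bytes) -> None:
    """ATTR_SET value: 4-octet Origin AS followed by nested path attributes."""
    if len(value) < 4:
        raise ValueError("ATTR_SET shorter than its Origin AS field")
    parse_path_attributes(value[4:])


def drop_path_attributes(blob: bytes, drop_codes: set[int]) -> bytes:
    """Inbound filter equivalent to 'set protocols bgp drop-path-attributes <codes>'."""
    kept = [a for a in parse_path_attributes(blob) if a.type_code not in drop_codes]
    return b"".join(a.encode() for a in kept)


def process_update(blob: bytes, drop_codes: frozenset[int] = frozenset(),
                   understands_attr_set: bool = True) -> tuple[str, object]:
    """Return ('ok', attributes to keep/re-advertise) or ('notification', reason).

    understands_attr_set=False models a router without ATTR_SET support: it passes
    the attribute along with the Partial bit set. understands_attr_set=True models
    a router that validates it and sends a NOTIFICATION on corruption (pre-9.1
    Junos behaviour). drop_codes removes type codes before either step.
    """
    try:
        attrs = parse_path_attributes(blob)
    except ValueError as err:
        return "notification", f"UPDATE Message Error: {err}"
    attrs = [a for a in attrs if a.type_code not in drop_codes]
    known = BASE_KNOWN_TYPES | ({ATTR_SET} if understands_attr_set else set())
    out: list[PathAttribute] = []
    for a in attrs:
        if a.type_code not in known:
            if not a.flags & FLAG_OPTIONAL:
                return "notification", f"Unrecognized Well-known Attribute {a.type_code}"
            if a.flags & FLAG_TRANSITIVE:  # pass along unchanged, Partial bit set
                out.append(PathAttribute(a.flags | FLAG_PARTIAL, a.type_code, a.value))
            continue  # unrecognized optional non-transitive: quietly ignored
        if a.type_code == ATTR_SET:
            try:
                validate_attr_set(a.value)
            except ValueError as err:
                return "notification", f"Malformed Attribute List: ATTR_SET {err}"
        out.append(a)
    return "ok", out


# Constructed sample: ORIGIN IGP, AS_PATH {65001}, NEXT_HOP 192.0.2.1, then an
# ATTR_SET (flags 0xC0 = optional+transitive, Origin AS 65002) whose nested
# ORIGIN header claims 5 value bytes that are not present, i.e. it is corrupt.
ORIGIN_IGP = bytes([0x40, ATTR_ORIGIN, 1, 0x00])
AS_PATH_65001 = bytes([0x40, ATTR_AS_PATH, 4, 0x02, 0x01, 0xFD, 0xE9])
NEXT_HOP_192_0_2_1 = bytes([0x40, ATTR_NEXT_HOP, 4, 192, 0, 2, 1])
CORRUPT_ATTR_SET = bytes([0xC0, ATTR_SET, 7, 0x00, 0x00, 0xFD, 0xEA, 0x40, 0x01, 0x05])
SAMPLE_ATTRS = ORIGIN_IGP + AS_PATH_65001 + NEXT_HOP_192_0_2_1 + CORRUPT_ATTR_SET

if __name__ == "__main__":
    print("no ATTR_SET support     :", process_update(SAMPLE_ATTRS, understands_attr_set=False)[0])
    print("ATTR_SET support        :", process_update(SAMPLE_ATTRS))
    print("drop-path-attributes 128:", process_update(SAMPLE_ATTRS, frozenset({ATTR_SET}))[0])
```

Running the script shows the same UPDATE producing "ok" on a router that ignores ATTR_SET, a NOTIFICATION on one that validates it, and "ok" again once type code 128 is dropped on input; the drop also means the corrupt bytes are never re-encoded towards downstream peers.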
Solution:

Routers running Junos 10.2 or later may selectively drop specific BGP path attributes that have been identified as causing peer flapping. For example, to drop ATTR_SET (type code 128):

[edit protocols bgp]
user@junos# set drop-path-attributes 128

This option must be configured in each routing instance in which BGP runs. For customers with many routing instances, configuration 'groups' with a wildcard can be used to simplify the configuration. For example:

groups {
    path-attributes {
        protocols {
            bgp {
                drop-path-attributes 128;
            }
        }
        routing-instances {
            <*> {
                protocols {
                    bgp {
                        drop-path-attributes 128;
                    }
                }
            }
        }
    }
}
apply-groups [ path-attributes ];


Dropping the path attributes has the additional benefit of protecting downstream routers from the corruption, since a dropped attribute is never re-advertised.
Note that this command is hidden from CLI auto-completion and must be typed in full.

Caution: Before configuring routers to drop specific path attributes, be sure that the specified attributes are not required for the normal operation of your network.

04-Oct-2011 Update: The associated configuration option 'bgp-ignore-path-attributes' has been removed from this notice, because ignoring BGP path attributes may not protect the router in all cases and situations.
Severity Level:
None
