ASN32 is still broken

In December 2008, I complained that the internet was broken for 4-byte ASN speakers. Together with Rob Shakir and Jonathan Oddy, we've been meticulously dissecting a vulnerability that could bring global networking to its knees.

Some brutally technical context: Every network on the internet needs a unique identifier. Currently, these Autonomous System Numbers (ASNs) range from 1 to 65,535—we're approaching 50,000 in use. RFC4893 was the community's elegant solution to expand this numbering system to 4-byte (32-bit) ASNs.

BGP (Border Gateway Protocol) allows large networks to configure internal 'confederations'—essentially virtual divisions within their network. The standard explicitly forbids these internal confederation IDs from being passed between networks in BGP messages.

But what happens when that rule is accidentally broken?

AS196629 is announcing routes to AS35320, who are not stripping confederation information from their large-ASN BGP messages. Learn this prefix via AS6886, and you're fine. Learn it via AS35320, and you're receiving a network-destroying message.

We tested this on a Cisco 7200 router with first-generation ASN4 support, peering with NetSumo's research network (AS15653). The results were surgical in their destruction:

*Jan 16 11:29:58.531: %BGP-5-ADJCHANGE: neighbor 193.239.32.2 Up
*Jan 16 11:30:02.595: %BGP-6-ASPATH: Invalid AS path (65044 65048 65062) 3.21 23456 received from 193.239.32.2: Confederation found in AS4_PATH
*Jan 16 11:30:02.595: %BGP-5-ADJCHANGE: neighbor 193.239.32.2 Down BGP Notification sent

The standard currently mandates that if confederation ASNs appear in the ASN4 part of a BGP message (the AS4_PATH attribute named in the log above), the connection between networks should be severed. This means a network that doesn't understand large ASNs can forward a broken message to a network that does—resulting in the receiving network tearing down its session.

The consequence? If this happens across all transit sessions, a network will lose its entire internet connectivity.

The message I reported in December is still leaking. Cisco honours the RFC precisely, which means a misconfigured message can disconnect an entire network from the internet.

We need to change BGP error handling behaviour. The current standard provides a simple mechanism to potentially "break the internet"—just waiting for unsuspecting network upgrades.
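To make the rule in the paragraphs above concrete, here is an added example (not code from the original post or from any vendor): a small parser for the AS4_PATH attribute that spots leaked confederation segments and applies either the strict behaviour the post describes (tear the session down) or an assumed softer policy that drops only the offending segments. The sample attribute bytes are constructed from the ASNs in the log line above.

```python
import struct

# Path segment type codes (RFC 4271 / RFC 5065 confederation types).
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
CONFED_TYPES = {AS_CONFED_SEQUENCE, AS_CONFED_SET}

def asdot(asn: int) -> str:
    """Render a 4-byte ASN the way the Cisco log above does (196629 -> '3.21')."""
    return f"{asn >> 16}.{asn & 0xFFFF}" if asn > 65535 else str(asn)

def parse_as4_path(data: bytes):
    """Parse AS4_PATH attribute value into [(segment_type, [asn, ...]), ...].
    Every ASN in AS4_PATH is 4 bytes wide; truncated input raises ValueError."""
    segments, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated segment header")
        seg_type, count = data[i], data[i + 1]
        i += 2
        if not 1 <= seg_type <= 4:
            raise ValueError(f"unknown segment type {seg_type}")
        if i + 4 * count > len(data):
            raise ValueError("truncated segment body")
        segments.append((seg_type, list(struct.unpack(f"!{count}I", data[i:i + 4 * count]))))
        i += 4 * count
    return segments

def handle_as4_path(data: bytes, strict: bool = True):
    """strict=True: the behaviour the post describes (confederation segment in
    AS4_PATH => NOTIFICATION, session reset). strict=False: an assumed softer
    policy that drops only the offending segments and keeps the session up."""
    segments = parse_as4_path(data)
    leaked = [s for s in segments if s[0] in CONFED_TYPES]
    if not leaked:
        return "accept", segments
    if strict:
        return "reset_session", segments
    return "discard_confed_segments", [s for s in segments if s[0] not in CONFED_TYPES]

def encode_as4_path(segments) -> bytes:
    """Build AS4_PATH bytes from segments (used here to construct a sample)."""
    return b"".join(struct.pack("!BB", t, len(a)) + struct.pack(f"!{len(a)}I", *a)
                    for t, a in segments)

# Constructed sample modelled on the log line: a leaked confederation sequence
# (65044 65048 65062) followed by the origin AS 196629 (asdot 3.21).
LEAKED_UPDATE = encode_as4_path([(AS_CONFED_SEQUENCE, [65044, 65048, 65062]),
                                 (AS_SEQUENCE, [196629])])
```

Calling `handle_as4_path(LEAKED_UPDATE)` returns `"reset_session"`, mirroring the Cisco log; with `strict=False` the same update is kept with the confederation segment removed.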

The internet is held together by protocols, trust, and an extraordinary amount of duct tape. Stay vigilant, network warriors!

[Edit: We presented on this flaw and way forward at NANOG45]
