Re: JunOS/FRR/Nokia et al BGP critical issue

Wed, 30 Aug 2023 08:35:17 -0700 

Tom Beecher wrote on 8/30/23 8:22 AM:


     vendors should adopt RFC7606


Yes

      and not be absolutely awful at responding to vulnerability
    reporting.



1. This isn't exactly new. It's been possible to do this since the 
original days of BGP.

Literally the first thing that came into my mind was the as-set issue 
from 2 decades ago where some vendors passed it, others dropped sessions..

2. Probably not wise to assume that's accurate just because he thinks 
that is true.



On Wed, Aug 30, 2023 at 11:02 AM <je...@iglou.com 
<mailto:je...@iglou.com>> wrote:


    Fair update. To be clear, though, the main point of the article
    stands, and is maybe even strengthened by the update. A corrupted
    attribute def can cause the behavior (personal experience speaking
    here with a different attribute) and vendors should adopt RFC7606
    and not be absolutely awful at responding to vulnerability reporting.

    On Aug 30, 2023 10:43 AM, "Jakob Heitz (jheitz) via NANOG"
    <nanog@nanog.org <mailto:nanog@nanog.org>> wrote:

        The blog was updated. Correct link:

        https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling

        The attribute was not malformed.

        This is the hex dump of the attribute: “E0 1C 00”

        It is described here.

        https://www.rfc-editor.org/rfc/rfc6790#section-5.2

        This attribute is deprecated, but that does not prevent
        routers from originating it or passing it on.

        Kind Regards,

        Jakob

        ----------------- Original message --------------

        From: Mike Lyon <mike.l...@gmail.com <mailto:mike.l...@gmail.com>>
        To: NANOG list <nanog@nanog.org <mailto:nanog@nanog.org>>

        Ran across this article today and haven't seen posts about it so i
        figured I would share:

        
https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling?fbclid=IwAR13ePY43Vf3u4X8PDyCDT39DtyXczAKkv6CGXOQbcQv90Y3aIAmTkJxn7k_aem_Ad0hzj2Mh_WlbFZug-vGdlJJdXr2Xo0RFIsPwAU2GviPz6xZDib76YHwFuzU7E0_sJk&mibextid=Zxz2cZ

        Curious if anyone on the list is running VyOS and has
        experienced any problems?

        Cheers,
        Mike


        -- 
        Mike Lyon

        mike.l...@gmail.com <mailto:mike.l...@gmail.com>
        http://www.linkedin.com/in/mlyon




--
Thank you,
Steven






















					Reply via email to