Thursday, March 5, 2009

Global Internet Problem...As Prepend

With reference to the bgp problem reported in global internet cloud on 16th February 2009, Cisco renders a document of “Protecting Border Gateway Protocol For Enterprise”. Problem was first reported by the Czech provider on Nanog Mailing List and solution for the same was provided by Ivan & lot of Nanog users. Click here to see the details of the problem.

Cisco has documented lot of scenarios and out of them one was the actual protagonist. Document is really so large and one cannot make it complete in one shot without having cup of coffee.

Document progression is given below:-

a) Basic BGP Configuration.
b) BGP Authentication With MD5
Really a awesome because a good thing in the paragraph is that BGP uses the option “kind 19” for MD5 hash carried in TCP header. Commands given to verify the BGP neighbor session is using MD5 authentication or not.
Run “Show tcp brief” there after copy TCB address and run another command “show tcp tcb ”. Under the Option flags you will find md5
c) BGP Time To Live Security Check
The BGP Time To Live (TTL) security check is designed to protect the BGP process from these kinds of CPU-utilization-based attacks and route manipulation attempts.
Add the command under bgp “neighbor ttl-security hops 1”
d) Configuring Maximum Prefixes
This command is used mostly by the service providers to limit the number of routes received from CE.
neighbor maximum-prefix 5
e) Filter BGP prefixes
A simple and easy to use
f) Filtering BGP prefixes with AS path access list
A favourite and popular question of CCIE.
g) AS path length limiting [ Real Culprit of the problem ]
In addition to filtering routes based on specific AS paths (AS number), it is also possible to filter routes by limiting the number of AS path segments that each route can include. This limiting is performed primarily to prevent the router from expending too much memory when it stores routes with long AS paths. The bgp maxas-limit feature, which requires the software fix that is associated with Cisco BugID CSCeh13489, allows administrators to set a limit on number of AS path segments that are associated with any route. Administrators should note that because this feature is a router configuration command that is not tied to any specific BGP neighbor, all neighbors will be treated uniformly according to the specified policy. Prior to the functionality change for the Cisco bug associated with CSCee30718, the value that can be entered for this argument is a number from 1 to 255. Following the functionality change associated with CSCee30718, it is possible to configure a higher threshold value (up to 2,000) for the AS path segment length. Advertising a route with an AS path length that exceeds 255 may result in an adverse impact when sending long AS path segments to downstream BGP routers. Because Cisco IOS Software limits the prepending value to 10 using route maps, the most that a Cisco device could add is 21 AS identifiers, or 10 on ingress, 10 on egress, and 1 for normal BGP AS processing.
Add “bgp maxas-limit 5” under BGP.

For the detailed report visit the given links

One of the best tool I found for checking AS prepend is

shivlu jain

People who read this post also read :

No comments: