My IOS XR router detected a malformed BGP message, logs are in the thread
below, but it treated it as a withdrawal per RFC7606. The Brocades saw the
error and closed the BGP session, which is what many older BGP
implementations do. I'm not sure of the reason for the malformed BGP message,
it could have something to do with the next-hop, or it could be for some
completely unrelated reason, but as far as I can tell, BIRD put
a malformed BGP message on the wire.

IOS XR said "hey look that's bad, and I'm going to ignore it", and Brocade
said, "hey that's bad, and you're bad so I'm not going to talk to you", I
think the Junipers reacted much as IOS XR did, but that doesn't mean there
wasn't a bad message.

Thanks

On Wed, May 6, 2020 at 11:49 AM Doug McIntyre <[log in to unmask]> wrote:

> I think we've come up with some methods for potentially creating
> filters for this situation to roll out in the future.
>
> I don't think it's BIRD's place to impose restrictions on what a BGP
> peer is advertising, even if it is bogus.
>
> Clearly it's only a bug with Brocade, because other vendors (especially
> Juniper) didn't care that it was announced this way, I just had a bogus
> route inserted from them, but it didn't affect any of my BGP sessions
> with MICE.
>
>
>
>
>
> On Wed, May 06, 2020 at 04:45:33PM +0000, Frank Bulk wrote:
> >Do we need to submit a bug to the developers of BIRD?
> >
> >Frank
> >
> >From: MICE Discuss <[log in to unmask]> On Behalf Of David Farmer
> >Sent: Thursday, April 30, 2020 8:37 AM
> >To: [log in to unmask]
> >Subject: Re: [MICE-DISCUSS] route server down?
> >
> >I think it was more than just an invalid next-hop. If it was simply an
> >invalid next-hop that shouldn't have created a malformed BGP update. Unless
> >the invalid next-hop caused BIRD to send out a malformed BGP update.
> >
> >On Thu, Apr 30, 2020 at 8:24 AM Jay Hanke <[log in to unmask]> wrote:
> >I emailed xcel about the invalid next-hop address.
> >
> >We should filter invalid next hops on the route servers.
> >
> >There also appears to be an issue with how some routers handle the
> >invalid next hop.
> >
> >Are all the peers with the issue of losing the session to RS2 running
> >Brocade?
> >
> >On Thu, Apr 30, 2020 at 8:17 AM David Farmer <[log in to unmask]> wrote:
> >>
> >> Someone with access should see what route server 2 sees for that
> >> prefix, and maybe kick it over after looking at it.
> >>
> >> On Thu, Apr 30, 2020 at 8:04 AM Jay Hanke <[log in to unmask]> wrote:
> >>>
> >>> We're seeing the same with a good next-hop from RS1.
> >>>
> >>> On Thu, Apr 30, 2020 at 7:55 AM Chris Wopat <[log in to unmask]> wrote:
> >>> >
> >>> > On 4/30/20 7:49 AM, David Farmer wrote:
> >>> >
> >>> > > We're running IOS XR, I found these droppings in our logs;
> >>> > >
> >>> >
> >>> > RP/0/RP0/CPU0:Apr 29 21:50:26.798 CDT: bgp[1068]:
> >>> > %ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATE message received from
> >>> > neighbor 206.108.255.2 (VRF: default) - message length 59 bytes, error
> >>> > flags 0x00000200, action taken "TreatAsWdr". Error details: "Error
> >>> > 0x00000200, Field "Attr-data", Attribute 2 (Flags 0x40, Length 0), Data
> >>> > [400200]". NLRIs: [IPv4 Unicast] 198.179.154.0/23
> >>> > RP/0/RP1/CPU0:Apr 29 21:50:26.797 CDT: bgp[1068]:
> >>> > %ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATE message received from
> >>> > neighbor 206.108.255.2 (VRF: default) - message length 59 bytes, error
> >>> > flags 0x00000200, action taken "TreatAsWdr". Error details: "Error
> >>> > 0x00000200, Field "Attr-data", Attribute 2 (Flags 0x40, Length 0), Data
> >>> > [400200]". NLRIs: [IPv4 Unicast] 198.179.154.0/23
> >>> > >
> >>> > > Maybe try resetting your BGP sessions.
> >>> > >
> >>> > We're seeing a weird next-hop ip on that prefix (rfc1918) and it's
> >>> > hidden on our net.
> >>> >
> >>> > Is 10.223.129.2 something internal to route server #2?
> >>> >
> >>> >  > show route 198.179.154.0 hidden detail
> >>> >
> >>> > inet.0: 795967 destinations, 2081403 routes (795589 active, 0 holddown,
> >>> > 1604 hidden)
> >>> > 198.179.154.0/23 (3 entries, 1 announced)
> >>> >           BGP
> >>> >                  Next hop type: Router, Next hop index: 0
> >>> >                  Address: 0x113614cc
> >>> >                  Next-hop reference count: 1
> >>> >                  Source: 206.108.255.2
> >>> >                  Next hop: 10.223.129.2 via xe-0/1/5.300, selected
> >>> >                  Session Id: 0x0
> >>> >                  State: 
> >>> >                  Inactive reason: Unusable path
> >>> >                  Local AS: 65400 Peer AS: 53679
> >>> >                  Age: 10:02:05
> >>> >                  Validation State: unverified
> >>> >                  Task: BGP_53679.206.108.255.2
> >>> >                  AS path: I
> >>> >                  Communities: target:21693:1000
> >>> >                  Router ID: 206.108.255.2
> >>> >                  Hidden reason: protocol nexthop is not on the interface
> >>> >
> >>> >
> >>> > --
> >>> > Chris Wopat
> >>> > Network Engineer, WiscNet
> >>> > [log in to unmask]   608-210-3965
> >>>
> >>>
> >>>
> >>> --
> >>> Jay Hanke, President
> >>> South Front Networks
> >>> [log in to unmask]
> >>> Phone  612-204-0000
> >>
> >>
> >>
> >> --
> >> ===============================================
> >> David Farmer               Email:[log in to unmask]
> >> Networking & Telecommunication Services
> >> Office of Information Technology
> >> University of Minnesota
> >> 2218 University Ave SE        Phone: 612-626-0815
> >> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> >> ===============================================
> >>
> >> ________________________________
> >>
> >> To unsubscribe from the MICE-DISCUSS list, click the following link:
> >> http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
> >
> >
> >
> >--
> >Jay Hanke, President
> >South Front Networks
> >[log in to unmask]
> >Phone  612-204-0000
> >
> >
> >--
> >===============================================
> >David Farmer               Email:[log in to unmask]
> >Networking & Telecommunication Services
> >Office of Information Technology
> >University of Minnesota
> >2218 University Ave SE        Phone: 612-626-0815
> >Minneapolis, MN 55414-3029   Cell: 612-812-9952
> >===============================================
> >
>
> --
> Doug McIntyre                            <[log in to unmask]>
>                      ~.~ ipHouse ~.~
>         Network Engineer/Provisioning/Jack of all Trades
>


-- 
===============================================
David Farmer               Email:[log in to unmask]
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
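
Added example, not part of the original thread or any participant's code: a small Python parser for the IOS XR `%ROUTING-BGP-3-MALFORM_UPDATE` line quoted above that decodes the `Data [400200]` bytes as a BGP path attribute header and counts events per neighbor. The regular expression and function names are this example's own assumptions, fitted to the one log format shown in the thread.

```python
import re
from collections import Counter

# Log line quoted in the thread, re-joined onto one line (mail wrapping removed).
SAMPLE = (
    'RP/0/RP0/CPU0:Apr 29 21:50:26.798 CDT: bgp[1068]: '
    '%ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATE message received from '
    'neighbor 206.108.255.2 (VRF: default) - message length 59 bytes, error '
    'flags 0x00000200, action taken "TreatAsWdr". Error details: "Error '
    '0x00000200, Field "Attr-data", Attribute 2 (Flags 0x40, Length 0), Data '
    '[400200]". NLRIs: [IPv4 Unicast] 198.179.154.0/23'
)
# Assumed pattern, derived only from the line above.
LOG_RE = re.compile(
    r'MALFORM_UPDATE : .*?neighbor (?P<neighbor>\S+) .*?'
    r'action taken "(?P<action>\w+)".*?Data \[(?P<data>[0-9a-fA-F]+)\]'
    r'.*?NLRIs: \[[^\]]+\] (?P<nlri>\S+)'
)
ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP"}  # RFC 4271 type codes

def decode_attr_header(data: bytes) -> dict:
    """Decode flags, type and length of one path attribute (RFC 4271, 4.3)."""
    # Extended Length bit (0x10) means a 2-byte length field instead of 1.
    hdr = 4 if data[:1] and data[0] & 0x10 else 3
    if len(data) < hdr:
        raise ValueError("truncated attribute header")
    flags, type_code = data[0], data[1]
    return {
        "attr": ATTR_NAMES.get(type_code, f"type {type_code}"),
        "optional": bool(flags & 0x80),      # False means well-known
        "transitive": bool(flags & 0x40),
        "length": int.from_bytes(data[2:hdr], "big"),
    }

def parse_line(line: str):
    """Return the fields of one MALFORM_UPDATE line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    event = {k: m.group(k) for k in ("neighbor", "action", "nlri")}
    event.update(decode_attr_header(bytes.fromhex(m.group("data"))))
    return event

def summarize(lines):
    """Count events per (neighbor, attribute, action) to spot a single bad source."""
    events = filter(None, map(parse_line, lines))
    return Counter((e["neighbor"], e["attr"], e["action"]) for e in events)

if __name__ == "__main__":
    print(summarize([SAMPLE, SAMPLE.replace("RP0", "RP1"), "unrelated line"]))
```

The decoded header reads as a well-known transitive AS_PATH attribute of length zero, which is consistent with the `AS path: I` in the Juniper output quoted in the thread.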