[afnog] 32 bit ASN

Geert Jan de Groot GeertJan.deGroot at xs4all.nl
Thu Jan 27 17:19:14 UTC 2011


On Wed, 26 Jan 2011 01:33:32 +0800 Mark Tinka wrote:
> > Your peers do not need to upgrade, though upgrading is
> > advisable. To non-32-bit capable BGP speakers, you will
> > look like AS 23456. That works, and works well, except
> > that all 32-bit ASN speakers will look like AS23456 and
> > hence the peer cannot set policy based on AS path.
...
> One reason is because in earlier vendor code that
> implemented 4-byte ASN's, a vulnerability was present where
> a malformed BGP update or a super-long 4-byte ASN AS_PATH
> could bring down an upstream router. In fact, I think we
> (AfNOG) ended up inadvertently doing this during our Cairo
> workshop/meeting in 2009 :-). GJ can tell you all about
> that, and then some.
> So I'd suggest checking with your provider on whether
> they'll have issues supporting you, as a matter of course.

The software involved, Quagga, did understand 32-bit ASNs,
but when expanding the ASN numbers to strings (for policy matching),
inadvertently assumed that an ASN number, written in decimals,
would only take 5 positions which is not valid here 
(327685 is 6 positions).
Hence, the incident in 2009 caused an assert error because the
AS path string was too long. This has since been fixed.

> On the other hand, not supporting native processing of 4-
> byte ASN's complicates AS tracking and AS_PATH-based
> filtering/routing policy, as all AS's then look the same.

The question arises whether one should not only ask one's
upstream but also the upstream of the upstream, whether
32-bit ASNs are safe.
This would essentially block deployment of 32-bit ASNs 
as certainly someone "would feel uneasy", and time to upgrade
equipment, after several years, has now run out.

I stand with my original statement that only the BGP originator
*must* be 32-bits capable to initiate the BGP announcements.
For its peers it is desirable (otherwise, all its peers
will look the same, AS23456), but nothing breaks.
This is a specific property of the design chosen for this. 
This was tested, and I believe it to be safe.

Of course, there is always a chance that something breaks but,
as we've shown in Cairo, we made it work.

I am surprised about the lack of knowledge from vendors on this.
If your box talks BGP then all of this shouldn't be a surprise,
and perhaps we can learn from each other whom to contact to get
clueful responses and, hopefully, working images.

Geert Jan
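The two mechanisms discussed in this message, the "5 decimal positions per ASN" buffer assumption behind the 2009 assert and the AS23456 substitution that non-32-bit-capable peers see, as an added Python example. It is not part of the original post and not Quagga's code; the helper names, the constructed ASNs 4200000000, 64512 and 65001, and the simplified AS4_PATH merge rule are assumptions made for the illustration.

```python
# Added example; not Quagga's code and not from the afnog post. It models
# two points from the thread: (1) a string-buffer estimate that assumes a
# decimal ASN never exceeds 5 digits, which fails for 4-byte ASNs such as
# 327685, and (2) how a speaker without 4-byte ASN support sees a path that
# contains 4-byte ASNs (AS_TRANS substitution, with the real path carried in
# the AS4_PATH attribute). ASNs other than 327685 are constructed samples.

AS_TRANS = 23456        # 2-byte placeholder used for any ASN above 65535
MAX_2BYTE_ASN = 65535
DIGITS_ASSUMED = 5      # the flawed assumption: len("65535") == 5


def path_to_str(path):
    """Render an AS_PATH the way a policy engine matches on it."""
    return " ".join(str(asn) for asn in path)


def flawed_buffer_size(path):
    """Size estimate based on 5 digits per ASN plus one separator between
    ASNs. Correct for 2-byte ASNs only."""
    if not path:
        return 0
    return len(path) * DIGITS_ASSUMED + (len(path) - 1)


def correct_buffer_size(path):
    """Size derived from the actual decimal width of each ASN."""
    if not path:
        return 0
    return sum(len(str(asn)) for asn in path) + (len(path) - 1)


def fits_flawed_buffer(path):
    """True if the 5-digit estimate would have held; False is the condition
    that turned into an assert failure in the incident described above."""
    return correct_buffer_size(path) <= flawed_buffer_size(path)


def as_seen_by_2byte_speaker(path):
    """What a peer without 4-byte ASN support receives.

    Every ASN above 65535 is replaced by AS_TRANS in AS_PATH, so distinct
    4-byte ASNs become indistinguishable to that peer. If any substitution
    happened, the full path is carried in AS4_PATH, an optional transitive
    attribute the old peer forwards without interpreting it.
    """
    as_path = [asn if asn <= MAX_2BYTE_ASN else AS_TRANS for asn in path]
    as4_path = list(path) if as_path != list(path) else None
    return as_path, as4_path


def reconstruct_path(as_path, as4_path):
    """How a 4-byte-capable receiver rebuilds the real path from the pair.

    Simplified merge rule (an assumption of this example): if AS4_PATH is
    absent or longer than AS_PATH it is ignored; otherwise AS4_PATH replaces
    the trailing part of AS_PATH and any extra leading ASNs (prepended by
    2-byte-only speakers in between) are kept.
    """
    if as4_path is None or len(as4_path) > len(as_path):
        return list(as_path)
    lead = len(as_path) - len(as4_path)
    return list(as_path[:lead]) + list(as4_path)


if __name__ == "__main__":
    path = [327685, 4200000000, 64512]   # one ASN from the thread, two constructed
    print(path_to_str(path))
    print("flawed estimate:", flawed_buffer_size(path),
          "needed:", correct_buffer_size(path),
          "fits:", fits_flawed_buffer(path))
    as_path, as4_path = as_seen_by_2byte_speaker(path)
    print("2-byte speaker sees AS_PATH:", as_path, "AS4_PATH:", as4_path)
    print("rebuilt by 4-byte speaker:",
          reconstruct_path([65001] + as_path, as4_path))
```

Running it shows why the originator must be 32-bit capable while its peers need not be: the 2-byte-only peer still receives a valid AS_PATH (with AS23456 in place of each 4-byte ASN) and passes AS4_PATH along untouched, so nothing breaks, but that peer cannot tell 327685 apart from any other 4-byte ASN when writing AS-path policy.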