On February 16, 2009, a widely distributed Border Gateway Protocol (BGP) route update contained an Autonomous System (AS) path of approximately 250 entries. As the update propagated through additional Autonomous Systems, each AS prepended its own AS number as part of normal BGP processing. When the AS path length exceeded 255 entries, some routers were unable to form correct BGP route updates for their peers, which resulted in corrupted BGP route updates and the subsequent resetting of certain BGP peering sessions. Some of these resets were caused by a bug in Cisco IOS Software. This event is described in Alert 17657.
Devices normally accept BGP update messages and prepend their local AS number to the BGP AS path list that is distributed to BGP neighbors. Due to a bug in Cisco IOS Software (CSCsx73770), an error may occur when a Cisco IOS device attempts to send a BGP update message containing a route whose AS path length is greater than 255 to a BGP neighbor. When the BGP peer receives the invalid update, it returns a NOTIFICATION message of "Malformed AS PATH" to the sender of the incorrectly formatted update, and the BGP session resets. Information about this Cisco IOS Software bug is available at the following link: CSCsx73770.
Cisco Security has identified a method through which administrators can modify device configurations to mitigate the effects of the AS path processing issue. Administrators can limit the number of AS path segments associated with any route by using the bgp maxas-limit feature, which requires the software fix associated with CSCeh13489. Because this router configuration command is not tied to any specific BGP neighbor, all neighbors are treated uniformly according to the specified policy. Prior to the functionality change for the bug associated with CSCee30718, the value that can be entered for the bgp maxas-limit argument is a number from 1 to 255.
Because Cisco IOS Software limits AS prepending via the route-map function to a total of 10, the most that a Cisco IOS device can add to the AS path length is 21 AS identifiers: ten using an ingress route map, ten using an egress route map, and one for normal BGP AS processing. An administrator can therefore set bgp maxas-limit to 234, which results in a maximum AS path length of 255 AS identifiers that can be sent to downstream BGP peers without corruption. The bgp maxas-limit command was introduced in Cisco IOS Software Release 12.2 and in 12.0(17)S in the 12.0S train. Using a more conservative value of 200 simplifies the configuration and also prevents this condition. Administrators are advised to configure and fully test any limit in a lab environment prior to deployment on a production router.
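The arithmetic above follows from the BGP AS_PATH wire format: each path segment carries a one-octet count of AS numbers, so a single segment can never describe more than 255 entries. The following Python model is an added example, not code from the Cisco bulletin or from Cisco IOS. It encodes and decodes AS_SEQUENCE segments with 2-byte AS numbers, shows that prepending past 255 cannot be expressed in the length field, and computes the maxas-limit headroom (255 minus the 21 local prepends). The `accept_under_maxas_limit` policy check is a simplified model of the feature (a route whose AS path exceeds the limit is not accepted), and all AS numbers used are constructed sample values.

```python
"""Model of BGP AS_PATH segment encoding (RFC 4271) and bgp maxas-limit headroom.

Added example; it is not Cisco IOS code and does not reproduce the CSCsx73770 bug,
it only shows why 255 is the hard ceiling and how the 234 / 200 limits are derived.
"""
import struct

AS_SEQUENCE = 2            # AS_PATH segment type for an ordered AS list
SEGMENT_LEN_MAX = 255      # the per-segment AS count is a one-octet field
LOCAL_PREPEND_MAX = 21     # 10 ingress + 10 egress route-map prepends + 1 normal


def encode_as_sequence(asns):
    """Encode a list of 2-byte AS numbers as one AS_SEQUENCE segment.

    Raises ValueError when the count cannot be represented in the one-octet
    length field, which is the condition the bulletin describes.
    """
    if len(asns) > SEGMENT_LEN_MAX:
        raise ValueError(
            f"{len(asns)} AS numbers exceed the {SEGMENT_LEN_MAX}-entry segment limit")
    header = struct.pack("!BB", AS_SEQUENCE, len(asns))
    return header + b"".join(struct.pack("!H", a) for a in asns)


def decode_as_path(data):
    """Decode an AS_PATH attribute value into [(segment_type, [asns]), ...].

    Truncated segments raise ValueError instead of being silently accepted.
    """
    segments, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated AS_PATH segment header")
        seg_type, count = data[i], data[i + 1]
        i += 2
        need = count * 2
        if len(data) - i < need:
            raise ValueError("truncated AS_PATH segment body")
        asns = list(struct.unpack(f"!{count}H", data[i:i + need]))
        i += need
        segments.append((seg_type, asns))
    return segments


def as_path_length(segments):
    """Total number of AS entries across all segments."""
    return sum(len(asns) for _, asns in segments)


def prepend_and_encode(received_asns, local_as, prepend_count=1):
    """Model a router prepending its own AS before re-advertising a path."""
    return encode_as_sequence([local_as] * prepend_count + list(received_asns))


def safe_maxas_limit(local_prepend_max=LOCAL_PREPEND_MAX):
    """Largest received path length that still fits after local prepending (234)."""
    return SEGMENT_LEN_MAX - local_prepend_max


def accept_under_maxas_limit(segments, limit):
    """Simplified maxas-limit policy: reject any route whose AS path exceeds limit."""
    return as_path_length(segments) <= limit


if __name__ == "__main__":
    # Constructed sample: a received path of 250 private AS numbers, as in the 2009 event.
    received = [64512 + (n % 1000) for n in range(250)]
    encoded = prepend_and_encode(received, local_as=65001)
    print("path length after one prepend:", as_path_length(decode_as_path(encoded)))
    try:
        prepend_and_encode(received, local_as=65001, prepend_count=10)
    except ValueError as exc:
        print("ten prepends fail:", exc)
    print("safe maxas-limit:", safe_maxas_limit())
    print("accepted at limit 200:", accept_under_maxas_limit(decode_as_path(encoded), 200))
```

With the constructed 250-entry path, a single prepend still encodes (251 entries), ten route-map prepends do not (260 entries), and the same path is rejected by a maxas-limit of 200 long before it can reach the 255 ceiling.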
IntelliShield will continue to track this issue and the related event. Administrators are advised to continue monitoring edge devices for service failures that may indicate additional outages and to employ mitigations where appropriate.