Re: [Idr] Unknown Attributes seen in the wild

Robert Raszuk <robert@raszuk.net> Sun, 30 October 2016 18:05 UTC

Colin,

> Perhaps this is some internal SDN thing that leaked publicly?

You are right ... attribute 243 is Contrail's OriginVnPath attribute useful
for more complex service chaining scenarios.

https://github.com/Juniper/contrail-controller/blob/82cdb6afee49b39e54364f18be8eeca725dd76f4/src/bgp/bgp_attr_base.h

With that, let's also not forget about attributes 241 and 242 used for
multicast edge replication. The work on the draft describing those last two
temporarily allocated attribute codes is currently being resubmitted. The
good news is that they should not be leaked, as they are to be sent in their
dedicated SAFIs, so unless a peer exchanges the right capabilities they should be
quite contained.

https://github.com/Juniper/contrail-controller/blob/82cdb6afee49b39e54364f18be8eeca725dd76f4/src/net/bgp_af.h

Thx,
R.


> We also found an interesting unknown attribute, code 243. This appeared
> at all our collectors but only during June 2016. We're not sure what it
> is. We saw it for 4500 different prefixes, but all of them had the
> following sequence of AS_PATH:
> "7018 4466 5673"
>
> Looking at the AS graphs on bgp.he.net, at a guess, it was probably
> either AS5673 or AS4466 who originated this.
>
> A bit of googling also reveals a mention of it here:
> https://bugs.launchpad.net/juniperopenstack/+bug/1599588
> "
>    Unknown Attribute (243), length: 8, Flags [OT]:
>      no Attribute 243 decoder
>      0x0000: 8071 369b 0000 0007
> "
>
>
> Perhaps this is some internal SDN thing that leaked publicly?
>
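
Added example (not part of the original message, and not Contrail or tcpdump code): a minimal Python walk over the Path Attributes field of a BGP UPDATE that reports optional transitive attributes whose type code is not in a local table, which is how a collector would spot a leak like attribute 243. The sample bytes are constructed from the tcpdump output quoted above; the abbreviated `KNOWN` table and the function names are assumptions.

```python
import struct

# Attribute flag bits (RFC 4271, section 4.3)
OPTIONAL, TRANSITIVE, PARTIAL, EXT_LEN = 0x80, 0x40, 0x20, 0x10

# Abbreviated table of recognised type codes (assumption: extend per deployment)
KNOWN = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
         5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR",
         8: "COMMUNITIES", 14: "MP_REACH_NLRI", 15: "MP_UNREACH_NLRI",
         16: "EXTENDED_COMMUNITIES", 17: "AS4_PATH", 18: "AS4_AGGREGATOR"}

def parse_path_attributes(buf):
    """Split a Path Attributes field into (flags, type_code, value) tuples."""
    attrs, i = [], 0
    while i < len(buf):
        if len(buf) - i < 3:
            raise ValueError("truncated attribute header at offset %d" % i)
        flags, code = buf[i], buf[i + 1]
        if flags & EXT_LEN:                     # two-octet length field
            if len(buf) - i < 4:
                raise ValueError("truncated extended length at offset %d" % i)
            (length,) = struct.unpack_from("!H", buf, i + 2)
            i += 4
        else:                                   # one-octet length field
            length = buf[i + 2]
            i += 3
        if i + length > len(buf):
            raise ValueError("attribute %d overruns the buffer" % code)
        attrs.append((flags, code, bytes(buf[i:i + length])))
        i += length
    return attrs

def flag_letters(flags):
    """Render flags in the O/T/P/E letter style seen in the quoted output."""
    return "".join(c for bit, c in ((OPTIONAL, "O"), (TRANSITIVE, "T"),
                                    (PARTIAL, "P"), (EXT_LEN, "E")) if flags & bit)

def unknown_transitive(buf):
    """Return (code, flags, hex value) for unrecognised optional transitive attributes."""
    return [(code, flag_letters(flags), value.hex())
            for flags, code, value in parse_path_attributes(buf)
            if code not in KNOWN and flags & OPTIONAL and flags & TRANSITIVE]

# Constructed sample: ORIGIN, AS_PATH "7018 4466 5673" (2-octet ASNs),
# then attribute 243 with flags [OT] and the 8-byte value from the quoted dump.
SAMPLE = (bytes([0x40, 1, 1, 0])
          + bytes([0x40, 2, 8]) + struct.pack("!BBHHH", 2, 3, 7018, 4466, 5673)
          + bytes([OPTIONAL | TRANSITIVE, 243, 8]) + bytes.fromhex("8071369b00000007"))

if __name__ == "__main__":
    for finding in unknown_transitive(SAMPLE):
        print("unknown optional transitive attribute:", finding)
```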