Re: [Idr] Unknown Attributes seen in the wild

Colin Petrie <colin@spakka.net> Sun, 30 October 2016 13:52 UTC

Return-Path: <colin@spakka.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B03C12956B for <idr@ietfa.amsl.com>; Sun, 30 Oct 2016 06:52:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oar_TXE_dOVl for <idr@ietfa.amsl.com>; Sun, 30 Oct 2016 06:52:28 -0700 (PDT)
Received: from mailhosting.spakka.net (mailhosting.spakka.net [IPv6:2a02:af8:cafe:f00d::25]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2B0412955E for <idr@ietf.org>; Sun, 30 Oct 2016 06:52:27 -0700 (PDT)
Received: from [2a02:a210:380:92f0:aefd:ceff:fe33:1cc9] by mailhosting.spakka.net with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.82) (envelope-from <colin@spakka.net>) id 1c0qXC-0005QS-4a for idr@ietf.org; Sun, 30 Oct 2016 13:52:26 +0000
To: idr@ietf.org
References: <01f401d22950$7f988470$7ec98d50$@ndzh.com> <5806484F.5080006@foobar.org> <6E6CFB88-04E7-45B6-A325-F57A165E901A@pfrc.org> <20161018172538.GD27221@gir.theapt.org> <01e301d22967$cb3e8c50$61bba4f0$@ndzh.com> <alpine.LRH.2.20.1610212230270.31112@espargaro.jakma.org>
From: Colin Petrie <colin@spakka.net>
Message-ID: <b65b4b10-6635-05f5-035c-66b94f0c8b84@spakka.net>
Date: Sun, 30 Oct 2016 14:52:25 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <alpine.LRH.2.20.1610212230270.31112@espargaro.jakma.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-SMTP-Authenticated-User: colin@spakka.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/uQCDxUxSZ6kZXrqjfjiKMZFGHfo>
Subject: Re: [Idr] Unknown Attributes seen in the wild
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Oct 2016 13:52:30 -0000

On 21/10/16 23:32, Paul Jakma wrote:
> On Tue, 18 Oct 2016, Susan Hares wrote:
>> Do we know which routers are sending path attributes with 20 or 21?
> 
> I don't know about #20, but Quagga had support for AS_PATHLIMIT for a
> while. I added it in '07 and removed it from the upstream code in '11.

>> From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of Peter Hessler

>> I just did a check of the DFZ, both IPv4 and IPv6, and these are the
>> unknown/deprecated attributes on paths that I can see.
>>
>> 20     Connector Attribute (deprecated)     [RFC6037]
>> 21     AS_PATHLIMIT (deprecated)     [draft-ietf-idr-as-pathlimit]

At RIPE NCC, we searched our RIS raw data for the last 12 months to see
what unknown attributes we could find.

We found the following ones that Peter mentions:
20:   Connector Attribute (deprecated)
21:   AS_PATHLIMIT (deprecated)	

We also found:
28: BGP Entropy Label Capability Attribute (deprecated)
128: ATTR_SET (not deprecated but probably shouldn't be leaking into the
DFZ)

In the last month we also saw:
30: LARGE_COMMUNITY (old)
32: LARGE_COMMUNITY (new)

We also found an interesting unknown attribute, code 243. This appeared
at all our collectors but only during June 2016. We're not sure what it
is. We saw it for 4500 different prefixes, but all of them had the
following sequence of AS_PATH:
"7018 4466 5673"

Looking at the AS graphs on bgp.he.net, at a guess, it was probably
either AS5673 or AS4466 who originated this.

A bit of googling also reveals a mention of it here:
https://bugs.launchpad.net/juniperopenstack/+bug/1599588
"
   Unknown Attribute (243), length: 8, Flags [OT]:
     no Attribute 243 decoder
     0x0000: 8071 369b 0000 0007
"

Perhaps this is some internal SDN thing that leaked publicly?

Anyway, hope this information is useful - if anyone needs any more
details please let me know.

Kind Regards,

Colin