[ga] How a Router's Missed Range Check Nearly Crashed the Internet

["Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>]

All,

  Looks like some of our Latvian friends are ill suited to handle
routing configuration.

See:
A bug by router vendor A (omitting a range check from a
critical field in the configuration interface) tickled a bug from router

vendor B (dropping BGP sessions when processing some ASPATH attributes
with length very close to 256), causing a ripple effect that caused
 http://www.renesys.com/blog/2009/02/longer-is-not-better.shtml
widespread global routing instability last week. The flaw lay dormant
until one of vendor A's systems was deployed in an autonomous system
whose ASN, modulo 256, was greater than 250. At that point, the Internet

was one typo away from disaster. Other router vendors, who were not
affected by the bug, happily propagated the trigger message to every
vulnerable system on the planet in about 30 seconds. Few people
appreciate how fragile and unsecured the Internet's trust-based critical

infrastructure really is â?? this is just the latest example." Vendor A,
in
this case, is a Latvian router vendor called MikroTik.

Regards,

Spokesman for INEGroup LLA. - (Over 284k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln
"YES WE CAN!"  Barack ( Berry ) Obama

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827