nanog mailing list archives
RE: BGP malformed update/attribute list
From: Zhuangshunwan via NANOG <nanog () lists nanog org>
Date: Fri, 23 May 2025 01:53:36 +0000
Hi Chris, Thanks for your detail information! Regarding the following message:
Message data: 144 bytes
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
00900200 00007540 01010040 02220208
00000D1C 0000232A 00002458 000210AA
00024F1E 00021B5D 000003D8 00060A11
400304D5 F2494980 04040000 0000C008
1C0D1C00 020D1C00 160D1C00 640D1C00
7B0D1C01 F70D1C03 850D1C08 13E0281C
00000000 00000000 00000000 00000000
00000000 00000000 00000000 182DC6B8
We can find the BGP attribute data that causes the problem as follows:
E0281C
00000000 00000000 00000000 00000000
00000000 00000000 00000000
Semantically, this is a "complete" BGP Path Attribute: Flags=0xE0 Type=0x28, it is defined in RFC8669. (https://datatracker.ietf.org/doc/rfc8669/) Length=0x1C The Value field, as indicated by Length, does indeed occupy 28 bytes, although they are all zeros. Some network operating systems may try to parse the TLV carried in this attribute per RFC8669 and find that there is no valid TLV, so resulting in an error. Other operating systems found that the attribute was semantically correct but the content was incorrect, so they ignored the attribute and no BGP session interruption occurred. I'm curious how this strange attribute was generated. Was it the result of a test initiated by someone? Was it an attempt to test the robustness of the BGP protocol on the Internet? Cheers, Shunwan
-----Original Message----- From: Chris Welti via NANOG [mailto:nanog () lists nanog org] Sent: Thursday, May 22, 2025 8:09 PM To: North American Network Operators Group <nanog () lists nanog org> Cc: Niels den Otter <niels.denotter () surf nl>; Chris Welti <chris.welti () switch ch> Subject: Re: BGP malformed update/attribute list Hi Niels, For what it's worth, thats what we saw here on our AS3356 uplink: Total Update messages received: 281003910 Malformed Update messages received: 6 First received: May 20 09:01:52.256 Last received: May 20 09:02:12.529 (2d04h ago) Memory allocation failures: 0 First failure: --- Last failure: --- (never) Error-handling session resets: 0 First reset: --- Last reset: --- (never) Discarded attributes: 6 Since session establishment: Update messages received: 37579519 Final actions: None: 0, DiscardMsg: 0, Reset: 0 TreatAsWdrOrReset: 0, TreatAsWdr: 0, DiscardAttr: 6 LocalRepair: 0 Malformed messages stored: 5 (current index: 0) Malformed message #1 Received: May 20 09:02:12.529 Error flags: 0x00080000 Discarded attributes: 1 Final action: DiscardAttr Error elements: 1 [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28) Error data: [e0281c00] (4 bytes) Action: DiscardAttr NLRIs: "IPv4 Unicast" <15 chars> 140.150.9.0/24 Reset/notification information: Reason "None", Postit type "Update malformed" Notification code 3, sub-code 1 Notification data [e0281c00000000000000000000000000] (16 bytes) Message data: 136 bytes FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00880200 00006D40 01010040 021A0206 00000D1C 0000232A 00002458 000210AA 00024F1E 00021B5D 400304D5 F2494980 04040000 0000C008 1C0D1C00 020D1C00 160D1C00 640D1C00 7B0D1C01 F70D1C03 850D1C08 13E0281C 00000000 00000000 00000000 00000000 00000000 00000000 00000000 188C9609 Malformed message #2 Received: May 20 09:02:12.529 Error flags: 0x00080000 Discarded attributes: 1 Final action: DiscardAttr Error elements: 1 [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28) Error data: [e0281c00] (4 bytes) Action: DiscardAttr NLRIs: "IPv4 Unicast" <68 chars> 138.113.116.0/24 163.171.104.0/24 163.1 71.102.0/24 163.171.103.0/24 Reset/notification information: Reason "None", Postit type "Update malformed" Notification code 3, sub-code 1 Notification data [e0281c00000000000000000000000000] (16 bytes) Message data: 152 bytes FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00980200 00007140 01010040 021E0207 00000D1C 0000232A 00002458 000210AA 00024F1E 00021B5D 0000D6D2 400304D5 F2494980 04040000 0000C008 1C0D1C00 020D1C00 160D1C00 640D1C00 7B0D1C01 F70D1C03 850D1C08 13E0281C 00000000 00000000 00000000 00000000 00000000 00000000 00000000 188A7174 18A3AB68 18A3AB66 18A3AB67 Malformed message #3 Received: May 20 09:02:10.106 Error flags: 0x00080000 Discarded attributes: 1 Final action: DiscardAttr Error elements: 1 [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28) Error data: [e0281c00] (4 bytes) Action: DiscardAttr NLRIs: "IPv4 Unicast" <109 chars> 103.87.71.0/24 103.160.154.0/24 103.87. 70.0/24 103.160.54.0/24 110.44.172.0/22 103.52.2.0/24 203.84.138.0/24... Reset/notification information: Reason "None", Postit type "Update malformed" Notification code 3, sub-code 1 Notification data [e0281c00000000000000000000000000] (16 bytes) Message data: 184 bytes FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00B80200 00006D40 01010040 021A0206 00000D1C 0000232A 00002458 000210AA 00024F1E 00021B5D 400304D5 F2494980 04040000 0000C008 1C0D1C00 020D1C00 160D1C00 640D1C00 7B0D1C01 F70D1C03 850D1C08 13E0281C 00000000 00000000 00000000 00000000 00000000 00000000 00000000 18675747 1867A09A 18675746 1867A036 166E2CAC 18673402 18CB548A 18CB5489 18A014DE 1867A037 18CA38AC 186E2CAA 18673403 Malformed message #4 Received: May 20 09:01:57.313 Error flags: 0x00080000 Discarded attributes: 1 Final action: DiscardAttr Error elements: 1 [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28) Error data: [e0281c00] (4 bytes) Action: DiscardAttr NLRIs: "IPv4 Unicast" <15 chars> 156.230.0.0/16 Reset/notification information: Reason "None", Postit type "Update malformed" Notification code 3, sub-code 1 Notification data [e0281c00000000000000000000000000] (16 bytes) Message data: 139 bytes FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 008B0200 00007140 01010040 021E0207 00000D1C 0000232A 00002458 000210AA 00024F1E 00021B5D 000003D8 400304D5 F2494980 04040000 0000C008 1C0D1C00 020D1C00 160D1C00 640D1C00 7B0D1C01 F70D1C03 870D1C08 13E0281C 00000000 00000000 00000000 00000000 00000000 00000000 00000000 109CE6 Malformed message #5 Received: May 20 09:01:57.312 Error flags: 0x00080000 Discarded attributes: 1 Final action: DiscardAttr Error elements: 1 [1] Error 0x00080000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28) Error data: [e0281c00] (4 bytes) Action: DiscardAttr NLRIs: "IPv4 Unicast" <16 chars> 45.198.184.0/24 Reset/notification information: Reason "None", Postit type "Update malformed" Notification code 3, sub-code 1 Notification data [e0281c00000000000000000000000000] (16 bytes) Message data: 144 bytes FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00900200 00007540 01010040 02220208 00000D1C 0000232A 00002458 000210AA 00024F1E 00021B5D 000003D8 00060A11 400304D5 F2494980 04040000 0000C008 1C0D1C00 020D1C00 160D1C00 640D1C00 7B0D1C01 F70D1C03 850D1C08 13E0281C 00000000 00000000 00000000 00000000 00000000 00000000 00000000 182DC6B8 Cheers, Chris On 22.05.2025 08:29, Niels den Otter via NANOG wrote:Hallo Randy, That's interesting. At exact the same moment this is what our Juniper routers reported; --- May 20 07:01:51 router rpd[34930]: %DAEMON-4: bgp_read_v4_update:13937: NOTIFICATION sent to a.b.c.d (Internal AS xxx): code 3 (Update Message Error) subcode 131 (invalid), Data: 00 00 00 00 00 00 May 20 07:01:51 router rpd[34930]: %DAEMON-3: Receivedmalformed update from a.b.c.d (Internal AS xxx) May 20 07:01:51 router rpd[34930]: %DAEMON-3: Family inet-vpn-unicast, prefix a.b.c.d:32767:156.230.0.0/40 (label 114) May 20 07:01:51 router rpd[34930]: %DAEMON-3: Malformed Attribute PREFIX_SID(40) flag 0x80 length 28 error 131 (TLV length error).--- Appears to be another prefix? Unfortunately we don't have a BMP dump ofthis packet.* Niels ________________________________ Van: Randy Bush via NANOG <nanog () lists nanog org> Verzonden: woensdag 21 mei 2025 22:47 Aan: Simon Lockhart via NANOG <nanog () lists nanog org> CC: Randy Bush <randy () psg com> Onderwerp: Re: BGP malformed update/attribute list just to aol, and other posts did not show full nlri May 20 07:01:51 r2.f00 16869308: RP/0/RSP0/CPU0:May 20 07:01:51.437 : bgp[1059]: %ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATEmessagereceived from neighbor 123.45.67.89 (VRF: default) - message length 106 bytes, error flags 0x000c0000, action taken "DiscardAttr". Error details: "Error 0x00040000, Field "Attr-length", Attribute 40 (Flags 0xe0, Length 28), Data [e0281c]". NLRIs: [IPv4 Unicast] 45.198.25.0/24 randy _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/56 PKKMWIL7WN5T2VQTDL7M23RFSZO6I3/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/JL S5CHUGXNY6C55ZA4SVQO6CJU6KBTG5/_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/IGG5VK 7BADZMQLYRND6L7YKHK7FTHYAD/
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/CSDTO64UPEZT2MLL4KSCDJGTHUHBRDPF/
Current thread:
- RE: BGP malformed update/attribute list Zhuangshunwan via NANOG (May 27)
- <Possible follow-ups>
- Re: BGP malformed update/attribute list Randy Bush via NANOG (May 27)
- Re: BGP malformed update/attribute list Chris Welti via NANOG (May 27)
- Re: BGP malformed update/attribute list Jakob Heitz (jheitz) via NANOG (May 27)