Slashdot Mirror


How a Router's Missed Range Check Nearly Crashed the Internet

Barlaam writes "A bug by router vendor A (omitting a range check from a critical field in the configuration interface) tickled a bug from router vendor B (dropping BGP sessions when processing some ASPATH attributes with length very close to 256), causing a ripple effect that caused widespread global routing instability last week. The flaw lay dormant until one of vendor A's systems was deployed in an autonomous system whose ASN, modulo 256, was greater than 250. At that point, the Internet was one typo away from disaster. Other router vendors, who were not affected by the bug, happily propagated the trigger message to every vulnerable system on the planet in about 30 seconds. Few people appreciate how fragile and unsecured the Internet's trust-based critical infrastructure really is — this is just the latest example." Vendor A, in this case, is a Latvian router vendor called MikroTik.

196 comments

  1. Same story, different spin??? by Anonymous Coward · · Score: 4, Informative

    Is this related to the story posted that stated:

    "One Broken Router Takes Out Half the Internet?"

    http://tech.slashdot.org/article.pl?sid=09/02/16/2233207

    It just amazes me how differently presented this story is compared with the previous.

    In fairness, there is much more information about this 'outage' now.

    This news is alarming. Thanks for not making it alarmist this time.

    1. Re:Same story, different spin??? by Anthony_Cargile · · Score: 5, Insightful

      It just amazes me how differently presented this story is compared with the previous.

      Previous story: kdawson. Current story: Timothy. Do you need any more explanation than that?

    2. Re:Same story, different spin??? by Anonymous Coward · · Score: 0, Funny

      parent here...

      No, I'm the parent!

    3. Re:Same story, different spin??? by ion.simon.c · · Score: 1

      Mmm. We should get rid of kdawson. (Of course, /.'s board of corporate overlord directors probably likes all the ad revenue that he brings in. :/ )

    4. Re:Same story, different spin??? by Anonymous Coward · · Score: 1, Funny

      No, I'm Spartac--wait, what?

    5. Re:Same story, different spin??? by Jamie's+Nightmare · · Score: 3, Funny

      No, it's best to keep him here where he can do less damage. We wouldn't want him to fill an editorial position at Fox News.

      --
      "When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
    6. Re:Same story, different spin??? by commodore64_love · · Score: 1

      Or pro-government-leaning CNN/MSNBC.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    7. Re:Same story, different spin??? by PopeRatzo · · Score: 0

      Wait, Slashdot has ad revenue? They have ads here?

      I'm a subscriber, so I didn't know.

      --
      You are welcome on my lawn.
    8. Re:Same story, different spin??? by PopeRatzo · · Score: 1

      commodore64_love(1445365),

      let me be the first to welcome you to Slashdot.

      --
      You are welcome on my lawn.
    9. Re:Same story, different spin??? by Anonymous Coward · · Score: 0

      No, I'm the parent, and so's my wife!

    10. Re:Same story, different spin??? by Anonymous Coward · · Score: 0

      Previous story: kdawson. Current story: Timothy. Do you need any more explanation than that?

      Same crap, different asshole?

    11. Re:Same story, different spin??? by Anonymous Coward · · Score: 0

      I'm pretty sure that I'm the parent

    12. Re:Same story, different spin??? by Anonymous Coward · · Score: 1, Informative

      Wait, Slashdot has ad revenue? They have ads here?

      I'm a subscriber, so I didn't know.

      I have AdBlock Plus, so I didn't know.

    13. Re:Same story, different spin??? by Wakko+Warner · · Score: 1

      You seriously have the stupidest .sig I've ever seen on slashdot.

      --
      "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    14. Re:Same story, different spin??? by ConceptJunkie · · Score: 1

      I'm glad I'm not the only one who thought so, Wakko.

      --
      You are in a maze of twisty little passages, all alike.
    15. Re:Same story, different spin??? by Anonymous Coward · · Score: 0

      I'm blind, so I didn't know. (you insensitive clod)

    16. Re:Same story, different spin??? by commodore64_love · · Score: 1

      I seriously don't care. I've been dealing with online idiots since 1987 - welcome to the club.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  2. Vendor B by CSFFlame · · Score: 5, Informative

    Vendor B is Cisco btw. Dunno why they were being vague.

    1. Re:Vendor B by mysidia · · Score: 5, Insightful

      It seems like we live in a world now where media go ridiculously out of their way to soften the blow and protect the parties who screwed up and shipped software that had mistakes in it, by playing PR on their behalf and hiding their name.

      They had a bug; they deserve to be called on that fact, authors should be honest and direct, and always mention them by name. ESPECIALLY in this case, so people who bought their product KNOWM they need to update, even if they didn't notice the fact that they were impacted by the bug (not everyone impacted necessarily knows what caused their problems, a lot of people may still be wide open to the bug but not know about it).

      Seriously, if you develop an implementation of an exterior routing protocol that untrusted devices participate in BY DESIGN...

      How do you justify NOT taking basic steps to validate what happens in your implementation if another party decides to play dirty, and hit you with a ridiculously long or corrupt entry in a field (like AS path)?

      How does your QA team miss the potential consequences of how such a case can impact your re-advertisements of that long path? And miss testing that the result you send is still valid, or that you at least block it properly.

      It doesn't mean they're totally inept, I'm sure their QA team does a lot of good work. But something fundamental seems to be missing, if these sort of elementary bugs slip through the cracks.

      It may be hard on them PR wise, but the public deserves to know the facts, without the names being changed to protect the guilty.

    2. Re:Vendor B by Shakrai · · Score: 4, Insightful

      It seems like we live in a world now where media go ridiculously out of their way to soften the blow and protect the parties who screwed up and shipped software that had mistakes in it, by playing PR on their behalf and hiding their name.

      Well that may be the case but in this case the criticism doesn't really seem deserved. For better or worse /. generally posts exactly what was written by the person who submitted the article. Blame that person for trying to "soften" the blow.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:Vendor B by troll8901 · · Score: 2, Interesting

      They had a bug; they deserve to be called on that fact, authors should be honest and direct, and always mention them by name.

      The writer is probably trying to facilitate discussions, instead of playing the blame game.

      Names trigger emotions in us (right brain). Identifiers trigger logic in us (left brain).

      The writer is probably relying on us to suggest how to get top-level ISPs to implement filtering. It's a human and business issue ... not a technical issue.

    4. Re:Vendor B by afidel · · Score: 5, Informative

      The Cisco bug had been fixed for about forever so anyone running an affected version probably had a million other known bugs as well, just most didn't bring their primary function to a screeching halt. Some of the time admins choose to run with the devil they know rather than finding all the new bugs waiting in new code, this time it bit a bunch of them hard and hence bit their customers. They will now upgrade to newer software or implement a workaround for this bug, if they upgrade their customers will probably have some additional downtime while the new bugs are found and worked around. Unfortunately this is how IT works, it's a complex web of systems built, programmed, and administered by fallible humans.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    5. Re:Vendor B by thsths · · Score: 4, Interesting

      Should be obvious, hm? Because Vendor B is the one really to blame: as far as I can see, one router from Vendor A misbehaved, but thousands or more from Vendor B. Unfortunately, Vendor B is also the one with deep pockets for legal action, so you cannot possibly put the blame on them. Oops, hope I do not get sued.

    6. Re:Vendor B by Anonymous Coward · · Score: 1, Interesting

      With Cisco you can choose between:

      - Known, often workaroundable bugs in older versions

      or

      - new unknown fancy bugs w/o workarounds that can hit you like a truck in the groin every minute now.

      As long as the first choice does not include show-stopper bugs like the BGP one, there is usually no reason to use the latest IOS image.
      Actually, the stability of your network is often a good reason /not/ to use the latest, shiniest version with lots of new features and even more new bugs.

      Consider that.

    7. Re:Vendor B by Anonymous Coward · · Score: 1, Informative

      Vendor B is Cisco btw.

      Dunno why they were being vague.

      The Cisco thing is actually quite old. During the event a new bug in OpenBSD was discovered:
      http://secunia.com/advisories/33975/

    8. Re:Vendor B by Anonymous Coward · · Score: 1, Funny

      so people who bought their product KNOWM

      WTF does that mean?

    9. Re:Vendor B by Shag · · Score: 5, Funny

      so people who bought their product KNOWM

      WTF does that mean?

      It means some people don't know how to spell GNOME.

      --
      Village idiot in some extremely smart villages.
    10. Re:Vendor B by Anonymous Coward · · Score: 4, Funny

      False. It's really the codename for the top-secret new GNOME/KDE hybrid. If anyone asks you didn't hear it from me.

    11. Re:Vendor B by bram · · Score: 1

      lol :) Thanks I needed that.

      --
      People using html in email should be shot.
    12. Re:Vendor B by eudaemon · · Score: 3, Insightful

      Just another reason for Cisco to opensource IOS and sell their hardware and service, instead.
      IOS has been famously pirated along with its hardware by Chinese knock-offs for years now.
      Might as well finish the transition. Then again I'd like to see Mac OSX opensourced, too,
      so it may be something in the water. :-)

    13. Re:Vendor B by Anonymous Coward · · Score: 4, Insightful

      Actually, no. The problem is that you need to pay big bucks to have access to IOS updates, and too many people just buy the router, whatever IOS comes with it, and NEVER want to hear from Cisco's overpriced services ever again.

      Really, critical internet infrastructure needs to be *easy* (as in low cost and not many technical pitfalls) to keep up-to-date, and we need to start doing Very Bad Things to those that don't implement BCP-38 (you're a danger to all your customers and downstream if you don't), egress filtering (good neighborhood requirements), automated up-to-date bogon filtering (or you will cause troubles for everyone that gets a new block of IP space freshly handed to a RIR), and strict BGP filtering...

      Cisco's IOS update policies REALLY have a part of the blame on this.

    14. Re:Vendor B by Anonymous Coward · · Score: 0

      Actually, several related cisco bugs had been fixed, but according to Cisco product development this was a new case not previously fixed.

      See your Cisco rep regarding CSCsx73770.

      Ref:

        http://blog.ioshints.info/2009/02/oversized-as-paths-cisco-ios-bug.html

    15. Re:Vendor B by Anonymous Coward · · Score: 0

      Probably at Cisco's request...

    16. Re:Vendor B by mysidia · · Score: 1

      This is (in theory) why they have T release trains versus the general mainline release trains.

      The mainline release is supposed to be stable. If it's not, then yes, they deserve to be called on it for poor QA.

      If operators run the T train, essentially beta quality stuff, they deserve what they get.

      Chances are very good that old versions do contain showstopper bugs, or bugs that can be showstoppers, esp. security bugs that can lead to DoS or compromise, exploitable or will be a serious problem at some unknown point in the future (a minefield waiting for someone to step in the wrong place). Running software that's 10 years old on the internet, when hundreds of thousands of bugs have been fixed over the years is just plain irresponsible.

    17. Re:Vendor B by mysidia · · Score: 1

      Yes, exactly. A thorough investigation of the original bug and revised QA procedures to 'test around' the known bug should have caught related issues like the one that was found.

      The fact it didn't, I think means someone was asleep at the switch back then, or just doing the minimal work to fix the known bug, rather than a proper testing effort to find similar issues, or other issues that may have arisen from the same basic assumptions that resulted in the first bug.

      If quality of your product is a priority, your QA effort doesn't stop at making sure known bugs don't exist, it involves a serious effort to validate your implementation, and determine all known bugs (like the new one that was found), and they've had 10 years to do it, so it's not as if time or limited resources is a legitimate issue.

    18. Re:Vendor B by Lars+T. · · Score: 1

      Well that may be the case but in this case the criticism doesn't really seem deserved. For better or worse /. generally posts exactly what was written by the person who submitted the article. Blame that person for trying to "soften" the blow.

      But it was timothy who felt the need to point out who vendor A was, but not vendor B.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    19. Re:Vendor B by The+name+is+Dave.+Ja · · Score: 1

      critical internet infrastructure needs to be *easy*,

      and

      we need to start doing Very Bad Things to those that
      don't implement BCP-38,
      egress filtering,
      automated up-to-date bogon filtering,
      and strict BGP filtering...

      Well, make up your mind. Can't have both.

    20. Re:Vendor B by lukas84 · · Score: 1

      Erm, I don't think people running their own AS have an issue with the pricing of Cisco's services.

    21. Re:Vendor B by Blakey+Rat · · Score: 1

      Dude, relax. People make mistakes, no harm was done... breathe into a paper bag for a few minutes and come back to us when you've calmed down, ok? You're going to hurt yourself with all this outrage over an almost-trivial software bug.

    22. Re:Vendor B by Darkk · · Score: 1

      You hope Cisco will provide the firmware update for free for those who don't have a current service contract on their routers.

      Cisco charges for everything from stupid cables to firmware updates.

    23. Re:Vendor B by mysidia · · Score: 1

      You know the fact that the bug is trivial is what makes it so outrageous, the most basic of testing by a professional test team should have detected it.

      It would be understandable if this were some complex bug that only showed up if a long list of conditions were met.

      This was a simple input validation bug. The IOS is _highly_ expensive enterprise software. This should not happen, period.

    24. Re:Vendor B by Anonymous Coward · · Score: 0

      I thought the vendor B was you-know-who.

    25. Re:Vendor B by Anonymous Coward · · Score: 0

      You clearly do not understand the basics of BGP regarding your comments of trusting untrusted devices.

      The users of the larger more useful router vendor had prior notice and knew they had a buggy implementation. You need to check the release notes and caveats before you install your IOS.

    26. Re:Vendor B by kasperd · · Score: 1

      If anyone asks you didn't hear it from me.

      I'll just pretend I heard it from an anonymous coward on slashdot.

      --

      Do you care about the security of your wireless mouse?
    27. Re:Vendor B by anon+mouse-cow-aard · · Score: 2, Insightful

      Then again I'd like to see Mac OSX opensourced, too,

      umm... http://www.opensource.apple.com/darwinsource/

    28. Re:Vendor B by alecwood · · Score: 1

      Anything to do with Timothy sharing nationality with Vendor B I wonder? Either way, one must ask the question - Timothy, why did you name vendor A but not vendor B?

      Maybe I'm just getting cynical in my old age

      --
      Real happiness lies in the completion of work using your own brains and skills.
    29. Re:Vendor B by rwa2 · · Score: 1

      Vendor B is Cisco btw.

      Dunno why they were being vague.

      They're being vague because they (reporters, editors, advertisers, hell just about everybody) probably have a lot of money in Cisco in their stock portfolio. If it was good news that would bump stocks up they probably would have called it out.

      It's actually kinda amazing how much stock prices are tied to news releases. Remember that earlier story about how Google news somehow picked up an outdated news report with bad news on an airliner, and a whole bunch of automated wall street scripts started dumping stock in that airline which led to a panicked run on that stock which ultimately took out a big fraction of the stock value? Yeah, interesting times :P

    30. Re:Vendor B by psydeshow · · Score: 1

      Actually, no. The problem is that you need to pay big bucks to have access to IOS updates, and too many people just buy the router, whatever IOS comes with it, and NEVER want to hear from Cisco's overpriced services ever again.

      Wait, you're saying that a leading provider of internet infrastructure charges for bugfix updates or security patches? That's completely irresponsible, and recklessly greedy.

      If that's true, then Cisco is one internet-breaking bug away from enforced product recalls (like the auto industry has). I would also question their eligibility as a vendor for future government-sponsored infrastructure projects.

    31. Re:Vendor B by Cramer · · Score: 1

      Actually, Cisco *will* provide fixed versions (aka. "rebuilds") to non-contract customers upon request. All it takes is one email to tac with a valid device and serial number. No, they will not give you a free update from IP Only to Adv Enterprise Services, nor will they bump the version (12.0 -> 12.2 -> 12.4)... if you are running 12.2.12, they'll give you 12.2.12(b) or whatever is the latest rebuild of that version.

      (Been there, done it.)

  3. No more routers...think of the children by Mrs.+Grundy · · Score: 5, Funny

    I'm sure nobody here would argue with me if I suggested that the internet would be a much safer place without routers.

    1. Re:No more routers...think of the children by Anonymous Coward · · Score: 0

      The RIAA and MPAA would agree with you I think.

    2. Re:No more routers...think of the children by mysidia · · Score: 1

      It also wouldn't work.

      Just b/c someone was asleep at the switch and let a bug slip into routers, doesn't mean the internet is better with just switches.

      A world-wide Ethernet network with no routing (the only real alternative based on the technology we know) just isn't very scalable. Plus Ethernet doesn't handle loops very well...

    3. Re:No more routers...think of the children by Anonymous Coward · · Score: 1, Funny

      Whoosh!

    4. Re:No more routers...think of the children by macraig · · Score: 2, Funny

      What's this about a world with no reuters?

    5. Re:No more routers...think of the children by macraig · · Score: 3, Funny

      Think of the starving journalists!

    6. Re:No more routers...think of the children by Ihmhi · · Score: 2, Funny

      Well of course, power tools are dangerous.

    7. Re:No more routers...think of the children by ion.simon.c · · Score: 4, Funny

      Just b/c someone was asleep at the switch and let a bug slip into routers, doesn't mean the internet is better with just switches.

      Duh. PP's not talking about switches. He's talking about *hubs*.

    8. Re:No more routers...think of the children by dangitman · · Score: 1

      I'm sure nobody here would argue with me if I suggested that the internet would be a much safer place without routers.

      I suggest a system based on gaffer tape and chicken wire.

      --
      ... and then they built the supercollider.
    9. Re:No more routers...think of the children by Anonymous Coward · · Score: 0

      Then there shall be no Internet without routers:-)

    10. Re:No more routers...think of the children by Arancaytar · · Score: 0

      Exactly. As much as 100% of all illegal content, like child pornography or (even worse!) pirated music is transferred over the internet by routers. Get rid of them, and you nip all that crime in the bud!

    11. Re:No more routers...think of the children by Mad+Merlin · · Score: 2, Interesting

      He said safer, not better.

    12. Re:No more routers...think of the children by Jah-Wren+Ryel · · Score: 1

      I'm sure nobody here would argue with me if I suggested that the internet would be a much safer place without routers.

      Either that, or they could stop sending packets down the ASSPATH, that's just a recipe for disaster right there.

      --
      When information is power, privacy is freedom.
    13. Re:No more routers...think of the children by OolimPhon · · Score: 1

      I suggest a system based on gaffer tape and chicken wire.

      I thought that was what the current system was.

    14. Re:No more routers...think of the children by ScrewMaster · · Score: 1

      Just b/c someone was asleep at the switch and let a bug slip into routers, doesn't mean the internet is better with just switches.

      Duh. PP's not talking about switches. He's talking about *hubs*.

      Yeah, passive hubs at that.

      --
      The higher the technology, the sharper that two-edged sword.
    15. Re:No more routers...think of the children by Lars+T. · · Score: 1

      Just b/c someone was asleep at the switch and let a bug slip into routers, doesn't mean the internet is better with just switches.

      Duh. PP's not talking about switches. He's talking about *hubs*.

      They can't handle loops at all.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    16. Re:No more routers...think of the children by ion.simon.c · · Score: 1

      Yeah, passive hubs at that.

      Think of the power savings!

  4. Gee, known Cisco bug causes problems by seifried · · Score: 2, Insightful

    If people had upgraded their routers this wouldn't have happened. Newsflash: software has bugs. Not upgrading your software will bite you in the ass eventually, especially if this software runs critical systems like your routers.

    1. Re:Gee, known Cisco bug causes problems by vux984 · · Score: 2, Insightful

      Newsflash: software has bugs. Not upgrading your software will bite you in the ass eventually, especially if this software runs critical systems like your routers.

      Newsflash: software has bugs. Upgrading your software will bite you in the ass eventually, especially if this software runs critical systems like your routers.

      See? The statement is true either way... update or don't update. It doesn't matter. One way you'll get bitten by dormant bugs in the old version, the other way will bite you with bugs introduced in the upgrade.

      The only question that remains is which will bite you in the ass first and more often. From long experience most people agree... if it isn't broken, don't fix it.

    2. Re:Gee, known Cisco bug causes problems by Skinkie · · Score: 1

      If this kind of software was 'free' because you bought an appliance that actually should work instead of upgraded to a different set of bugs, then you might have a point... I honestly think the firmwares that are deployed lack a critical view of some outsiders, but then again I was raised with the open source spirit, Cisco bought itself into it.

      --
      Support Eachother, Copy Dutch Property!
    3. Re:Gee, known Cisco bug causes problems by ThePromenader · · Score: 2, Insightful

      Did you RTFA? The problem was due to a router misconfiguration - a human error - and a worldwide ISP tendency of not reading/filtering garbage from what they pass along. Not bugs, not upgrades.

      --

      No, no sig. Really.

      ThePromenader
    4. Re:Gee, known Cisco bug causes problems by Shakrai · · Score: 5, Funny

      From long experience most people agree... if it isn't broken, don't fix it.

      Reminds me of an old "offensive" fortune quote: Working computer hardware is a lot like an erect penis. It stays up as long as you don't fuck with it.

      If you have no clue what offensive fortunes are try 'fortune -o'. They are great when you are stoned, drunk or just bored at work. If you don't have fortune installed then you are clearly on the wrong website ;)

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    5. Re:Gee, known Cisco bug causes problems by davester666 · · Score: 4, Interesting

      I wonder why the summary went out of its way to use company A & B, then tagged a small Latvian vendor for their range-check bug, but didn't name the much larger vendor that also has a range-check bug, namely Cisco...

      --
      Sleep your way to a whiter smile...date a dentist!
    6. Re:Gee, known Cisco bug causes problems by fuzzyfuzzyfungus · · Score: 2, Insightful

      Possibly because Cisco has trained attack lawyers and a history of rocky relationships with people who say unkind things about their firmware?

    7. Re:Gee, known Cisco bug causes problems by Anonymous Coward · · Score: 1, Informative

      If you have no clue what offensive fortunes are try 'fortune -o'.

      (in bold) Please, please, please request a potentially offensive fortune if and only if you believe, deep down in your heart, that you are willing to be offended...

      If you don't have fortune installed then you are clearly on the wrong website ;)

      Hey, I've got it installed! "fortune -o" says: No fortunes found.

      (Sorry, I'm new.)

    8. Re:Gee, known Cisco bug causes problems by DerekLyons · · Score: 4, Informative

      The summary used Company A and Company B, the editor's comment tagged the Latvian vendor.

    9. Re:Gee, known Cisco bug causes problems by seifried · · Score: 4, Informative

      Speaking of RTFA'ing you should maybe take your own advice:

      As it turns out, the reason for all those routing resets and general instability was due to a previously unknown Cisco bug involving AS paths close to 255 in length. If you try to prepend to a long path that you receive and by doing so, create a path longer than 255, you are toast. So the maps we gave in our last blog were more of an indication of Cisco market share (at least among prependers), rather than the propensity of outdated routers. Kudos to Ivan for figuring this out.

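The one-octet AS_PATH segment length that both the story summary (an AS_PATH "with length very close to 256", an ASN "modulo 256 greater than 250") and the Renesys explanation quoted in the comment above turn on, as an added illustration that is not part of the original page, the Renesys post, or any vendor's code. RFC 4271 encodes each AS_PATH segment as a type octet, a one-octet count of ASNs (so at most 255 per segment) and then the ASNs themselves. The model below assumes, and this is an assumption rather than something the page states, that the un-range-checked vendor-A field was a prepend count held in one octet, so that a large value typed into it wraps modulo 256. The ASNs (65276, 64500, 64496), the "typo" and the prepend counts are constructed for the example, and MAX_PREPENDS is an assumed local policy limit. It encodes the resulting path the naive way (one segment, count truncated to a byte) and the RFC way (split across segments), and runs a strict receiver over both to show which one a peer has to treat as malformed.

```python
"""Model of BGP's one-octet AS_PATH segment length (RFC 4271, section 4.3) and
of how an un-range-checked prepend count interacts with it.

Added illustration only: the ASNs, the typo and the prepend counts below are
constructed, not taken from the incident discussed on the page.
"""
import struct

AS_SEQUENCE = 2
SEGMENT_MAX_ASNS = 255   # segment count is one octet, so at most 255 ASNs per segment
MAX_PREPENDS = 16        # assumed local policy limit for the prepend field (not from the page)


def prepend_count_unchecked(field_value):
    """Config field stored in one octet with no range check (assumed shape of the
    vendor-A bug): anything above 255 silently wraps modulo 256."""
    return field_value & 0xFF


def prepend_count_checked(field_value):
    """The same field with the range check the story says was missing."""
    if not 0 <= field_value <= MAX_PREPENDS:
        raise ValueError("prepend count %d out of range 0..%d" % (field_value, MAX_PREPENDS))
    return field_value


def prepend_field_accepts(field_value):
    """True if the range-checked field would accept the value at config time."""
    try:
        prepend_count_checked(field_value)
        return True
    except ValueError:
        return False


def advertise(local_as, received_path, prepends):
    """AS_PATH this router sends to an eBGP peer: its own ASN once, plus the
    configured number of extra copies, in front of the path it received."""
    return [local_as] * (1 + prepends) + list(received_path)


def encode_as_path(asns):
    """RFC-style encoding: AS_SEQUENCE segments with 2-octet ASNs, split every
    255 ASNs because the per-segment count cannot exceed one octet."""
    out = bytearray()
    for i in range(0, len(asns), SEGMENT_MAX_ASNS):
        chunk = asns[i:i + SEGMENT_MAX_ASNS]
        out += bytes([AS_SEQUENCE, len(chunk)])
        out += struct.pack(">%dH" % len(chunk), *chunk)
    return bytes(out)


def encode_as_path_naive(asns):
    """The failure mode: a single segment whose count is len & 0xFF. At exactly
    256 ASNs the count wraps to 0; above that it under-counts and the bytes that
    follow are parsed as the next segment header."""
    return bytes([AS_SEQUENCE, len(asns) & 0xFF]) + struct.pack(">%dH" % len(asns), *asns)


def decode_as_path(data):
    """Strict receiver: walks the segments and returns the flattened ASN list,
    raising ValueError on any inconsistency. RFC 4271 has the receiver answer a
    malformed AS_PATH with a NOTIFICATION and close the session."""
    asns, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        seg_type, count = data[pos], data[pos + 1]
        pos += 2
        if seg_type not in (1, 2):
            raise ValueError("unknown segment type %d" % seg_type)
        if count == 0:
            raise ValueError("zero-length segment")
        end = pos + 2 * count
        if end > len(data):
            raise ValueError("segment claims %d ASNs but attribute is too short" % count)
        asns.extend(struct.unpack(">%dH" % count, data[pos:end]))
        pos = end
    return asns


def wire_ok(data):
    """True if a strict receiver accepts the attribute, False if it would reset."""
    try:
        decode_as_path(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed scenario: ASN 65276 (65276 % 256 == 252, i.e. > 250) typed into
    # the prepend field by mistake; the next hop then adds three prepends of its own.
    typo_as, origin = 65276, [64496]
    n = prepend_count_unchecked(typo_as)                # 252 instead of a config error
    path = advertise(typo_as, origin, n)                # 254 ASNs leave the mis-configured box
    path = advertise(64500, path, 3)                    # neighbour prepends 3: 258 ASNs
    print(len(path), wire_ok(encode_as_path(path)), wire_ok(encode_as_path_naive(path)))
    print("range-checked field accepts the typo:", prepend_field_accepts(typo_as))
```

Run stand-alone it prints `258 True False`: the same 258-ASN path decodes cleanly when split into segments and is rejected by a strict receiver when forced into one segment, and the range-checked field refuses the typo before any UPDATE is built. The point of the strict decoder is that a receiver following RFC 4271 resets the session on a malformed attribute, which is exactly the "dropping BGP sessions" behaviour the summary describes; the damage is limited only if the sending side never builds the bad attribute in the first place.
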
    10. Re:Gee, known Cisco bug causes problems by Kaboom13 · · Score: 5, Informative

      You have to have a support agreement with Cisco to get the latest IOS. They won't even give you the last version when your support contract ran out. Also, older routers do not always have upgrades available for various reasons, either they do not have enough space or hardware limitations or Cisco End-of-Lifed it and hasn't bothered.

      There's also the "if it isn't broke don't fix it" mentality in the networking world. A new version may fix some bugs but it might add some bugs as well. An upgrade, even if minor, generally means a lot of work testing and reconfiguring before you roll it out. Network engineers are expensive and that time isn't free. Sometimes the devil you know is better than the devil you don't.

      In an ideal world it wouldn't be an issue, but when it comes to networking it's NEVER an ideal world. There's always too much to do and never enough budget/manpower to do it. Every network admin probably has 10 things on his mental wishlist right now, upgrades he would like to make, redundant hardware he would like to purchase, failover contingencies he needs to test, etc. Upgrading IOS on an old router in a rack somewhere (and hoping it doesn't blow up in your face) can be pretty far down the list.

    11. Re:Gee, known Cisco bug causes problems by Anonymous Coward · · Score: 0

      Exactly. Very bad reporting standards. Typical of /. really, makes me sick.

    12. Re:Gee, known Cisco bug causes problems by ThePromenader · · Score: 4, Insightful

      The Cisco 'bug' is an oversight - with its own configuration system (where the actual AS path is written out, not an algorithm treating the same set earlier in a variable), there can be no problem. Cisco does not take into account possible errors (garbage) created by the configuration of other-type routers, thus the problem. True, this also reveals a laziness on the behalf of network engineers who assume that all routers use the dominant Cisco-ish configuration language - not. So what is needed is a means of filtering errored garbage from all platforms and sources, and this job would be most efficient were it undertaken by ISP's.

      --

      No, no sig. Really.

      ThePromenader
    13. Re:Gee, known Cisco bug causes problems by Anonymous Coward · · Score: 0

      Probably because he's that same troll who writes the blog that bashes on the Cisco test cloning products and threatens candidates with the Cisco Lifetime Shitlist.

    14. Re:Gee, known Cisco bug causes problems by FireFury03 · · Score: 1

      Hey, I've got it installed! "fortune -o" says: No fortunes found.

      (Sorry, I'm new.)

      Most distros seem to remove offensive mode for fear of offending people. :-/
      You'll need to grab the source package and rebuild it yourself with offensive mode enabled.

    15. Re:Gee, known Cisco bug causes problems by geirnord · · Score: 5, Interesting

      Untrue. Cisco TAC will give you the latest firmware for free, provided you tell them you need it due to security flaws discovered in your current version. You may need to point to their bulletin about the bug, but that should be trivial (http://www.cisco.com/en/US/products/products_security_advisories_listing.html)

      Since Cisco almost exclusively patches current versions due to security bugs, all their IOS are belong to us for free.

    16. Re:Gee, known Cisco bug causes problems by SanityInAnarchy · · Score: 2, Insightful

      if it isn't broken, don't fix it.

      That also implies, if it is broken, fix it.

      From long experience, we all get bitten sooner or later. I would say we most often remember the upgrades as being more hazardous, because we blame ourselves for those -- should've known better than to use that new, untrusted code. At least with inaction (not patching), it's negligence, rather than active incompetence -- harder to blame yourself, or for others to blame you.

      But this should not be about escaping blame, it should be about minimizing risk.

      --
      Don't thank God, thank a doctor!
    17. Re:Gee, known Cisco bug causes problems by Anonymous Coward · · Score: 0

      Understood, thanks!

      (Same AC here)

    18. Re:Gee, known Cisco bug causes problems by SanityInAnarchy · · Score: 2, Informative

      Or, they move it to a separate package. For example, on Ubuntu, this is fortunes-off.

      No need to make it more complicated than it is.

      --
      Don't thank God, thank a doctor!
    19. Re:Gee, known Cisco bug causes problems by Anonymous Coward · · Score: 0

      wva@yup:~$ sudo apt-get install fortunes-off
      [sudo] password for wva:
      Reading package lists... Done
      [...]
      Setting up fortunes-off (1:1.99.1-3.1ubuntu2) ...

      wva@yup:~$ fortune -o
      The King plugged the Queen's ass with mustard
      To make her fuck hot, but got flustered,
              And cried, "Oh, my dear,
              I am coming, I fear,
      But the mustard will make you come `plus tard'."
      wva@yup:~$

      I never knew about offensive cookies... You guys made my day!

    20. Re:Gee, known Cisco bug causes problems by funkatron · · Score: 1

      Not working here (unless dawkins means something else in American).

      fortune -o

      "In childhood our credulity serves us well. It helps us to pack, with extraordinary rapidity, our skulls full of the wisdom of our parents and our ancestors. But if we don't grow out of it in the fullness of time, our ... nature makes us a sitting target for astrologers, mediums, gurus, evangelists, and quacks. We need to replace the automatic credulity of childhood with the constructive skepticism of adult science."

      [Richard Dawkins]

      --
      "Welcome to our world. We are the wasted youth. And we are the future too." Yes, I know these are stupid lyrics.
    21. Re:Gee, known Cisco bug causes problems by Tony+Hoyle · · Score: 4, Insightful

      It wasn't 'previously unknown' it was fixed over 3 years ago.

      A router that hasn't been updated in 3 years has problems - including a couple of security holes that have been discovered in the interim.

    22. Re:Gee, known Cisco bug causes problems by Anonymous Coward · · Score: 0

      fortune -o
      Confucious say:
                      man who make oral love to epileptic woman may get tongue-tied.

    23. Re:Gee, known Cisco bug causes problems by iminplaya · · Score: 1

      There's always too much to do and never enough budget/manpower to do it.

      *sigh* So much to do...So many unemployed...So confusing!

      --
      What?
    24. Re:Gee, known Cisco bug causes problems by Bert64 · · Score: 4, Insightful

      Trouble is, you can't just go and download cisco updates... Even if you own their hardware, they make it difficult to download anything... You need a support contract and valid account to download most stuff, and their website is absolutely horrendous to navigate.
      It's pretty stupid, just about every other vendor makes the updates freely downloadable.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    25. Re:Gee, known Cisco bug causes problems by Bert64 · · Score: 2, Insightful

      Which is a lot more hassle than the update mechanisms offered by pretty much every other vendor.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    26. Re:Gee, known Cisco bug causes problems by ScrewMaster · · Score: 3, Interesting

      Trouble is, you can't just go and download cisco updates... Even if you own their hardware, they make it difficult to download anything... You need a support contract and valid account to download most stuff, and their website is absolutely horrendous to navigate. It's pretty stupid, just about every other vendor makes the updates freely downloadable.

      Cisco is where they are because they monetize everything.

      --
      The higher the technology, the sharper that two-edged sword.
    27. Re:Gee, known Cisco bug causes problems by turbidostato · · Score: 1

      "But this should not be about escaping blame, it should be about minimizing risk."

      Sadly enough, in too many places not upgrading till obviously broken *is* a minimizing risk strategy... Minimizing employment risk, I mean.

    28. Re:Gee, known Cisco bug causes problems by Lars+T. · · Score: 1

      Not working here (unless dawkins means something else in American).

      Well, to many Americans what Dawkins said would be an insult.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    29. Re:Gee, known Cisco bug causes problems by Anonymous Coward · · Score: 0

      > They are great when you are stoned, drunk or just bored at work.

      Well I don't know about where you work, but here the first two are sacking offences.

    30. Re:Gee, known Cisco bug causes problems by russotto · · Score: 1

      There's always too much to do and never enough budget/manpower to do it.

      *sigh* So much to do...So many unemployed...So confusing!

      1) There's still the budget issue
      2) Just how many unemployed people do you think there are who are able and willing to do the work?

    31. Re:Gee, known Cisco bug causes problems by iminplaya · · Score: 1

      Just how many unemployed people do you think there are who are able and willing to do the work?

      I know a guy in La Jolla that might tell you he can pull it off for the right price, and he might even offer up a cure for malaria. He's a frickin genius.

      --
      What?
    32. Re:Gee, known Cisco bug causes problems by pyite · · Score: 1

      The Cisco 'bug' is an oversight

      How is this an "oversight"? There really is a bug. Cisco Bug ID CSCdr54230, to be exact. The bug was fixed in various code versions, but that doesn't change the fact that by Cisco's own admission it is classified as "1 - catastrophic" (in red letters, even).

      Normal measures like blocking routes with an as-path length greater than n (for some reasonable value of n) stop you from passing it on to others, but if you ran an affected IOS, it would still hurt you.

      --

      "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

    33. Re:Gee, known Cisco bug causes problems by Kaboom13 · · Score: 1

      I was not aware of that, but it is still a lot of hassle. Time spent researching a security flaw affecting your device and contacting Cisco about it is time you could be doing other things. I know when we had an issue with some old gear acquired off eBay for a test network, getting Cisco to even acknowledge that we were now the legit owners of the device was a pain.

      Updating your IOS is seldom a quick and easy task, especially if your predecessors were less than diligent.

    34. Re:Gee, known Cisco bug causes problems by mean+pun · · Score: 1

      Cisco is where they are because they monetize everything.

      And where they are is with a customer base that is reluctant to fix security holes...

    35. Re:Gee, known Cisco bug causes problems by ScrewMaster · · Score: 2, Insightful

      Cisco is where they are because they monetize everything.

      And where they are is with a customer base that is reluctant to fix security holes...

      No kidding. Even the great Beast of Redmond has not, so far as I'm aware, tried to profit from WindowsUpdate. Of course, if they did, nobody would ever use it.

      --
      The higher the technology, the sharper that two-edged sword.
    36. Re:Gee, known Cisco bug causes problems by Anonymous Coward · · Score: 0

      My mentality is that every so often you HAVE to upgrade. It is not a choice. (A taxation change means you have to upgrade payroll software; you have no option. Your router dies, you have to buy new ones; you have no option but to upgrade. The list goes on.)

      Having made incremental upgrades, the pain and damage is a lot lower. Going from v1 to v8 will break a LOT, but the breakages from v4 to v5 are probably a lot more minor.

      So, I'd rather amortize the risk by occasional upgrades.

    37. Re:Gee, known Cisco bug causes problems by Anonymous Coward · · Score: 0

      Actually Cisco only sells hardware and licenses the IOS. Thus when you bought the old gear from ebay, from Cisco's view you do not have a valid IOS license. I do not agree with their view but they are unlikely to change it. They even have to 'relicense' equipment purchased from 3rd parties.

    38. Re:Gee, known Cisco bug causes problems by psydeshow · · Score: 1

      Which is a lot more hassle than the update mechanisms offered by pretty much every other vendor.

      Exactly. Cisco needs to get their heads out of the 90s and make it easy for their customers to keep their gear patched against critical bugs like this.

      I don't care if they want to restrict feature enhancements and non-critical bug fixes for contract purchasers. But when a router is vulnerable to a simple validation error, they need to give *everyone* with that hardware the ability to fix it, regardless of whether they are paying for support or not.

      Cisco sold a buggy product. Then they made it difficult if not impossible for some purchasers to get a working version. In my opinion, that makes Cisco responsible for the outages, no matter what their business model and lawyers have to say about it. Grow up and release your patches already.

  5. Conclusion... by ThePromenader · · Score: 1

    ...so ISP's should filter AS paths!

    --

    No, no sig. Really.

    ThePromenader
    1. Re:Conclusion... by Shakrai · · Score: 1

      ...so ISP's should filter AS paths!

      I always thought they did. Back in my ISP days we had multihomed connections and all three of our uplink providers filtered what we sent to them. It just seems like common sense. What's the reason for not doing it? Laziness?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:Conclusion... by tomstorey · · Score: 2, Interesting

      I always thought they did.

      Most already do. The problem was not the ASPATH itself, it was the length of it. The routers affected did not handle updates for a prefix which required more than one AS_SEQUENCE segment in order to obtain the full AS path. The existence of the additional AS_SEQUENCE segment is what triggered the bug, causing the receiving router to treat the update as invalid and drop the BGP session.

    3. Re:Conclusion... by tomstorey · · Score: 1

      ...so ISP's should filter AS paths!

      Filtering the path would not have prevented this from happening. However, filtering paths whose length was unrealistically long would have done a world of good.

  6. didnt kdawson post this last week by gad_zuki! · · Score: 5, Insightful

    except in the kdawson style it was a single link to a message board posting about a router "taking out half the internet." Dupe? Correction? I don't care as long as kdawson is kept away from the site for a while.

    1. Re:didnt kdawson post this last week by timmarhy · · Score: 2, Interesting

      "timothy" is actually kdawson's alter ego from which he posts the same crap

      --
      If you mod me down, I will become more powerful than you can imagine....
    2. Re:didnt kdawson post this last week by Bryan+Ischo · · Score: 5, Insightful

      That explains a lot.

      I complained to CmdrTaco a year ago or so about kdawson's terrible editing and article judgement. The site would be SOOO much better without him. But CmdrTaco stood up for him, arguing that he does "a pretty good job".

      I lost a lot of faith in Slashdot that day. I only continue to read out of habit. But I skip more articles now and I get a chuckle when I see lame stories posted by lame editors with sub-100 comments. I only wish that *no one* would read and comment on the lame stories (I should be taking my own advice here!) so that maybe the Slashdot editor cabal would get the hint.

    3. Re:didnt kdawson post this last week by troll8901 · · Score: 1

      But, kdawson is the only one who's willing to work on a Saturday!

      (It's Saturday today, right?)

    4. Re:didnt kdawson post this last week by ion.simon.c · · Score: 4, Informative

      You should check out alterslash.org. It's an excellent way to sort through the shitty /. comments and get to some decent threads.

    5. Re:didnt kdawson post this last week by troll8901 · · Score: 2, Interesting

      But CmdrTaco stood up for him, arguing that he does "a pretty good job".

      I see the old "should a boss side with his subordinates or customers" argument.

      I only wish that *no one* would read and comment on the lame stories (I should be taking my own advice here!) so that maybe the Slashdot editor cabal would get the hint.

      What's the reason for not filtering out kdawson and timothy in Preferences > Index > Authors? (I'm not saying you're a complainer, I'm just wondering if "not wanting to miss out on the news" is the reason.)

      Of course, I agree that it's important to present a better Slashdot with higher quality news to the casual visitor.

    6. Re:didnt kdawson post this last week by Anonymous Coward · · Score: 0

      I didn't see a previous post... Oh, wait, that's because I got so sick of kdawson's crap that I finally got around to filtering him out.

      It was either get rid of kdawson or give up on /.

      (This is not to say that kdawson might not be a fine *person*, but his posts were revolting. If I wanted chicken-little-on-'roids reporting, I'd go to Rush, O'Reilly, or one of the other side's buffoons [who would be named as well if I had the names handy].)

    7. Re:didnt kdawson post this last week by Bryan+Ischo · · Score: 2, Insightful

      As you speculated, it's a "not wanting to miss out on the news" thing. I filtered kdawson for about a day but got paranoid that I was missing some interesting stories.

      kdawson is a terrible editor, and makes poor choices about which articles to post to Slashdot, but of course he sometimes posts good stories too. The problem is that the signal to noise ratio is so low with him. It's irritating to have to scan through so many crappy summaries just to find the few good ones. But I don't want to miss out on the few good ones, so I don't filter him.

      If kdawson were gone, then presumably someone with better judgement would take his place, and they'd still post the good stories that he would have posted, but wouldn't post nearly as many of the bad ones. That's what I want to happen, it's why I wrote to CmdrTaco, it's the point I tried to make with him, and it's what I was utterly unable to convince him of. So kdawson and his 8-crappy-stories-to-every-1-good-story-that-you-don't-want-to-miss contributions to Slashdot are unfortunately here to stay.

      The only editor I ever filtered was JonKatz. He never posted a single good story, so I knew I wasn't missing anything when I filtered him out.

    8. Re:didnt kdawson post this last week by makomk · · Score: 1

      It's called a "follow-up". You see, when there's a news story, often relevant details don't become known until some days later - as in this case. If this happens, obviously the readers would like to be told, which means a second, updated story. (Of course, even in real-world newspapers, this can border on a dupe if done gratuitously. In this case, though, there really is new info.)

    9. Re:didnt kdawson post this last week by cide1 · · Score: 1

      The last 3-5 years of Slashdot have been pretty painful. I find the insightful posts to be less and less insightful, and the humorous comments to be more and more predictable. I have sworn I was leaving several times, only to come back out of habit and boredom. It is no longer "News for Nerds, stuff that matters.", it is "Easily explained subsets of news for wannabe nerds, and pointless articles that are rarely interesting and often old". It saddens me, as I learned a lot of technical knowledge on this site.

      --
      -- the computer doesn't want any beer, no matter how much you think it does. NEVER, EVER feed your computer beer.
  7. Sigh... maybe next time... by Anonymous Coward · · Score: 1, Insightful

    ... the crash will take out the entire interwebs for a full week. Wouldn't it be amazing if mankind as a whole had to "survive" an entire week without the face-to-face interaction killer that is the internet? I suppose that what's even more pathetic is that we depend on it so much now; countries would go into widespread panic if internet was lost for a single week. Isn't it sad how people seem to think that something that didn't even exist 30 years ago is now considered a bare necessity? Oh, the priorities of man.

    1. Re:Sigh... maybe next time... by Anonymous Coward · · Score: 0

      You mean something like this?

      Those South Park guys are prophets, I tell you.

    2. Re:Sigh... maybe next time... by Spatial · · Score: 1

      What exactly is pathetic about it, as opposed to the dependency on phones or any other telecommunication system? Or any infrastructure for that matter. It's completely typical and ordinary.

  8. Nearly crashed the Internet? by twistah · · Score: 3, Interesting

    I don't know about it nearly crashing the Internet. How many people actually noticed a difference that day, for that matter?

    A lot of admins, especially after the alert went out over the NANOG list, set their routers to reject long ASPATHs (or I assume, from what I saw on those list, I am not a BGP admin myself.) Many routers simply rejected these ASPATHs as well; correct me if I'm wrong, but weren't old versions of IOS the only ones affected? It was a serious issue, but I'm not sure if it came anywhere near a disaster scenario.

    1. Re:Nearly crashed the Internet? by interkin3tic · · Score: 0, Offtopic

      A lot of admins, especially after the alert went out over the NANOG list

      This is very off topic... but that's the first time I ever heard of "North American Network Operators Group." It's strange that, apparently by coincidence, the acronym is the same as the name of one of the four transcription factors that causes de-differentiation in iPS cells. The wiki page says the transcription factor gets its name from some Scottish legend.

      http://en.wikipedia.org/wiki/Nanog

      Like I said, off topic but I thought it was interesting...

    2. Re:Nearly crashed the Internet? by Paaskonijn · · Score: 4, Funny

      I don't know about it nearly crashing the Internet. How many people actually noticed a difference that day, for that matter?

      Well, sure, nobody noticed... But they all nearly noticed!

    3. Re:Nearly crashed the Internet? by Phroggy · · Score: 1

      It knocked me offline for a couple of hours. I called my ISP, and they said the problem was at their upstream provider, which is Time Warner. So yeah, this is a big deal.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  9. FTA by drDugan · · Score: 3, Funny

    "The Internet was back to normal in short order."

    Well, not completely normal, not yet.

    1. Re:FTA by Akardam · · Score: 1

      Speaking of one typo away from disaster...

      Try jonesday.com

  10. I heard it was a little more devastating by mysidia · · Score: 0, Offtopic

    Reportedly all data was lost. And it was more than just the routers -- someone was clogging the tubes by running too many apps on their desktop.

    We should be very thankful that the partial backup was found with some info from the Google Tube, however.

  11. Fragile Internet by tick-tock-atona · · Score: 5, Funny

    Few people appreciate how fragile and unsecured the Internet's trust-based critical infrastructure really is - this is just the latest example.

    Yeah. Like how everyone is trusted not to google "google".

    1. Re:Fragile Internet by mail2345 · · Score: 1

      Err...
      Yeah...
      I'm sorry about that whole mess.

    2. Re:Fragile Internet by iminplaya · · Score: 1

      Results 1 - 100 of about 2,580,000,000 for google. (0.11 seconds)

      Not too shabby

      --
      What?
    3. Re:Fragile Internet by Anonymous Coward · · Score: 0

      Yeah. Like how everyone is trusted not to google "google".

      Look, all that happened was that "The Internet" was knocked over and fell off the stool.

  12. laf by maitai · · Score: 4, Interesting

    When I worked for *unnamed nw regional backbone here* we had peering agreements with everyone except uunet that we connected to, and it was pretty known that if we spat out a bad BGP route we could bring down the whole net by hitting enter ('cept uunet, although I'm pretty sure uunet woulda went down from everyone else routing around them to us)

    How is this new? That was the 90's. and when we spent 100k+ on a Cisco 7513 with 64megs of ram so it could hold the BGP tables...

    We even wrote our own manual ('cause none existed) on how to deal with BGP tables so junior admins working for us wouldn't fuq it up. (and on top of that, we wouldn't let them touch the routers either)

    -meetme room in the westin in Seattle-

  13. Cisco to Blame, not Mikrotik by DeadboltX · · Score: 5, Informative

    The critical bug is with the Cisco routers; a Mikrotik router merely nearly triggered the bug.
    It would be possible to trigger this bug with any routing software that does not do range checking on the number of times the ASN is prepended.

    The summary is spreading FUD by making Mikrotik, the only named vendor in the summary, look like the vendor at fault.
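
    The mechanism tomstorey and pyite describe above (an AS_PATH that needs a second AS_SEQUENCE segment once it passes 255 ASNs, and a maximum-length filter that stops such a path at the edge) and the missing range check DeadboltX points to here can be put side by side in code. The block below is an added example for this thread, not code from any router vendor or from the posters. It assumes 2-octet ASNs as in RFC 4271, and its reading of the vendor A defect (a one-octet prepend-count field that is never range-checked, so a mistyped ASN becomes ASN mod 256 prepends) is an assumption built from the summary's "ASN, modulo 256, greater than 250", not a documented description of that product. The ASNs 65276 and 64600-64602 are constructed private-range values.

```python
# Added example (not from the thread): AS_PATH encoding/parsing and the two
# defences discussed in the comments, written against 2-octet ASNs (RFC 4271).
import struct

AS_SEQUENCE = 2             # segment type code for an ordered AS_SEQUENCE
MAX_ASNS_PER_SEGMENT = 255  # the segment length field is a single octet


def encode_as_path(asns):
    """Build an AS_PATH attribute value, opening a new AS_SEQUENCE segment
    whenever the 255-ASN capacity of a segment is exhausted."""
    out = bytearray()
    for i in range(0, len(asns), MAX_ASNS_PER_SEGMENT):
        chunk = asns[i:i + MAX_ASNS_PER_SEGMENT]
        out += struct.pack("!BB", AS_SEQUENCE, len(chunk))
        out += struct.pack("!%dH" % len(chunk), *chunk)
    return bytes(out)


def decode_as_path(data):
    """Parse an AS_PATH value into [(segment_type, [asn, ...]), ...].
    Every segment is bounds-checked, so a truncated attribute raises
    ValueError instead of being misread."""
    segments, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated segment header at offset %d" % i)
        seg_type, count = data[i], data[i + 1]
        i += 2
        body = data[i:i + 2 * count]
        if len(body) != 2 * count:
            raise ValueError("segment claims %d ASNs but body is short" % count)
        segments.append((seg_type, list(struct.unpack("!%dH" % count, body))))
        i += 2 * count
    return segments


def as_path_length(segments):
    """Total ASN count across all segments, which is what a maximum-length filter measures."""
    return sum(len(asns) for _, asns in segments)


def accept_update(data, max_as_path):
    """Ingress policy: refuse the update if its AS_PATH is malformed or longer
    than max_as_path ('n' in pyite's post), so it is neither installed nor re-advertised."""
    try:
        segments = decode_as_path(data)
    except ValueError:
        return False
    return as_path_length(segments) <= max_as_path


def prepend_count_unchecked(field_value):
    """Assumed model of the vendor A defect: a one-octet prepend-count field with
    no range check, so a mistyped ASN silently becomes (ASN mod 256) prepends."""
    return field_value & 0xFF


def prepend_count_checked(field_value, limit):
    """The missing range check: reject anything outside 0..limit at configuration time."""
    if not 0 <= field_value <= limit:
        raise ValueError("prepend count %d outside 0..%d" % (field_value, limit))
    return field_value


def originate_with_prepends(local_asn, prepend_count):
    """Path as it leaves the originating router: the local ASN plus its prepends."""
    return [local_asn] * (1 + prepend_count)


def propagate(asns, transit_asns):
    """Each transit AS puts its own ASN at the front as it re-advertises the route."""
    path = list(asns)
    for transit in transit_asns:
        path = [transit] + path
    return path


if __name__ == "__main__":
    LOCAL_ASN = 65276  # constructed private ASN; 65276 mod 256 == 252
    count = prepend_count_unchecked(LOCAL_ASN)  # the 'typo': ASN lands in the count field
    path = propagate(originate_with_prepends(LOCAL_ASN, count), [64600, 64601, 64602])
    wire = encode_as_path(path)
    print("ASNs:", len(path), "segments:", len(decode_as_path(wire)),
          "accepted with n=100:", accept_update(wire, 100))
    try:
        prepend_count_checked(LOCAL_ASN, 32)
    except ValueError as err:
        print("configuration rejected:", err)
```

    With the constructed values, 252 prepends plus the origin ASN give 253 entries, and three transit hops push the path to 256 ASNs, so the encoder has to emit a second AS_SEQUENCE segment: exactly the shape of update the thread says the affected receivers could not handle. The config-time check stops the path from being built at all; the ingress filter stops a peer from passing one on, which matches pyite's point that the filter protects others but not a receiver that is itself vulnerable.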

    1. Re:Cisco to Blame, not Mikrotik by FirstDivision · · Score: 1

      I was wondering about this. I don't know very much about networking, but what prevents an individual from initiating this problem? Do the routers only accept these messages from 'trusted' sources? Obviously this must be the case or there would be people taking advantage of it.

    2. Re:Cisco to Blame, not Mikrotik by 0xFCE2 · · Score: 1

      Routers will only exchange BGP messages if both are configured to do this. Each "neighbor" must be added using its IP and AS-number.

    3. Re:Cisco to Blame, not Mikrotik by FirstDivision · · Score: 1

      Ahh, I figured as much. I tried searching for it before but I didn't have BGP in there, so my search for "network announcement AS" resulted in "OWN: The Oprah Winfrey Network Announcement", lol. My modified search landed me on http://www.tcpipguide.com/free/t_BGPDetailedMessagingOperationandMessageFormats.htm which I think will help me out. I think I remember reading this years ago, didn't the PDF used to be free?

    4. Re:Cisco to Blame, not Mikrotik by Crackez · · Score: 2, Informative

      On the other hand, MikroTik devices do suck.

      Ever had the pleasure of dealing with one of these pieces of garbage?

      Not that Cisco doesn't have problems (FWIW, I admin a fair sized Cisco network), but MikroTik routers give me a feeling in my gut that it's just about to break, any minute now... I could build a better router out of a PC and some NICs (and have - love OpenBSD)...

      Disclaimer: my experience with MikroTik is from dealing with a particular Indian Contracting firm that uses them, and they also happen to have incompetent admins (willing to give me admin on their boxes to fix their problems - told 'em to deal with their own gear)... Maybe that's a commonality between MikroTik users?

    5. Re:Cisco to Blame, not Mikrotik by SaDan · · Score: 1

      I deployed a decent array of Mikrotik routers for a wireless ISP running OSPF internally for redundancy between towers (multiple backhauls per tower to route around a tower that may be down), and also dealt with Cisco gear on the same network doing OSPF and BGP.

      I'd trust Mikrotik over Cisco any day of the week.

    6. Re:Cisco to Blame, not Mikrotik by TheCow · · Score: 1

      No, that is a commonality between admins that don't care about their network.

      I have experience running both Mikrotik and Cisco (a lot more experience with Cisco), and can say that when configured correctly both run well, however Cisco makes it easier to get it configured correctly. Cisco has a wide array of documentation and their IOS helps you avoid many configuration errors.

      Mikrotik has similar command line help, but their documentation is a bit behind their current release, so if you try to use that new feature, you better still have support available so Mikrotik can tell you how you should have done it and then provide you with a link to yet un-published documentation. (vrrp in the 3.x line is my example)

      However when you are running a small wisp where bandwidth and revenue are really tight, Cisco is just plain out of that price range. Mikrotik fits the price range for this business segment. (What price do you need to pay to be able to route 20+ Mbps on Cisco? How about 40 Mbps? On Mikrotik it costs about $200. Now in a WISP you have multiple towers each with a router to help move that 40 Mbps around... Or put Mikrotik RouterOS on a two or more processor server with multiple NICs and you have a wire speed router, firewall, etc for the cost of a low end Cisco router, however your RouterOS server concoction has 10 to 100 times the throughput capability...)

      Cisco Brand appeal only gets me so far, that mighty dollar is pulling me more and more toward Mikrotik every day.

  14. I love this article's summary. by Korey+Kaczor · · Score: 5, Funny

    The next time someone needs you to fix a computer problem and asks what went wrong, simply give them this article's summary as the reason why, replacing "router" and "Internet" with the defective part in question. You're also guaranteed to look a bit sharper, too.

    "A bug by power supply vendor A (omitting a range check from a critical field in the configuration interface) tickled a bug from power supply vendor B (dropping BGP sessions when processing some ASPATH attributes with length very close to 256), causing a ripple effect that caused widespread global routing instability last week. The flaw lay dormant until one of vendor A's systems was deployed in an autonomous system whose ASN, modulo 256, was greater than 250. At that point, the power supply was one typo away from disaster. Other power supply vendors, who were not affected by the bug, happily propagated the trigger message to every vulnerable system on the planet in about 30 seconds. Few people appreciate how fragile and unsecured the power supply's trust-based critical infrastructure really is - this is just the latest example."

    1. Re:I love this article's summary. by Anonymous Coward · · Score: 0

      Beautiful.

    2. Re:I love this article's summary. by Anonymous Coward · · Score: 0

      Funny you should write this. I had a power supply bug that caused a ripple effect that caused a routing problem. That also involved a Cisco router.

      We had a new Cisco router in place for about 9 months before it started spontaneously rebooting. We paid 700 bucks for an advance replacement, and then the replacement router had the same problem. The most amazing thing was that both routers would reboot simultaneously.

      Cisco does make very good products. But I feel their quality control is sometimes lacking, and they do not take the road of greatest responsibility for their products' flaws.

      It turns out that when summer hit and everyone turned on their air conditioners it caused an odd instability in the local power grid. The power was not going out of spec and the routers should have ridden the problem out. But, the power supplies had a design flaw. The routers would throw an error code and reboot. Cisco had been aware of the problem but never issued a recall notice. The telephone support techs did not apparently have information about that problem on hand. What's worse is that Cisco knew about the problem and was shipping out replacement routers with the same flaw.

      Cisco eventually got a replacement out to me, but not until we paid for two high dollar network engineers to come out and diagnose the problem. (The first one did not find the problem). But, Cisco refused to refund us the 700 dollar advance replacement fee. I feel that Cisco should have covered the costs for fixing what was essentially a design and manufacturing flaw.

      Cisco does make good products. But, I don't think their quality assurance is as good as it should be, and that they do not act responsibly enough to reports of their products' flaws after the sale.

  15. GPL violators by Anonymous Coward · · Score: 5, Informative

    Mikrotik are known GPL violators, that use a modified Linux (they re-branded that as "RouterOS") and a terribly bad implementation of the BGP protocol.

    In some custom community network, where MikroTik has been deployed internally, that stolen-Linux is being hacked to use the Quagga instead of MikroTik's BGP.

    In short: that "RouterOS" has been highly unsuitable for the Internet. I can't believe somebody was so stupid as to trust it.

    1. Re:GPL violators by transporter_ii · · Score: 3, Informative

      I used Mikrotik for quite some time and I'm not sure they are "known GPL violators." I guess it sounds good to kdawson them and all, but they offer the changes made to GPLed software:

      To get a CD with the corresponding source code for the GPL-covered programs in this distribution, wire transfer $45 to MikroTikls SIA, Pernavas 46, Riga, LV-1009, Latvia. Please contact MikroTikls SIA for our current account information and wire transfer instructions. Offer valid until 2010. This CD will only include the source code of the following programs according to the license requirements. This CD will not include MikroTikls proprietary SOFTWARE.

      In reading through their posts on their forums, they claim that there aren't many changes to GPL software, and that they aren't required to release proprietary software code (true). And it seems they do make some attempt to release the code to what little GPL they do change (see above).

      Personally, I think Mikrotik is awesome. But to me, they are a little bit in a TiVo-type of area here.

      Why on earth they didn't just use FreeBSD instead of Linux, I will never understand. Then they could have done whatever they wanted with FreeBSD and not been made to look bad over it.

      transporter_ii

      --
      Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
    2. Re:GPL violators by transporter_ii · · Score: 1

      In short: that "RouterOS" has been highly unsuitable for the Internet.

      Really, that should be highly unsuitable for what appears to be a high-end backbone use on the Internet.

      Assuming they don't do themselves in with GPL violations, Mikrotik is in a position to blow Cisco out of the water some day.

      We used them for internet use all the time, just internally, where it couldn't take down the whole Internet.

      I can tell you right now they aren't ready for prime time. But you guys better look out when they are.

      Mikrotik's configuration software, winbox.exe, is about as cool as it gets and I've dreamed of being a good enough programmer to release a GPLed version of it on many occasions.

      If a lot of people ever used winbox, they would see that the Linux community dropped the ball in this area.

      Transporter_ii

      --
      Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
    3. Re:GPL violators by KZigurs · · Score: 1

      I actually recall downloading their source about a year ago - couldn't find the link on the spot though, but it certainly is there. Not to mention the fact that they are the ultimate solution if you just want to repurpose an old box at network entry point.

      go figure, it seems.

    4. Re:GPL violators by Anonymous Coward · · Score: 0

      It's been about 2 decades since you needed $45 to make a CD.

      The cost is ONLY to cover the material cost. $45 might be fine if they're providing you several printed and bound manuals containing the source code. $45 is too much for a CD.

      Furthermore, people have tried to make good on this offer (check their forums) and MikroTik has refused it stating they are working on providing the source.

      That doesn't sound like compliance to me. It sounds like a lie wrapped up in an excuse.

  16. Reminds me of a story by ShakaUVM · · Score: 5, Interesting

    Reminds me of a story that Keith Marzullo told our class in a graduate level reliability class. This was back in the days of using UUCP to send email, and the vendor that he worked for had just released a "failsafe" product they were very proud of -- essentially, it was a mail router that could detect if a path went down, and would try an alternate router instead. The company touted it as a bulletproof solution.

    So they go to a conference, and set up some routers, unplug some of them, etc., and everything is going fine until they ask an audience member for his UUCP address. UUCP addresses are in the form of host1!host2!host3!username, with the routing for the username explicitly specified... the addresses could thus get quite long. In this case, the guy's email address was over the buffer limit the company's routers used.

    Guess what happened?

    The mail server tried sending an email to the next router in the chain. The router buffer overflowed and crashed. The reliable server then tried another router... and crashed it. It then went through the entire network, and crashed every single one of the nodes, turning a bug that would have been a single point of failure into a total network collapse.

    =)

    Yeah, one of my favorite stories from UCSD.

    1. Re:Reminds me of a story by DarkOx · · Score: 1

      I have seen bugs in spanning-tree do similar things on my network. This seems to be a recurring problem with "HA systems". Lots of stories like this out there. It's a hard problem to solve though.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Reminds me of a story by Bert64 · · Score: 2, Insightful

      Make your backup device be different to the main one... If you use 2 different vendors the chances of a bug affecting both is significantly reduced. It also means that the devices have to actually use standard interoperable protocols to handle the failover.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:Reminds me of a story by Darkk · · Score: 1

      Classic!

      Would have been nice to see the vendor's faces when they saw things were crashing itself down to its knees and claim their product is "bulletproof".

      Can't put the blame on them as they couldn't have anticipated it would have caused a total network collapse by their own software.

    4. Re:Reminds me of a story by Darkk · · Score: 2, Funny

      Bad idea. Generally you want to stick to one vendor that you can trust to support your products either be Cisco or some other company.

      This way you'll have identical hardware for redundancy. If a bug is found in the firmware you just have to bug the vendor for a fix or threaten them that you're going to stop buying their products and go with a different vendor.

  17. Should have updated IOS in 2003 when fixed. by Anonymous Coward · · Score: 5, Insightful

    Maybe if they updated their IOS back in 2003 when Cisco came out with the fix they wouldn't have these problems. You wouldn't give an XP user a pass on not updating for 6 years and having a problem, don't give these upstreams any.

    -zifr

    1. Re:Should have updated IOS in 2003 when fixed. by Anonymous Coward · · Score: 0

      ya know what they say, "don't upgrade unless you have a reason to"
      now they do.

  18. Movie script? by Mathness · · Score: 2, Funny

    Summary reads like the script for a bad disaster movie.

    --
    Carbon based humanoid in training.
  19. Debug by szundi · · Score: 1

    I see the poor programmers thousands of miles away from their routers jammed with idiot traffic configs trying to fix a bug knowing the WORLD is waiting for their patch... would be bad.

  20. It's only a matter of time before... by Anonymous Coward · · Score: 3, Interesting

    ...A Slashdot "Editor" notices these posts and mods them into oblivion.

    But is that better or worse than having them modded down by sycophantic Slashdot readers?

    My Slashdot login - a four-digit userid - is worthless now.

    It's been stuck on Karma:-1, Terrible for a couple of years.

    What did I do to deserve that terrible fate?

    My sin was to post a message critical of dear Michael Sims and his editing methods and practices here on Slashdot.

    1. Re:It's only a matter of time before... by PopeRatzo · · Score: 0, Troll

      A Slashdot "Editor" notices these posts and mods them into oblivion.

      It's not "oblivion" if we all view the comments at -1.

      I find that it's quite easy to scroll past all the useless "frist" and "n-word" posts, and I wouldn't want to miss an insightful comment that was modded down just because he called some stupid cunt a stupid cunt.

      Please note, I use the word "cunt" not as any sort of gender specification, but rather as in "That stupid cunt voted Republican".

      --
      You are welcome on my lawn.
    2. Re:It's only a matter of time before... by uniquegeek · · Score: 1

      So it was not possible to come up with a more intelligent word? If you have to explain yourself, it's a sign you should have come up with a much better and concise word.

      Seriously, it's people like you and Mr.(?)-Linux-is-tickling-my-clitoris that drive women away from tech.

      http://tldp.org/HOWTO/Encourage-Women-Linux-HOWTO/

    3. Re:It's only a matter of time before... by Wakko+Warner · · Score: 2, Informative

      That happened to my account once when I bitched about an editor too, almost ten years ago now. (Within a week of pretty simple, thought-free karma-whoring comments, I was back posting at +2.)

      --
      "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    4. Re:It's only a matter of time before... by jandrese · · Score: 1

      Sounds to me like your sin went beyond posting meta-griping that was almost certainly off topic, but also to carefully avoid posting anything constructive to counteract the Karma loss.

      --
      I read the internet for the articles.
  21. Latvia? by Anonymous Coward · · Score: 0

    I forget - are they nasty Russian stooges or decent US stooges these days?

  22. Bug???? by Anonymous Coward · · Score: 0

    It's not a bug...it's a feature

  23. Just one tyop by yotto · · Score: 2, Funny

    At that point, the Internet was one typo away from disaster.

    I wonder how long that took?

  24. Hmm... by OneSmartFellow · · Score: 2, Interesting

    A bug by device vendor A (twiddling a framis panel instead of sparting the glinbo interface) patted a bug from device vendor B (elevating ALP packets when deferring some GALAS modifiers with size benath 176), yielding a domino effect that caused widespread universal switching instability last week. The flaw lay dormant until one of vendor A's systems was deployed in an autonomous system whose LKM, divisor 965, was less than 1250. At that point, the Internet was one typo away from disaster. Other router vendors, who were not affected by the bug, happily propagated the trigger message to every vulnerable system on the planet in about 30 seconds. Few people appreciate how fragile and unsecured the Internet's trust-based critical infrastructure really is -- this is just the latest example.

    Reads just about the same to me. I can't make any sense of either description of the bug.

    1. Re:Hmm... by ScrewMaster · · Score: 1

      twiddling a framis panel instead of sparting the glinbo interface

      That's very (ahem!) creative. May I have some of whatever it is you have in your pipe?

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:Hmm... by Anonymous Coward · · Score: 0

      I do know BGP and this is about as good an explanation as we sometimes get.

      funny, funny, funny

  25. That breeze like something flew over your head... by Anonymous Coward · · Score: 0

    It's called humor.

  26. Agree, use the filter by VampireByte · · Score: 1

    I filtered out Jon Katz when he was still with slashdot and it was a huge improvement in my user experience.

    --
    Run and catch, run and catch, the lamb is caught in the blackberry patch.

  27. Internet's trust-based critical infrastructure by nurb432 · · Score: 1

    So then you just have to enact secure connections, where everyone personally knows everyone else before you connect.

    --
    ---- Booth was a patriot ----
  28. Deja Vu by Rene+S.+Hollan · · Score: 1

    Heh.

    In the late 90s I worked for a large American test equipment manufacturer. We had developed an embedded system for performing parametric testing of telephone lines when not in use (and the test would be rescheduled if the line became required).

    It was great for detecting cables about to fail, that had failed, and could pinpoint where (by TDR) they likely had failed.

    It worked like a charm, except for one little nuisance: downloading new firmware to the thousands of remote units usually failed. It took a while to track down, since we could not repro it in house. The control network was TCP/IP over PPP over PVCs set up over 9600 bps serial links multiplexed over X.25.

    Turned out that small command and control requests did not send the large packets that software download did, and the combination of large packet size, consequently long ACK time (over the 9600 bps link), poor RTT convergence in the host TCP/IP stack, and incorrect handling of duplicated packets in the embedded TCP/IP stack was our undoing.

    I engineered a small piece of code that would modify the embedded TCP/IP stack to get around the defect well enough so that it could be downloaded, and in turn, allow for the download of a properly corrected full version.

    --
    In Liberty, Rene
  29. Route around damage by kylben · · Score: 1

    At that point, the Internet was one typo away from disaster. ... Few people appreciate how fragile and unsecured the Internet's trust-based critical infrastructure really is -- this is just the latest example."

    At that point, the internet as a whole remained largely unaffected for the majority of users. Few people appreciate how robust the Internet's trust-based critical infrastructure and its ability to dynamically reroute traffic through the remaining nodes even with the loss of a significant portion of the net really is -- this is just the latest example.

    --
    Insightful and funny are really the same thing, except one has a punch line.
    1. Re:Route around damage by epine · · Score: 1

      With the modern network of air transportation, just about any new strain of halfway competent contagion can spread to every major world city in 24 to 48 hours.

      In the real world, there are hardly any large scale systems where robustness is measured by 0-day quarantine containment.

      If a four hour flu goes around the world in 80 hours, and everything is back to normal the following Monday, I'd regard that as a robust system flexing its immune response.

      Since the internet surpassed the importance of human well being around 2004, it gets held to a higher standard, as it should. Any day now, I expect the FDA to announce a recall on IOS 11, and maybe pull the entire IOS product line behind the counter.

  30. What reason is there by Paralizer · · Score: 1
    to prepend your own ASN multiple times in an outgoing advertisement?

    bgp-prepend (integer: 0..16) - number which indicates how many times to prepend AS_NAME to AS_PATH

    Unless there really is a legitimate reason for it, this seems stupid. The only reason I can think of to put your own ASN more than once would be to artificially increase the AS_PATH size and lower other ASN's preference to route through you. But BGP has lots of other ways to accomplish that same goal.

    Why would MikroTik have this as a required parameter? And what legitimate reasons are there to include your own ASN multiple times on an advertisement?

  31. Cisco update policy? by TheLink · · Score: 2, Interesting

    Cisco update policy? Isn't that called Juniper or Huawei?

    Cisco used to be the best option (they weren't that great in product terms, but everyone else was worse, and Cisco had good service and support).

    They're getting squeezed from both the top and bottom.

    --
  32. Mikrotik at fault? by weather01089 · · Score: 1

    Well we replaced a Cisco edge router with a Mikrotik based one after tests with the Mikrotik showed it kicked the Cisco's butt. It's far easier to deal with than the Cisco was. Some care in how you configure BGP can stop this, but clearly the Cisco side shouldn't have even accepted that update. So now we will hear the naysayers.

  33. Use the filter then. by TheLink · · Score: 1

    This is Slashdot. News for Nerds etc. Most readers should be able to use the filtering.

    In the past, I believe many of us filtered out JonKatz.

    Just because a vocal minority complain about kdawson doesn't mean the rest care that much.

    --
  34. Re:Vendor B ancient IOS by wsanders · · Score: 1

    And as I understand it the bug was pre-IOS 12.0-something.

    Looks like the Net needed a good round of forklift upgrades anyway.

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
  35. Re:Vendor B ancient IOS by moyix · · Score: 1

    I believe this has been shown incorrect; from the article:

    As it turns out, the reason for all those routing resets and general instability was due to a previously unknown Cisco bug involving AS paths close to 255 in length.

    (emphasis mine). More info:

    http://blog.ioshints.info/2009/02/oversized-as-paths-cisco-ios-bug.html

    And the Cisco description (the bug ID, CSCsx73770, is linked in there, but you need a login to access it):

    http://tools.cisco.com/security/center/viewAlert.x?alertId=17670

  36. MikroTik - does that westernise as NecroTic? by PeterWone · · Score: 1

    Does that westernise as NecroTic?

  37. Remember when Sprint did this on purpose by lamapper · · Score: 1

    A bug by router vendor

    So that is what they are calling it these days....lol, I know that was a bit tongue in cheek. It's just that when I read this I remembered all too well how Sprint made a business decision to remove a span of IP addresses from being reached by any Sprint users of their DNS service. Effectively censoring any and all users of Sprint DNS.

    I do not have the article handy, perhaps someone could post a couple of links to the news stories where Sprint was blocking IP address ranges. While I do NOT remember the year, it was pre 2003, possibly before 2000?

    --
    Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
  38. Re:Vendor B, Whadda bout vendor A by PalmKiller · · Score: 1

    Vendor A had a bug also that didn't play well with vendor B's bug, so who was vendor A?

  39. Bearly News by Jettra · · Score: 1

    News articles should answer: What, Where, When, How and (sometimes) Why?

    So... when?

    Why not state when this network error was propagated? Did it happen this year some time?

  40. Re:Vendor B, Whadda bout vendor A by mysidia · · Score: 1

      MikroTik. And their 'bug' was the fact that their command to choose the number of AS prepends was not restricted to a reasonable number.

    It's being called a bug just because it was easy to misconfigure, and the misconfiguration could have nasty side effects on other people's networks where vendor B's equipment was used.

    And an operator more familiar with vendor B's equipment would be likely to make a mistake when working with vendor A's equipment. (As in entering the explicit sequence of numbers to prepend where they should _instead_ have typed the number of prepends)

    In other words, vendor A didn't include a device on their gun to prevent owners of their equipment from shooting other strangers in the foot, but just about everyone had bulletproof feet in this case, except vendor B.

    Of course, if the operator of vendor A equipment was malicious, they could have used a malicious implementation of the protocol that would prepend that many, regardless of conventions that most routers restrict prepend to numbers somewhere between 10 and 16 hops.
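The two failure modes discussed in comment 30 (a prepend parameter documented as 0..16) and comment 40 (an operator typing an ASN where a repeat count belongs, and a receiving router that falls over on an AS path close to 255 entries) are easier to reason about in code. The block below is an added example written for this page; it is not MikroTik's or Cisco's code and not something posted in the thread. It assumes 2-octet ASNs and the RFC 4271 AS_PATH wire layout (segment type, one-octet count, then the ASNs), and it treats the 0..16 prepend range quoted in comment 30 as the configuration limit. The send side shows the range check vendor A is said to have lacked; the receive side shows the length-bounded parser and maximum-AS-path policy (a maxas-limit style knob) that keep a peer's oversized path from becoming a session reset.

```python
import struct

# AS_PATH segment type values from RFC 4271 (AS_SET = 1, AS_SEQUENCE = 2).
AS_SET = 1
AS_SEQUENCE = 2
MAX_PREPEND = 16    # bgp-prepend range 0..16, as quoted from the MikroTik docs in comment 30
SEGMENT_MAX = 255   # the segment length field is one octet: at most 255 ASNs per segment


def check_prepend_count(value, local_asn):
    """Range-check an operator-supplied prepend count before it reaches the AS_PATH.

    Returns (ok, message). The hint for the 'typed the ASN instead of a count'
    case is constructed for this example, not vendor text.
    """
    if not isinstance(value, int) or isinstance(value, bool):
        return False, "prepend count must be an integer"
    if 0 <= value <= MAX_PREPEND:
        return True, "ok"
    if value == local_asn:
        return False, (f"prepend count {value} equals the local ASN; "
                       f"expected a repeat count in 0..{MAX_PREPEND}")
    return False, f"prepend count {value} outside 0..{MAX_PREPEND}"


def build_as_path(local_asn, prepend_count, upstream_path):
    """Outgoing AS_SEQUENCE: the local ASN once, plus prepend_count extra copies,
    in front of the path received from the upstream. Refuses bad counts."""
    ok, msg = check_prepend_count(prepend_count, local_asn)
    if not ok:
        raise ValueError(msg)
    return [local_asn] * (1 + prepend_count) + list(upstream_path)


def encode_as_path(asns):
    """Encode an AS_SEQUENCE as AS_PATH attribute bytes (2-octet ASNs).

    The length field is one octet, so a path longer than 255 is split into
    several segments instead of letting the count wrap modulo 256."""
    out = bytearray()
    for start in range(0, len(asns), SEGMENT_MAX):
        chunk = asns[start:start + SEGMENT_MAX]
        out += struct.pack("!BB", AS_SEQUENCE, len(chunk))
        out += struct.pack(f"!{len(chunk)}H", *chunk)
    return bytes(out)


def decode_as_path(data):
    """Parse AS_PATH attribute bytes into [(segment_type, [asn, ...]), ...].

    Every advertised length is checked against the remaining buffer, so a
    short or oversized segment raises ValueError rather than reading past
    the end of the attribute."""
    segments = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated AS_PATH segment header")
        seg_type, length = struct.unpack_from("!BB", data, pos)
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown AS_PATH segment type {seg_type}")
        body = 2 * length
        if len(data) - pos < body:
            raise ValueError("truncated AS_PATH segment body")
        asns = list(struct.unpack_from(f"!{length}H", data, pos))
        pos += body
        segments.append((seg_type, asns))
    return segments


def as_path_length(segments):
    """Total number of ASNs across all segments, which is what a receive-side
    maximum AS-path limit is compared against."""
    return sum(len(asns) for _, asns in segments)


def accept_as_path(data, max_as_limit):
    """Receive-side policy: parse the attribute and decline (without crashing)
    any path longer than max_as_limit. Returns (accepted, total_length)."""
    try:
        segments = decode_as_path(data)
    except ValueError:
        return False, 0
    total = as_path_length(segments)
    return total <= max_as_limit, total


if __name__ == "__main__":
    # Constructed sample: local AS 65000 with two upstream hops.
    path = build_as_path(65000, 2, [64512, 64513])
    print(path, encode_as_path(path).hex())
    # A constructed 300-entry path must be split into 255 + 45 on the wire.
    long_wire = encode_as_path([64512 + (i % 100) for i in range(300)])
    print(accept_as_path(long_wire, 256))
```

The point of the two halves is that neither alone would have been enough in the incident the thread describes: the sender's range check stops the misconfiguration at the keyboard, and the receiver's bounded parser plus path-length policy means a peer that skips that check cannot take the session down.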

  41. Whoops by Anonymous Coward · · Score: 0

    Vendor A: "I accidentally the whole internet."