From: Claudio Jeker (claudiocvs.openbsd.org)
Date: Fri Jan 30 2009 - 16:37:34 CST
Module name: src
Changes by: claudiocvs.openbsd.org 2009/01/30 15:37:34
usr.sbin/bgpd : Tag: OPENBSD_4_4 rde.c
Bring in reliability fix from -current rev. 1.234
OK henning sthen
Add an ugly workaround for the problem where an invalid AS4_PATH is passed
over multiple hops and causes bgpd to close the connection. This is what
the RFC requires us to do but the result is a DoS against all OpenBGPD
routers when somebody injects such a bad optional transitive attribute
because the intermediate routers don't give a damn about it.
As a result we now ignore such bad prefixes and don't allow them in the
decision process. The handling of optional transitive attributes needs to
be rethought because all of them can be abused in such a way.
Idea OK by a few + henning, tested myself against my crappy regress test
suite that needs way more work.
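
The behaviour this commit message describes, as an added sketch that is not OpenBGPD's rde.c code: a structurally bad AS4_PATH flags the route as ineligible while the session stays up, and the decision process skips flagged routes. The struct, function names, validity rules and sample bytes are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define AS_SET      1   /* the two segment types expected in AS4_PATH */
#define AS_SEQUENCE 2

struct route { uint32_t localpref; int ineligible; };   /* hypothetical */

/* Segments are <type, count, count * 4-byte AS numbers>; 1 if well formed. */
int as4_path_valid(const uint8_t *p, size_t len)
{
	while (len > 0) {
		if (len < 2) return 0;                  /* truncated segment header */
		size_t seg = 2 + (size_t)p[1] * 4;
		if (p[0] != AS_SET && p[0] != AS_SEQUENCE) return 0;
		if (p[1] == 0 || seg > len) return 0;   /* empty (this sketch's choice) or overrunning */
		p += seg;
		len -= seg;
	}
	return 1;
}

/* Decision process: highest localpref among eligible routes, -1 if none. */
int route_best(const struct route *r, size_t n)
{
	int best = -1;
	for (size_t i = 0; i < n; i++)
		if (!r[i].ineligible && (best < 0 || r[i].localpref > r[best].localpref))
			best = (int)i;
	return best;
}

/* Constructed sample attribute bodies, not captured traffic. */
static const uint8_t good[]     = { AS_SEQUENCE, 2, 0, 1, 0, 0, 0, 0, 0xfd, 0xe8 };
static const uint8_t bad_type[] = { 3, 1, 0, 1, 0, 0 };            /* type 3 not allowed */
static const uint8_t overrun[]  = { AS_SEQUENCE, 3, 0, 1, 0, 0 };  /* claims 3 ASes, has 1 */

int demo(void)
{
	struct route r[3] = { { 100, 0 }, { 200, 0 }, { 300, 0 } };
	/* A bad AS4_PATH only flags the route; nothing here resets the session. */
	r[0].ineligible = !as4_path_valid(good, sizeof good);
	r[1].ineligible = !as4_path_valid(bad_type, sizeof bad_type);
	r[2].ineligible = !as4_path_valid(overrun, sizeof overrun);
	return route_best(r, 3);   /* the only eligible route is index 0 */
}

int main(void) { printf("best route index: %d\n", demo()); return 0; }
```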