[BGPCEP-259] Noncompliant and insecure handling of internal errors

Sun, 3 Mar 2019 11:50:29 +0000

If some resource gets exhausted (such as execution queue capacity as seen in ~~CONTROLLER-957~~ or ~~BGPCEP-258~~), the speaker shall (after reporting the condition in the logs) send NOTIFICATION with Code=6 (CEASE) and SubCode=8 (Out Of Resources) and close the connection. The current implementation performs "log spamming" instead, leading to multi-gigabyte logs.

If some other problem occurs which prevents the connection from working properly, the speaker shall "administratively shutdown the connection" after reporting the problem in the logs. This is done by sending NOTIFICATION with Code=6 (CEASE) and SubCode=2 (Administrative Shutdown), closing the connection and cleaning the mess left behind. A clearer message would be NOTIFICATION with some error code that says "Internal Router Error" but I could not see such error code in the BGP RFCs I was reading so far so I consider the "Administrative Shutdown" to be the best alternative.

Producing multi-gigabyte logs can easily lead to resource exhaustion, allowing an attacker to crash the connection and then continue pushing more and more updates until the disk holding the log space gets full, rendering the application completely inoperable.

See RFC4271 and RFC4486

OpenDaylight JIRA

[BGPCEP-259] Noncompliant and insecure handling of internal errors