Written by Omar Santos, Incident Manager, Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations

Since the early 1990s, we’ve watched as the number of entries on the Internet routing table has steadily grown. In 2008 the table reached 256,000 routes, triggering action by network administrators to ensure the continued growth of the Internet. Today we know that another significant milestone has been reached, as we officially passed the 512,000 or 512k route mark!

Our industry has known this milestone was approaching for some time. In fact it was as recently as May 2014 that we provided our customers with a reminder of the milestone, the implications for some Cisco products, and advice on appropriate workarounds.

If you would like to revisit that information, you can find the customer support article here: The Size of the Internet Global Routing Table and Its Potential Side Effects (12 May 2014)

Full text of the customer support article below:

Since the early 1990s, we’ve watched as the number of entries on the Internet routing table has steadily grown. It wasn’t that long ago (2008) that the table reached 256k routes, triggering action by network administrators to ensure the continued growth of the Internet. Now we have passed another significant milestone: the global routing table has exceeded 512,000 routes.

As an industry, we’ve known for some time that the Internet routing table growth could cause Ternary Content Addressable Memory (TCAM) resource exhaustion for some networking products. TCAM is a very important component of certain network switches and routers that stores routing tables. It is much faster than ordinary RAM (random access memory) and allows for rapid table lookups.

Networking Product Implications

No matter who provides your networking equipment, it needs to be able to manage the ongoing growth of the Internet routing table. We recommend confirming and addressing any possible impacts for all devices in your network, not just those provided by Cisco. The products that could be affected include those with a default configuration supporting 512k routes. From Cisco’s perspective, this includes:

  • Cisco Catalyst 6500 Switches
  • Cisco 7600 Series Routers
  • Cisco ASR 9000 Series Aggregation Services Routers configured with Trident-based line cards (Typhoon-based line cards are not affected)
  • Cisco ASR 1000 Series Aggregation Services Routers with 4GB of RAM (devices with 8GB of RAM or higher can scale to up to 1,000,000 routes)

The Good News – Workarounds Are Available!

Cisco has published information on several workarounds that can be applied by our customers, including changing the default configuration for affected devices. In some cases this may require a reload of the device or line card. See below for the links to this customer information.

Cisco Catalyst 6500/Cisco 7600 Series Supervisor Engine 720

Cisco has published a document that describes how to customize the forwarding information base (FIB) ternary content addressable memory (TCAM) on Catalyst 6500 switches that run the Supervisor Engine 720.

This guidance is specific to the Supervisor Engine models SUP720-3BXL and SUP720-3CXL. The “non-XL” versions do not support more than 256,000 IPv4 routes.


Cisco ASR 9000 Series Aggregation Services Routers

Cisco has published a document that describes the workarounds available for the Cisco ASR 9000 Series Aggregation Services Routers. When a Trident-based line card reaches its prefix limit, the message %ROUTING-FIB-4-RSRC_LOW is logged and traffic loss on that line card may follow.

Cisco ASR 1000 Series Aggregation Services Routers

Cisco ASR 1000 Series Aggregation Services Routers with 4GB of RAM can scale to up to 500,000 IPv4 or IPv6 routes. Cisco ASR 1000 Series Aggregation Services Routers with 8GB of RAM or higher can scale to up to 1,000,000 routes. Cisco has published a document that provides an overview of the number of supported routes per platform.

Additional Workarounds

Route filtering and the use of a default route can also be used to decrease the number of routes installed on an affected device. Prefix lists can be used as an alternative to access lists in many BGP route-filtering commands, and provide significant performance improvements when loading and performing route lookups on large routing tables. Cisco has published additional information about BGP best practices and configuring prefix lists.

Security Considerations

TCAM resource exhaustion at 512k routes is a known issue that the industry has seen coming for some time. There is no related security vulnerability, and the condition cannot be easily triggered by a remote, untrusted user.

This website is a great resource that provides the current state of the Internet routing table. This could help Cisco customers when configuring route filtering.

Implementing the recommended workarounds ahead of time will help your network avoid any performance degradation, routing instability, or impact to availability. Having just passed the 512,000 route milestone, now is the right time to verify and ensure your network is prepared to manage a 512k entry Internet routing table.
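The verification step recommended above, as an added example that is not part of the original article: a small Python check that compares each device's installed IPv4 route count with the FIB/TCAM capacity it is sized for, and scans syslog for the %ROUTING-FIB-4-RSRC_LOW message the article mentions. Device names, route counts, syslog lines and the 10% warning threshold are constructed assumptions.

```python
"""Check FIB/TCAM headroom and watch syslog for prefix-limit alarms.

Added example (not from the Cisco article). Device names, route counts
and syslog lines are constructed; the 10% warning threshold is an assumption.
"""
import re
from dataclasses import dataclass

# Mnemonic from the article: logged when a Trident-based ASR 9000 card hits its prefix limit.
RSRC_LOW = re.compile(r"%ROUTING-FIB-4-RSRC_LOW\b")


@dataclass
class Device:
    name: str
    fib_capacity: int  # IPv4 prefixes the FIB/TCAM is sized for (default or configured)
    ipv4_routes: int   # prefixes currently installed (e.g. from 'show ip route summary')


def headroom(dev: Device) -> float:
    """Fraction of FIB capacity still free; 0.0 or below means the table no longer fits."""
    return 1.0 - dev.ipv4_routes / dev.fib_capacity


def assess(dev: Device, warn_at: float = 0.10) -> str:
    """Classify a device as 'ok', 'warning' (below warn_at headroom) or 'exhausted'."""
    h = headroom(dev)
    if h <= 0.0:
        return "exhausted"
    return "warning" if h < warn_at else "ok"


def rsrc_low_devices(syslog_lines) -> set:
    """Hostnames that logged %ROUTING-FIB-4-RSRC_LOW (constructed '<time> <host> <msg>' layout)."""
    return {line.split()[1] for line in syslog_lines if RSRC_LOW.search(line)}


# Constructed fleet: the same 513,400-route table against three FIB sizes.
FLEET = [
    Device("edge-6500-a", 512_000, 513_400),    # Sup720-3BXL default of 512k IPv4
    Device("edge-6500-b", 1_000_000, 513_400),  # after the TCAM repartition workaround
    Device("asr1k-border", 500_000, 471_000),   # ASR 1000 with 4 GB RAM
]
SYSLOG = [  # constructed sample lines
    "2014-08-12T14:03:11 asr9k-pe1 fib_mgr: %ROUTING-FIB-4-RSRC_LOW : constructed sample text",
    "2014-08-12T14:03:12 edge-6500-a %SYS-5-CONFIG_I: Configured from console",
]

if __name__ == "__main__":
    for dev in FLEET:
        print(f"{dev.name}: {assess(dev)} ({headroom(dev):.1%} headroom)")
    print("RSRC_LOW seen on:", sorted(rsrc_low_devices(SYSLOG)))
```

In practice the route counts would be collected from each device (CLI or SNMP) rather than hard-coded, and a device reporting "warning" is the one to repartition or filter before the table grows further.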
Authors

Ying Shen

No Longer with Cisco