Bug in bfd implementation: Wrong TTL on bfd control packets (was: Re: BFD sessions with FFR (VyOS) won't establish)

Alexander Zubkov green at qrator.net
Sat Jan 20 17:55:55 CET 2024 

Hi Lukas,

Actually I saw support for TTL security in BFD code:
https://gitlab.nic.cz/labs/bird/-/blob/master/proto/bfd/packets.c#L496

And I see in your config example that you use multihop BFD, but RFC
you refer is talking about single-hop BFD usage. So it does not seem
like a bug here. Maybe the other side does not consider this BFD
sessions multihop and thus applying the TTL security policy?

Regards,
Alexander

On Sat, Jan 20, 2024 at 11:18 AM Lukas Haase <lukashaase at gmx.at> wrote:
>
> Hi,
>
> After long debugging I finally figured out why Bird's bfd cannot establish a session with FRR (VyOS): Packets are sent with TTL 64. However, according to https://datatracker.ietf.org/doc/rfc5881/, Section 5: "If BFD authentication is not in use on a session, all BFD Control packets for the session MUST be sent with a Time to Live (TTL) or Hop Limit value of 255".
>
> This is the reason why FRR just drops packets received from bird and the session never establishes.
>
> As a quick workaround, I could get it working with:
>
> sysctl -w net.ipv4.ip_default_ttl="255"
>
> However, bird should set TTL appropriately.
>
> Is this something that was missed or is there an setting I am missing?
>
> Thanks,
> Luke
>
>
>
>
>
> > Gesendet: Mittwoch, 17. Januar 2024 um 01:24 Uhr
> > Von: "Lukas Haase via Bird-users" <bird-users at network.cz>
> > An: "Alexander Zubkov" <green at qrator.net>
> > Cc: bird-users at network.cz
> > Betreff: Re: BFD sessions with FFR (VyOS) won't establish
> >
> > Hi Alexander,
> >
> > Thanks. I have tried
> >
> > sysctl -w net.ipv4.ip_local_port_range="49152 65535"
> >
> > but unfortunately no change.
> > What I do not understand is that Interval and Timeout is wrong on the non-working peer:
> >
> > # birdc show bfd sess
> > BIRD 2.0.8 ready.
> > bfd1:
> > IP address                Interface  State      Since         Interval  Timeout
> > 172.20.215.130            ---        Up         2024-01-16      0.100    0.500
> > 172.20.215.131            ---        Init       2024-01-16      1.000   10.000
> >
> > Do these parameters need to be identical among peers, similar as with OSPF? Note, they are identical to my knowledge but could there be any implicit setting that causes discrepancy between the peers and would cause a connection being stuck in "Up"? For example, in bird I have "idle tx interval 500 ms" but I could not find a corresponding option in VyOS/FFR.
> >
> > Could you think of any tcpdump/netcat debug?
> >
> > Thanks,
> > Luke
> >
> >
> >
> > > Gesendet: Mittwoch, 17. Januar 2024 um 00:35 Uhr
> > > Von: "Alexander Zubkov" <green at qrator.net>
> > > An: "Lukas Haase" <lukashaase at gmx.at>
> > > Cc: bird-users at network.cz
> > > Betreff: Re: BFD sessions with FFR (VyOS) won't establish
> > >
> > > Hi,
> > >
> > > There were reports here in the list that some BFD peers do not allow
> > > connections from non-standard ports and bird do not choose source port
> > > specifically. So you might need to tune your sysctl like that:
> > >
> > > net.ipv4.ip_local_port_range = 49152 65535
> > >
> > > Not sure if this is the case, but I would try that first.
> > >
> > > Regards,
> > > Alexander
> > >
> > > On Tue, Jan 16, 2024 at 9:15 AM Lukas Haase via Bird-users
> > > <bird-users at network.cz> wrote:
> > > >
> > > > Hello,
> > > >
> > > > My BFD session between bird work fine but the ones but the ones to VyOS (which uses FFR) just won't connect:
> > > >
> > > > # birdc show bfd sess
> > > > BIRD 2.0.8 ready.
> > > > bfd1:
> > > > IP address Interface State Since Interval Timeout
> > > > 172.20.215.131 --- Init 10:39:14.183 1.000 10.000
> > > > 172.20.215.130 --- Up 10:42:03.901 0.100 0.500
> > > >
> > > > 172.20.215.131 is here a VyOS box and its FFR config looks like:
> > > >
> > > > !
> > > > bfd
> > > > peer 172.20.215.129 multihop local-address 172.20.215.131
> > > > detect-multiplier 10
> > > > transmit-interval 100
> > > > receive-interval 100
> > > > exit
> > > > !
> > > > exit
> > > > !
> > > > end
> > > >
> > > >
> > > > For reference, my bird config is trivially:
> > > >
> > > > protocol bfd
> > > > {
> > > > interface "local-ibgp" {
> > > > min rx interval 100 ms;
> > > > min tx interval 100 ms;
> > > > idle tx interval 500 ms;
> > > > multiplier 10;
> > > > };
> > > > neighbor 172.20.215.130 local 172.20.215.129 multihop;
> > > > neighbor 172.20.215.131 local 172.20.215.129 multihop;
> > > > }
> > > >
> > > >
> > > > I have turned off firewall. What else could go wrong?
> > > >
> > > >
> > > > Thanks,
> > > > Luke
> > >
> >
> >

More information about the Bird-users mailing list