<div dir="auto">The setup of the TCP session is handled by the kernel, hence the higher TTL. Once TCP is established, (e)BGP tends to use a TTL of 1 unless it's a multihop session.l, or you're using GTSM.<div dir="auto"><br></div><div dir="auto">It's expected, and is partly due to the limitations of how sockets are implemented in Linux.</div><div dir="auto"><br></div><div dir="auto">M</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 1 Apr 2022, 03:10 Rumen Telbizov, <<a href="mailto:rumen.telbizov@menlosecurity.com">rumen.telbizov@menlosecurity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Hello Bird users,</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">First time poster and new subscriber.</div><div class="gmail_default" style="font-family:tahoma,sans-serif">I noticed something strange and wanted to report it here in case this is in fact a bug that deserves attention.<br></div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">I run bird 2.0.7-4.1 on Debian 11.</div><div class="gmail_default" style="font-family:tahoma,sans-serif">I have a BGP section configured as passive that acts as a TCP health-check endpoint.</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">It is as follows:</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><b>--- cut --</b><br></div><div class="gmail_default"><font face="monospace">protocol bgp HEALTHCHECKv4 {<br> hold time 6;<br> startup hold time 20;<br> connect delay time 3;<br> connect retry time 6;<br> error wait time 3, 12;<br> passive on;<br><br> local 100.64.0.5 as 65000;<br> neighbor 100.64.0.4 as 65535;<br></font></div><div class="gmail_default"><font face="monospace">}</font></div><div class="gmail_default"><b style="font-family:tahoma,sans-serif">--- cut --</b><font face="monospace"><br></font></div><div><br></div><div><br></div><div><div class="gmail_default" style="font-family:tahoma,sans-serif">What ends up happening on the wire is this:</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><b>--- cut --</b></div><div class="gmail_default"><font face="monospace">23:15:09.443792 IP (tos 0x0, ttl 254, id 4040, offset 0, flags [DF], proto TCP (6), length 60)<br> 100.64.0.4.16141 > 100.64.0.5.179: Flags [S], cksum 0xa78f (correct), seq 723435095, win 8961, options [mss 8621,sackOK,TS val 3290475421 ecr 0,nop,wscale 0], length 0<br>23:15:09.443823 IP (tos 0xc0, ttl 255, id 0, offset 0, flags [DF], proto TCP (6), length 60)<br> 100.64.0.5.179 > 100.64.0.4.16141: Flags [S.], cksum 0xc8b7 (incorrect -> 0x0785), seq 124371865, ack 723435096, win 62643, options [mss 8961,sackOK,TS val 2210037294 ecr 3290475421,nop,wscale 7], length 0<br>23:15:09.444437 IP (tos 0x0, ttl 254, id 4041, offset 0, flags [DF], proto TCP (6), length 52)<br> 100.64.0.4.16141 > 100.64.0.5.179: Flags [.], cksum 0x2550 (correct), seq 1, ack 1, win 8961, options [nop,nop,TS val 3290475422 ecr 2210037294], length 0<br>23:15:09.444471 IP (tos 0x0, ttl 254, id 4042, offset 0, flags [DF], proto TCP (6), length 52)<br> 100.64.0.4.16141 > 100.64.0.5.179: Flags [F.], cksum 0x254e (correct), seq 1, ack 1, win 8961, options [nop,nop,TS val 3290475423 ecr 2210037294], length 0<br>23:15:09.444576 IP (tos 0xc0,<span> </span><b>ttl 1</b>, id 55411, offset 0, flags [DF], proto TCP (6), length 99)<br> 100.64.0.5.179 > 100.64.0.4.16141: Flags [P.], cksum 0xc8de (incorrect -> 0x58b6), seq 1:48, ack 2, win 490, options [nop,nop,TS val 2210037294 ecr 3290475423], length 47: BGP<br> Open Message (1), length: 47<br> Version 4, my AS 65000, Holdtime 6s, ID 100.64.0.5<br> Optional parameters, length: 18<br> Option Capabilities Advertisement (2), length: 16<br> Route Refresh (2), length: 0<br> Graceful Restart (64), length: 2<br> Restart Flags: [none], Restart Time 120s<br> 0x0000: 0078<br> 32-Bit AS Number (65), length: 4<br> 4 Byte AS 65000<br> 0x0000: 0000 fde8<br> Enhanced Route Refresh (70), length: 0<br> no decoder for Capability 70<br> Long-lived Graceful Restart (71), length: 0<br><br>23:15:09.444602 IP (tos 0xc0,<span> </span><b>ttl 1</b>, id 55412, offset 0, flags [DF], proto TCP (6), length 52)<br> 100.64.0.5.179 > 100.64.0.4.16141: Flags [F.], cksum 0xc8af (incorrect -> 0x4635), seq 48, ack 2, win 490, options [nop,nop,TS val 2210037294 ecr 3290475423], length 0<br>23:15:09.444670 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 56)<br> 100.64.0.4 ><span> </span><a href="http://100.64.0.5/" target="_blank" rel="noreferrer">100.64.0.5</a>: ICMP time exceeded in-transit, length 36<br> IP (tos 0xc0, ttl 1, id 55411, offset 0, flags [DF], proto TCP (6), length 99)<br> 100.64.0.5.179 > 100.64.0.4.16141: [|tcp]</font><br></div><b style="font-family:tahoma,sans-serif">--- cut --</b><br></div><div><br></div><div><div class="gmail_default" style="font-family:tahoma,sans-serif">As you can see the TTL on our packets is initially set to 255. At the end of the connection</div><div class="gmail_default" style="font-family:tahoma,sans-serif">during the last PUSH and FIN packets all of a sudden bird sets the TTL to 1.</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default"><span style="font-family:tahoma,sans-serif">I have no<span> </span></span><font face="monospace">ttl security</font><font face="tahoma, sans-serif"><span> </span>enabled and even if I explicitly disable it the problem persists.</font></div><div class="gmail_default"><span style="font-family:tahoma,sans-serif">A workaround that I found to work is to pass<span> </span></span><font face="monospace">multihop 20</font><font face="tahoma, sans-serif"> directive which then changes the<span> </span></font><font face="monospace">ttl 1</font><font face="tahoma, sans-serif"><span> </span>above to<span> </span></font><font face="monospace">ttl 20</font></div><div class="gmail_default" style="font-family:tahoma,sans-serif">which alleviates the problem.</div><br></div><div><div class="gmail_default" style="font-family:tahoma,sans-serif">Let me know if you need any additional information.</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Regards,</div></div><font color="#888888">--<span> </span><br><div dir="ltr"><div dir="ltr"><div><span style="font-family:tahoma,sans-serif">Rumen Telbizov</span><div><span style="font-family:tahoma,sans-serif"><a href="http://telbizov.com/" target="_blank" rel="noreferrer">Site Reliability Engineer</a></span></div></div></div></div></font></div>
</blockquote></div>