BGP session closed after receipt of flowspec route without destination prefix
Hi,

I configured the following flowspec route on a Juniper router:

route v6test {
    match {
        source 2a02:xxxx:xxxx:xxxx::1/128;
    }
    then discard;
}

The route was accepted on my Juniper router and blocked all traffic from src ip 2a02:xxxx:xxxx:xxxx::1 as expected. After advertising the route, BIRD closed the BGP session. Is this expected behaviour, meaning is it necessary that a dst prefix for a flowspec route must exist?

Log:
2020-01-24 09:52:26.750 <RMT> vs_dis_r1_6838: No dst prefix at first pos
2020-01-24 09:52:26.750 <RMT> vs_dis_r1_6838: Error: Malformed attribute list
2020-01-24 09:52:26.750 <TRACE> vs_dis_r1_6838: BGP session closed

BIRD accepted the route after changing to:

route v6test {
    match {
        destination ::/0;
        source 2a02:xxxx:xxxx:xxxx::1/128;
    }
    then discard;
}

Regards,
Alex
Hi,

does anybody know something about the behavior observed?

Regards,
Alex

-------- Original Message --------
Subject: BGP session closed after receipt of flowspec route without destination prefix
Date: Fri, 24 Jan 2020 21:33:17 +0100
From: Alex D. <listensammler@gmx.de>
To: bird-users@network.cz

Hi,

I configured the following flowspec route on a Juniper router:

route v6test {
    match {
        source 2a02:xxxx:xxxx:xxxx::1/128;
    }
    then discard;
}

The route was accepted on my Juniper router and blocked all traffic from src ip 2a02:xxxx:xxxx:xxxx::1 as expected. After advertising the route, BIRD closed the BGP session. Is this expected behaviour, meaning is it necessary that a dst prefix for a flowspec route must exist?

Log:
2020-01-24 09:52:26.750 <RMT> vs_dis_r1_6838: No dst prefix at first pos
2020-01-24 09:52:26.750 <RMT> vs_dis_r1_6838: Error: Malformed attribute list
2020-01-24 09:52:26.750 <TRACE> vs_dis_r1_6838: BGP session closed

BIRD accepted the route after changing to:

route v6test {
    match {
        destination ::/0;
        source 2a02:xxxx:xxxx:xxxx::1/128;
    }
    then discard;
}

Regards,
Alex
Hello!

Well, RFC 5575 doesn't explicitly say that the flowspec rule must contain the destination chunk, anyway it specifies that these rules should be understood as additional information for unicast BGP prefixes. Therefore we assume that the dst is de facto mandatory, despite de iure it is optional.

If there are more benevolent implementations, we may think about waiving this. I think we don't have any strong position on that, we just assume that flowspec is used in the way the RFC says which assumes dst always present.

Maria

On February 5, 2020 8:44:54 PM GMT+01:00, "Alex D." <listensammler@gmx.de> wrote:
Hi, does anybody know something about the behavior observed? Regards, Alex
-------- Original Message --------
Subject: BGP session closed after receipt of flowspec route without destination prefix
Date: Fri, 24 Jan 2020 21:33:17 +0100
From: Alex D. <listensammler@gmx.de>
To: bird-users@network.cz
Hi,
I configured the following flowspec route on a Juniper router:

route v6test {
    match {
        source 2a02:xxxx:xxxx:xxxx::1/128;
    }
    then discard;
}
The route was accepted on my Juniper router and blocked all traffic from src ip 2a02:xxxx:xxxx:xxxx::1 as expected. After advertising the route, BIRD closed the BGP session. Is this expected behaviour, meaning is it necessary that a dst prefix for a flowspec route must exist?
Log:
2020-01-24 09:52:26.750 <RMT> vs_dis_r1_6838: No dst prefix at first pos
2020-01-24 09:52:26.750 <RMT> vs_dis_r1_6838: Error: Malformed attribute list
2020-01-24 09:52:26.750 <TRACE> vs_dis_r1_6838: BGP session closed
BIRD accepted the route after changing to:

route v6test {
    match {
        destination ::/0;
        source 2a02:xxxx:xxxx:xxxx::1/128;
    }
    then discard;
}
Regards, Alex
Hi Maria,

thanks for your explanation. I recently stumbled over the mandatory dst prefix when advertising a flow spec rule from a Juniper device which filters just on the source address. But never mind, now that I know it, I would add a dst prefix of 0/0 in case of source-only based filtering.

Regards,
Alex
On Wed, Feb 05, 2020 at 09:14:13PM +0100, Maria Matějka wrote:
Hello!
Well, RFC 5575 doesn't explicitly say that the flowspec rule must contain the destination chunk, anyway it specifies that these rules should be understood as additional information for unicast BGP prefixes.
Therefore we assume that the dst is de facto mandatory, despite de iure it is optional.
Hi

It seems more convoluted:

1) flow_validate() function checks for destination prefix, but only for IPv4

2) BGP NLRI decoding functions also check for destination prefix, but this time for both IPv4 and IPv6

3) I was sure that RFC 5575 requires it (just for IPv4, IPv6 flowspec is covered by draft), but now I cannot find any explicit mention of that in RFC 5575, except the implicit assumption of the existence of a dst prefix in section 6 (validation procedure), which is the probable source of that assumption, considering that the validation procedure was not in the IPv6 draft.

4) Newer drafts (draft-ietf-idr-rfc5575bis-17 and draft-ietf-idr-flow-spec-v6-10) clarify that the dst prefix is required for the validation procedure for feasibility, so a flow without a dst prefix is syntactically valid, but unfeasible.

Note that BIRD just checks for syntactic validity. The feasibility check is not implemented. Therefore we should clean that up and allow flowspec rules without a dst prefix. I will check that.

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
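As an added example that is neither BIRD's code nor anything posted in this thread: a small Python decoder for flowspec prefix components that keeps the syntactic check (component ordering, RFC 5575 section 4) apart from the feasibility check of RFC 5575 / rfc5575bis section 6, which is the split Ondrej describes. The two sample rules mirror Alex's source-only and "destination ::/0" configurations, with the documentation address 2001:db8::1 standing in for the redacted 2a02:xxxx address; the unicast RIB, the originator AS numbers, and the helper names (parse_flowspec_nlri, syntax_ok, feasible, classify) are all constructed for the example. IPv6 components are decoded with the extra prefix-offset octet from draft-ietf-idr-flow-spec-v6; as a simplification, only an offset-0 destination prefix is used for validation.

```python
"""Flowspec NLRI prefix components: syntactic decoding kept apart from the
RFC 5575 / rfc5575bis section 6 feasibility check.

Added example for this thread; it is not BIRD code.  Sample rules mirror the
two Junos configurations above, with the documentation address 2001:db8::1
standing in for the redacted 2a02:xxxx address.  The unicast RIB and the
originator AS numbers are constructed."""
import ipaddress
import math

DEST_PREFIX, SRC_PREFIX = 1, 2          # RFC 5575 component types 1 and 2
ANY_V6 = ipaddress.IPv6Network("::/0")


def parse_flowspec_nlri(data: bytes, ipv6: bool = False) -> list:
    """Decode one flowspec NLRI (length octet(s) plus components) into a list
    of (type, network, offset) tuples.  Only prefix components (types 1 and 2)
    are decoded; any other type raises.  IPv6 components carry the extra
    prefix-offset octet defined in draft-ietf-idr-flow-spec-v6."""
    if data[0] < 0xF0:                              # one-octet length
        nlri_len, pos = data[0], 1
    else:                                           # two octets, top nibble 0xF
        nlri_len, pos = ((data[0] & 0x0F) << 8) | data[1], 2
    end = pos + nlri_len
    if end != len(data):
        raise ValueError("NLRI length field does not match payload")
    bits, hdr = (128, 3) if ipv6 else (32, 2)
    comps = []
    while pos < end:
        if pos + hdr > end:
            raise ValueError("truncated component header")
        ctype, plen = data[pos], data[pos + 1]
        offset = data[pos + 2] if ipv6 else 0
        pos += hdr
        if ctype not in (DEST_PREFIX, SRC_PREFIX):
            raise ValueError(f"component type {ctype} not decoded by this example")
        if plen > bits or offset > plen:
            raise ValueError("bad prefix length/offset")
        nbytes = math.ceil((plen - offset) / 8)     # pattern bits padded to octets
        if pos + nbytes > end:
            raise ValueError("truncated prefix component")
        pattern = data[pos:pos + nbytes]
        pos += nbytes
        # The pattern holds bits offset..plen-1, left-aligned; put them back in place.
        sig = int.from_bytes(pattern, "big") >> (nbytes * 8 - (plen - offset))
        addr = sig << (bits - plen)
        net = (ipaddress.IPv6Network if ipv6 else ipaddress.IPv4Network)((addr, plen))
        comps.append((ctype, net, offset))
    return comps


def syntax_ok(comps) -> bool:
    """RFC 5575 section 4: component types in strictly ascending order, so each
    type appears at most once.  Nothing here demands a destination prefix."""
    types = [c[0] for c in comps]
    return bool(types) and all(a < b for a, b in zip(types, types[1:]))


def feasible(comps, originator_as: int, unicast_rib) -> bool:
    """Section 6 validation: a destination prefix must exist, its best-matching
    unicast route must come from the same originator, and no more specific
    unicast route may come from a different originator.  unicast_rib is a list
    of (network, originator_as); only an offset-0 dst prefix is considered."""
    dst = [net for ctype, net, off in comps if ctype == DEST_PREFIX and off == 0]
    if not dst:
        return False                # source-only rule: valid syntax, unfeasible
    dst = dst[0]
    covering = [(n, a) for n, a in unicast_rib if dst.subnet_of(n)]
    if not covering:
        return False
    best_net, best_as = max(covering, key=lambda r: r[0].prefixlen)
    if best_as != originator_as:
        return False
    return not any(n.subnet_of(dst) and n.prefixlen > dst.prefixlen and a != best_as
                   for n, a in unicast_rib)


def v6_prefix_component(ctype: int, net: ipaddress.IPv6Network) -> bytes:
    """Encode an IPv6 prefix component with offset 0 (used to build samples)."""
    nbytes = math.ceil(net.prefixlen / 8)
    return bytes([ctype, net.prefixlen, 0]) + int(net.network_address).to_bytes(16, "big")[:nbytes]


def nlri(*components: bytes) -> bytes:
    """Prepend the one-octet NLRI length (samples here are far below 240)."""
    body = b"".join(components)
    return bytes([len(body)]) + body


# Constructed samples: the two rules from the thread, plus a toy unicast RIB.
SRC = ipaddress.IPv6Network("2001:db8::1/128")
SOURCE_ONLY = nlri(v6_prefix_component(SRC_PREFIX, SRC))
WITH_DEFAULT_DST = nlri(v6_prefix_component(DEST_PREFIX, ANY_V6),
                        v6_prefix_component(SRC_PREFIX, SRC))
UNICAST_RIB = [(ANY_V6, 65000), (ipaddress.IPv6Network("2001:db8:1::/48"), 65000)]


def classify(data: bytes, originator_as: int = 65000) -> str:
    """'malformed' (reject, as BIRD does today for any syntax error),
    'unfeasible' (parsed fine, fails section 6) or 'feasible'."""
    comps = parse_flowspec_nlri(data, ipv6=True)
    if not syntax_ok(comps):
        return "malformed"
    return "feasible" if feasible(comps, originator_as, UNICAST_RIB) else "unfeasible"


if __name__ == "__main__":
    for name, d in (("source-only", SOURCE_ONLY), ("dst ::/0 + source", WITH_DEFAULT_DST)):
        print(name, parse_flowspec_nlri(d, ipv6=True), classify(d))
```

Run stand-alone, the source-only rule decodes cleanly and is reported "unfeasible" rather than "malformed", which is the distinction the newer drafts draw; the rule with "destination ::/0" is feasible only while the default route's originator matches and no more specific unicast route from another AS exists. Ordering violations (source before destination) remain a syntax error in both cases.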
participants (3)
- Alex D.
- Maria Matějka
- Ondrej Zajicek