BGP w/ MD5 and range
Hi,

Is the following configuration supported?

    protocol bgp {
        debug { states, routes, filters, interfaces, events, packets };
        debug all;
        ipv4 { import none; export filter export_bgp; };
        local as 65001;
        neighbor range 0.0.0.0/0 as 65001 internal;
        #neighbor 10.255.254.3 as 65001 internal;
        password "12345678";
    }

If I switch to a non-range neighbour everything works fine. However, with the above configuration in place BIRD does not react to the incoming packets:

    # tcpdump -veni any port 179
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    19:41:05.377600 P 02:42:0a:ff:fe:03 ethertype IPv4 (0x0800), length 88: (tos 0xc0, ttl 64, id 52315, offset 0, flags [DF], proto TCP (6), length 72)
        10.255.254.3.35894 > 10.255.254.1.179: Flags [S], cksum 0x123e (incorrect -> 0xb691), seq 307422819, win 64240, options [nop,nop,md5 shared secret not supplied with -M, can't check - ee89cc98bcbc5b38f7500c2f751a7612,mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

However, at the same time stracing the BIRD process shows nothing:

    # strace -p 8042
    strace: Process 8042 attached
    restart_syscall(<... resuming interrupted read ...>) = 0
    poll([{fd=3, events=POLLIN}, {fd=4, events=POLLIN}, {fd=5, events=POLLOUT}], 3, 3000) = 0 (Timeout)
    poll([{fd=3, events=POLLIN}, {fd=4, events=POLLIN}, {fd=5, events=POLLOUT}], 3, 3000) = 0 (Timeout)
    poll([{fd=3, events=POLLIN}, {fd=4, events=POLLIN}, {fd=5, events=POLLOUT}], 3, 3000) = 0 (Timeout)
    poll([{fd=3, events=POLLIN}, {fd=4, events=POLLIN}, {fd=5, events=POLLOUT}], 3, 3000) = 0 (Timeout)
    poll([{fd=3, events=POLLIN}, {fd=4, events=POLLIN}, {fd=5, events=POLLOUT}], 3, 3000) = 0 (Timeout)

Am I missing something? The BIRD logs are empty.

Best regards,
Adam
On Tue, Jan 28, 2020 at 07:57:42PM +0100, Adam Kułagowski wrote:
Hi,
Is the following configuration supported ?
Hi

Probably not. The neighbor address (in this case 0.0.0.0) is passed to the kernel in the TCP_MD5SIG socket option, but I guess that passing a zero address just makes it fail silently. There is also (AFAIK) no way to pass a range to the kernel. So probably we should just add a configuration check and reject password together with range.
--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Hi,

I've found that it is supported since 4.14:
https://github.com/torvalds/linux/commit/8917a777be3ba566377be05117f71b93a5f...
http://docs.frrouting.org/en/latest/bgp.html#clicmd-[no]bgplistenrange%3CA.B.C.D/M|X:X::X:X/M%3Epeer-groupPGNAME

In FRR I hit the same issue (when using range 0.0.0.0/0) but I was able to resolve it using:

    bgp listen range 0.0.0.0/1 peer-group quiz
    bgp listen range 128.0.0.0/1 peer-group quiz

I'll try to check if the same approach works on BIRD.

Best regards,
Adam
On Wed, Jan 29, 2020 at 03:29:47PM +0100, Adam Kułagowski wrote:
Hi,
I've found that It is supported since 4.14:
https://github.com/torvalds/linux/commit/8917a777be3ba566377be05117f71b93a5f...
Great, so it could be easily fixed, will check that.
On Wed, Jan 29, 2020 at 03:29:47PM +0100, Adam Kułagowski wrote:
Hi,
I've found that It is supported since 4.14:
https://github.com/torvalds/linux/commit/8917a777be3ba566377be05117f71b93a5f...
Hi

Fixed in latest commit [*], now TCP_MD5SIG should work with ranges. Did not try 0.0.0.0/0 range, but I do not see why it should not work.

[*] https://gitlab.labs.nic.cz/labs/bird/commit/757cab18d6427d9246618ce48c158f2b...
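For readers who want to see the kernel side of what the thread converges on, here is an added example (written for this page; it is neither BIRD's code nor the kernel's, and the names md5sig_ext, md5sig_prefix_build and md5sig_prefix_apply are this example's own). Plain TCP_MD5SIG installs a key for exactly one peer address, so a key for 0.0.0.0 matches no real peer; TCP_MD5SIG_EXT with TCP_MD5SIG_FLAG_PREFIX and tcpm_prefixlen installs a key for a whole prefix, 0.0.0.0/0 included, which is what a `neighbor range` with a `password` needs. The example parses an IPv4 or IPv6 prefix into the kernel structure, clears the host bits, and applies it to a listening socket; it assumes a kernel with the TCP_MD5SIG_EXT extension linked above and CONFIG_TCP_MD5SIG enabled.

```c
/* Added example (not BIRD's or the kernel's code): install an RFC 2385 TCP-MD5
 * key for an address prefix with TCP_MD5SIG_EXT. The helper names below
 * (md5sig_ext, md5sig_prefix_build, md5sig_prefix_apply) are this example's own. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef TCP_MD5SIG_EXT
#define TCP_MD5SIG_EXT 32          /* optname value from <linux/tcp.h> */
#endif
#ifndef TCP_MD5SIG_FLAG_PREFIX
#define TCP_MD5SIG_FLAG_PREFIX 1   /* "tcpm_prefixlen is valid" */
#endif
#define MD5SIG_MAXKEYLEN 80        /* TCP_MD5SIG_MAXKEYLEN */

/* Same layout as struct tcp_md5sig in <linux/tcp.h> (216 bytes). A local copy
 * is used so this also compiles against glibc headers that predate the
 * tcpm_flags/tcpm_prefixlen fields. */
struct md5sig_ext {
    struct sockaddr_storage tcpm_addr;   /* peer address, network byte order */
    uint8_t  tcpm_flags;                 /* TCP_MD5SIG_FLAG_* */
    uint8_t  tcpm_prefixlen;             /* valid when FLAG_PREFIX is set */
    uint16_t tcpm_keylen;                /* 0 deletes the key */
    uint32_t tcpm_ifindex;               /* unused here; padding on older kernels */
    uint8_t  tcpm_key[MD5SIG_MAXKEYLEN];
};

/* Parse "addr/len" (IPv4 or IPv6) plus a shared secret into a prefix key.
 * Host bits beyond the prefix are cleared. Returns 0, or -1 with errno=EINVAL
 * for a malformed prefix or a secret of 0 or more than 80 bytes. */
int md5sig_prefix_build(const char *cidr, const char *secret, struct md5sig_ext *out)
{
    char buf[INET6_ADDRSTRLEN + 4], *slash, *end;
    size_t keylen = strlen(secret);
    long plen;

    if (keylen == 0 || keylen > MD5SIG_MAXKEYLEN || strlen(cidr) >= sizeof buf)
        goto bad;
    strcpy(buf, cidr);
    if (!(slash = strchr(buf, '/')))
        goto bad;
    *slash = '\0';
    plen = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || plen < 0)
        goto bad;

    memset(out, 0, sizeof *out);
    if (strchr(buf, ':')) {
        struct sockaddr_in6 *sa6 = (struct sockaddr_in6 *)&out->tcpm_addr;
        if (plen > 128 || inet_pton(AF_INET6, buf, &sa6->sin6_addr) != 1)
            goto bad;
        sa6->sin6_family = AF_INET6;
        for (int i = 0; i < 16; i++) {           /* clear host bits byte by byte */
            long bits = plen - 8 * i;
            if (bits <= 0)
                sa6->sin6_addr.s6_addr[i] = 0;
            else if (bits < 8)
                sa6->sin6_addr.s6_addr[i] &= (uint8_t)(0xffu << (8 - bits));
        }
    } else {
        struct sockaddr_in *sa4 = (struct sockaddr_in *)&out->tcpm_addr;
        if (plen > 32 || inet_pton(AF_INET, buf, &sa4->sin_addr) != 1)
            goto bad;
        sa4->sin_family = AF_INET;
        if (plen < 32)   /* plen==0 must give mask 0, not a 32-bit shift */
            sa4->sin_addr.s_addr &= plen ? htonl(0xffffffffu << (32 - plen)) : 0;
    }
    /* Without FLAG_PREFIX the kernel treats tcpm_addr as a single host, so a
     * key for 0.0.0.0 would match no peer; with it, 0.0.0.0/0 matches all. */
    out->tcpm_flags = TCP_MD5SIG_FLAG_PREFIX;
    out->tcpm_prefixlen = (uint8_t)plen;
    out->tcpm_keylen = (uint16_t)keylen;
    memcpy(out->tcpm_key, secret, keylen);
    return 0;
bad:
    errno = EINVAL;
    return -1;
}

/* Install the key on a socket. For passive peers this is the listening socket:
 * the kernel verifies the MD5 option on the SYN and copies the matching key
 * onto the accepted connection. The socket family must match the key's. */
int md5sig_prefix_apply(int fd, const struct md5sig_ext *key)
{
    return setsockopt(fd, IPPROTO_TCP, TCP_MD5SIG_EXT, key, sizeof *key);
}

int main(void)
{
    struct md5sig_ext key;
    struct sockaddr_in local = { .sin_family = AF_INET, .sin_port = 0,
                                 .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0 || md5sig_prefix_build("0.0.0.0/0", "12345678", &key) < 0) {
        perror("setup");
        return 1;
    }
    if (md5sig_prefix_apply(fd, &key) < 0) {
        perror("setsockopt(TCP_MD5SIG_EXT)");   /* ENOPROTOOPT: no CONFIG_TCP_MD5SIG */
        return 1;
    }
    if (bind(fd, (struct sockaddr *)&local, sizeof local) < 0 || listen(fd, 8) < 0) {
        perror("listen");
        return 1;
    }
    printf("listening with an MD5 key for 0.0.0.0/0: unsigned or mis-signed SYNs are dropped\n");
    close(fd);
    return 0;
}
```

If a listener with such a key still does not answer, `nstat -az | grep TCPMD5` shows whether the kernel is dropping the SYNs before accept(): TcpExtTCPMD5Unexpected counts segments that carried an MD5 option for which the socket had no matching key (the picture in the first message, where tcpdump sees the signed SYN but strace shows nothing), TcpExtTCPMD5NotFound counts segments that lacked the option where a key was expected, and TcpExtTCPMD5Failure counts bad digests. For IPv6 prefixes the key must be applied to an AF_INET6 socket, and a second key with a longer prefix takes precedence over a shorter one, so a per-peer password can still be layered over a range-wide one.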