Bird BFD is not compliant to RFC5881
Hi all,

we experienced issues with non-functional BFD sessions. Debugging yielded that bird does not use RFC-compliant BFD port ranges. RFC 5881 states: "The source port MUST be in the range 49152 through 65535."; however, the port range is not restricted within bird, which thus uses arbitrary high ports. Some tier 1 transit providers like "Deutsche Telekom" apply strict filters for BFD and only allow RFC5881-compliant ports, hence the issue.

There is a workaround to limit the port range globally at system level (/proc/sys/net/ipv4/ip_local_port_range); this seems to work, but we have the strong feeling that restriction of the port range for BFD sessions should happen within bird itself.

Kind regards,
Christian
On 17. Feb 2022, at 13:09, Christian Bruns <bird-c@sernet.de> wrote:
> providers like "Deutsche Telekom" apply strict filter for BFD and only allow RFC5881 compliant ports,

Hahaha ... *tips hat to Rüdiger Volk¹ in retirement* 😂😂😂

¹) Oh! Just saw him on the onsite registrant list for IETF-113 in Wien next month. Nice. Anyone else planning to show? 🤔

Clemens
On Thu, Feb 17, 2022 at 01:09:33PM +0100, Christian Bruns wrote:
> Hi all,
> we experienced issues with non-functional BFD sessions. Debugging yielded that bird does not use RFC-compliant BFD port ranges. RFC 5881 states: "The source port MUST be in the range 49152 through 65535."; however, the port range is not restricted within bird, which thus uses arbitrary high ports. Some tier 1 transit providers like "Deutsche Telekom" apply strict filters for BFD and only allow RFC5881-compliant ports, hence the issue.
> There is a workaround to limit the port range globally at system level (/proc/sys/net/ipv4/ip_local_port_range); this seems to work, but we have the strong feeling that restriction of the port range for BFD sessions should happen within bird itself.

Hi

Unfortunately, this AFAIK does not have a good solution without some additional Linux kernel API.

First, the restriction to the port range 49152-65535 is not a speciality of BFD; it is the ephemeral port range designated for outgoing connections or datagrams without a defined port number, but Linux by default uses a range starting at 32768. So setting ip_local_port_range just fixes Linux's bad default values.

Second, there is no API in Linux to allocate 'any free socket within range'. BSD has the IP_PORTRANGE socket option, but there is (AFAIK) no such thing in Linux. One could either require an explicit port number, or any free port from the range. And doing a systematic enumeration of port numbers from the ephemeral port range and trying them one after another seems like a silly workaround.

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
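The "enumerate and try" approach Ondrej describes, written out as an added example (this is not BIRD's code and not from the thread): since Linux has no IP_PORTRANGE, the only way to get a free port in 49152-65535 is to probe bind() across the range, here from a random start so concurrent sessions do not all contend for 49152. The function names and the use of a literal local address are assumptions; once bound, the port is kept for the session, since RFC 5881 also requires the same UDP source port for all packets of one session.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define BFD_PORT_MIN 49152 /* RFC 5881: source port MUST be 49152..65535 */
#define BFD_PORT_MAX 65535
#define BFD_PORT_SPAN (BFD_PORT_MAX - BFD_PORT_MIN + 1)

/* Does a configured or observed BFD source port satisfy the RFC 5881 MUST?
 * Useful as a config sanity check, or when reading back getsockname(). */
int bfd_port_compliant(int port)
{
  return port >= BFD_PORT_MIN && port <= BFD_PORT_MAX;
}

/* Bind an unbound AF_INET UDP socket to `addr` and a free port in the
 * compliant range. Linux has no IP_PORTRANGE, so probe bind() from a random
 * offset and walk the whole range once. Returns the bound port, or -1. */
int bfd_bind_in_range(int fd, const char *addr)
{
  struct sockaddr_in sa;
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = AF_INET;
  if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1)
    return -1;
  unsigned start = (unsigned) rand() % BFD_PORT_SPAN;
  for (unsigned i = 0; i < BFD_PORT_SPAN; i++) {
    int port = BFD_PORT_MIN + (int) ((start + i) % BFD_PORT_SPAN);
    sa.sin_port = htons((unsigned short) port);
    if (bind(fd, (struct sockaddr *) &sa, sizeof(sa)) == 0)
      return port; /* keep this port for the whole session (RFC 5881) */
    if (errno != EADDRINUSE)
      return -1;   /* a failed bind leaves the socket unbound; other errors are fatal */
  }
  return -1;       /* every port in the range is in use */
}

/* Stand-alone check: open a UDP socket, bind it in range, report the port. */
int bfd_open_socket(const char *addr)
{
  srand((unsigned) getpid()); /* assumption: any cheap seed is fine here */
  int fd = socket(AF_INET, SOCK_DGRAM, 0);
  if (fd < 0) return -1;
  int port = bfd_bind_in_range(fd, addr);
  close(fd);
  return port;
}
```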
Hi,

as of my understanding, ports for BFD sessions are not ephemeral; the port is chosen statically when the daemon spawns (and even survives lost BFD sessions). Further, there is no RFC known to me that requests limitations on usable port ranges for arbitrary outgoing connections in general -- linux just likes to use 'its' port range and the world is fine with this. On the other hand, RFC5581 requests specifically the narrow range of 49152-65535 for originating BFD sessions, so bird should comply with this. Thus the somewhat silly workaround would just seem the thing to be done to fix this issue.

Kind regards
Christian

On 2/17/22 15:43, Ondrej Zajicek wrote:
> On Thu, Feb 17, 2022 at 01:09:33PM +0100, Christian Bruns wrote:
>> Hi all,
>> we experienced issues with non-functional BFD sessions. Debugging yielded that bird does not use RFC-compliant BFD port ranges. RFC 5881 states: "The source port MUST be in the range 49152 through 65535."; however, the port range is not restricted within bird, which thus uses arbitrary high ports. Some tier 1 transit providers like "Deutsche Telekom" apply strict filters for BFD and only allow RFC5881-compliant ports, hence the issue.
>> There is a workaround to limit the port range globally at system level (/proc/sys/net/ipv4/ip_local_port_range); this seems to work, but we have the strong feeling that restriction of the port range for BFD sessions should happen within bird itself.
>
> Hi
>
> Unfortunately, this AFAIK does not have a good solution without some additional Linux kernel API.
>
> First, the restriction to the port range 49152-65535 is not a speciality of BFD; it is the ephemeral port range designated for outgoing connections or datagrams without a defined port number, but Linux by default uses a range starting at 32768. So setting ip_local_port_range just fixes Linux's bad default values.
>
> Second, there is no API in Linux to allocate 'any free socket within range'. BSD has the IP_PORTRANGE socket option, but there is (AFAIK) no such thing in Linux. One could either require an explicit port number, or any free port from the range. And doing a systematic enumeration of port numbers from the ephemeral port range and trying them one after another seems like a silly workaround.
On 2/17/22 5:09 AM, Christian Bruns wrote:
> There is a workaround to limit the port range globally at system level (/proc/sys/net/ipv4/ip_local_port_range);

Another workaround might be to match the outgoing BFD traffic and NAT it such that the source port is altered to be within range. I know that this isn't a more proper solution, but it would probably suffice without affecting the rest of the system like ip_local_port_range does.

There may be more esoteric options too, like running BIRD in a different network namespace with different per-namespace proc entries. (Or vice versa.)

--
Grant. . . .
unix || die