IPv6 BFD interop with Huawei, checksum 0 UDP
Hello,
At least some Huawei devices use a checksum of 0 for all IPv6 BFD UDP packets after finishing Poll/Final. All packets sent with states other than Up or with flags other than C have the correct checksums.
IPv6 checksum issues with UDP seem to be rather common with network vendors, for example Cisco has very relevant problems in IPv6 BFD [1] and has added a command around this issue [2]; other vendors have articles around various problems with the mandatory checksums.
Following the RFCs this should be a bug on the Huawei side since the checksum is mandatory. But getting Huawei to fix this could be difficult or impossible and I personally do not have options to pursue that. These problem devices are not under my control. I have no relationship with Huawei.
This issue could be worked around on the BIRD side at least on the Linux platform. RFC6936 allows [3] for hosts to enable accepting IPv6 UDP with a checksum of 0 and this is implemented in Linux kernels from 3.16 with sockopt "UDP_NO_CHECK6_RX". I have tested that this indeed works: checksum 0 packets are received to AF_INET6, SOCK_DGRAM sockets when it is enabled.
I wonder if it would be acceptable to enable this option on the IPv6 socket(s) used for BFD in BIRD, if supported by the platform?
I understand this idea may be controversial given it is not portable and the reason for the workaround. At minimum I hope this post may be informative for others failing to set up IPv6 BFD with Huawei.
Regards,
VO
[1] https://bst.cisco.com/quickview/bug/CSCtb33440
[2] https://bst.cisco.com/quickview/bug/CSCtb87599
[3] https://datatracker.ietf.org/doc/html/rfc6936#section-4
Hello!
On Wed, Jun 12, 2024 at 06:32:10PM +0700, Ville O wrote:
At least some Huawei devices use a checksum of 0 for all IPv6 BFD UDP packets after finishing Poll/Final. All packets sent with states other than Up or with flags other than C have the correct checksums.
[...]
This issue could be worked around on the BIRD side at least on the Linux platform. RFC6936 allows [3] for hosts to enable accepting IPv6 UDP with a checksum of 0 and this is implemented in Linux kernels from 3.16 with sockopt "UDP_NO_CHECK6_RX". I have tested that this indeed works: checksum 0 packets are received to AF_INET6, SOCK_DGRAM sockets when it is enabled.
I wonder if it would be acceptable to enable this option on the IPv6 socket(s) used for BFD in BIRD, if supported by the platform?
Patches welcome. It should be configurable and off by default. For more information on how to contribute, see the contributing guidelines:
https://gitlab.nic.cz/labs/bird/-/blob/master/CONTRIBUTING.md
Thank you for raising awareness about this issue.
Maria
-- Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.
Hello,
Nobody has done it yet, so I've tried to implement it. The patch is attached. Of course feel free to alter naming, wording, add credits for the reported, etc. as you wish.
Ville, could you check that it works for you?
PS.
1) I also noticed the "strict bind" example is missing in BFD template config in the documentation.
2) What do you think about changing bfd flags and/or socket flags to bit fields too, as it was done with other flags recently?
Regards,
Alexander
On Wed, Jun 12, 2024 at 3:14 PM Maria Matejka via Bird-users <bird-users@network.cz> wrote:
Hello!
On Wed, Jun 12, 2024 at 06:32:10PM +0700, Ville O wrote:
At least some Huawei devices use a checksum of 0 for all IPv6 BFD UDP packets after finishing Poll/Final. All packets sent with states other than Up or with flags other than C have the correct checksums.
[…]
This issue could be worked around on the BIRD side at least on the Linux platform. RFC6936 allows [3] for hosts to enable accepting IPv6 UDP with a checksum of 0 and this is implemented in Linux kernels from 3.16 with sockopt “UDP_NO_CHECK6_RX”. I have tested that this indeed works: checksum 0 packets are received to AF_INET6, SOCK_DGRAM sockets when it is enabled.
I wonder if it would be acceptable to enable this option on the IPv6 socket(s) used for BFD in BIRD, if supported by the platform?
Patches welcome. It should be configurable and off by default. For more information on how to contribute, see the contributing guidelines:
https://gitlab.nic.cz/labs/bird/-/blob/master/CONTRIBUTING.md
Thank you for raising awareness about this issue.
Maria
– Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.
On Sat, Jun 22, 2024 at 07:44:34PM +0200, Alexander Zubkov via Bird-users wrote:
Hello,
Nobody has done it yet, so I've tried to implement it. The patch is attached. Of course feel free to alter naming, wording, add credits for the reported, etc. as you wish.
Hello
Thanks for the patch, will merge it.
Seems to me (from cursory look at the kernel code, as it seems to be an undocumented option) that the socket option UDP_NO_CHECK6_RX does not disable UDP checksum verification in general, just allows to accept UDP packets with zero checksum, while UDP packets with invalid non-zero checksums would still be rejected. Which fits better to what we need for this.
-- Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) "To err is human -- to blame it on a computer is even more so."
Hi,
On Tue, Jun 25, 2024 at 3:04 PM Ondrej Zajicek <santiago@crfreenet.org> wrote:
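Added example (not part of the thread, and not BIRD or kernel code): a small C model of the receive rule described in the message above, where `no_check6_rx` stands for the socket's UDP_NO_CHECK6_RX setting and the addresses and BFD packet are constructed sample values. It computes the UDP checksum over the IPv6 pseudo-header, so a zero checksum is admitted only when the option is on, while a wrong non-zero checksum is dropped either way.

```c
#include <stddef.h>
#include <stdint.h>
enum verdict { RX_ACCEPT, RX_DROP_ZERO, RX_DROP_BAD };

/* Constructed sample: 2001:db8::1 -> 2001:db8::2, UDP to port 3784 with
 * checksum 0, carrying a 24-byte BFD control packet (state Up, C flag). */
const uint8_t sample_src[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 1 };
const uint8_t sample_dst[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 2 };
const uint8_t sample_bfd[32] = {
    0xc0, 0x00, 0x0e, 0xc8, 0x00, 0x20, 0x00, 0x00,   /* UDP header */
    0x20, 0xc8, 0x03, 0x18, 0, 0, 0, 1, 0, 0, 0, 2,
    0x00, 0x0f, 0x42, 0x40, 0x00, 0x0f, 0x42, 0x40, 0, 0, 0, 0 };

/* Add n bytes to a one's-complement accumulator as big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (; n > 1; p += 2, n -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    return n ? acc + ((uint32_t)p[0] << 8) : acc;
}

/* Folded sum over IPv6 pseudo-header and UDP datagram; 0xffff = verifies. */
static uint16_t udp6_sum(const uint8_t *src, const uint8_t *dst,
                         const uint8_t *udp, size_t len)
{
    /* pseudo-header: addresses, upper-layer length, next header 17 (UDP) */
    uint32_t acc = sum16(dst, 16, sum16(src, 16, 0)) + (uint32_t)len + 17;
    acc = sum16(udp, len, acc);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* Sender side: write a correct checksum into bytes 6..7 of the UDP header. */
void udp6_fill_csum(const uint8_t *src, const uint8_t *dst, uint8_t *udp, size_t len)
{
    udp[6] = udp[7] = 0;
    uint16_t c = (uint16_t)~udp6_sum(src, dst, udp, len);
    if (c == 0) c = 0xffff;          /* a computed 0 is sent as 0xffff */
    udp[6] = (uint8_t)(c >> 8);
    udp[7] = (uint8_t)c;
}

/* Receive rule: the option admits only checksum 0, never a wrong non-zero one. */
enum verdict udp6_rx_verdict(const uint8_t *src, const uint8_t *dst,
                             const uint8_t *udp, size_t len, int no_check6_rx)
{
    if (len < 8) return RX_DROP_BAD;             /* shorter than a UDP header */
    if (udp[6] == 0 && udp[7] == 0)
        return no_check6_rx ? RX_ACCEPT : RX_DROP_ZERO;
    return udp6_sum(src, dst, udp, len) == 0xffff ? RX_ACCEPT : RX_DROP_BAD;
}
```

The model does not validate the UDP length field or the BFD payload; it covers the checksum decision only.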
On Sat, Jun 22, 2024 at 07:44:34PM +0200, Alexander Zubkov via Bird-users wrote:
Hello,
Nobody has done it yet, so I've tried to implement it. The patch is attached. Of course feel free to alter naming, wording, add credits for the reported, etc. as you wish.
Hello
Thanks for the patch, will merge it.
Seems to me (from cursory look at the kernel code, as it seems to be an undocumented option) that the socket option UDP_NO_CHECK6_RX does not disable UDP checksum verification in general, just allows to accept UDP packets with zero checksum, while UDP packets with invalid non-zero checksums would still be rejected. Which fits better to what we need for this.
I've grepped the kernel source and I agree, it seems to only accept zero checksums. Then maybe some phrases need to be reworded and the configuration option to be renamed?
-- Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) "To err is human -- to blame it on a computer is even more so."
Hello All,
On Tue, Jun 25, 2024 at 9:05 PM Alexander Zubkov via Bird-users <bird-users@network.cz> wrote:
On Tue, Jun 25, 2024 at 3:04 PM Ondrej Zajicek <santiago@crfreenet.org> wrote:
Seems to me (from cursory look at the kernel code, as it seems to be an undocumented option) that the socket option UDP_NO_CHECK6_RX does not disable UDP checksum verification in general, just allows to accept UDP packets with zero checksum, while UDP packets with invalid non-zero checksums would still be rejected. Which fits better to what we need for this.
I've grepped the kernel source and I agree, it seems to only accept zero checksums. Then maybe some phrases need to be reworded and the configuration option to be renamed?
This is the impression I, too, got while doing research into this matter and looking at the patches [1] that implemented this feature. The commit message is very clear: only a checksum of 0 is special-case accepted.
By the way it seems the patch has been backported by RH at least as far back as EL7 kernel version 3.10.0.
And I have an update on my problem that started all this:
The peer managed to update their devices to the latest Huawei OS version and this fixed IPv6 BFD checksums. Unfortunately the peer could not give me the old/current versions so I cannot give information on which versions are broken and which are fixed. I tried to get more detailed information but it just was not possible; I can only say "latest version".
Since the problem was fixed with the Huawei update I then regret that I am unable to usefully test the diff. I tested the new UDP socket option simply with scapy and maybe something similar could work for functional testing if required.
A big thank you to everyone!
Regards,
V O
[1]: https://github.com/torvalds/linux/commit/1c19448c9ba6545b80ded18488a64a7f3d8...
Hi all,
Slightly modified the patch (names & description) in spite of the checksum verify semantics.
On Wed, Jun 26, 2024 at 9:03 AM Ville O <vojamo@gmail.com> wrote:
Hello All,
On Tue, Jun 25, 2024 at 9:05 PM Alexander Zubkov via Bird-users <bird-users@network.cz> wrote:
On Tue, Jun 25, 2024 at 3:04 PM Ondrej Zajicek <santiago@crfreenet.org> wrote:
Seems to me (from cursory look at the kernel code, as it seems to be an undocumented option) that the socket option UDP_NO_CHECK6_RX does not disable UDP checksum verification in general, just allows to accept UDP packets with zero checksum, while UDP packets with invalid non-zero checksums would still be rejected. Which fits better to what we need for this.
I've grepped the kernel source and I agree, it seems to only accept zero checksums. Then maybe some phrases need to be reworded and the configuration option to be renamed?
This is the impression I, too, got while doing research into this matter and looking at the patches [1] that implemented this feature. The commit message is very clear: only a checksum of 0 is special-case accepted.
By the way it seems the patch has been backported by RH at least as far back as EL7 kernel version 3.10.0.
And I have an update on my problem that started all this:
The peer managed to update their devices to the latest Huawei OS version and this fixed IPv6 BFD checksums. Unfortunately the peer could not give me the old/current versions so I cannot give information on which versions are broken and which are fixed. I tried to get more detailed information but it just was not possible; I can only say "latest version".
Since the problem was fixed with the Huawei update I then regret that I am unable to usefully test the diff. I tested the new UDP socket option simply with scapy and maybe something similar could work for functional testing if required.
A big thank you to everyone!
Regards,
V O
[1]: https://github.com/torvalds/linux/commit/1c19448c9ba6545b80ded18488a64a7f3d8...
On Thu, Jun 27, 2024 at 10:26:17AM +0200, Alexander Zubkov via Bird-users wrote:
Hi all,
Slightly modified the patch (names & description) in spite of the checksum verify semantics.
Hi, i already updated and merged your previous patch:
https://gitlab.nic.cz/labs/bird/-/commit/8a40bccffe9e28e211fe996845658f87f5c...
-- Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) "To err is human -- to blame it on a computer is even more so."
Great! And how about it:
What do you think about changing bfd flags and/or socket flags to bit fields too, as it was done with other flags recently?
I could try to prepare the patches, but only if such changes are welcomed. I've checked the codebase and it seems there were not that much of those as I remembered. :)
I'm saying about those:
https://gitlab.nic.cz/labs/bird/-/commit/eb937358c087eaeb6f209660cc7ecfe6d6e...
https://gitlab.nic.cz/labs/bird/-/commit/6b95353ebdaa724252492f941ebe75f80e9...
On Thu, Jun 27, 2024 at 4:08 PM Ondrej Zajicek <santiago@crfreenet.org> wrote:
On Thu, Jun 27, 2024 at 10:26:17AM +0200, Alexander Zubkov via Bird-users wrote:
Hi all,
Slightly modified the patch (names & description) in spite of the checksum verify semantics.
Hi, i already updated and merged your previous patch:
https://gitlab.nic.cz/labs/bird/-/commit/8a40bccffe9e28e211fe996845658f87f5c...
-- Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) "To err is human -- to blame it on a computer is even more so."