
FRR - BGP replicating routes
Open, Requires assessment, Public

Description

I found extremely dangerous behavior in FRR.
The routes received from a peering are replicated back to the same peering, including the AS-PATH.
I created a lab using the 1.2 RC10, 1.2 RC11 and 1.2 EPA2 versions, and they all behave the same way.

The configuration for the proof of concept follows.

VyOS

R1 - VyOS 1.2 RC10
  - AS 64710
  - 192.168.246.129
  - 2001:db8:c0fe:c0fe::129
  - Origin:
    - 198.18.10.0/24
    - 2001:db8:198:1810::/64

set protocols static route 198.18.10.0/24 blackhole
set protocols static route6 2001:db8:198:1810::/64 blackhole

set protocols bgp 64710 address-family ipv4-unicast network 198.18.10.0/24
set protocols bgp 64710 address-family ipv6-unicast network 2001:db8:198:1810::/64

set protocols bgp 64710 neighbor 192.168.246.131 remote-as 64711
set protocols bgp 64710 neighbor 192.168.246.131 address-family ipv4-unicast nexthop-self
set protocols bgp 64710 neighbor 192.168.246.131 address-family ipv4-unicast soft-reconfiguration inbound

set protocols bgp 64710 neighbor 2001:db8:c0fe:c0fe::131 remote-as 64711
set protocols bgp 64710 neighbor 2001:db8:c0fe:c0fe::131 address-family ipv6-unicast nexthop-self
set protocols bgp 64710 neighbor 2001:db8:c0fe:c0fe::131 address-family ipv6-unicast soft-reconfiguration inbound

R2 - VyOS 1.2 RC11
  - AS 64711
  - 192.168.246.131
  - 2001:db8:c0fe:c0fe::131
  - Origin:
    - 198.18.11.0/24
    - 2001:db8:198:1811::/64

set protocols static route 198.18.11.0/24 blackhole
set protocols static route6 2001:db8:198:1811::/64 blackhole

set protocols bgp 64711 address-family ipv4-unicast network 198.18.11.0/24
set protocols bgp 64711 address-family ipv6-unicast network 2001:db8:198:1811::/64

set protocols bgp 64711 neighbor 192.168.246.129 remote-as 64710
set protocols bgp 64711 neighbor 192.168.246.129 address-family ipv4-unicast nexthop-self
set protocols bgp 64711 neighbor 192.168.246.129 address-family ipv4-unicast soft-reconfiguration inbound

set protocols bgp 64711 neighbor 2001:db8:c0fe:c0fe::129 remote-as 64710
set protocols bgp 64711 neighbor 2001:db8:c0fe:c0fe::129 address-family ipv6-unicast nexthop-self
set protocols bgp 64711 neighbor 2001:db8:c0fe:c0fe::129 address-family ipv6-unicast soft-reconfiguration inbound

set protocols bgp 64711 neighbor 192.168.246.132 remote-as 64712
set protocols bgp 64711 neighbor 192.168.246.132 address-family ipv4-unicast nexthop-self
set protocols bgp 64711 neighbor 192.168.246.132 address-family ipv4-unicast soft-reconfiguration inbound

set protocols bgp 64711 neighbor 2001:db8:c0fe:c0fe::132 remote-as 64712
set protocols bgp 64711 neighbor 2001:db8:c0fe:c0fe::132 address-family ipv6-unicast nexthop-self
set protocols bgp 64711 neighbor 2001:db8:c0fe:c0fe::132 address-family ipv6-unicast soft-reconfiguration inbound

R3 - VyOS 1.2 EPA2
  - AS 64712
  - 192.168.246.132
  - 2001:db8:c0fe:c0fe::132
  - Origin:
    - 198.18.12.0/24
    - 2001:db8:198:1812::/64

set protocols static route 198.18.12.0/24 blackhole
set protocols static route6 2001:db8:198:1812::/64 blackhole

set protocols bgp 64712 address-family ipv4-unicast network 198.18.12.0/24
set protocols bgp 64712 address-family ipv6-unicast network 2001:db8:198:1812::/64

set protocols bgp 64712 neighbor 192.168.246.131 remote-as 64711
set protocols bgp 64712 neighbor 192.168.246.131 address-family ipv4-unicast nexthop-self
set protocols bgp 64712 neighbor 192.168.246.131 address-family ipv4-unicast soft-reconfiguration inbound

set protocols bgp 64712 neighbor 2001:db8:c0fe:c0fe::131 remote-as 64711
set protocols bgp 64712 neighbor 2001:db8:c0fe:c0fe::131 address-family ipv6-unicast nexthop-self
set protocols bgp 64712 neighbor 2001:db8:c0fe:c0fe::131 address-family ipv6-unicast soft-reconfiguration inbound

TCPDUMP - R3

tcpdump -nevas0 -i eth0 'host 192.168.246.132 and tcp port 179'

PACKET 1:

192.168.246.131.50444 > 192.168.246.132.179
Open Message (1), length: 77

	  Version 4, my AS 64711, Holdtime 180s, ID 192.168.246.131
	  Optional parameters, length: 48
	    Option Capabilities Advertisement (2), length: 6
	      Multiprotocol Extensions (1), length: 4
		AFI IPv4 (1), SAFI Unicast (1)
	    Option Capabilities Advertisement (2), length: 2
	      Route Refresh (Cisco) (128), length: 0
	    Option Capabilities Advertisement (2), length: 2
	      Route Refresh (2), length: 0
	    Option Capabilities Advertisement (2), length: 6
	      32-Bit AS Number (65), length: 4
		 4 Byte AS 64711
	    Option Capabilities Advertisement (2), length: 6
	      Multiple Paths (69), length: 4
		AFI IPv4 (1), SAFI Unicast (1), Send/Receive: Receive
	    Option Capabilities Advertisement (2), length: 8
	      Unknown (73), length: 6
		no decoder for Capability 73
		0x0000:  0476 796f 7300
	    Option Capabilities Advertisement (2), length: 4
	      Graceful Restart (64), length: 2
		Restart Flags: [R], Restart Time 120s

PACKET 2:

192.168.246.132.179 > 192.168.246.131.50444
Open Message (1), length: 77

	  Version 4, my AS 64712, Holdtime 180s, ID 192.168.246.132
	  Optional parameters, length: 48
	    Option Capabilities Advertisement (2), length: 6
	      Multiprotocol Extensions (1), length: 4
		AFI IPv4 (1), SAFI Unicast (1)
	    Option Capabilities Advertisement (2), length: 2
	      Route Refresh (Cisco) (128), length: 0
	    Option Capabilities Advertisement (2), length: 2
	      Route Refresh (2), length: 0
	    Option Capabilities Advertisement (2), length: 6
	      32-Bit AS Number (65), length: 4
		 4 Byte AS 64712
	    Option Capabilities Advertisement (2), length: 6
	      Multiple Paths (69), length: 4
		AFI IPv4 (1), SAFI Unicast (1), Send/Receive: Receive
	    Option Capabilities Advertisement (2), length: 8
	      Unknown (73), length: 6
		no decoder for Capability 73
		0x0000:  0476 796f 7300
	    Option Capabilities Advertisement (2), length: 4
	      Graceful Restart (64), length: 2
		Restart Flags: [none], Restart Time 120s

PACKET 3:

192.168.246.132.179 > 192.168.246.131.50444
Keepalive Message (4), length: 19

PACKET 4:

192.168.246.131.50444 > 192.168.246.132.179
Keepalive Message (4), length: 19

PACKET 5: ******

192.168.246.131.50444 > 192.168.246.132.179
Update Message (2), length: 55

	  Origin (1), length: 1, Flags [T]: IGP
	  AS Path (2), length: 6, Flags [TE]: 64711 
	  Next Hop (3), length: 4, Flags [T]: 192.168.246.131
	  Multi Exit Discriminator (4), length: 4, Flags [O]: 0
	  Updated routes:
	    198.18.11.0/24

PACKET 6:

192.168.246.131.50444 > 192.168.246.132.179
Update Message (2), length: 23

	  End-of-Rib Marker (empty NLRI)

PACKET 7:

192.168.246.131.50444 > 192.168.246.132.179
Update Message (2), length: 52

	  Origin (1), length: 1, Flags [T]: IGP
	  AS Path (2), length: 10, Flags [TE]: 64711 64710 
	  Next Hop (3), length: 4, Flags [T]: 192.168.246.131
	  Updated routes:
	    198.18.10.0/24

PACKET 8:

192.168.246.132.179 > 192.168.246.131.50444
Update Message (2), length: 55

	  Origin (1), length: 1, Flags [T]: IGP
	  AS Path (2), length: 6, Flags [TE]: 64712 
	  Next Hop (3), length: 4, Flags [T]: 192.168.246.132
	  Multi Exit Discriminator (4), length: 4, Flags [O]: 0
	  Updated routes:
	    198.18.12.0/24

PACKET 9:

192.168.246.132.179 > 192.168.246.131.50444
Update Message (2), length: 23

	  End-of-Rib Marker (empty NLRI)

PACKET 10:

192.168.246.132.179 > 192.168.246.131.50444
Update Message (2), length: 52

	  Origin (1), length: 1, Flags [T]: IGP
	  AS Path (2), length: 10, Flags [TE]: 64712 64711 
	  Next Hop (3), length: 4, Flags [T]: 192.168.246.132
	  Updated routes:
	    198.18.11.0/24
  • NO NO NO, 198.18.11.0/24 received from 192.168.246.131 is sent back to 192.168.246.131 (see PACKET 5)

PACKET 11:

192.168.246.132.179 > 192.168.246.131.50444
Update Message (2), length: 56

	  Origin (1), length: 1, Flags [T]: IGP
	  AS Path (2), length: 14, Flags [TE]: 64712 64711 64710 
	  Next Hop (3), length: 4, Flags [T]: 192.168.246.132
	  Updated routes:
	    198.18.10.0/24

PACKET 12:

192.168.246.131.50444 > 192.168.246.132.179
Update Message (2), length: 52

	  Origin (1), length: 1, Flags [T]: IGP
	  AS Path (2), length: 10, Flags [TE]: 64711 64712 
	  Next Hop (3), length: 4, Flags [T]: 192.168.246.131
	  Updated routes:
	    198.18.12.0/24

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

patrickbrandao created this object in space S1 VyOS Public.
Merijn added a subscriber: Merijn. Jan 14 2019, 9:22 AM

According to FRR this is normal behavior.
https://github.com/FRRouting/frr/pull/3044

It is explained there that FRR creates an update group with all peering connections in it to simplify announcing all learned prefixes to the complete group.
You are right that a possible loop is created here, but your 192.168.246.131 router won't accept that route from 192.168.246.132 because it will see its own AS number in it, and that will prevent the loop.

Also, it is good practice to add prefix-filters or route-map policies, since in a normal situation only one of the 2 routers will be the transit provider, and you should never announce routes learned from your primary provider to your secondary provider.
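As an added illustration (editor's example, not code from FRR, VyOS or any participant in this ticket): a small Python model that replays the UPDATEs from the R3 capture in the description through the receive-side AS_PATH loop check that the comment above relies on (RFC 4271 section 9.1.2), and through a hypothetical sender-side check of the kind a per-neighbor export policy would enforce, which would have kept R3 from reflecting packets 10 and 11 back to R2. The packet table is transcribed from PACKET 5 to 12 above; the function names are the example's own.

```python
# Added example: models BGP AS_PATH loop handling over the UPDATEs captured on R3.
# Not FRR or VyOS code; the table below is transcribed from PACKET 5-12 in the ticket.

# (packet number, sender AS, receiver AS, prefix, AS_PATH as carried in the UPDATE)
CAPTURE = [
    (5,  64711, 64712, "198.18.11.0/24", (64711,)),
    (7,  64711, 64712, "198.18.10.0/24", (64711, 64710)),
    (8,  64712, 64711, "198.18.12.0/24", (64712,)),
    (10, 64712, 64711, "198.18.11.0/24", (64712, 64711)),
    (11, 64712, 64711, "198.18.10.0/24", (64712, 64711, 64710)),
    (12, 64711, 64712, "198.18.12.0/24", (64711, 64712)),
]


def accepted(local_as, as_path):
    """Receive-side loop check (RFC 4271 section 9.1.2): an UPDATE whose
    AS_PATH already contains the local AS number is never installed."""
    return local_as not in as_path


def rejected_on_receive(local_as):
    """Packets that `local_as` receives and drops because of the check above.
    This is why R2 (64711) never installs the routes R3 reflects back to it."""
    return [pkt for pkt, _snd, rcv, _pfx, path in CAPTURE
            if rcv == local_as and not accepted(local_as, path)]


def suppressed_on_send(local_as):
    """Packets `local_as` would not have sent under a hypothetical sender-side
    check that refuses to advertise a route to a peer whose AS is already in
    its AS_PATH (the effect a per-neighbor export filter would have here)."""
    return [pkt for pkt, snd, rcv, _pfx, path in CAPTURE
            if snd == local_as and rcv in path]


def installed_routes(local_as):
    """Prefix -> AS_PATH actually installed on `local_as` after loop detection."""
    return {pfx: path for _pkt, _snd, rcv, pfx, path in CAPTURE
            if rcv == local_as and accepted(local_as, path)}


if __name__ == "__main__":
    for asn in (64711, 64712):
        print(f"AS {asn}: drops {rejected_on_receive(asn)}, "
              f"would not send {suppressed_on_send(asn)}, "
              f"installs {installed_routes(asn)}")
```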

I noticed in VTYSH that the "solo" option was added (bgp <as> neighbor x.x.x.x solo)

Could you kindly make this parameter the default, or, as soon as possible, add an option to enable or disable it.

I believe it is more useful to implement "solo" as the internal standard and allow a new "no-solo" entry for a neighbor without a peer-group.

Default: (vtysh inserts solo)
New interface:
set protocols bgp <asn> neighbor <address> no-solo

Thank you.

pasik added a subscriber: pasik. Jan 21 2019, 9:43 PM