
VRRP V3 backup router sending ND RA
Open, Normal, Public, BUG

Description

When configuring VRRP using an IPv6 virtual address in combination with router advertisement, only the master should send ND RA according to RFC 5798 6.4.2.

To reproduce:
Router1:

vyos@vyos-vrrp1# run sh config commands
set high-availability vrrp group eth1-50 advertise-interval '1'
set high-availability vrrp group eth1-50 interface 'eth1'
set high-availability vrrp group eth1-50 priority '150'
set high-availability vrrp group eth1-50 virtual-address '10.1.1.50/24'
set high-availability vrrp group eth1-50 vrid '50'
set high-availability vrrp group eth1-51 interface 'eth1'
set high-availability vrrp group eth1-51 priority '150'
set high-availability vrrp group eth1-51 virtual-address '2001:4642:3a8e:fff0::100/64'
set high-availability vrrp group eth1-51 vrid '51'
set high-availability vrrp sync-group vyos-vrrp member 'eth1-50'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:32:59:cc'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '192.168.0.0/31'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:0c:29:32:59:d6'
set interfaces ethernet eth1 ipv6 router-advert prefix 2001:4642:3a8e:fff0::/64
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'

Router2:

vyos@vyos-vrrp2# run sh configuration commands
set high-availability vrrp group eth1-50 advertise-interval '1'
set high-availability vrrp group eth1-50 interface 'eth1'
set high-availability vrrp group eth1-50 priority '50'
set high-availability vrrp group eth1-50 virtual-address '10.1.1.50/24'
set high-availability vrrp group eth1-50 vrid '50'
set high-availability vrrp group eth1-51 interface 'eth1'
set high-availability vrrp group eth1-51 priority '50'
set high-availability vrrp group eth1-51 virtual-address '2001:4642:3a8e:fff0::100/64'
set high-availability vrrp group eth1-51 vrid '51'
set high-availability vrrp sync-group vyos-vrrp member 'eth1-50'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:d3:a5:45'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '192.168.0.1/31'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:0c:29:d3:a5:4f'
set interfaces ethernet eth1 ipv6 router-advert prefix 2001:4642:3a8e:fff0::/64
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'

Observe packets on the network connected to eth1 using Wireshark and see both routers sending router advertisements.
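
An added example (not part of the original report) that automates the packet check in the last reproduction step: it parses `tcpdump -e` text output, lists every source sending Router Advertisements, and fails when more than one router does. The capture lines are constructed; the MACs are the eth1 hw-ids from the two configurations above, and the link-local addresses are assumed EUI-64 derivations of them.

```shell
#!/bin/bash
# Added example, not from the ticket: find every router sending IPv6 RAs.
# Feed it text from: tcpdump -e -n -l -i eth1 'icmp6 and ip6[40] == 134'

# Print "<source MAC> <source IPv6> <RA count>" per RA sender, sorted.
ra_senders() {
    awk '/ICMP6, router advertisement/ {
        mac = $2                       # with -e, field 2 is the source MAC
        src = "?"
        for (i = 3; i < NF; i++)       # source IP follows the frame "length N:"
            if ($i == "length" && $(i + 1) ~ /:$/) { src = $(i + 2); break }
        count[mac " " src]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# List the senders; return 0 only if at most one router is advertising.
check_single_ra_sender() {
    local senders n
    senders=$(ra_senders)
    n=$(printf '%s\n' "$senders" | grep -c . || true)
    [ -n "$senders" ] && printf '%s\n' "$senders"
    [ "$n" -le 1 ]
}

# Constructed sample capture: both routers advertise, plus one non-RA packet.
SAMPLE_BOTH='12:00:01.000000 00:0c:29:32:59:d6 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: fe80::20c:29ff:fe32:59d6 > ff02::1: ICMP6, router advertisement, length 56
12:00:04.000000 00:0c:29:d3:a5:4f > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: fe80::20c:29ff:fed3:a54f > ff02::1: ICMP6, router advertisement, length 56
12:00:05.000000 00:0c:29:d3:a5:4f > 33:33:ff:00:01:00, ethertype IPv6 (0x86dd), length 86: fe80::20c:29ff:fed3:a54f > ff02::1:ff00:100: ICMP6, neighbor solicitation, who has 2001:4642:3a8e:fff0::100, length 32
12:00:31.000000 00:0c:29:32:59:d6 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: fe80::20c:29ff:fe32:59d6 > ff02::1: ICMP6, router advertisement, length 56'

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    printf '%s\n' "$SAMPLE_BOTH" | check_single_ra_sender \
        || echo "FAIL: more than one router is sending RAs on this segment"
fi
```

Run against a live capture on both the master and the backup state to confirm that only the current master appears in the sender list.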

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.2.0-rolling+201809050337
Why the issue appeared?
Will be filled on close
aopdal created this task.Sep 11 2018, 9:01 AM
rps added a subscriber: rps.Sep 23 2018, 12:28 AM

This will need to be implemented using transition scripts in keepalived to enable and disable radvd for the prefix.

In the meantime one work-around would be to set your primary with a priority of high and backup with a priority of medium allowing the hosts to select the gateway based on preference.

Would likely implement as an additional option e.g.

set high-availability vrrp group <x> enable-ipv6-ra-failover

Note: For automatic address configuration (as opposed to manual) the next-hop used will be the link-local address rather than the global address so VRRP for the global address will not impact next-hop on its own except for hosts which have manually configured the default gateway to be that address.

Having VRRP for IPv6 will be very helpful for failover scenarios which make use of static IP routes though (e.g. for outside interfaces in a firewall configuration).

Agree that getting radvd start-stop support tied into VRRP should be a priority for IPv6 support though.

rps added a comment.Sep 23 2018, 12:29 PM
In T840#19823, @c-po wrote:

Did you respond to the wrong task?

c-po added a comment.Sep 23 2018, 12:43 PM

@rps seems to be the case. sorry for the noise

rps added a comment.Sep 24 2018, 9:03 PM

So I'm not sure this is a bug as much as a feature request. You CAN in fact accomplish what you're trying to do in VyOS 1.2 albeit manually using a transition script.

As a proof-of-concept you can create a transition script and reference it in your VRRP configuration for master, backup, and fault which will disable radvd for the specific interface using the CLI API:

#!/bin/bash
# VRRP transition script: send RAs on the interface only while this router
# is master; stop sending them in the backup and fault states.

LOG_FILE=/tmp/vrrp-ipv6-transition.log

date >> "$LOG_FILE"

# Positional arguments passed to the transition script
STATE=$1
INTERFACE=$2
GROUP=$3


# Open a configuration session, enable RA on the interface, and commit
radvd_enable() {
    session_env=$(cli-shell-api getSessionEnv "$PPID")
    eval "$session_env"
    cli-shell-api setupSession
    if ! cli-shell-api inSession; then
        echo "Error: Unable to obtain API session" >> "$LOG_FILE"
        exit 1
    fi
    /opt/vyatta/sbin/my_set interfaces ethernet "$INTERFACE" ipv6 router-advert send-advert true
    /opt/vyatta/sbin/my_commit
    cli-shell-api teardownSession
}

# Open a configuration session, disable RA on the interface, and commit
radvd_disable() {
    session_env=$(cli-shell-api getSessionEnv "$PPID")
    eval "$session_env"
    cli-shell-api setupSession
    if ! cli-shell-api inSession; then
        echo "Error: Unable to obtain API session" >> "$LOG_FILE"
        exit 1
    fi
    /opt/vyatta/sbin/my_set interfaces ethernet "$INTERFACE" ipv6 router-advert send-advert false
    /opt/vyatta/sbin/my_commit
    cli-shell-api teardownSession
}


case "$STATE" in
    "master")
        echo "$INTERFACE has entered a MASTER state" >> "$LOG_FILE"
        radvd_enable
    ;;
    "backup")
        echo "$INTERFACE has entered a BACKUP state" >> "$LOG_FILE"
        radvd_disable
    ;;
    "fault")
        echo "$INTERFACE has entered a FAULT state" >> "$LOG_FILE"
        radvd_disable
    ;;
esac

I verified that this transition script will correctly transition IPv6 RA with VRRP with the following configuration:

set high-availability vrrp group <group> transition-script backup '/config/scripts/vrrp-ipv6-transition.script'
set high-availability vrrp group <group> transition-script fault '/config/scripts/vrrp-ipv6-transition.script'
set high-availability vrrp group <group> transition-script master '/config/scripts/vrrp-ipv6-transition.script'

Example RA configuration:

set interfaces ethernet eth2 ipv6 router-advert cur-hop-limit '64'
set interfaces ethernet eth2 ipv6 router-advert default-lifetime '300'
set interfaces ethernet eth2 ipv6 router-advert default-preference 'high'
set interfaces ethernet eth2 ipv6 router-advert link-mtu '0'
set interfaces ethernet eth2 ipv6 router-advert max-interval '30'
set interfaces ethernet eth2 ipv6 router-advert prefix fd02::/64 autonomous-flag 'true'
set interfaces ethernet eth2 ipv6 router-advert prefix fd02::/64 on-link-flag 'true'
set interfaces ethernet eth2 ipv6 router-advert prefix fd02::/64 preferred-lifetime '300'
set interfaces ethernet eth2 ipv6 router-advert prefix fd02::/64 valid-lifetime '900'
set interfaces ethernet eth2 ipv6 router-advert reachable-time '900000'
set interfaces ethernet eth2 ipv6 router-advert retrans-timer '0'
set interfaces ethernet eth2 ipv6 router-advert send-advert 'true'

I do agree that there should be a pre-canned way to do this.

I'm also not sure that radvd configuration is best kept in the interface now that VRRP configuration has been moved out (perhaps under protocols or services).

Thoughts?

I think the radvd should be made vrrp3 aware. In Juniper this looks like protocols router-advertisement interface <val> virtual-router-only: Send advertisements only for vrrp-inet6-group.

@rps I think this is a bug, because this behavior is not by design - it just happens ;-). You may call it a design bug.

Using a transition script is not a problem for me. If we could make the router behave correctly out of the box it would be better. I just think the implementation should be based on a qualified choice. This makes it easier to test, respond to requests about the feature and to document the feature.

rps added a comment.Sep 25 2018, 8:15 AM

I do agree that there should be a pre-canned way to do this.

I don't think we have any disagreement here @aopdal

syncer triaged this task as High priority.Sep 25 2018, 2:07 PM
syncer assigned this task to dmbaturin.Sep 25 2018, 2:29 PM
syncer edited projects, added VyOS 1.3.x; removed VyOS 1.2.x.Oct 9 2018, 6:58 AM
syncer lowered the priority of this task from High to Normal.Nov 2 2018, 7:32 PM