1.4.0 : all bgp peers in OpenSent

Alexander Shikov a.shikov at dtel-ix.net
Tue Mar 25 15:04:31 CET 2014 

Hi,

It is not a problem of delays etc.

With great help of Ondrej Zajicek we investigated a problem.
It was caused by enabling authentication just for one peer.

Our route-servers are running FreeBSD 9.2 with options
device          crypto
options         IPSEC
options         TCP_SIGNATURE

compiled in kernel.

BGP authentication in bird (in case of FreeBSD) requires SA entries
to be manually added to /etc/ipsec.conf.

When all peers are up and I add 'password' to protocol configuration in
bird and SA in /etc/ipsec.conf to one of them, other peers do not change 
their state, they remain in Established state.

But if after that any other peer changed state due to any reason (connection
problems, session clearing) then this peer is not able to establish BGP
session again.

My /etc/ipsec.conf file looks like:

flush;
add 193.25.180.255 193.25.180.17 tcp 0x1000 -A tcp-md5 "password";

Authenticated peer don't stuck.

How-to-repeat:
I've set up a test bed with two peers, authentication disabled for both:

bird> show bgp sum
Peer                    AS Last state change   Prefixes rcvd/best   State/Last error
193.25.180.17        25372 2014-03-25 15:52:27 8/8                  Established   
193.25.180.41       199995 2014-03-25 15:54:41 0/0                  Established   

tcpdump of BGP session initiation for 193.25.180.41 looks like:
15:54:42.501326 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [S], seq 891952260, win 16384, options [mss 1460,nop,wscale 0,nop,nop,TS val 62583697 ecr 0,sackOK,eol], length 0
15:54:42.501376 IP 193.25.181.254.179 > 193.25.180.41.63464: Flags [S.], seq 4136719465, ack 891952261, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2066801157 ecr 62583697], length 0
15:54:42.501387 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [S], seq 891952260, win 16384, options [mss 1460,nop,wscale 0,nop,nop,TS val 62583697 ecr 0,sackOK,eol], length 0
15:54:42.501395 IP 193.25.181.254.179 > 193.25.180.41.63464: Flags [S.], seq 4136719465, ack 891952261, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2066801157 ecr 62583697], length 0
15:54:42.501860 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [.], ack 1, win 17376, options [nop,nop,TS val 62583698 ecr 2066801157], length 0
15:54:42.501955 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [.], ack 1, win 17376, options [nop,nop,TS val 62583698 ecr 2066801157], length 0
15:54:42.502092 IP 193.25.181.254.179 > 193.25.180.41.63464: Flags [P.], seq 1:46, ack 1, win 1040, options [nop,nop,TS val 2066801157 ecr 62583698], length 45: BGP, length: 45
15:54:42.502451 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [P.], seq 1:60, ack 1, win 17376, options [nop,nop,TS val 62583698 ecr 2066801157], length 59: BGP, length: 59
15:54:42.601819 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [P.], seq 60:79, ack 46, win 17331, options [nop,nop,TS val 62583798 ecr 2066801157], length 19: BGP, length: 19
15:54:42.601865 IP 193.25.181.254.179 > 193.25.180.41.63464: Flags [P.], seq 46:65, ack 79, win 1040, options [nop,nop,TS val 2066801257 ecr 62583698], length 19: BGP, length: 19
15:54:42.602759 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [P.], seq 79:98, ack 65, win 17312, options [nop,nop,TS val 62583798 ecr 2066801257], length 19: BGP, length: 19
15:54:42.602786 IP 193.25.181.254.179 > 193.25.180.41.63464: Flags [P.], seq 65:489, ack 98, win 1040, options [nop,nop,TS val 2066801258 ecr 62583798], length 424: BGP, length: 424
15:54:42.702766 IP 193.25.180.41.63464 > 193.25.181.254.179: Flags [.], ack 489, win 16888, options [nop,nop,TS val 62583899 ecr 2066801258], length 0

Then I've enabled BGP authentication for 193.25.180.17. It re-established 
BGP-session:
BIRD 1.4.0 ready.
bird> show bgp sum
Peer                    AS Last state change   Prefixes rcvd/best   State/Last error
193.25.180.17        25372 2014-03-25 15:57:57 8/8                  Established   
193.25.180.41       199995 2014-03-25 15:54:42 0/0                  Established   

Then I've cleared up session for 193.25.180.41:
bird> show bgp sum
Peer                    AS Last state change   Prefixes rcvd/best   State/Last error
193.25.180.17        25372 2014-03-25 15:57:56 8/8                  Established
193.25.180.41       199995 2014-03-25 15:59:14 0/0                  Passive       Received: Administrative reset

And after that 193.25.180.41 was not able to establish it again. 

tcpdump of BGP session initiation for 193.25.180.41 looks like:
15:59:50.919321 IP 193.25.181.254.179 > 193.25.180.41.49984: Flags [S.], seq 218927213, ack 1944096938, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1735781206 ecr 62889119,nop,nop,md5shared secret not supplied with -M, can't check - 00000000000000000000000000000000], length 0
15:59:50.919702 IP 193.25.180.41.49984 > 193.25.181.254.179: Flags [S], seq 1944096937, win 17376, options [mss 1460,nop,wscale 0,nop,nop,TS val 62892119 ecr 1735781206,sackOK,eol], length 0
15:59:50.919725 IP 193.25.181.254.179 > 193.25.180.41.49984: Flags [S.], seq 218927213, ack 1944096938, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1735781206 ecr 62892119,nop,nop,md5shared secret not supplied with -M, can't check - 00000000000000000000000000000000], length 0
15:59:53.919323 IP 193.25.181.254.179 > 193.25.180.41.49984: Flags [S.], seq 218927213, ack 1944096938, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1735781206 ecr 62892119,nop,nop,md5shared secret not supplied with -M, can't check - 00000000000000000000000000000000], length 0
15:59:54.119646 IP 193.25.180.41.49984 > 193.25.181.254.179: Flags [S], seq 1944096937, win 17376, options [mss 1460,nop,wscale 0,nop,nop,TS val 62895319 ecr 1735781206,sackOK,eol], length 0
15:59:54.119683 IP 193.25.181.254.179 > 193.25.180.41.49984: Flags [S.], seq 218927213, ack 1944096938, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1735781206 ecr 62895319,nop,nop,md5shared secret not supplied with -M, can't check - 00000000000000000000000000000000], length 0

The difference in dumps is noticeable with unaided eye.

Ondrej mentioned: 
"If any BGP proto sets 'password', MD5 auth on listening
socket is enabled. It seems that new socket (for accepted TCP
connection) inherits the MD5 auth even when there is no appropriate SA.
It may be a change of behavior in newer FreeBSDs, as the code worked
on FreeBSD in the past AFAIK."


Now I have a question to community: does anyone have bird installation
with selective authentication of BGP peers on same interface?
Does it work for Linux-like systems or it is FreeBSD-specific issue?

-- 
Alexander Shikov
Technical Staff, Digital Telecom IX
Tel.: +380 44 201 14 07
http://dtel-ix.net/

More information about the Bird-users mailing list