"gw" attribute assignment in filter invalidates routes learned via BGP, static, and possibly others?
Ondrej Zajicek
santiago at crfreenet.org
Tue Aug 13 16:25:14 CEST 2013
On Tue, Aug 13, 2013 at 01:57:48PM +0300, Sergey Popovich wrote:
> Hello!
>
> Another issue I spot last time:
> assigning value in protocol export filter
> invalidates route and prevents its from being
> installed in KRT.
Yes, this is a known issue. Works just for setting gw on the same iface.
> ---------------------------------------------------------------------------------------
> This is probably due to not updating iface, nexthops (multihop config) and
> other fields of "rta" struct.
>
> Provided patch in attachment tries to address this issue by calling
> rta_set_recursive_next_hop() in filter/filter.c to properly assign to "gw"
> attribute. Special cases for bgp and static protocols was taken to use
> "igp table" configuration parameter if present (tested, and found working
> with static protocol, probably some with bgp).
The patch does not make sense to me - if user sets 'gw' attribute, BIRD
should set immediate nexthop of the route, not setup a route with a
recursive nexthop - that would be inconsistent, because reading of 'gw'
attribute returns the immediate nexhop and not the recursive nexthop of
a route.
The attached patch should do that (essentially just lookup iface,
fix it and force the route to RTD_ROUTER in case of setting 'gw').
Is this OK for you?
> ---------------------------------------------------------------------------------------
> Brief explanation why "gw" attribute might be wery important (at least
> in my case).
>
> There is common technique to stop DDoS in large ISP network:
> blackholing.
>
> However implementations of this might wary from vendor to vendor.
> In BIRD simplest way to implement this is to set "dest" attribute to something
> like RTD_BLACKHOLE, and all other route attributes gets deleted (gw, iface,
> ...). Route installed in KRT as blackhole.
...
>
> In this case we setup some system looped back interface (in Linux this is
> dummy interface type), configure some network on it (say something
> 192.0.2.0/24), And instead of setting blackholed route type to RTD_BLACKHOLE
> we change its "gw" to any address within subnet assigned on looped back
> interface.
>
> Thats servers same as route with blackhole type, but behaves differently on
> trace paths: router sends ICMP Time To Live Exceeded messages from its
> incoming interface address indicating last hop before dropping blackholed
> traffic. This has no impact on DDoS traffic, except it transmitted to
> looped back interface instead of being dropped immediately after matching
> route and wasting few CPU cycles.
Thanks for the thorough explanation. I am surprised that route to a Linux
dummy interface works like that, i always thought that dummy interface
would behave more like an ethernet with nothing connected on it than
like a loopback (therefore you would get ICMP Destination unreachable
instead of TTL exceeded), but i didn't tested that.
And why not just use RTD_UNREACHABLE or RTD_PROHIBIT? Both would return
some ICMP message.
--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: set_gw.patch
Type: text/x-diff
Size: 821 bytes
Desc: not available
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20130813/8804adc4/attachment-0001.patch>
More information about the Bird-users
mailing list