BGP strict bind socket error

Alexander Zubkov green at qrator.net
Wed Dec 29 18:11:32 CET 2021


Yes, probably it is ok to use it by default, at least in our case we
use it always-on (as in attached patch). Only in this case it may be
better to lower the log level for it than for the cases when it does
not work.
With default on there may be cases when someone will be surprised to
see the bird listening on a nonexistent address in netstat. And maybe
someone has some sort of security concerns with it, then please speak
now or forever hold your peace. :)
I looked a bit at FreeBSD, but there are different options for
it and it can probably be disabled with sysctl there. So I thought it
would be better if some people with more FreeBSD (or other *BSD)
experience updated this part later.

On Wed, Dec 29, 2021 at 5:41 PM Ondrej Zajicek <santiago at crfreenet.org> wrote:
>
> On Tue, Dec 28, 2021 at 06:34:28PM +0100, Alexander Zubkov wrote:
> > Hi,
> >
> > I want to bring this question up again. In our company we use it in
> > production with patches, but I think it would be useful in upstream
> > version too.
> > Short version of the story: bird can try to bind a socket when the
> > IP address is absent in the system, it will result in an error and the
> > protocol will remain in down state after that. Suggested change is to
> > allow it to bind non-local addresses.
> >
> > If this variant is OK, then the next step is to choose whether it would
> > be some configuration option or maybe a compile-time flag.
>
> Hi
>
> My main objection is that whether to use IP_FREEBIND should be primarily
> developer decision, not admin decision. Either the code should work
> correctly without IP_FREEBIND, or we should use it always or
> automatically when necessary.
>
> I looked for disadvantages of always using IP_FREEBIND, I found nothing
> except that in case of a misconfigured IP address it does not report an error.
> But BIRD (and modern daemons in general) are supposed to wait for IP to
> appear instead of assuming that all valid IPs are available when daemon
> starts, so this is not an issue. So it makes sense to use IP_FREEBIND by
> default if available.
>
> So i think that there could be a protocol option for freebind, which
> should have platform-specific defaults (like rt_default_ecmp is
> platform-specific default for ECMP option), independently for IPv4 and
> IPv6. This option is primarily intended for disabling freebind in case
> of some unexpected case where it is not desirable.
>
> Also note that the patch does not handle IPv6 case (there is
> IPV6_FREEBIND) and BSD case (there is IP_BINDANY, which seems that
> does the same, but it is less clear and requires some privilege,
> so perhaps it makes sense to skip it or not make it default).
>
> I will try the patch, modify it and merge it.
>
> --
> Elen sila lumenn' omentielvo
>
> Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bird-bgp-always-freebind.patch
Type: text/x-patch
Size: 865 bytes
Desc: not available
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20211229/0d291cd5/attachment.bin>
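The behaviour the thread describes can be reproduced with a small stand-alone program. The following is an added example and not the attached patch or BIRD's own code: `bind_local_addr()` creates a TCP socket, optionally requests the platform's "freebind" option (IP_FREEBIND / IPV6_FREEBIND on Linux, IP_BINDANY on FreeBSD where it is privileged), and then binds. Without the option, binding to an address the host does not own fails with EADDRNOTAVAIL, which is the error that leaves the protocol down; with it, the bind succeeds and the daemon can simply wait for the address to appear. An unsupported option is reported as a debug message rather than an error, as the message above suggests. The address 192.0.2.1 (TEST-NET-1) is used as a constructed non-local address.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ask the kernel to allow binding a non-local address for this family.
 * Returns 1 if the option was set, 0 if the platform lacks it or refuses
 * it (IP_BINDANY on FreeBSD needs privilege). Callers treat 0 as a
 * low-priority log line, not as a fatal error. */
static int enable_freebind(int fd, int family)
{
    int one = 1;
#ifdef IP_FREEBIND
    if (family == AF_INET)
        return setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) == 0;
#endif
#ifdef IPV6_FREEBIND
    if (family == AF_INET6)
        return setsockopt(fd, IPPROTO_IPV6, IPV6_FREEBIND, &one, sizeof(one)) == 0;
#endif
#ifdef IP_BINDANY /* FreeBSD equivalent; privileged, so this may fail */
    if (family == AF_INET)
        return setsockopt(fd, IPPROTO_IP, IP_BINDANY, &one, sizeof(one)) == 0;
#endif
    (void)fd; (void)family; (void)one;
    return 0;
}

/* Bind a TCP socket to addr:port (port 0 = any free port).
 * Returns 0 on success, otherwise the errno reported by the failing call.
 * With freebind == 0 and a non-local address the kernel answers
 * EADDRNOTAVAIL; with freebind == 1 the bind succeeds on Linux. */
int bind_local_addr(const char *addr, int port, int freebind)
{
    struct sockaddr_storage ss;
    socklen_t len;
    int family;

    memset(&ss, 0, sizeof(ss));
    if (strchr(addr, ':')) {
        struct sockaddr_in6 *sa6 = (struct sockaddr_in6 *)&ss;
        sa6->sin6_family = AF_INET6;
        sa6->sin6_port = htons((unsigned short)port);
        if (inet_pton(AF_INET6, addr, &sa6->sin6_addr) != 1)
            return EINVAL;
        family = AF_INET6;
        len = sizeof(*sa6);
    } else {
        struct sockaddr_in *sa4 = (struct sockaddr_in *)&ss;
        sa4->sin_family = AF_INET;
        sa4->sin_port = htons((unsigned short)port);
        if (inet_pton(AF_INET, addr, &sa4->sin_addr) != 1)
            return EINVAL;
        family = AF_INET;
        len = sizeof(*sa4);
    }

    int fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;

    /* Unsupported freebind is not fatal: log it quietly and try anyway. */
    if (freebind && !enable_freebind(fd, family))
        fprintf(stderr, "debug: freebind not available for %s\n", addr);

    int err = bind(fd, (struct sockaddr *)&ss, len) < 0 ? errno : 0;
    close(fd);
    return err;
}

int main(void)
{
    /* 192.0.2.1 is a constructed, deliberately non-local address. */
    const char *nonlocal = "192.0.2.1";
    int e;

    e = bind_local_addr("127.0.0.1", 0, 0);
    printf("loopback, no freebind:  %s\n", e ? strerror(e) : "ok");
    e = bind_local_addr(nonlocal, 0, 0);
    printf("non-local, no freebind: %s\n", e ? strerror(e) : "ok");
    e = bind_local_addr(nonlocal, 0, 1);
    printf("non-local, freebind:    %s\n", e ? strerror(e) : "ok");
    return 0;
}
```

Running the program on a Linux host shows the non-local bind failing with "Cannot assign requested address" in the second case and succeeding in the third; on a platform without any freebind option the third case prints the debug line and then the same error, which is exactly the situation where a lower log level is appropriate.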