Bird BFD is not compliant to RFC5881
Ondrej Zajicek
santiago at crfreenet.org
Thu Feb 17 15:43:49 CET 2022
On Thu, Feb 17, 2022 at 01:09:33PM +0100, Christian Bruns wrote:
> Hi all,
>
> we experienced issues with non-functional BFD Sessions. Debugging yielded
> that bird does not use RFC compliant BFD Port ranges.
> RFC 5881 states: "" The source port MUST be in the range 49152 through
> 65535. ""; however, the port range is not restricted within bird and thus
> using arbitrary high ports.
> Some tier 1 transit providers like "Deutsche Telekom" apply strict filter
> for BFD and only allow RFC5881 compliant ports, hence the issue.
>
> There is a workaround to limit the port range globally at system level
> (/proc/sys/net/ipv4/ip_local_port_range); this seems to work, but we have
> the strong feeling that restriction of port range for BFD sessions should
> happen within bird itself.
Hi
Unfortunately, this AFAIK does not have a good solution without some additional
Linux kernel API.
First, restriction for port ranges 49152-65535 is not a speciality of
BFD, it is an ephemeral port range designated for outgoing connections or
datagrams without defined port number, but Linux by default use range
starting with 32768. So setting ip_local_port_range just fixes Linux bad
default values.
Second, there is no API in Linux to allocate 'any free socket within
range'. BSD has IP_PORTRANGE socket option, but there is (AFAIK) no such
thing in Linux. One could either require explicit port number, or any
free port from the range. And doing systematic enumeration of port
numbers from ephemeral port range and trying them one after another
seems like silly workaround.
--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
More information about the Bird-users
mailing list