Re: [Idr] Questions regarding BGP capabilities (RFC5492)
Claudio Jeker <cjeker@diehard.n-r-g.com> Thu, 18 April 2024 14:08 UTC
Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88ACEC14F60D for <idr@ietfa.amsl.com>; Thu, 18 Apr 2024 07:08:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.895
X-Spam-Level:
X-Spam-Status: No, score=-6.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Dv5Q_Z3XHYT for <idr@ietfa.amsl.com>; Thu, 18 Apr 2024 07:08:30 -0700 (PDT)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7F39C14F60C for <idr@ietf.org>; Thu, 18 Apr 2024 07:08:29 -0700 (PDT)
Received: (qmail 38709 invoked by uid 1000); 18 Apr 2024 14:08:26 -0000
Date: Thu, 18 Apr 2024 16:08:26 +0200
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: Donatas Abraitis <donatas.abraitis@gmail.com>
Cc: idr@ietf.org
Message-ID: <ZiEpWi52qcVh/Tee@diehard.n-r-g.com>
References: <ZiD21ViYxwCLju8p@diehard.n-r-g.com> <CAPF+HwXedkDMh9=WjtKePUuk8bjXx8tXM5+mKPuKCQ902WqANg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAPF+HwXedkDMh9=WjtKePUuk8bjXx8tXM5+mKPuKCQ902WqANg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/-VlZ97CJx-VkeGcS-6I2pkHyNP8>
Subject: Re: [Idr] Questions regarding BGP capabilities (RFC5492)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2024 14:08:35 -0000
On Thu, Apr 18, 2024 at 02:59:35PM +0300, Donatas Abraitis wrote: > Hi, > > >Are there still BGP implementations out there that do not support > capabilities (RFC5492)? > > Most likely some random parsers/scripts don't care about capabilities, but > I think this is not a big deal. > > >I checked some other opensource BGP implementations and noticed that > both FRR and bird send this suberr 7 NOTIFICATION without any data! > > Speaking of FRR: what is the configuration of FRR? It SHOULD send > NOTIFICATION(7) only when there is a strict capability requirement > (neighbor ... strict-capability-match), or the AFI/SAFI is not enabled at > all when MP is used. I just looked at the code: https://github.com/FRRouting/frr/blob/master/bgpd/bgp_open.c#L1454 First of all yes this needs strict-capability-match to be on but the sent NOTIFICATION messages are not RFC conforming. The call on line 1457 is for unsupported / superfluous capabilities (which should just be ignored) and the call on line 1468 does not include data. > >The Data field in the NOTIFICATION > message MUST list the set of capabilities that causes the speaker to > send the message. > > I double-checked this, and FRR sends capability(-ies) that are not in > compliance with what is expected. At least wireshark/tcpdump shows it > correctly. > > Donatas. > > On Thu, Apr 18, 2024 at 1:33 PM Claudio Jeker <cjeker@diehard.n-r-g.com> > wrote: > > > Hi all, > > > > I have a few questions about BGP capabilities since we want to enforce > > some capabilities long term in OpenBGPD. > > > > As a first step we want to remove an old fallback to start over with no > > capabilities in case of a NOTIFICATION with error code 2 (OPEN) and > > suberr 4 (Unsupported Optional Parameter). > > > > Are there still BGP implementations out there that do not support > > capabilities (RFC5492)? > > > > > > > > On top of this I have a question about NOTIFICATION error code 2 (OPEN) > > suberr 7 (Unsupported Capability). From the RFC5492: > > > > 5. Extensions to Error Handling > > > > This document defines a new Error Subcode, Unsupported Capability. > > The value of this Subcode is 7. The Data field in the NOTIFICATION > > message MUST list the set of capabilities that causes the speaker to > > send the message. Each such capability is encoded in the same way as > > it would be encoded in the OPEN message. > > > > As explained in the "Overview of Operations" section, the Unsupported > > Capability NOTIFICATION is a way for a BGP speaker to complain that > > its peer does not support a required capability without which the > > peering cannot proceed. It MUST NOT be used when a BGP speaker > > receives a capability that it does not understand; such capabilities > > MUST be ignored. > > > > I have an issue with "Each such capability is encoded in the same way > > as it would be encoded in the OPEN message". The thing is for some > > capabilities the system may not really know the exact encoding of the > > missing capability. For example graceful restart could include some > > AFI/SAFI pairs but those are optional. > > > > For OpenBGPD when parsing notifications only the first byte of data is > > looked at so that we can log which capability code caused the problem. > > When sending such a notification we build a capability with valid code and > > length fields but apart from capa 1 the payload of the capability is 0. > > For capa 1 we do send the AFI/SAFI pair that is missing. > > > > How do other implementations handle this? > > > > I checked some other opensource BGP implementations and noticed that > > both FRR and bird send this suberr 7 NOTIFICATION without any data! > > I can not really check the behaviour of other propretary implementations. > > > > Also FRR seems to send suberr 7 NOTIFICATIONs for unknown or superfluous > > capabilities. Which violates the last sentence of Section 5. > > Again, do other implementations do the same? > > > > -- > > :wq Claudio > > > > _______________________________________________ > > Idr mailing list > > Idr@ietf.org > > https://www.ietf.org/mailman/listinfo/idr > > > > > -- > Donatas -- :wq Claudio
- [Idr] Questions regarding BGP capabilities (RFC54… Claudio Jeker
- Re: [Idr] Questions regarding BGP capabilities (R… Donatas Abraitis
- Re: [Idr] Questions regarding BGP capabilities (R… Claudio Jeker
- Re: [Idr] Questions regarding BGP capabilities (R… Jeffrey Haas
- Re: [Idr] Questions regarding BGP capabilities (R… Claudio Jeker
- Re: [Idr] Questions regarding BGP capabilities (R… Donatas Abraitis
- Re: [Idr] Questions regarding BGP capabilities (R… Jeffrey Haas
- Re: [Idr] Questions regarding BGP capabilities (R… Claudio Jeker