IETF Logo Mail Archive

Re: [Idr] Questions regarding BGP capabilities (RFC5492)

Claudio Jeker <cjeker@diehard.n-r-g.com> Thu, 18 April 2024 14:08 UTC

Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88ACEC14F60D for <idr@ietfa.amsl.com>; Thu, 18 Apr 2024 07:08:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.895
X-Spam-Level:
X-Spam-Status: No, score=-6.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Dv5Q_Z3XHYT for <idr@ietfa.amsl.com>; Thu, 18 Apr 2024 07:08:30 -0700 (PDT)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7F39C14F60C for <idr@ietf.org>; Thu, 18 Apr 2024 07:08:29 -0700 (PDT)
Received: (qmail 38709 invoked by uid 1000); 18 Apr 2024 14:08:26 -0000
Date: Thu, 18 Apr 2024 16:08:26 +0200
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: Donatas Abraitis <donatas.abraitis@gmail.com>
Cc: idr@ietf.org
Message-ID: <ZiEpWi52qcVh/Tee@diehard.n-r-g.com>
References: <ZiD21ViYxwCLju8p@diehard.n-r-g.com> <CAPF+HwXedkDMh9=WjtKePUuk8bjXx8tXM5+mKPuKCQ902WqANg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAPF+HwXedkDMh9=WjtKePUuk8bjXx8tXM5+mKPuKCQ902WqANg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/-VlZ97CJx-VkeGcS-6I2pkHyNP8>
Subject: Re: [Idr] Questions regarding BGP capabilities (RFC5492)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2024 14:08:35 -0000

On Thu, Apr 18, 2024 at 02:59:35PM +0300, Donatas Abraitis wrote:
> Hi,
> 
> >Are there still BGP implementations out there that do not support
> capabilities (RFC5492)?
> 
> Most likely some random parsers/scripts don't care about capabilities, but
> I think this is not a big deal.
> 
> >I checked some other opensource BGP implementations and noticed that
> both FRR and bird send this suberr 7 NOTIFICATION without any data!
> 
> Speaking of FRR: what is the configuration of FRR? It SHOULD send
> NOTIFICATION(7) only when there is a strict capability requirement
> (neighbor ... strict-capability-match), or the AFI/SAFI is not enabled at
> all when MP is used.

I just looked at the code:
https://github.com/FRRouting/frr/blob/master/bgpd/bgp_open.c#L1454

First of all yes this needs strict-capability-match to be on but
the sent NOTIFICATION messages are not RFC conforming.
The call on line 1457 is for unsupported / superfluous capabilities (which
should just be ignored) and the call on line 1468 does not include data.

> >The Data field in the NOTIFICATION
>    message MUST list the set of capabilities that causes the speaker to
>    send the message.
> 
> I double-checked this, and FRR sends capability(-ies) that are not in
> compliance with what is expected. At least wireshark/tcpdump shows it
> correctly.
> 
> Donatas.
> 
> On Thu, Apr 18, 2024 at 1:33 PM Claudio Jeker <cjeker@diehard.n-r-g.com>
> wrote:
> 
> > Hi all,
> >
> > I have a few questions about BGP capabilities since we want to enforce
> > some capabilities long term in OpenBGPD.
> >
> > As a first step we want to remove an old fallback to start over with no
> > capabilities in case of a NOTIFICATION with error code 2 (OPEN) and
> > suberr 4 (Unsupported Optional Parameter).
> >
> > Are there still BGP implementations out there that do not support
> > capabilities (RFC5492)?
> >
> >
> >
> > On top of this I have a question about NOTIFICATION error code 2 (OPEN)
> > suberr 7 (Unsupported Capability). From the RFC5492:
> >
> > 5.  Extensions to Error Handling
> >
> >    This document defines a new Error Subcode, Unsupported Capability.
> >    The value of this Subcode is 7.  The Data field in the NOTIFICATION
> >    message MUST list the set of capabilities that causes the speaker to
> >    send the message.  Each such capability is encoded in the same way as
> >    it would be encoded in the OPEN message.
> >
> >    As explained in the "Overview of Operations" section, the Unsupported
> >    Capability NOTIFICATION is a way for a BGP speaker to complain that
> >    its peer does not support a required capability without which the
> >    peering cannot proceed.  It MUST NOT be used when a BGP speaker
> >    receives a capability that it does not understand; such capabilities
> >    MUST be ignored.
> >
> > I have an issue with "Each such capability is encoded in the same way
> > as it would be encoded in the OPEN message".  The thing is for some
> > capabilities the system may not really know the exact encoding of the
> > missing capability. For example graceful restart could include some
> > AFI/SAFI pairs but those are optional.
> >
> > For OpenBGPD when parsing notifications only the first byte of data is
> > looked at so that we can log which capability code caused the problem.
> > When sending such a notification we build a capability with valid code and
> > length fields but apart from capa 1 the payload of the capability is 0.
> > For capa 1 we do send the AFI/SAFI pair that is missing.
> >
> > How do other implementations handle this?
> >
> > I checked some other opensource BGP implementations and noticed that
> > both FRR and bird send this suberr 7 NOTIFICATION without any data!
> > I can not really check the behaviour of other propretary implementations.
> >
> > Also FRR seems to send suberr 7 NOTIFICATIONs for unknown or superfluous
> > capabilities. Which violates the last sentence of Section 5.
> > Again, do other implementations do the same?
> >
> > --
> > :wq Claudio
> >
> > _______________________________________________
> > Idr mailing list
> > Idr@ietf.org
> > https://www.ietf.org/mailman/listinfo/idr
> >
> 
> 
> -- 
> Donatas

-- 
:wq Claudio

v2.23.0 | Report a Bug | By Email