IETF Logo Mail Archive

Re: [Idr] Questions regarding BGP capabilities (RFC5492)

Jeffrey Haas <jhaas@pfrc.org> Thu, 18 April 2024 13:02 UTC

Return-Path: <jhaas@pfrc.org>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 101B5C14F615 for <idr@ietfa.amsl.com>; Thu, 18 Apr 2024 06:02:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SBCtSP4tOHva for <idr@ietfa.amsl.com>; Thu, 18 Apr 2024 06:02:34 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 84DE6C14F6A7 for <idr@ietf.org>; Thu, 18 Apr 2024 06:02:12 -0700 (PDT)
Received: from smtpclient.apple (172-125-100-52.lightspeed.livnmi.sbcglobal.net [172.125.100.52]) by slice.pfrc.org (Postfix) with ESMTPSA id 2151A1E039; Thu, 18 Apr 2024 09:02:11 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.8\))
From: Jeffrey Haas <jhaas@pfrc.org>
In-Reply-To: <ZiD21ViYxwCLju8p@diehard.n-r-g.com>
Date: Thu, 18 Apr 2024 09:02:10 -0400
Cc: idr@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <2119777B-672A-4B3E-928C-84D4FA5FCCE5@pfrc.org>
References: <ZiD21ViYxwCLju8p@diehard.n-r-g.com>
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
X-Mailer: Apple Mail (2.3696.120.41.1.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/ONIBpHxf1j_9MDE8WyzWQbXJUGU>
Subject: Re: [Idr] Questions regarding BGP capabilities (RFC5492)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2024 13:02:39 -0000


> On Apr 18, 2024, at 6:32 AM, Claudio Jeker <cjeker@diehard.n-r-g.com> wrote:
> Are there still BGP implementations out there that do not support
> capabilities (RFC5492)?

"Implementations", yes.  From current vendors or major open source packages, probably not.

BGP-4 is simple enough for basic ipv4 applications that people continually make their own stuff even in spite of available tooling.

> 
>   As explained in the "Overview of Operations" section, the Unsupported
>   Capability NOTIFICATION is a way for a BGP speaker to complain that
>   its peer does not support a required capability without which the
>   peering cannot proceed.  It MUST NOT be used when a BGP speaker
>   receives a capability that it does not understand; such capabilities
>   MUST be ignored.
> 
> I have an issue with "Each such capability is encoded in the same way
> as it would be encoded in the OPEN message".  The thing is for some
> capabilities the system may not really know the exact encoding of the
> missing capability. For example graceful restart could include some
> AFI/SAFI pairs but those are optional.

Generally, the desired behavior is you list the state you don't like.  

State you want but isn't present shouldn't be sent back in the notification.


> 
> For OpenBGPD when parsing notifications only the first byte of data is
> looked at so that we can log which capability code caused the problem.
> When sending such a notification we build a capability with valid code and
> length fields but apart from capa 1 the payload of the capability is 0.
> For capa 1 we do send the AFI/SAFI pair that is missing.
> 
> How do other implementations handle this?

Dirty conformance laundry: 

Junos will return unsupported capability for any known but malformed capability that isn't the multi-protocol capability with no error data.

For multi-protocol, we'll encode the received mp-caps back in our data.  We do this when there are no overlapping afi/safi to peer with.

For tracing received notifications, mp is the only thing that we pretend to understand and dig inside.  The rest is just dealt with as opaque hex data.

> 
> I checked some other opensource BGP implementations and noticed that
> both FRR and bird send this suberr 7 NOTIFICATION without any data!
> I can not really check the behaviour of other propretary implementations.

The notification data is handy if you're trying to determine what the remote device didn't like.  That said, if you're poking at a device in a non-consensual way (presuming they've left their bgp ports reachable), there's something to be said for less disclosure and not exercising code paths where you send in nonsense.

> Also FRR seems to send suberr 7 NOTIFICATIONs for unknown or superfluous
> capabilities. Which violates the last sentence of Section 5.

Yeah... don't do that.

-- Jeff

v2.23.0 | Report a Bug | By Email