Re: [Idr] Questions regarding BGP capabilities (RFC5492)
Donatas Abraitis <donatas.abraitis@gmail.com> Thu, 18 April 2024 14:40 UTC
Return-Path: <donatas.abraitis@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CF8EC14F60A for <idr@ietfa.amsl.com>; Thu, 18 Apr 2024 07:40:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p3NXuJoqhwtN for <idr@ietfa.amsl.com>; Thu, 18 Apr 2024 07:40:08 -0700 (PDT)
Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86940C14F616 for <idr@ietf.org>; Thu, 18 Apr 2024 07:40:07 -0700 (PDT)
Received: by mail-yb1-xb32.google.com with SMTP id 3f1490d57ef6-de45e5c3c68so1137615276.0 for <idr@ietf.org>; Thu, 18 Apr 2024 07:40:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713451206; x=1714056006; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3YjVVo/0FmWMIk6ClxnePCT93NvUUOykfpaGjNJSeeE=; b=ej6/iqb6Wz6VkGYODSYzTq9EbDwrjAjsr++8Zekphlwfox8T1Y7iJjBZNXh3AzDDIS m2xkf1nk7e74iyG1xYR8uEQApSZlK1YjGE0/QqM9oiitb3Vnw+Mb13KhnCaLhG+81rDI rcPHi/FLMZvqXWGr1HZ90YkSAK25YUjzT6P/ULr6BoMpJqNhCBNSsxxK2blrly73Pwu1 VbrTFCxneeEeQISYdY+Xiu1A06oVWfF/GM/p5kUoj++k3bNZtIhTm0390cOSmJGMuTW4 eMoAVMWBhrSJadZvIzu7tcnjcIgPbLE8hnVw/Q+MRGQKRuTTQodlaqR30ZDuzDF9FkzE q13g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713451206; x=1714056006; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3YjVVo/0FmWMIk6ClxnePCT93NvUUOykfpaGjNJSeeE=; b=d30rWJco1n4eHBbC9Xhy4IPtcqLKu7aR183j3M8KJ5dgvdaWOPn9gml27b9J/EPsY7 wegluC0MnC+Lw0V9JtNXZP/HRAR4s1sImRVoZw/Qzy0SMVbyIB4ffBNZZaI4Iudg303r gA6ee4Lr6KKA4xho9l95OuUjHaMDKNa26VXCVJfU0dDysM4hNKo2zN4rWXKX6YOdjQM8 kiuFiRycT/0mC8y6X1qSpL3Sx6hLc0L/4Q1wYFw4ItMR4UbgkJ3wEQOkrnxykp6JaWlq Jy0c632+53+ejkXo289BbGhL9dZIloB9dZBwuswpdiJ0r21WtSGiAkRibOhqdhnNlURw X9IQ==
X-Forwarded-Encrypted: i=1; AJvYcCURwB18MAhEeDGsIrP2FCpX60CxtpWLDux81ZVk4YF5pIpAJhc2CLHWqHVZOXKOsDGwRmBwmz/Tr+2shfs=
X-Gm-Message-State: AOJu0YxNXStgDzxft/gazfjlTcL0FqNKgpNPeWsYuuBzevZtcYaNprJu MdRfG1Sp39MT5Uk56VbZDUp16Ky+uvR7pp5Uq4+oSo70D6b8onmDhdI5uTdiH+CCw2KIngnTLAn 1zk6Oy5tOzA6Xy78nN2VD/1LpBqd/QQCeOSo=
X-Google-Smtp-Source: AGHT+IH3VudeZ6qOFoiEMlaTuj3cB05WgXozmXXcL7Eqd3q5OjEvI2/giol1CACEaQwERXCAJQSK/UYKTGHeY6JV1Lw=
X-Received: by 2002:a25:a044:0:b0:de3:cce6:5dce with SMTP id x62-20020a25a044000000b00de3cce65dcemr3099392ybh.36.1713451206223; Thu, 18 Apr 2024 07:40:06 -0700 (PDT)
MIME-Version: 1.0
References: <ZiD21ViYxwCLju8p@diehard.n-r-g.com> <2119777B-672A-4B3E-928C-84D4FA5FCCE5@pfrc.org> <ZiEspNe+RcgX9noV@diehard.n-r-g.com>
In-Reply-To: <ZiEspNe+RcgX9noV@diehard.n-r-g.com>
From: Donatas Abraitis <donatas.abraitis@gmail.com>
Date: Thu, 18 Apr 2024 17:39:55 +0300
Message-ID: <CAPF+HwW8vxmQpxumWbGmzu++0K9TvSvWig=tMYX6wHDGoeOw9w@mail.gmail.com>
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
Cc: Jeffrey Haas <jhaas@pfrc.org>, idr@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007cb6f906165ff2ee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Z5rg9k39jYXk_gFSYoc-YH1xlv0>
Subject: Re: [Idr] Questions regarding BGP capabilities (RFC5492)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2024 14:40:12 -0000
>The call on line 1457 is for unsupported / superfluous capabilities (which should just be ignored). Yes, and no, IMO. If we explicitly require STRICT behavior, then I think NOTIFICATION(7) should be sent. >and the call on line 1468 does not include data Yes, will fix this - thanks for noticing ;) On Thu, Apr 18, 2024 at 5:22 PM Claudio Jeker <cjeker@diehard.n-r-g.com> wrote: > On Thu, Apr 18, 2024 at 09:02:10AM -0400, Jeffrey Haas wrote: > > > > > > > On Apr 18, 2024, at 6:32 AM, Claudio Jeker <cjeker@diehard.n-r-g.com> > wrote: > > > Are there still BGP implementations out there that do not support > > > capabilities (RFC5492)? > > > > "Implementations", yes. From current vendors or major open source > packages, probably not. > > > > BGP-4 is simple enough for basic ipv4 applications that people > continually make their own stuff even in spite of available tooling. > > Guess people need to slowly update their own stuff :) > > While we can configure session to have no capabilities (you need to turn > of 4-byte ASN, open policy and rrefresh) it is not our default. So people > with their own stuff need to fumble extra config knobs. Also I wonder how > many of those "implementations" do proper error handling :) > > > > > > > As explained in the "Overview of Operations" section, the Unsupported > > > Capability NOTIFICATION is a way for a BGP speaker to complain that > > > its peer does not support a required capability without which the > > > peering cannot proceed. It MUST NOT be used when a BGP speaker > > > receives a capability that it does not understand; such capabilities > > > MUST be ignored. > > > > > > I have an issue with "Each such capability is encoded in the same way > > > as it would be encoded in the OPEN message". The thing is for some > > > capabilities the system may not really know the exact encoding of the > > > missing capability. For example graceful restart could include some > > > AFI/SAFI pairs but those are optional. > > > > Generally, the desired behavior is you list the state you don't like. > > > > State you want but isn't present shouldn't be sent back in the > notification. > > Isn't that the inverse of the text in the RFC? > ... the Unsupported Capability NOTIFICATION is a way for a BGP speaker > to complain that its peer does not support a required capability > > At least my understanding is that 'Unsupported Capability NOTIFICATION' is > used to inform the peer that a required capability is missing. Stuff you > don't like falls under: > It MUST NOT be used when a BGP speaker receives a capability that it > does not understand; such capabilities MUST be ignored. > > In fact my interpretation of that sentence is that even badly encoded > capabilities need to be ignored and no NOTIFICATION should be sent back in > that case. > > > > > > > For OpenBGPD when parsing notifications only the first byte of data is > > > looked at so that we can log which capability code caused the problem. > > > When sending such a notification we build a capability with valid code > and > > > length fields but apart from capa 1 the payload of the capability is 0. > > > For capa 1 we do send the AFI/SAFI pair that is missing. > > > > > > How do other implementations handle this? > > > > Dirty conformance laundry: > > > > Junos will return unsupported capability for any known but malformed > > capability that isn't the multi-protocol capability with no error data. > > > > For multi-protocol, we'll encode the received mp-caps back in our data. > > We do this when there are no overlapping afi/safi to peer with. > > > > For tracing received notifications, mp is the only thing that we pretend > > to understand and dig inside. The rest is just dealt with as opaque hex > > data. > > > > > > > > I checked some other opensource BGP implementations and noticed that > > > both FRR and bird send this suberr 7 NOTIFICATION without any data! > > > I can not really check the behaviour of other propretary > implementations. > > > > The notification data is handy if you're trying to determine what the > > remote device didn't like. That said, if you're poking at a device in a > > non-consensual way (presuming they've left their bgp ports reachable), > > there's something to be said for less disclosure and not exercising code > > paths where you send in nonsense. > > > > > Also FRR seems to send suberr 7 NOTIFICATIONs for unknown or > superfluous > > > capabilities. Which violates the last sentence of Section 5. > > > > Yeah... don't do that. > > Guess our handling is good enough. > -- > :wq Claudio > > _______________________________________________ > Idr mailing list > Idr@ietf.org > https://www.ietf.org/mailman/listinfo/idr > -- Donatas
- [Idr] Questions regarding BGP capabilities (RFC54… Claudio Jeker
- Re: [Idr] Questions regarding BGP capabilities (R… Donatas Abraitis
- Re: [Idr] Questions regarding BGP capabilities (R… Claudio Jeker
- Re: [Idr] Questions regarding BGP capabilities (R… Jeffrey Haas
- Re: [Idr] Questions regarding BGP capabilities (R… Claudio Jeker
- Re: [Idr] Questions regarding BGP capabilities (R… Donatas Abraitis
- Re: [Idr] Questions regarding BGP capabilities (R… Jeffrey Haas
- Re: [Idr] Questions regarding BGP capabilities (R… Claudio Jeker