IETF Logo Mail Archive

Re: [Idr] Questions regarding BGP capabilities (RFC5492)

Donatas Abraitis <donatas.abraitis@gmail.com> Thu, 18 April 2024 14:40 UTC

Return-Path: <donatas.abraitis@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CF8EC14F60A for <idr@ietfa.amsl.com>; Thu, 18 Apr 2024 07:40:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p3NXuJoqhwtN for <idr@ietfa.amsl.com>; Thu, 18 Apr 2024 07:40:08 -0700 (PDT)
Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86940C14F616 for <idr@ietf.org>; Thu, 18 Apr 2024 07:40:07 -0700 (PDT)
Received: by mail-yb1-xb32.google.com with SMTP id 3f1490d57ef6-de45e5c3c68so1137615276.0 for <idr@ietf.org>; Thu, 18 Apr 2024 07:40:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713451206; x=1714056006; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3YjVVo/0FmWMIk6ClxnePCT93NvUUOykfpaGjNJSeeE=; b=ej6/iqb6Wz6VkGYODSYzTq9EbDwrjAjsr++8Zekphlwfox8T1Y7iJjBZNXh3AzDDIS m2xkf1nk7e74iyG1xYR8uEQApSZlK1YjGE0/QqM9oiitb3Vnw+Mb13KhnCaLhG+81rDI rcPHi/FLMZvqXWGr1HZ90YkSAK25YUjzT6P/ULr6BoMpJqNhCBNSsxxK2blrly73Pwu1 VbrTFCxneeEeQISYdY+Xiu1A06oVWfF/GM/p5kUoj++k3bNZtIhTm0390cOSmJGMuTW4 eMoAVMWBhrSJadZvIzu7tcnjcIgPbLE8hnVw/Q+MRGQKRuTTQodlaqR30ZDuzDF9FkzE q13g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713451206; x=1714056006; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3YjVVo/0FmWMIk6ClxnePCT93NvUUOykfpaGjNJSeeE=; b=d30rWJco1n4eHBbC9Xhy4IPtcqLKu7aR183j3M8KJ5dgvdaWOPn9gml27b9J/EPsY7 wegluC0MnC+Lw0V9JtNXZP/HRAR4s1sImRVoZw/Qzy0SMVbyIB4ffBNZZaI4Iudg303r gA6ee4Lr6KKA4xho9l95OuUjHaMDKNa26VXCVJfU0dDysM4hNKo2zN4rWXKX6YOdjQM8 kiuFiRycT/0mC8y6X1qSpL3Sx6hLc0L/4Q1wYFw4ItMR4UbgkJ3wEQOkrnxykp6JaWlq Jy0c632+53+ejkXo289BbGhL9dZIloB9dZBwuswpdiJ0r21WtSGiAkRibOhqdhnNlURw X9IQ==
X-Forwarded-Encrypted: i=1; AJvYcCURwB18MAhEeDGsIrP2FCpX60CxtpWLDux81ZVk4YF5pIpAJhc2CLHWqHVZOXKOsDGwRmBwmz/Tr+2shfs=
X-Gm-Message-State: AOJu0YxNXStgDzxft/gazfjlTcL0FqNKgpNPeWsYuuBzevZtcYaNprJu MdRfG1Sp39MT5Uk56VbZDUp16Ky+uvR7pp5Uq4+oSo70D6b8onmDhdI5uTdiH+CCw2KIngnTLAn 1zk6Oy5tOzA6Xy78nN2VD/1LpBqd/QQCeOSo=
X-Google-Smtp-Source: AGHT+IH3VudeZ6qOFoiEMlaTuj3cB05WgXozmXXcL7Eqd3q5OjEvI2/giol1CACEaQwERXCAJQSK/UYKTGHeY6JV1Lw=
X-Received: by 2002:a25:a044:0:b0:de3:cce6:5dce with SMTP id x62-20020a25a044000000b00de3cce65dcemr3099392ybh.36.1713451206223; Thu, 18 Apr 2024 07:40:06 -0700 (PDT)
MIME-Version: 1.0
References: <ZiD21ViYxwCLju8p@diehard.n-r-g.com> <2119777B-672A-4B3E-928C-84D4FA5FCCE5@pfrc.org> <ZiEspNe+RcgX9noV@diehard.n-r-g.com>
In-Reply-To: <ZiEspNe+RcgX9noV@diehard.n-r-g.com>
From: Donatas Abraitis <donatas.abraitis@gmail.com>
Date: Thu, 18 Apr 2024 17:39:55 +0300
Message-ID: <CAPF+HwW8vxmQpxumWbGmzu++0K9TvSvWig=tMYX6wHDGoeOw9w@mail.gmail.com>
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
Cc: Jeffrey Haas <jhaas@pfrc.org>, idr@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007cb6f906165ff2ee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Z5rg9k39jYXk_gFSYoc-YH1xlv0>
Subject: Re: [Idr] Questions regarding BGP capabilities (RFC5492)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2024 14:40:12 -0000

>The call on line 1457 is for unsupported / superfluous capabilities (which
should just be ignored).

Yes, and no, IMO. If we explicitly require STRICT behavior, then I think
NOTIFICATION(7) should be sent.

>and the call on line 1468 does not include data

Yes, will fix this - thanks for noticing ;)

On Thu, Apr 18, 2024 at 5:22 PM Claudio Jeker <cjeker@diehard.n-r-g.com>
wrote:

> On Thu, Apr 18, 2024 at 09:02:10AM -0400, Jeffrey Haas wrote:
> >
> >
> > > On Apr 18, 2024, at 6:32 AM, Claudio Jeker <cjeker@diehard.n-r-g.com>
> wrote:
> > > Are there still BGP implementations out there that do not support
> > > capabilities (RFC5492)?
> >
> > "Implementations", yes.  From current vendors or major open source
> packages, probably not.
> >
> > BGP-4 is simple enough for basic ipv4 applications that people
> continually make their own stuff even in spite of available tooling.
>
> Guess people need to slowly update their own stuff :)
>
> While we can configure session to have no capabilities (you need to turn
> of 4-byte ASN, open policy and rrefresh) it is not our default. So people
> with their own stuff need to fumble extra config knobs. Also I wonder how
> many of those "implementations" do proper error handling :)
>
> > >
> > >   As explained in the "Overview of Operations" section, the Unsupported
> > >   Capability NOTIFICATION is a way for a BGP speaker to complain that
> > >   its peer does not support a required capability without which the
> > >   peering cannot proceed.  It MUST NOT be used when a BGP speaker
> > >   receives a capability that it does not understand; such capabilities
> > >   MUST be ignored.
> > >
> > > I have an issue with "Each such capability is encoded in the same way
> > > as it would be encoded in the OPEN message".  The thing is for some
> > > capabilities the system may not really know the exact encoding of the
> > > missing capability. For example graceful restart could include some
> > > AFI/SAFI pairs but those are optional.
> >
> > Generally, the desired behavior is you list the state you don't like.
> >
> > State you want but isn't present shouldn't be sent back in the
> notification.
>
> Isn't that the inverse of the text in the RFC?
>     ... the Unsupported Capability NOTIFICATION is a way for a BGP speaker
>     to complain that its peer does not support a required capability
>
> At least my understanding is that 'Unsupported Capability NOTIFICATION' is
> used to inform the peer that a required capability is missing. Stuff you
> don't like falls under:
>     It MUST NOT be used when a BGP speaker receives a capability that it
>     does not understand; such capabilities MUST be ignored.
>
> In fact my interpretation of that sentence is that even badly encoded
> capabilities need to be ignored and no NOTIFICATION should be sent back in
> that case.
>
> > >
> > > For OpenBGPD when parsing notifications only the first byte of data is
> > > looked at so that we can log which capability code caused the problem.
> > > When sending such a notification we build a capability with valid code
> and
> > > length fields but apart from capa 1 the payload of the capability is 0.
> > > For capa 1 we do send the AFI/SAFI pair that is missing.
> > >
> > > How do other implementations handle this?
> >
> > Dirty conformance laundry:
> >
> > Junos will return unsupported capability for any known but malformed
> > capability that isn't the multi-protocol capability with no error data.
> >
> > For multi-protocol, we'll encode the received mp-caps back in our data.
> > We do this when there are no overlapping afi/safi to peer with.
> >
> > For tracing received notifications, mp is the only thing that we pretend
> > to understand and dig inside.  The rest is just dealt with as opaque hex
> > data.
> >
> > >
> > > I checked some other opensource BGP implementations and noticed that
> > > both FRR and bird send this suberr 7 NOTIFICATION without any data!
> > > I can not really check the behaviour of other propretary
> implementations.
> >
> > The notification data is handy if you're trying to determine what the
> > remote device didn't like.  That said, if you're poking at a device in a
> > non-consensual way (presuming they've left their bgp ports reachable),
> > there's something to be said for less disclosure and not exercising code
> > paths where you send in nonsense.
> >
> > > Also FRR seems to send suberr 7 NOTIFICATIONs for unknown or
> superfluous
> > > capabilities. Which violates the last sentence of Section 5.
> >
> > Yeah... don't do that.
>
> Guess our handling is good enough.
> --
> :wq Claudio
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>


-- 
Donatas

v2.23.0 | Report a Bug | By Email