Hi Lukas,

Actually I saw support for TTL security in BFD code:
https://gitlab.nic.cz/labs/bird/-/blob/master/proto/bfd/packets.c#L496

And I see in your config example that you use multihop BFD, but the RFC you
refer to is talking about single-hop BFD usage. So it does not seem like a bug
here. Maybe the other side does not consider these BFD sessions multihop and
is thus applying the TTL security policy?

Regards,
Alexander

On Sat, Jan 20, 2024 at 11:18 AM Lukas Haase <lukasha...@gmx.at> wrote:
>
> Hi,
>
> After long debugging I finally figured out why Bird's bfd cannot establish a
> session with FRR (VyOS): Packets are sent with TTL 64. However, according to
> https://datatracker.ietf.org/doc/rfc5881/, Section 5: "If BFD authentication
> is not in use on a session, all BFD Control packets for the session MUST be
> sent with a Time to Live (TTL) or Hop Limit value of 255".
>
> This is the reason why FRR just drops packets received from bird and the
> session never establishes.
>
> As a quick workaround, I could get it working with:
>
> sysctl -w net.ipv4.ip_default_ttl="255"
>
> However, bird should set TTL appropriately.
>
> Is this something that was missed or is there a setting I am missing?
>
> Thanks,
> Luke
>
>
> > Sent: Wednesday, 17 January 2024 at 01:24
> > From: "Lukas Haase via Bird-users" <bird-users@network.cz>
> > To: "Alexander Zubkov" <gr...@qrator.net>
> > Cc: bird-users@network.cz
> > Subject: Re: BFD sessions with FFR (VyOS) won't establish
> >
> > Hi Alexander,
> >
> > Thanks. I have tried
> >
> > sysctl -w net.ipv4.ip_local_port_range="49152 65535"
> >
> > but unfortunately no change.
> > What I do not understand is that Interval and Timeout are wrong on the
> > non-working peer:
> >
> > # birdc show bfd sess
> > BIRD 2.0.8 ready.
> > bfd1:
> > IP address                Interface  State      Since         Interval  Timeout
> > 172.20.215.130            ---        Up         2024-01-16      0.100    0.500
> > 172.20.215.131            ---        Init       2024-01-16      1.000   10.000
> >
> > Do these parameters need to be identical among peers, similar to OSPF?
> > Note, they are identical to my knowledge but could there be any implicit
> > setting that causes discrepancy between the peers and would cause a
> > connection being stuck in "Up"? For example, in bird I have "idle tx
> > interval 500 ms" but I could not find a corresponding option in VyOS/FRR.
> >
> > Could you think of any tcpdump/netcat debug?
> >
> > Thanks,
> > Luke
> >
> >
> > > Sent: Wednesday, 17 January 2024 at 00:35
> > > From: "Alexander Zubkov" <gr...@qrator.net>
> > > To: "Lukas Haase" <lukasha...@gmx.at>
> > > Cc: bird-users@network.cz
> > > Subject: Re: BFD sessions with FFR (VyOS) won't establish
> > >
> > > Hi,
> > >
> > > There were reports here in the list that some BFD peers do not allow
> > > connections from non-standard ports and bird does not choose source port
> > > specifically. So you might need to tune your sysctl like that:
> > >
> > > net.ipv4.ip_local_port_range = 49152 65535
> > >
> > > Not sure if this is the case, but I would try that first.
> > >
> > > Regards,
> > > Alexander
> > >
> > > On Tue, Jan 16, 2024 at 9:15 AM Lukas Haase via Bird-users
> > > <bird-users@network.cz> wrote:
> > > >
> > > > Hello,
> > > >
> > > > My BFD sessions between bird work fine but the ones to VyOS
> > > > (which uses FRR) just won't connect:
> > > >
> > > > # birdc show bfd sess
> > > > BIRD 2.0.8 ready.
> > > > bfd1:
> > > > IP address                Interface  State      Since         Interval  Timeout
> > > > 172.20.215.131            ---        Init       10:39:14.183    1.000   10.000
> > > > 172.20.215.130            ---        Up         10:42:03.901    0.100    0.500
> > > >
> > > > 172.20.215.131 is here a VyOS box and its FRR config looks like:
> > > >
> > > > !
> > > > bfd
> > > >  peer 172.20.215.129 multihop local-address 172.20.215.131
> > > >   detect-multiplier 10
> > > >   transmit-interval 100
> > > >   receive-interval 100
> > > >  exit
> > > >  !
> > > > exit
> > > > !
> > > > end
> > > >
> > > >
> > > > For reference, my bird config is trivially:
> > > >
> > > > protocol bfd
> > > > {
> > > >         interface "local-ibgp" {
> > > >                 min rx interval 100 ms;
> > > >                 min tx interval 100 ms;
> > > >                 idle tx interval 500 ms;
> > > >                 multiplier 10;
> > > >         };
> > > >         neighbor 172.20.215.130 local 172.20.215.129 multihop;
> > > >         neighbor 172.20.215.131 local 172.20.215.129 multihop;
> > > > }
> > > >
> > > >
> > > > I have turned off firewall. What else could go wrong?
> > > >
> > > >
> > > > Thanks,
> > > > Luke
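
The receive-side TTL rule from RFC 5881 Section 5 quoted in this thread, and the single-hop/multihop distinction raised in the reply, as an added example in C; it is not code from BIRD, FRR or anyone in this thread. The function names, the verdict enum and the `min_ttl` policy parameter for multihop sessions are assumptions made for illustration, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names below are hypothetical; this is not BIRD or FRR code. */
enum bfd_verdict { BFD_ACCEPT, BFD_DROP_MALFORMED, BFD_DROP_TTL };
#define BFD_HDR_LEN   24    /* mandatory section of a BFD Control packet (RFC 5880) */
#define BFD_FLAG_AUTH 0x04  /* A bit: authentication section present */

/* ttl is the TTL/Hop Limit the packet arrived with; min_ttl is an assumed
 * local policy knob for multihop sessions (0 disables the check). */
enum bfd_verdict bfd_rx_check(const uint8_t *pkt, size_t len, uint8_t ttl,
                              int multihop, uint8_t min_ttl)
{
    if (len < BFD_HDR_LEN || (pkt[0] >> 5) != 1)  /* too short, or version != 1 */
        return BFD_DROP_MALFORMED;
    int auth = (pkt[1] & BFD_FLAG_AUTH) != 0;
    size_t min_len = auth ? BFD_HDR_LEN + 2 : BFD_HDR_LEN;
    if (pkt[2] == 0 || pkt[3] < min_len || pkt[3] > len)  /* detect mult, length */
        return BFD_DROP_MALFORMED;
    if (!multihop) {
        /* RFC 5881 section 5: no authentication and TTL != 255 MUST be discarded */
        if (!auth && ttl != 255)
            return BFD_DROP_TTL;
    } else if (ttl < min_ttl) {
        return BFD_DROP_TTL;
    }
    return BFD_ACCEPT;
}

/* Constructed sample packet: version 1, state Init, no auth, multiplier 10. */
void bfd_sample(uint8_t p[BFD_HDR_LEN])
{
    memset(p, 0, BFD_HDR_LEN);
    p[0] = 1 << 5;       /* version 1, diagnostic 0 */
    p[1] = 2 << 6;       /* state Init */
    p[2] = 10;           /* detect multiplier */
    p[3] = BFD_HDR_LEN;  /* length field */
    p[7] = 1;            /* my discriminator (must be nonzero) */
}

int main(void)
{
    uint8_t p[BFD_HDR_LEN];
    bfd_sample(p);
    printf("%d %d\n", bfd_rx_check(p, 24, 64, 0, 0), bfd_rx_check(p, 24, 255, 0, 0));
    return 0;
}
```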