OSPF, missing external network prefix

2015-12-07 Thread Eugene M. Zheganin
Hi.

I have a bunch of bird routers. Recently I discovered that at least one
prefix from LSADB isn't installed in FIB:

(first here's what bird thinks about it)
# birdc
BIRD 1.4.4 ready.
bird> show ospf lsadb lsid 192.168.114.192

Global

 Type   LS ID   Router   Age  Sequence  Checksum
 0005  192.168.114.192 192.168.0.15  498  8385d906
bird> show route for 192.168.114.193
0.0.0.0/0  via 178.161.152.73 on vlan600 [bgpv4sat 2015-12-04] *
(100) [AS16285i]
bird> show route for 192.168.114.192/26
0.0.0.0/0  via 178.161.152.73 on vlan600 [bgpv4sat 2015-12-04] *
(100) [AS16285i]

(and the actual FIB)
# route -n get 192.168.114.193
   route to: 192.168.114.193
destination: 0.0.0.0
   mask: 0.0.0.0
gateway: 178.161.152.73
fib: 0
  interface: vlan600
  flags: 
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0
[root@crystal-alpha:local/etc]# route -n get 192.168.114.192/26
route: writing to routing socket: No such process

I really want to investigate why. So far I have an import ACL in bird, but
this prefix doesn't seem to match:

protocol ospf ospfv4 {
rfc1583compat yes;

export filter exportospfv4;
import filter importospfv4;

area 0.0.0.44 {
interface "vlan1";
interface "gre0";
interface "gre1" {
cost 15111;
};
};
}

filter importospfv4 {
if net ~ [ 172.16.0.0/31, 172.16.1.80/31, 172.16.1.81/32,
172.16.1.80/32, 172.16.0.0/32, 172.16.0.1/32 ] then {
print "ospfv4 import: net rejected: ", net;
reject;
}
if net = 0.0.0.0/0 then {
print "ospfv4 import: net rejected: ", net;
reject;
} else {
print "ospfv4 import: net accepted: ", net;
accept;
}
}

Anyway, there are no signs of this missing prefix in the logs.
I've also noticed one more thing, which may be important: this prefix is
originating from a branch office. It's present and installed on all other
area 0 routers, no matter what vendor they're from, but is missing on
the routers which aren't from area 0, but only if they're bird. It's
present on Cisco ones (may be a coincidence though, since I don't have
any Cisco device connected with area 0 via bird).

Thanks.
Eugene.
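A small cross-check that automates what the post does by hand: list the AS-external LSAs (type 0005) from `show ospf lsadb`, then ask `show route for <LS ID>` for each and flag the ones that only fall through to the default route. This is an added example, not code from the post or from BIRD; it assumes the BIRD 1.x output layouts quoted above, and the sample texts below are constructed (the healthy `192.168.115.0/24` entry is invented to show the contrast).

```python
"""Cross-check BIRD's OSPF external LSAs against what 'show route for' resolves.

Added example, not from the original post. Assumes the BIRD 1.x
'show ospf lsadb' and 'show route for' output layouts shown in the thread.
"""
import re
import subprocess

# One LSADB summary line: Type, LS ID, Router, Age, Sequence, Checksum.
# Only the first four columns are needed; the tail is ignored so a line
# with a missing checksum (as in the quoted output) still parses.
LSADB_LINE = re.compile(
    r"^\s*(?P<type>[0-9a-fA-F]{4})\s+"
    r"(?P<lsid>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<router>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<age>\d+)\b"
)
EXTERNAL_LSA = 5  # OSPFv2 LSA type 5: AS-external


def parse_external_lsids(lsadb_text):
    """Return the LS IDs of all AS-external LSAs in 'show ospf lsadb' output."""
    lsids = []
    for line in lsadb_text.splitlines():
        m = LSADB_LINE.match(line)
        if m and int(m.group("type"), 16) == EXTERNAL_LSA:
            lsids.append(m.group("lsid"))
    return lsids


def route_network(route_text):
    """Network of the first route line in 'show route for X' output,
    or None when BIRD printed no route at all."""
    for line in route_text.splitlines():
        parts = line.split()
        if parts and "/" in parts[0]:
            return parts[0]
    return None


def unrouted_externals(lsadb_text, lookup):
    """LS IDs whose 'show route for <lsid>' resolves only to the default
    route (or to nothing). `lookup(lsid)` returns that command's output."""
    missing = []
    for lsid in parse_external_lsids(lsadb_text):
        net = route_network(lookup(lsid))
        if net is None or net == "0.0.0.0/0":
            missing.append(lsid)
    return missing


def birdc_route_for(lsid):
    """Live lookup through the birdc CLI (BIRD 1.x command syntax)."""
    r = subprocess.run(["birdc", "show", "route", "for", lsid],
                       capture_output=True, text=True, check=True)
    return r.stdout


def birdc_lsadb():
    r = subprocess.run(["birdc", "show", "ospf", "lsadb"],
                       capture_output=True, text=True, check=True)
    return r.stdout


# Constructed sample data in the layout of the thread's output (not live data).
SAMPLE_LSADB = """\
Global

 Type   LS ID   Router   Age  Sequence  Checksum
 0005  192.168.114.192 192.168.0.15  498  8385d906
 0005  192.168.115.0   192.168.0.15  120  80000007 1a2b
 0001  192.168.0.15    192.168.0.15  300  80000042 9c3d
"""
SAMPLE_ROUTES = {
    # Resolves only to the BGP default: LSA present, prefix not installed.
    "192.168.114.192": "0.0.0.0/0  via 178.161.152.73 on vlan600 "
                       "[bgpv4sat 2015-12-04] * (100) [AS16285i]\n",
    # Constructed healthy case: the external route itself is installed.
    "192.168.115.0": "192.168.115.0/24  via 172.16.0.1 on gre0 "
                     "[ospfv4 2015-12-04] * E2 (150/10/10000) [192.168.0.15]\n",
}

if __name__ == "__main__":
    print(unrouted_externals(SAMPLE_LSADB, SAMPLE_ROUTES.__getitem__))
    # On a live router: print(unrouted_externals(birdc_lsadb(), birdc_route_for))
```

Run it on the router with the live functions and compare the list against the `print` lines your import filter writes; an LS ID that shows up here but never appears in a "net accepted" or "net rejected" log line was never offered to the filter at all, which narrows the search to OSPF route calculation rather than to the filter.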


Re: default route via OSPF depending on the ISP

2015-12-07 Thread Rohrmann Sascha
Hi Christian,

> - Have a static route (in its own static protocol) in bird,
>  activated by default.

Check ✓

>- Run an external script, that pings the isp regularly. In
>  fact, I am considering to let icinga do that.
>- If the ping fails, let that script (icinga) call
>  "birdc disable static_isp_route"

What do you mean by "static_isp_route"?
Got some more detailed information of that?

>- If the ping works again, call
>  "birdc enable static_isp_route"


>- Finally: Be annoyed, that your isp doesn't support bfd or
>  ospf/bgp.

Check ✓

Thanks in advance. 

-Original Message-
From: Christian Tacke [mailto:christian.tacke+bird.network...@cosmokey.com] 
Sent: Thursday, 3 December 2015 19:46
To: Rohrmann Sascha
Cc: bird-users@network.cz
Subject: Re: default route via OSPF depending on the ISP


Hi Sascha,

On Thu, Dec 03, 2015 at 15:12:10 +, Rohrmann Sascha wrote:
[...]
> Second problem is, not every ISP supports BFD yet because BFD is kinda new. 
> I was thinking about a simple ping which checks the availability of the 
> opposite party. 
> Am I able to include a simple shell script in bird? 
> E.g.:
> ===
> Include ping.sh   (ping check)
> If (ping.sh = 1)
> {
>   export 0.0.0.0/0 via eth0;
> }
> ===
> 
> Do you have more information and/or tips for me, by chance? 
[...]

As I have exactly the same problem, here's what I am planning to do:

- Have a static route (in its own static protocol) in bird,
  activated by default.
- Run an external script, that pings the isp regularly. In
  fact, I am considering to let icinga do that.
- If the ping fails, let that script (icinga) call
  "birdc disable static_isp_route"
- If the ping works again, call
  "birdc enable static_isp_route"
- Finally: Be annoyed, that your isp doesn't support bfd or
  ospf/bgp.

In our case, the major difference is: We're not going to ping, but query the 
state of the modem. Which in itself is annoying, because we're forced to use an 
avm fritzbox and the only way to ask it about its state is by doing upnp.


Cheers

Christian

--
www.cosmokey.com



Re: default route via OSPF depending on the ISP

2015-12-07 Thread Rohrmann Sascha
Hi Ondrej,

>> Do you have more information and/or tips for me, by chance? 

> As others wrote, you could do periodic pinging by e.g. fping and 
> enable/disable a static 
> protocol using birdc (birdc disable XXX). 
> See the attached script, which does something like that and estimating packet 
> loss.

Thank you very much for that script.

I have two additional questions about this:

1) Why do you stop the whole routing process if the ISP is down? Isn't there 
a chance to "only" stop distributing the default-route and keep the OSPF 
process? If yes, how am I able to realize that?
2) If 1) isn't possible, is there a way to check and count incoming routes 
from eBGP so that the router sees that the connection works and distributes 
the default-route after the check?

My goal is to only stop distributing the default-route and not to kill any 
routing-protocol such as OSPF.

Thanks in advance. 

-Original Message-
From: Ondrej Zajicek [mailto:santi...@crfreenet.org] 
Sent: Saturday, 5 December 2015 16:34
To: Rohrmann Sascha
Cc: bird-users@network.cz
Subject: Re: default route via OSPF depending on the ISP

On Thu, Dec 03, 2015 at 03:12:10PM +, Rohrmann Sascha wrote:
> > Well, you could use static default-route and 'check link' option, but that 
> > will help you only in the third case, not in the second one. 
> > For the second case, you must have some other way to establish 
> > whether ISP is up or down, either by running some routing protocol between 
> > you and ISP, or running BFD session.
> 
> Just as you said, that will only help me in the third case. 
> In which way should BFD be able to accomplish my goal?
> In my understandings BFD only checks if the link is available. If this isn't 
> given, BFD tells Bird this problem.

BFD checks whether specified/destination IP is available (but it also must run 
BFD).
Therefore both link and host must be up.


> Second problem is, not every ISP supports BFD yet because BFD is kinda new. 

That is true, and also BFD-controlled static routes are only in devel version 
of BIRD, not in v1.5.0


> I was thinking about a simple ping which checks the availability of the 
> opposite party. 
> Am I able to include a simple shell script in bird? 

No


> Do you have more information and/or tips for me, by chance? 

As others wrote, you could do periodic pinging by e.g. fping and enable/disable 
a static protocol using birdc (birdc disable XXX). See the attached script, 
which does something like that and estimating packet loss.


> > I was thinking about the bfd protocol, but bfd is kinda new and you can't 
> > run more than one instance in bird.
> > Well, is there any reason why to run multiple BFD instances in BIRD?
> 
> Well... you could create one bfd instance for one single interface.
> Furthermore you could then check the availability for e.g. my problem instead 
> of checking all BFD instances.

I don't understand here.


-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
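The plan Christian sketched (static default in its own protocol, periodic ping, `birdc disable`/`enable` on that protocol) and Ondrej's fping suggestion both come down to the same loop, so here is one worked version of it. This is an added example, not Ondrej's attached script and not part of BIRD; the protocol name `static_isp`, the ISP gateway placeholder `192.0.2.1`, and the loss thresholds are assumptions, and it relies on the summary line `fping -c N` prints to stderr (`host : xmt/rcv/%loss = 5/5/0%, ...`). Disabling one static protocol withdraws only the routes that protocol carries; OSPF and the other protocols keep running, which is the behaviour Sascha asked for in question 1).

```python
"""Toggle a BIRD static protocol on ISP reachability, measured with fping.

Added example, not the script attached to the thread. Assumes a BIRD 1.x
static protocol named 'static_isp' (assumed name) that carries only the
default route, and the summary line format of 'fping -c N'.
"""
import re
import subprocess

FPING_SUMMARY = re.compile(r"xmt/rcv/%loss = (\d+)/(\d+)/(\d+)%")


def parse_loss(fping_output):
    """Packet loss percentage from an 'fping -c' summary; None if absent."""
    m = FPING_SUMMARY.search(fping_output)
    return int(m.group(3)) if m else None


def next_state(state, loss, down_at=60, up_below=20):
    """Hysteresis: leave 'up' only when loss reaches down_at, and return to
    'up' only once loss drops below up_below, so a flapping link does not
    flap the default route. An unparseable measurement counts as 100%."""
    if loss is None:
        loss = 100
    if state == "up" and loss >= down_at:
        return "down"
    if state == "down" and loss < up_below:
        return "up"
    return state


def birdc_command(state, protocol="static_isp"):
    """birdc verb for the new state. Disabling the static protocol withdraws
    only its routes; every other protocol (OSPF included) keeps running."""
    return ["birdc", "enable" if state == "up" else "disable", protocol]


def measure_loss(target, count=5):
    """Run one fping probe; with -c the per-host summary goes to stderr."""
    r = subprocess.run(["fping", "-c", str(count), "-q", target],
                       capture_output=True, text=True)
    return parse_loss(r.stderr + r.stdout)


def reconcile(state, loss, run=subprocess.run):
    """Apply one measurement and call birdc only on an actual transition."""
    new = next_state(state, loss)
    if new != state:
        run(birdc_command(new), check=True)
    return new


if __name__ == "__main__":
    import sys
    import time
    # 192.0.2.1 is a documentation-range placeholder for the ISP gateway.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    state = "up"  # the static protocol is "activated by default"
    while True:
        state = reconcile(state, measure_loss(target))
        time.sleep(10)
```

Run it as `python3 isp_check.py <isp-gateway>` from a supervisor (or let icinga call `reconcile` logic of its own); the state variable is what makes the script idempotent, so a monitoring system that runs it every minute will not hammer birdc with redundant enable/disable commands.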



ospf: Socket error on ix0: Permission denied + a lot KIF: Received address message for unknown interface

2015-12-07 Thread SC SCx
Hello.

I have a FreeBSD x64 10.2-p7 system with Bird 1.5.0 acting as a PPPOE
concentrator using MPD5 version 5.7

The system has 2 physical interfaces:

ix0 ( a /30 connection to another freebsd router - ABR running Bird  )
ix1 ( listening for PPPOE via MPD5 )

And many virtual interfaces when a PPPOE connection is established that
follow this pattern:

ng1, ng2, ng3 ... etc

Here's my bird config (This router is running in a Totally Stubby Area
0.0.0.1):

router id 172.16.116.5;

protocol kernel {
export all;
}

protocol direct {
interface "ix0", "ng*";
}

protocol device {
scan time 10;
}

protocol static {

}

protocol ospf {
tick 2;
area 0.0.0.1 {
stub yes;
summary no;

networks {
10.10.0.0/16;
125.40.44.0/22;
};

interface "ix0" {
dead count 4;
type broadcast;
};

interface "ng*" {
stub yes;
};
};
}

This router also has a firewall enabled (ipfw) with the following rules:

00100  deny ip from any to not 125.40.44.0/22 out recv ng* xmit ng*
01000  pipe tablearg ip from any to table(2) out via ng*
01010  deny ip from any to any out via ng*
01020  pipe tablearg ip from table(1) to any in via ng*
01030  deny ip from any to any in via ng*
65534  allow ip from any to any
65535  deny ip from any to any

What happens when I turn the system on and receive about 800 connections
(e.g around 800 ng interfaces are created) is this in the logs:

Dec  2 03:59:41 pppoe1 bird: ospf1: Socket error on ix0: Permission denied
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 124
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 123
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 125
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 126
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 127
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 128
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 130
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 129
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 131
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 133
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 132
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 134
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 136
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 135
Dec  2 03:59:41 pppoe1 last message repeated 2 times
... and much more

As can be seen, I see tons of KIF: Received address message for unknown
interface messages, which I am not sure mean anything serious. These
happen any time an ng interface is brought up/down.

The worst is ospf1: Socket error on ix0: Permission denied because bird
doesn't appear to listen and form any adjacency via ospf on this interface.

At first I thought this may be due to a race condition, e.g. Bird might load
faster than the firewall rules, and with ipfw the only loaded rule at
startup is 'deny ip from any to any', which could explain the permission
error. However, if I manually stop bird and restart it after the system has
fully booted I still receive the permission error, despite the fact that there's now
an 'allow ip from any to any' rule present.

Interestingly, I have an identical setup created with VirtualBox for this
router, and when I test with only 2 PPPOE connections it doesn't complain
about any permission error. Same firewall rules and everything else. The system
starts up the same way, but no permission error. And the router forms
adjacency.

I do still see KIF: Received address message for unknown interface
messages, though.

Any ideas what can be the cause?

Thank you.
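With 800 ng interfaces the KIF lines drown out the one message that matters, so a first step is to collapse the log into counts. The following is an added example, not part of the post or of BIRD: it re-joins records that the mail client wrapped onto a second line, expands syslog's "last message repeated N times" onto the preceding record, counts KIF messages per kernel interface index, and pulls out the OSPF socket error separately. The sample log is the first lines quoted above.

```python
"""Collapse BIRD syslog noise into counts so the actionable line stands out.

Added example, not from the post. Handles mail-wrapped records and the
syslog 'last message repeated N times' line by attributing N repeats to
the preceding record.
"""
import re
from collections import Counter

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
REPEATED = re.compile(r"^last message repeated (\d+) times$")
KIF_UNKNOWN = re.compile(r"KIF: Received address message for unknown interface (\d+)")
SOCKET_ERROR = re.compile(r"bird: (\S+): Socket error on (\S+): (.*)$")


def unwrap(lines):
    """Re-join syslog records that a mail client wrapped onto a second line:
    a line without a timestamp belongs to the record before it."""
    records = []
    for raw in lines:
        raw = raw.rstrip()
        if not raw:
            continue
        if SYSLOG.match(raw) or not records:
            records.append(raw)
        else:
            records[-1] = records[-1] + " " + raw.strip()
    return records


def triage(records):
    """Return (Counter of KIF messages per interface index, list of socket
    errors as (protocol, interface, reason)). Repeat lines are expanded."""
    kif = Counter()
    errors = []
    prev = None  # last real message, so a repeat line can be attributed
    for rec in records:
        m = SYSLOG.match(rec)
        if not m:
            continue
        msg = m.group("msg")
        rep = REPEATED.match(msg)
        if rep:
            k = KIF_UNKNOWN.search(prev) if prev else None
            if k:
                kif[int(k.group(1))] += int(rep.group(1))
            continue
        prev = msg
        k = KIF_UNKNOWN.search(msg)
        if k:
            kif[int(k.group(1))] += 1
            continue
        s = SOCKET_ERROR.search(msg)
        if s:
            errors.append((s.group(1), s.group(2), s.group(3)))
    return kif, errors


# Constructed sample: the first records quoted in the post, as they were pasted.
SAMPLE_LOG = """\
Dec  2 03:59:41 pppoe1 bird: ospf1: Socket error on ix0: Permission denied
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 124
Dec  2 03:59:41 pppoe1 last message repeated 2 times
Dec  2 03:59:41 pppoe1 bird: KIF: Received address message for unknown
interface 123
Dec  2 03:59:41 pppoe1 last message repeated 2 times
"""

if __name__ == "__main__":
    kif, errors = triage(unwrap(SAMPLE_LOG.splitlines()))
    print("KIF unknown-interface messages per ifindex:", dict(kif))
    print("socket errors:", errors)
```

Feed it the real file with `triage(unwrap(open("/var/log/messages")))`. Three KIF messages per ng interface (one plus two repeats) is what an interface coming up looks like here, so an index whose count keeps growing, or the `ospf1`/`ix0`/`Permission denied` tuple reappearing after every restart, is the line to chase; the KIF totals by themselves only track how many PPPoE sessions came and went.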