Re: Bgp 4 peer problems, 2 peer stay in connect

2018-03-08 Thread Mattia Milani
I had put every link on a /30, so the session between two peers has a
different network address for every link.

Thanks a lot for the help :)

2018-03-07 18:23 GMT+01:00 Mattia Milani:

> Yeah, that's right, I can't ping H2 from H0, but H0 knows only H1, it didn't
> try to reach H2; indeed when I try to ping H1.eth1 from H0.eth1 it works.
> Tonight I will modify my program to have different networks and I will
> notify you if it works.
>
> Another question: when will aggregation on BGP be implemented? Have you
> planned it?
>
> Thanks, Mattia
>
> 2018-03-07 17:59 GMT+01:00 Daniel Suchy:
>
>> Hello,
>> as Ondrej mentioned already, you have wrong basic network setup - you're
>> using wrong network masks. H0 thinks that all nodes (H1, H2, H3) are in
>> single directly-connected L2 network.
>>
>> To have BGP working, you need to have basic L3 connectivity working -
>> that means, you must be able to ping each host (and this will not work
>> in your setup). It's not a problem with Bird.
>>
>> With regards,
>> Daniel
>>
>>
>> On 03/07/2018 05:20 PM, Mattia Milani wrote:
>> > all external interfaces of the peers belong to the same network, and the
>> > address of the network is 10.0.0.0/8 that is unique.
>> >
>> > Sorry for the network picture, I noticed after having sent the email that
>> > it got mangled.
>> > Now I will try to explain it more clearly
>> >
>> > H0 belongs to AS2 and has the interface eth1 with the address 10.0.0.1/8
>> > and it is connected with H1
>> > H1 belongs to AS4 and has two interfaces:
>> >  -eth1 with the address 10.0.1.1/8 that is connected with H0.eth1
>> >  -eth2 with the address 10.0.1.2/8 that is connected with H2.eth2
>> > H2 belongs to AS3 and has two interfaces:
>> >  -eth1 with the address 10.0.2.1/8 that is connected with H3.eth1
>> >  -eth2 with the address 10.0.2.2/8 that is connected with H1.eth2
>> > H3 belongs to AS1 and has the interface eth1 with the address 10.0.3.1/8
>> > and it is connected with H2
>> >
>> > I hope that this way of explaining the network is clearer.
>> >
>> > Every interface is on the same network address, so do you mean that every
>> > BGP session between two peers needs to have a different network address?
>> >
>> >
>> >
>> > 2018-03-07 17:01 GMT+01:00 Ondrej Zajicek:
>> >
>> > On Wed, Mar 07, 2018 at 04:45:55PM +0100, Mattia Milani wrote:
>> > > yeah they are a /8, so bird doesn't support /8?
>> > > now I'll try to modify them.
>> > >
>> > > but sorry, why doesn't bird support /8?
>> >
>> > BIRD of course supports /8 (and any other prefix lengths), but your
>> > network setup has more networks with the same network prefix
>> > (10.0.0.0/8), if I understand your network picture correctly (it got
>> > mangled in mail). Such network setup is not generally correct.
>> >
>> > --
>> > Elen sila lumenn' omentielvo
>> >
>> > Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
>> > OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
>> > "To err is human -- to blame it on a computer is even more so."
>> > "To err is human -- to blame it on a computer is even more so."
>> >
>> >
>>
>
>
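
Added example (not part of the thread, and not BIRD code): a small check of the addressing plan discussed above, run once on the interface addresses as posted and once on a /30-per-link renumbering. The /30 addresses and the function names are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Links and interface addresses exactly as posted in the thread (all /8).
LINKS = [("H0.eth1", "H1.eth1"), ("H1.eth2", "H2.eth2"), ("H2.eth1", "H3.eth1")]
POSTED = {"H0.eth1": "10.0.0.1/8", "H1.eth1": "10.0.1.1/8",
          "H1.eth2": "10.0.1.2/8", "H2.eth2": "10.0.2.2/8",
          "H2.eth1": "10.0.2.1/8", "H3.eth1": "10.0.3.1/8"}
# Constructed renumbering: one /30 per link (these addresses are an assumption).
PER_LINK = {"H0.eth1": "10.0.0.1/30", "H1.eth1": "10.0.0.2/30",
            "H1.eth2": "10.0.0.5/30", "H2.eth2": "10.0.0.6/30",
            "H2.eth1": "10.0.0.9/30", "H3.eth1": "10.0.0.10/30"}

def check_plan(addrs, links):
    """Return a list of addressing problems; an empty list means none found."""
    ifaces = {name: ipaddress.ip_interface(a) for name, a in addrs.items()}
    problems, users = [], defaultdict(list)
    for a, b in links:
        if ifaces[a].network != ifaces[b].network:
            problems.append(f"{a} and {b} are linked but not in one subnet")
        elif ifaces[a].ip == ifaces[b].ip:
            problems.append(f"{a} and {b} use the same address")
        for end in (a, b):                      # record which links use a subnet
            net = ifaces[end].network
            if (a, b) not in users[net]:
                users[net].append((a, b))
    nets = sorted(users)
    for i, net in enumerate(nets):
        if len(users[net]) > 1:
            problems.append(
                f"{net} is configured on {len(users[net])} separate links")
        for other in nets[i + 1:]:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
    return problems

def directly_connected(addrs, src, dst):
    """Does `src` consider `dst` on-link, so it never routes towards it?"""
    src_net = ipaddress.ip_interface(addrs[src]).network
    return ipaddress.ip_interface(addrs[dst]).ip in src_net
```

With the posted /8 masks H0 treats H3 as on-link although they share no segment; with one /30 per link only the real neighbour is on-link.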


Re: Bird2: BGP password & setkey

2018-03-08 Thread Ondrej Zajicek
On Thu, Mar 08, 2018 at 10:02:32PM +, Leo Vandewoestijne wrote:
> Hello,
> 
> 
> The setkey option caught my attention when reading the 2.x manual...
> 
> I'm using FreeBSD 11.1 and was trying to have Bird manage the IPSEC (MD5 checksum),
> which I've successfully done already in OpenBGPd before NIC.CZ picked up the Bird project.
> So I have a number of upstream peers that have it enabled.
> When the password option arrived in Bird I still used setkey,
> but in the later 1.x releases I needed to use only the 'password' option in bird.conf,
> and had to drop my IPSEC settings at the OS level.
> 
> When I now -using bird 2.0.1- put in a BGP protocol block:
> 
>   password "bla";
>   setkey enabled;

Hello

Correct values are yes/no/on/off and nothing (means yes). But 'yes' is
the default value, so you do not need to use 'setkey' option. It is
supposed to work in the same way as in BIRD 1.6.x and there are almost
no related changes between 1.6.x and 2.0.x.

Aren't there any errors in logs? Could you verify that you have different
behavior in plain 1.6.3 and 2.0.1 without IPSEC settings at the OS level?


> But... having `setkey` in bird.conf -or not- doesn't seem to make any difference.
> Meaning I still need to define the password both my regular IPSEC settings AND those in Bird.
> So yes, I got it working, but -reading the manual- I highly doubt double config was intended.
> 
> What is the correct/simple/efficient method to do this?

Just use 'password'.

> FYI in /etc/rc.conf I still have:
> 
>   ipsec_enable="YES"
>   ipsec_program="/sbin/setkey"
>   ipsec_file="/etc/setkey.conf"
> 
> The double config also makes me wonder if I might be confusing things;
> I find both "IPSEC" or "MD5 TCP checksum" sounds like improving authenticity of a transport,
> where "BGP password" -to me- sounds like authentication.
> But reading both the Bird manual as well as the setkey manual it looks like that's the same thing.
>
> Anyway, I also discovered you can set a password in a template (which I use in a cascading way),
> and further on can overwrite/reset it for particular sessions using `password "";`.
> As the manual doesn't mention it, I'm unsure if that's a bug or a feature, but that's very nice!

Well, I am unsure too ;-). Using `password "";` to disable inherited
password seems to work on BSD, but not on Linux.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
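
Added example (not from the thread and not BIRD or FreeBSD code): the BGP `password` option enables TCP MD5 signatures (RFC 2385), and this sketch shows what that signature covers and how a receiver checks it. The function names, addresses, ports and the sample KEEPALIVE are constructed for illustration; the password "bla" is the one quoted above.

```python
import hashlib
import hmac
import socket
import struct

KIND, OPTLEN = 19, 18        # TCP MD5 signature option (RFC 2385)

def md5_digest(src, dst, header, data, password):
    """MD5 over pseudo-header, fixed TCP header (checksum 0), data, then key."""
    fixed = bytearray(header[:20])            # TCP options are not covered
    fixed[16:18] = b"\x00\x00"                # checksum is taken as zero
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!BBH", 0, socket.IPPROTO_TCP, len(header) + len(data))
    return hashlib.md5(pseudo + bytes(fixed) + data + password).digest()

def sign(src, dst, sport, dport, seq, data, password):
    """Build a TCP segment with a signature option (TCP checksum left at 0)."""
    # Data offset 10 words: 20-byte header + 18-byte option + 2 NOPs of padding.
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, 0x18,
                        16384, 0, 0)
    blank = bytes([KIND, OPTLEN]) + bytes(16) + b"\x01\x01"
    digest = md5_digest(src, dst, fixed + blank, data, password)
    return fixed + bytes([KIND, OPTLEN]) + digest + b"\x01\x01" + data

def verify(src, dst, segment, password):
    """True only if the segment carries option 19 and its digest matches."""
    hdr_len = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0
    if hdr_len < 20 or len(segment) < hdr_len:
        return False                          # truncated or malformed header
    header, data, i = segment[:hdr_len], segment[hdr_len:], 20
    while i < hdr_len and header[i] != 0:     # walk options until end-of-list
        if header[i] == 1:                    # NOP is a single byte
            i += 1
            continue
        if i + 1 >= hdr_len or header[i + 1] < 2:
            return False                      # malformed option length
        if header[i] == KIND and header[i + 1] == OPTLEN:
            expected = md5_digest(src, dst, header, data, password)
            return hmac.compare_digest(header[i + 2:i + 18], expected)
        i += header[i + 1]
    return False                              # unsigned segment is rejected

# Constructed sample: a BGP KEEPALIVE (19 bytes) between documentation
# addresses, signed with the password "bla" used in the thread.
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
SEGMENT = sign("192.0.2.1", "192.0.2.2", 40000, 179, 1000, KEEPALIVE, b"bla")
```

The digest binds addresses, ports, sequence number and payload to the shared key, so it authenticates each segment of the transport; there is no separate login step inside BGP.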


Re: OSPF in VRF

2018-03-08 Thread Ondrej Zajicek
On Thu, Mar 08, 2018 at 09:55:03PM +, Ticlea Alexandru wrote:
> Hello
> Is it possible to run an ospf instance over an interface which is part of a VRF?
> I make a config but I see no package from local instance on VRF interface.
> The log shows the Hello packages are sent out using physical interface.
> Config is like

Hello

It should work, but requires a recent kernel. Works for me on 4.14.13,
I think (but not sure) it would work on 4.13, but not older.


> ipv4 table vrf_private;
> 
> protocol kernel kernel_vrf_private  {
>     scan time 1;
>     vrf "vrf-private";
>     #kernel table 200;

You should specify the kernel table associated with the VRF.


> protocol ospf ospf_local_core  {
>     vrf "vrf-private";
>     ipv4 {
>     table vrf_private;
>     import all;
>     export all;
>     };
>     disabled off;
>     instance id 0;
>     debug {
>   states,
>   routes,
>   filters,
>   interfaces,
>   events,
>   packets
>     };
>     area 0.0.0.0 {
>     interface  1.2.3.0/24, "ens256", "vrf-private", 172.31.254.0/24 {

I would not add "vrf-private" interface as an active OSPF interface. Just
the regular interfaces that are a part of the VRF.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."



Bird2: BGP password & setkey

2018-03-08 Thread Leo Vandewoestijne
Hello,


The setkey option caught my attention when reading the 2.x manual...

I'm using FreeBSD 11.1 and was trying to have Bird manage the IPSEC (MD5 checksum),
which I've successfully done already in OpenBGPd before NIC.CZ picked up the Bird project.
So I have a number of upstream peers that have it enabled.
When the password option arrived in Bird I still used setkey,
but in the later 1.x releases I needed to use only the 'password' option in bird.conf,
and had to drop my IPSEC settings at the OS level.

When I now -using bird 2.0.1- put in a BGP protocol block:

password "bla";
setkey enabled;

I get returned:

bird: /usr/local/etc/bird.conf, line 42: Number expected

So therefore (after `enabled/disabled`) I tried `1/0`, and then `yes/no`, even `true/false`.
But nothing seems to make the behaviour different. What was allowed was:

password "bla";
setkey;

But... having `setkey` in bird.conf -or not- doesn't seem to make any difference.
Meaning I still need to define the password both my regular IPSEC settings AND those in Bird.
So yes, I got it working, but -reading the manual- I highly doubt double config was intended.

What is the correct/simple/efficient method to do this?


FYI in /etc/rc.conf I still have:

ipsec_enable="YES"
ipsec_program="/sbin/setkey"
ipsec_file="/etc/setkey.conf"

The double config also makes me wonder if I might be confusing things;
I find both "IPSEC" or "MD5 TCP checksum" sounds like improving authenticity of a transport,
where "BGP password" -to me- sounds like authentication.
But reading both the Bird manual as well as the setkey manual it looks like that's the same thing.

Anyway, I also discovered you can set a password in a template (which I use in a cascading way),
and further on can overwrite/reset it for particular sessions using `password "";`.
As the manual doesn't mention it, I'm unsure if that's a bug or a feature, but that's very nice!

Another nice new behaviour I discovered is that now you can have mixed (enabled/disabled) sessions
on the same interface (which -in my case- is having multiple IP's). In 1.6 I never got that working.


-- 

Met vriendelijke groet,
With kind regards,


Leo Vandewoestijne
<***@dns.company>



OSPF in VRF

2018-03-08 Thread Ticlea Alexandru
Hello
Is it possible to run an ospf instance over an interface which is part of a VRF?
I make a config but I see no package from local instance on VRF interface.
The log shows the Hello packages are sent out using physical interface.
Config is like

ipv4 table vrf_private;

protocol kernel kernel_vrf_private {
    scan time 1;
    vrf "vrf-private";
    #kernel table 200;
    ipv4 {
        table vrf_private;
        import all;
        export all;
    };
}

protocol direct direct_vrf_private {
    vrf "vrf-private";
    ipv4 {
        table vrf_private;
    };
}

protocol ospf ospf_local_core {
    vrf "vrf-private";
    ipv4 {
        table vrf_private;
        import all;
        export all;
    };
    disabled off;
    instance id 0;
    debug {
        states,
        routes,
        filters,
        interfaces,
        events,
        packets
    };
    area 0.0.0.0 {
        interface 1.2.3.0/24, "ens256", "vrf-private", 172.31.254.0/24 {
            type broadcast;
            check link on;
            tx dscp 0x1a;
            bfd off;
        };
    };
}


In log I see 
2018-03-08 23:52:31.962  ospf_local_core: HELLO packet sent via ens256

tcpdump shows the packets from the neighbor coming into ens256







Re: [PATCH] babel: Use acknowledged retractions when losing a prefix

2018-03-08 Thread Toke Høiland-Jørgensen
Toke Høiland-Jørgensen writes:

> In order to prevent routing loops, Babel installs temporary blackhole
> routes to prefixes that expire or are otherwise lost. These blackhole
> routes are maintained for a while to ensure the route has been flushed
> from the whole network; the default hold time is 64 seconds.
>
> In the updated IETF version of Babel (rfc6126bis), an alternative
> procedure was added which replaces this hold time with an explicit
> acknowledgement procedure. This procedure simply consists of sending a
> retraction along with an acknowledgement request to all neighbours, and
> removing the blackhole route once all neighbours have acknowledged the
> retraction. As this usually happens pretty quickly, the hold time during
> which the route is blackholed is almost completely avoided.
>
> This patch implements the above behaviour. It adds a generic facility to
> the Babel protocol which allows for sending sequences of acknowledgement
> requests to a number of neighbours, and executing a callback function
> once all the requests have been ACKed. This facility is then used to
> implement the acknowledgement scheme when a route is lost.
>
> Signed-off-by: Toke Høiland-Jørgensen 

Did anyone have a chance to look at this? :)

-Toke



BIRD 1.6.3 on Centos7

2018-03-08 Thread Georg Kahest
Hello,

I tried installing bird 1.6.3 from bird repos, but the install seems to
fail with dependency error:

Resolving Dependencies
--> Running transaction check
---> Package bird.x86_64 0:1.6.3-1 will be installed
--> Processing Dependency: libtinfo.so.6()(64bit) for package: bird-1.6.3-1.x86_64
--> Processing Dependency: libncurses.so.6()(64bit) for package: bird-1.6.3-1.x86_64
--> Finished Dependency Resolution
Error: Package: bird-1.6.3-1.x86_64 (bird)
   Requires: libtinfo.so.6()(64bit)
Error: Package: bird-1.6.3-1.x86_64 (bird)
   Requires: libncurses.so.6()(64bit)


Are the packages in BIRD repo broken?

Georg