Re: OSPF over OpenVPN

2018-03-21 Thread Michael McConnell
I’ve also tried with pointopoint, declared my neighbors under the tap 
interface and made it pointopoint, without success:

interface "tap*" {
    type pointopoint;
    cost 5;
    hello 5;
    wait 10;
    dead 25;
    authentication cryptographic; password "boogers";
    neighbors {
        10.10.10.34;
    };
};

> On Mar 21, 2018, at 3:08 PM, Michael McConnell  
> wrote:
> 
> Hello all,
> 
> I am trying to establish OSPF over OpenVPN without any luck. The client side 
> always turns up with no neighbours. I’ve tried pointopoint and exclusively 
> listing my neighbours, all with no luck. 
> 
> I originally was using the tun interface and switched to tap hoping that 
> would help, but still nothing.
> 
> Below are my configurations, does anyone see anything obvious that I am 
> missing?
> 
> Thanks so much for your time and thoughts!
> 
> 
> ===
> show ospf 
> ospf1:
> RFC1583 compatibility: disabled
> Stub router: No
> RT scheduler tick: 1
> Number of areas: 1
> Number of LSAs in DB: 1
>   Area: 0.0.0.0 (0) [BACKBONE]
>   Stub:   No
>   NSSA:   No
>   Transit:No
>   Number of interfaces:   0
>   Number of neighbors:0
>   Number of adjacent neighbors:   0
> 
> 
> Server ===
> 
> protocol ospf {
>     import all;
>     export filter {
>         ospf_metric1 = 1000;
>         if source = RTS_STATIC then accept; else reject;
>     };
>     area 0 {
>         networks {
>             10.40.32.0/24;
>             10.10.10.32/27;
>         };
> 
>         interface "bond1" {
>             type broadcast;
>             cost 5;
>             hello 5;
>             wait 10;
>             dead 25;
>             authentication cryptographic; password "boogers";
>         };
> 
>         interface "tap*" {
>             type broadcast;
>             cost 5;
>             hello 5;
>             wait 10;
>             dead 25;
>             authentication cryptographic; password "boogers";
>         };
> 
>         interface "*" {
>             cost 1000;
>             stub;
>             #type pointopoint;
>         };
>     };
> }
> 
> 
> 
> Client  ===
> protocol ospf {
>     import all;
>     export filter {
>         ospf_metric1 = 1000;
>         if source = RTS_STATIC then accept; else reject;
>     };
>     area 0 {
>         networks {
>             10.40.32.0/24;
>             10.10.10.32/27;
>         };
> 
>         interface "bond1" {
>             type broadcast;
>             cost 5;
>             hello 5;
>             wait 10;
>             dead 25;
>             authentication cryptographic; password "boogers";
>         };
>         interface "tap*" {
>             type broadcast;
>             cost 5;
>             hello 5;
>             wait 10;
>             dead 25;
>             authentication cryptographic; password "boogers";
>         };
> 
>         interface "*" {
>             cost 1000;
>             stub;
>             #type pointopoint;
>         };
>     };
> }
> 
> 
> --
> Michael McConnell
> WINK Streaming;
> email: mich...@winkstreaming.com
> toll free: 877-GO-4-WINK x 7400
> direct: +1 312 281-5434
> cell: +506 8706-2389
> skype: wink-michael
> web: http://winkstreaming.com
> 
> 
> 
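As an added example (not from the thread, and not BIRD's code), the Python below pairs the OSPF `interface` stanzas of two BIRD configs and reports the per-link settings that have to agree on both ends (hello and dead timers, authentication type and password, network type); run on reduced, constructed copies of the server config and of the client config after the pointopoint change, it flags the broadcast/pointopoint mismatch that change introduces, one of the things to rule out when an adjacency does not form. Pairing stanzas by identical pattern name is an assumption that fits this thread, where both ends use "tap*".

```python
# Added example, not from the thread: pair the BIRD OSPF 'interface' stanzas of
# two configs and report per-link settings that must agree on both ends (hello,
# dead and authentication gate hello acceptance; network type must match too).
# Configs are constructed, reduced copies of the server and post-change client.
MUST_MATCH = ("type", "hello", "dead", "authentication", "password")
SERVER_CFG = '''
interface "tap*" { type broadcast; cost 5; hello 5; wait 10; dead 25;
                   authentication cryptographic; password "boogers"; };
'''
CLIENT_CFG = '''
interface "tap*" { type pointopoint; cost 5; hello 5; wait 10; dead 25;
                   authentication cryptographic; password "boogers";
                   neighbors { 10.10.10.34; }; };
'''

def _flatten(body):
    """Depth-0 text of a block body; nested blocks are dropped, header word too."""
    out, depth = [], 0
    for ch in body:
        if ch == '{':
            if depth == 0:
                flat = ''.join(out)
                out = [flat[:flat.rfind(';') + 1]]
            depth += 1
        elif ch == '}':
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return ''.join(out)

def parse_interfaces(cfg):
    """{pattern: {option: value}} per brace-aware 'interface "..." {...};' stanza; flags get True."""
    result, depth, header, start, header_from = {}, 0, '', 0, 0
    for i, ch in enumerate(cfg):
        if ch == '{':
            if depth == 0:
                header, start = cfg[header_from:i].strip(' \n\t;'), i + 1
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                header_from = i + 1
                if header.startswith('interface'):
                    opts = {}
                    for stmt in filter(str.strip, _flatten(cfg[start:i]).split(';')):
                        key, *rest = stmt.split(None, 1)
                        opts[key] = rest[0].strip().strip('"') if rest else True
                    result[header.split('"')[1]] = opts
    return result

def adjacency_mismatches(side_a, side_b):
    """{pattern: {setting: (a, b)}} for MUST_MATCH settings differing on a shared pattern."""
    report = {}
    for p in sorted(set(side_a) & set(side_b)):
        diffs = {k: (side_a[p].get(k), side_b[p].get(k))
                 for k in MUST_MATCH if side_a[p].get(k) != side_b[p].get(k)}
        if diffs:
            report[p] = diffs
    return report
```

With the posted configs as they stood before the follow-up (both sides `type broadcast`), the report is empty; the mismatch appears only for the pointopoint variant.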



Re: Static Route /24

2018-03-21 Thread Michael McConnell
Thank you Charles, I am a little red in the face for having not tried / known 
that.

I’ll give it a go, thanks again for the help and prompt response!
Mike

--
Michael McConnell
WINK Streaming;
email: mich...@winkstreaming.com
toll free: 877-GO-4-WINK x 7400
direct: +1 312 281-5434
cell: +506 8706-2389
skype: wink-michael
web: http://winkstreaming.com

> On Mar 21, 2018, at 8:54 AM, Charles van Niman  wrote:
> 
> Hey Mike,
> 
>Not sure what platform you're running BIRD on, but in Ubuntu/Linux, I use 
> loopback interfaces to do this. Here is what my interfaces file / BIRD config 
> look like. I am using /32s, but I don't think there are any issues with /24s 
> going into BGP. Let me know if you have any questions or I missed your 
> questions in some way.
> 
> 
> /etc/network/interfaces:
> # The loopback network interface
> auto lo
> iface lo inet loopback
> 
> auto lo:10
> iface lo:10 inet static
> address 172.22.150.126
> netmask 255.255.255.255
> 
> auto lo:11
> iface lo:11 inet static
> address 172.27.255.29
> netmask 255.255.255.255
> 
> auto lo:20
> iface lo:20 inet static
> address 172.22.150.119
> netmask 255.255.255.255
> 
> bird.conf:
> 
> protocol direct {
>   interface "lo*";
> }
> 
> /Charles van Niman
> 
> On Wed, Mar 21, 2018 at 7:13 AM, Michael McConnell  wrote:
> Hello fellow Bird users,
> 
> I’ve run into a strange issue trying to subnet a /24 into a series of smaller 
> /27 and /28’s and have them routed via BGP.
> 
> I currently do the following; route 10.10.10.0/24  
> reject;
> 
> However if I don’t bring the interface up as a /24 (i.e. ifconfig eth0:10 
> 10.10.10.10 netmask 255.255.255.0 up) I am unable to get the route explored 
> when I run show route - the interface needs to be online in order for “show 
> route” to show the import as an unreachable.
> 
> I can kinda make this work through a series of strange static routes, but 
> this seems incorrect. Can anyone suggest a better way to ensure my /24 is 
> announced regardless so that I can then subnet it down for the purpose of 
> serving over a VPN the /28’s and /27’s?
> 
> Hopefully that question makes sense and isn’t too much nonsense.
> 
> Thanks for your help and comments!
> Mike
> 
> --
> Michael McConnell
> WINK Streaming;
> email: mich...@winkstreaming.com 
> toll free: 877-GO-4-WINK x 7400
> direct: +1 312 281-5434 
> cell: +506 8706-2389 
> skype: wink-michael
> web: http://winkstreaming.com 
> 



Re: Static Route /24

2018-03-21 Thread Charles van Niman
Hey Mike,

   Not sure what platform you're running BIRD on, but in Ubuntu/Linux, I
use loopback interfaces to do this. Here is what my interfaces file / BIRD
config look like. I am using /32s, but I don't think there are any issues
with /24s going into BGP. Let me know if you have any questions or I missed
your questions in some way.


/etc/network/interfaces:
# The loopback network interface
auto lo
iface lo inet loopback

auto lo:10
iface lo:10 inet static
address 172.22.150.126
netmask 255.255.255.255

auto lo:11
iface lo:11 inet static
address 172.27.255.29
netmask 255.255.255.255

auto lo:20
iface lo:20 inet static
address 172.22.150.119
netmask 255.255.255.255

bird.conf:

protocol direct {
  interface "lo*";
}

/Charles van Niman

On Wed, Mar 21, 2018 at 7:13 AM, Michael McConnell <
mich...@winkstreaming.com> wrote:

> Hello fellow Bird users,
>
> I’ve run into a strange issue trying to subnet a /24 into a series of
> smaller /27 and /28’s and have them routed via BGP.
>
> I currently do the following; route 10.10.10.0/24 reject;
>
> However if I don’t bring the interface up as a /24 (i.e. ifconfig eth0:10
> 10.10.10.10 netmask 255.255.255.0 up) I am unable to get the route explored
> when I run show route - the interface needs to be online in order for “show
> route” to show the import as an unreachable.
>
> I can kinda make this work through a series of strange static routes, but
> this seems incorrect. Can anyone suggest a better way to ensure my /24 is
> announced regardless so that I can then subnet it down for the purpose of
> serving over a VPN the /28’s and /27’s?
>
> Hopefully that question makes sense and isn’t too much nonsense.
>
> Thanks for your help and comments!
> Mike
>
> --
> Michael McConnell
> WINK Streaming;
> email: mich...@winkstreaming.com
> toll free: 877-GO-4-WINK x 7400
> direct: +1 312 281-5434
> cell: +506 8706-2389
> skype: wink-michael
> web: http://winkstreaming.com
>
>


Re: BIRD 1.6.3 + ROA crashing issue

2018-03-21 Thread Javor Kliachev

Hi,

Thank you very much for the fast response.

The patch has completely fixed the issue!

One more question about the ROA:

Is it possible to use roa_check() inside another function, with the first 
parameter of roa_check being an argument such as peer_as? For example:


roa table 65501 {
    roa 1.2.3.0/24 max 32 as 65501;
}


function BGP_IN(int peer_as) {
    if roa_check(peer_as, net, bgp_path.last) = ROA_INVALID then {
        print "ROA check failed for ", net, " from ASN ", bgp_path.last;
        return false;
    }

    if roa_check(peer_as, net, bgp_path.last) = ROA_UNKNOWN then {
        print "ROA check failed: unallowed prefix - ", net, " origin ASN ", bgp_path.last, " - AS-PATH", bgp_path, " via ", proto;
        return false;
    }
    return true;
}

When I put the above lines in the configuration and try to reconfigure I 
got the following error:


root@rs2-lab:/usr/local/bird-new/etc# birdc c
BIRD 1.6.3 ready.
Reading configuration from /usr/local/bird-new/etc/bird.conf
/usr/local/bird-new/etc/roa.conf, line 8: peer_as is not a ROA table

It makes me think that such an implementation is not possible, or maybe I'm 
totally wrong or missing something.


Thank you once again!

Best~

On 21.03.2018 15:40, Ondrej Zajicek wrote:
> On Wed, Mar 21, 2018 at 12:45:54PM +0200, Javor Kliachev wrote:
>> Hello,
>>
>> We have been using BIRD 1.6.3 on Ubuntu 16.04 as Route Server for a long
>> time.
>>
>> Recently we decided to implement a ROA check filtration but we're
>> experiencing that the daemon crashes whenever we remove the roa table
>> from the config file, even when the roa table is not applied anywhere.
>
> Hello
>
> Is the issue fixed by this patch:
>
> https://gitlab.labs.nic.cz/labs/bird/commit/0ff86d054efa8005c5df943acf6d2122781d3175
>
> ?



--
Javor Kliachev
Senior Engineer IP Services
office: +359 2 974 33 11
mobile: +359 885 98 84 95
www.neterra.net
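
As an added example (not BIRD's code and not the poster's), the following Python models the roa_check() semantics (RFC 6811 route origin validation) that the BGP_IN function above relies on, and mirrors that function's accept/reject decision. ROA_TABLE_R65501 is the table posted in this thread; DEMO_TABLE adds one constructed entry so that the max-length rule and all three outcomes are exercised.

```python
# Added example, not BIRD's own code: a Python model of roa_check() semantics
# (RFC 6811 route origin validation). ROA_TABLE_R65501 is the table posted in
# the thread; DEMO_TABLE and the routes checked are constructed.
import ipaddress
from dataclasses import dataclass
from enum import Enum

class RoaResult(Enum):   # the three values BIRD's roa_check() can return
    ROA_UNKNOWN = "ROA_UNKNOWN"
    ROA_VALID = "ROA_VALID"
    ROA_INVALID = "ROA_INVALID"

@dataclass(frozen=True)
class Roa:               # one 'roa <prefix> max <len> as <asn>;' line
    prefix: ipaddress.IPv4Network   # or IPv6Network
    max_len: int
    asn: int

def roa(prefix, max_len, asn):
    return Roa(ipaddress.ip_network(prefix), max_len, asn)

ROA_TABLE_R65501 = [roa("1.2.3.0/24", 32, 65501)]                 # from the thread
DEMO_TABLE = ROA_TABLE_R65501 + [roa("10.1.0.0/16", 20, 64500)]   # constructed

def roa_check(table, net, origin_asn):
    """RFC 6811 section 2: VALID if a covering ROA matches the origin AS and
    the route is no longer than max_len; INVALID if ROAs cover the prefix but
    none matches; UNKNOWN if no ROA covers the prefix at all."""
    net = ipaddress.ip_network(net)
    covering = [r for r in table
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return RoaResult.ROA_UNKNOWN
    if any(r.asn == origin_asn and net.prefixlen <= r.max_len for r in covering):
        return RoaResult.ROA_VALID
    return RoaResult.ROA_INVALID

def bgp_in(table, net, origin_asn):
    """Mirror of the thread's BGP_IN filter: accept only ROA_VALID routes.
    Dropping ROA_UNKNOWN as well is a strict choice; because most prefixes
    have no ROA, many operators accept UNKNOWN and reject only INVALID."""
    result = roa_check(table, net, origin_asn)
    return result == RoaResult.ROA_VALID, result
```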






Re: BIRD 1.6.3 + ROA crashing issue

2018-03-21 Thread Ondrej Zajicek
On Wed, Mar 21, 2018 at 12:45:54PM +0200, Javor Kliachev wrote:
> Hello,
> 
> We have been using BIRD 1.6.3 on Ubuntu 16.04 as Route Server for a long
> time.
> 
> Recently we decided to implement a ROA check filtration but we're
> experiencing that the daemon crashes whenever we remove the roa table
> from the config file, even when the roa table is not applied anywhere.

Hello

Is the issue fixed by this patch:

https://gitlab.labs.nic.cz/labs/bird/commit/0ff86d054efa8005c5df943acf6d2122781d3175

?

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."


Static Route /24

2018-03-21 Thread Michael McConnell
Hello fellow Bird users,

I’ve run into a strange issue trying to subnet a /24 into a series of smaller 
/27 and /28’s and have them routed via BGP.

I currently do the following; route 10.10.10.0/24 reject;

However if I don’t bring the interface up as a /24 (i.e. ifconfig eth0:10 
10.10.10.10 netmask 255.255.255.0 up) I am unable to get the route explored 
when I run show route - the interface needs to be online in order for “show 
route” to show the import as an unreachable.

I can kinda make this work through a series of strange static routes, but this 
seems incorrect. Can anyone suggest a better way to ensure my /24 is announced 
regardless so that I can then subnet it down for the purpose of serving over a 
VPN the /28’s and /27’s?

Hopefully that question makes sense and isn’t too much nonsense.

Thanks for your help and comments!
Mike

--
Michael McConnell
WINK Streaming;
email: mich...@winkstreaming.com
toll free: 877-GO-4-WINK x 7400
direct: +1 312 281-5434
cell: +506 8706-2389
skype: wink-michael
web: http://winkstreaming.com



Re: constant not available everywhere and passing variables from protocols

2018-03-21 Thread Jan Maria Matejka
> Are there considerations in future to pass bgp_neighbour object to
> filter, to discriminate on neighbor address, ifname, asn, etc? JunOS
> allows this. This would allow me to keep single 'define backup_int =
> "XYZ". On ingress I'd match against protocol, on egress I'd match
> against bgp_neighbour.ifname. So only thing I'd define for
> backup/primary selection is single const, which could be included in a
> single line config file.
> 
> Something like this:
> 
> 
> filter bgp_primary_out {
>   if ifname = "lo" then {
> if bgp_neighbor.ifname = backup_int then bgp_path.prepend(local_as);
> accept;
>   }
>   reject;
> }
> 
> filter bgp_primary_in {
>   if proto = backup_int then bgp_local_pref = 50;
>   if net = default_candidate_net then accept;
>   reject;
> }

Probably yes (or something like that). See this thread:
http://bird.network.cz/pipermail/bird-users/2018-January/011881.html

>> Anyway, it should be possible to 'define default_candidate_ip = 
>> default_candidate_net.ip;'
>> and then use the constant as IP.
> 
> This works. Curiously won't work if the next-hop is
> default_candidate_net.ip; Actually have to assign own constant to it.

Yes, you have to assign an own constant for it due to current
configuration syntax restrictions. It may change in future.

M.


Re: constant not available everywhere and passing variables from protocols

2018-03-21 Thread Saku Ytti
On 21 March 2018 at 12:13, Jan Maria Matejka  wrote:

>> Why not? It barfs with 'line 10: IP address expected'
>
> In v1.6.x, nobody implemented it. In v2, it should work.

Thanks, will consider upgrading.

> Try 'import where yourCustomImportFunction(arg1, arg2, arg3, ... argN)'.

Thanks.


Are there considerations in future to pass bgp_neighbour object to
filter, to discriminate on neighbor address, ifname, asn, etc? JunOS
allows this. This would allow me to keep single 'define backup_int =
"XYZ". On ingress I'd match against protocol, on egress I'd match
against bgp_neighbour.ifname. So only thing I'd define for
backup/primary selection is single const, which could be included in a
single line config file.

Something like this:


filter bgp_primary_out {
  if ifname = "lo" then {
if bgp_neighbor.ifname = backup_int then bgp_path.prepend(local_as);
accept;
  }
  reject;
}

filter bgp_primary_in {
  if proto = backup_int then bgp_local_pref = 50;
  if net = default_candidate_net then accept;
  reject;
}


> Anyway, it should be possible to 'define default_candidate_ip = 
> default_candidate_net.ip;'
> and then use the constant as IP.

This works. Curiously won't work if the next-hop is
default_candidate_net.ip; Actually have to assign own constant to it.

-- 
  ++ytti


BIRD 1.6.3 + ROA crashing issue

2018-03-21 Thread Javor Kliachev

Hello,

We have been using BIRD 1.6.3 on Ubuntu 16.04 as Route Server for a long 
time.


Recently we decided to implement a ROA check filtration but we're 
experiencing that the daemon crashes whenever we remove the roa table 
from the config file, even when the roa table is not applied anywhere.


In simple words: the ROA table is only defined in the config.

Here is a specific example:

root@rs2-lab:/usr/local/bird-new/etc# cat roa.conf
roa table r65501 {
    roa 1.2.3.0/24 max 32 as 65501;
}

#

Here is our simple bird config:

root@rs2-lab:/usr/local/bird-new/etc# cat bird.conf
log "/var/log/bird.log" all;
log syslog all;

debug protocols { events };
router id 10.10.10.100;
define myas = 12345;
protocol device {}

include "roa.conf";

#

So when I remove/comment out "roa.conf" from the config, the bird process 
crashes:


root@rs2-lab:/usr/local/bird-new/etc# birdc c
BIRD 1.6.3 ready.
Connection closed by server

Here is dmesg with the crash info:

[62285.414645] bird[11272]: segfault at 0 ip 0040ace7 sp 7ffd5040e950 error 4 in bird[40+74000]
[62508.998315] bird[11487]: segfault at 0 ip 0040ace7 sp 7ffe148741c0 error 4 in bird[40+74000]
[62599.558242] bird[11570]: segfault at 0 ip 0040ace7 sp 7ffdfa129070 error 4 in bird[40+74000]
[62649.377296] bird[11575]: segfault at 0 ip 0040ace7 sp 7ffd5d8da0a0 error 4 in bird[40+74000]
[63895.137084] bird[11730]: segfault at 0 ip 0040ace7 sp 7ffdd4f08f00 error 4 in bird[40+74000]
[63927.053383] bird[11738]: segfault at 0 ip 0040ace7 sp 7ffe9c5c8110 error 4 in bird[40+74000]
[66260.552622] bird[13629]: segfault at 0 ip 0040ace7 sp 7ffc58de2ad0 error 4 in bird[40+74000]
[69835.274826] bird[14098]: segfault at 0 ip 0040ace7 sp 7ffe306bc640 error 4 in bird[40+74000]
[70481.342658] bird[14218]: segfault at 0 ip 0040ace7 sp 7ffd556c04c0 error 4 in bird[40+74000]
[70587.636343] bird[14234]: segfault at 0 ip 0040ace7 sp 7ffdbc90e4d0 error 4 in bird[40+74000]


Could some BIRD developer help with this issue?

Thanks in advance!

Best~
--
Javor Kliachev
Senior Engineer IP Services
office: +359 2 974 33 11
mobile: +359 885 98 84 95
www.neterra.net

Re: constant not available everywhere and passing variables from protocols

2018-03-21 Thread Jan Maria Matejka
On 03/21/2018 10:00 AM, Saku Ytti wrote:
> My config:
> 
> define local_ip  = 129.250.14.127;
> define default_candidate_net = 129.250.0.0/16;
> define default_candidate_ip  = 129.250.0.0;
> define default_net   = 0.0.0.0/0;
> include "common.conf";
> 
> protocol static {
>   route 0.0.0.0/0 recursive default_candidate_ip;
> }
> 
> # ens192
> protocol bgp active from NTT {
>   neighbor 204.141.224.0;
> }
> 
> # ens 224
> protocol bgp backup from NTT {
>   neighbor 204.141.224.2;
> }
> 
> 
> 1) constant not available everywhere
> 
> a) this works
> - define default_candidate_ip  = 129.250.0.0;
> - route 0.0.0.0/0 recursive default_candidate_ip;
> 
> b) this does not
> - define default_route = 0.0.0.0/0;
> - route default_route recursive 129.250.0.0;
> 
> Why not? It barfs with 'line 10: IP address expected'

In v1.6.x, nobody implemented it. In v2, it should work.

> 2) passing variables from protocols
> 
> I'm thinking how to tell which neighbour is backup which is primary. My 
> thoughts
> 
> a) 'import (backup, bgp_in)'
> => no way to define >1 filter?
> 
> b) 'bool backup = true'
> => no way to set variables in protocols
> 
> c) 'define backup = true'
> => no way to set constants in protocols
> 
> d) 'import bgp_in(true)'
> => no way to pass variables to filters
> 
> I resorted to matching to protocol name, and call the backup group
> backup. But I'd really prefer way to give neighbour or protocol some
> information I can use in filter to discriminate.

Try 'import where yourCustomImportFunction(arg1, arg2, arg3, ... argN)'.

> Are constants considered strings? If so, should the strings have some
> methods, like split, sub, []? I bit needlessly need to define
> 129.250.0.0 and 129.250.0.0/16 as one is used as static route next-hop
> another is used as filter to permit prefix. I could just maybe say
> 'default_candidate_net.split('/')[0]'.

Try 'default_candidate_net.ip' and 'default_candidate_net.len'. Both of them
are available only in filters.

Anyway, it should be possible to 'define default_candidate_ip = 
default_candidate_net.ip;'
and then use the constant as IP.

M.


constant not available everywhere and passing variables from protocols

2018-03-21 Thread Saku Ytti
My config:

define local_ip  = 129.250.14.127;
define default_candidate_net = 129.250.0.0/16;
define default_candidate_ip  = 129.250.0.0;
define default_net   = 0.0.0.0/0;
include "common.conf";

protocol static {
  route 0.0.0.0/0 recursive default_candidate_ip;
}

# ens192
protocol bgp active from NTT {
  neighbor 204.141.224.0;
}

# ens 224
protocol bgp backup from NTT {
  neighbor 204.141.224.2;
}


1) constant not available everywhere

a) this works
- define default_candidate_ip  = 129.250.0.0;
- route 0.0.0.0/0 recursive default_candidate_ip;

b) this does not
- define default_route = 0.0.0.0/0;
- route default_route recursive 129.250.0.0;

Why not? It barfs with 'line 10: IP address expected'



2) passing variables from protocols

I'm thinking how to tell which neighbour is backup which is primary. My thoughts

a) 'import (backup, bgp_in)'
=> no way to define >1 filter?

b) 'bool backup = true'
=> no way to set variables in protocols

c) 'define backup = true'
=> no way to set constants in protocols

d) 'import bgp_in(true)'
=> no way to pass variables to filters

I resorted to matching to protocol name, and call the backup group
backup. But I'd really prefer way to give neighbour or protocol some
information I can use in filter to discriminate.





Are constants considered strings? If so, should the strings have some
methods, like split, sub, []? I bit needlessly need to define
129.250.0.0 and 129.250.0.0/16 as one is used as static route next-hop
another is used as filter to permit prefix. I could just maybe say
'default_candidate_net.split('/')[0]'.



-- 
  ++ytti