ICVPN: Misconfigured IPv6 BGP peers

Tim Niemeyer tim at tn-x.org
Sun Sep 10 22:15:51 CEST 2017


Hi Sven

Some hours later.. 

On Sunday, 10.09.2017, 10:02 +0200, Sven Eckelmann wrote:
> Hi,
> 
> I've looked through my logs and noticed that I get a lot of messages related 
> to "Received: Required capability missing: 0104000200014600" from bird6
> 
>  * aachen1 (ok, actually Leo Krueger saw that in his logs)
>  * augsburg1 (not in my logs but from lg.ff3l.net)
>  * franken_fff_icvpn
Yes, you are right. :(

The system was configured just as described on
https://wiki.freifunk.net/IC-VPN

The system uses Quagga 1.1.1-3 (Debian Stretch).

I think the system now works correctly. For now let me just describe my
dirty hack. I'm not very comfortable with this solution, but it may work
for now and maybe could help others.

Unfortunately it seems that Quagga stops processing the "address-family
ipv6" at certain config entries. Don't know why...

I moved "neighbor icvpn6 peer-group" just above the "address-family
ipv6" in /etc/quagga/bgpd.conf.head_v6. And I added line 36 to
/opt/icvpn-scripts/mkbgp:
 35             neighbor {peer} description {name}
+36             address-family ipv6
 37             neighbor {peer} peer-group {template}""".format(peer=peer, asn=asn, name=name, template=template)))
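
Review bot: the added line 36 puts "address-family ipv6" into the per-peer format string unconditionally, so it is emitted once for every neighbor this template renders and nothing in the visible lines leaves the address family again. If mkbgp uses the same string for IPv4 peers they would be placed in the IPv6 family as well; consider emitting the line only for IPv6 peers (or once before the peer loop) and closing the block with "exit-address-family". The description on line 35 stays outside the family block while the peer-group assignment on line 37 moves inside it, so a short comment in mkbgp saying that this ordering is deliberate would help the next reader.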

I checked with 
"tcpdump -v -i icvpn 'ip6 and src fec0::a:cf:0:17 and port bgp'"
and it now shows:
--- %< ---
	Open Message (1), length: 67
	  Version 4, my AS 65024, Holdtime 180s, ID 10.207.0.23
	  Optional parameters, length: 38
	    Option Capabilities Advertisement (2), length: 6
	      Multiprotocol Extensions (1), length: 4
		AFI IPv4 (1), SAFI Unicast (1)
	    Option Capabilities Advertisement (2), length: 6
	      Multiprotocol Extensions (1), length: 4
		AFI IPv6 (2), SAFI Unicast (1)
	    Option Capabilities Advertisement (2), length: 2
	      Route Refresh (Cisco) (128), length: 0
	    Option Capabilities Advertisement (2), length: 2
	      Route Refresh (2), length: 0
	    Option Capabilities Advertisement (2), length: 6
	      32-Bit AS Number (65), length: 4
		 4 Byte AS 65024
	    Option Capabilities Advertisement (2), length: 4
	      Graceful Restart (64), length: 2
		Restart Flags: [none], Restart Time 120s
--- >% ---

vtysh showed before my changes no ipv6 routes on "show ipv6 bgp" and now
it does. Also vtysh showed a different configuration at "show
running-config" (this was the point where I found that the config parser
may read my settings differently).

Kind regards
Tim


>  * innsbruck_ffibk1
> 
> 010400020001 is the multiprotocol extension which selects IPv6. This has to be 
> set for IPv6 peers to IPv6. An example BGP packet which incorrectly sets it to IPv4
> in his OPEN message can be seen here:
> 
>     Frame 4349: 139 bytes on wire (1112 bits), 139 bytes captured (1112 bits)
>     Ethernet II, Src: 4a:2a:22:45:37:c9 (4a:2a:22:45:37:c9), Dst: e6:f8:0c:30:51:dc (e6:f8:0c:30:51:dc)
>     Internet Protocol Version 6, Src: fec0::a:cf:0:43, Dst: fec0::a:cf:0:25
>     Transmission Control Protocol, Src Port: 38956, Dst Port: 179, Seq: 1, Ack: 1, Len: 53
>     Border Gateway Protocol - OPEN Message
>         Marker: ffffffffffffffffffffffffffffffff
>         Length: 53
>         Type: OPEN Message (1)
>         Version: 4
>         My AS: 65052
>         Hold Time: 180
>         BGP Identifier: 10.207.0.67
>         Optional Parameters Length: 24
>         Optional Parameters
>             Optional Parameter: Capability
>                 Parameter Type: Capability (2)
>                 Parameter Length: 6
>                 Capability: Multiprotocol extensions capability
>                     Type: Multiprotocol extensions capability (1)
>                     Length: 4
>                     AFI: IPv4 (1)
>                     Reserved: 00
>                     SAFI: Unicast (1)
>             Optional Parameter: Capability
>                 Parameter Type: Capability (2)
>                 Parameter Length: 2
>                 Capability: Route refresh capability (Cisco)
>                     Type: Route refresh capability (Cisco) (128)
>                     Length: 0
>             Optional Parameter: Capability
>                 Parameter Type: Capability (2)
>                 Parameter Length: 2
>                 Capability: Route refresh capability
>                     Type: Route refresh capability (2)
>                     Length: 0
>             Optional Parameter: Capability
>                 Parameter Type: Capability (2)
>                 Parameter Length: 6
>                 Capability: Support for 4-octet AS number capability
>                     Type: Support for 4-octet AS number capability (65)
>                     Length: 4
>                     AS Number: 65052
> 
> Please check why you have added an IPv6 peer to your IPv4 BGP configuration. 
> This currently breaks some of the BGP sessions for IPv6.
> 
> Kind regards,
> 	Sven
> -- franken-dev mailing list franken-dev at freifunk.net http://lists.freifunk.net/mailman/listinfo/franken-dev-freifunk.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL: <http://lists.freifunk.net/pipermail/franken-dev-freifunk.net/attachments/20170910/6cb3e12b/attachment.sig>
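
Added example, not part of the original messages or of the ICVPN scripts: a small Python decoder for the capability bytes that bird6 logs and for the capabilities in a BGP OPEN message, used to check whether the required address family is advertised. The two OPEN byte strings are constructed from the field values in the two decodes in the thread, and all function names are illustrative.

```python
import struct

def parse_caps(blob):
    """Split a run of BGP capability TLVs into (code, value) tuples."""
    caps, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated capability header")
        code, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated capability value")
        caps.append((code, value))
        i += 2 + length
    return caps

def open_caps(msg):
    """Collect every capability advertised in one BGP OPEN message."""
    if len(msg) < 29 or msg[:16] != b"\xff" * 16:
        raise ValueError("not a BGP message")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != 1 or length != len(msg) or 29 + msg[28] != length:
        raise ValueError("not a well-formed OPEN message")
    params, caps, i = msg[29:], [], 0
    while i + 2 <= len(params):
        ptype, plen = params[i], params[i + 1]
        if ptype == 2:  # optional parameter type 2 = Capabilities
            caps += parse_caps(params[i + 2:i + 2 + plen])
        i += 2 + plen
    return caps

def mp_families(caps):
    """(AFI, SAFI) pairs announced via Multiprotocol Extensions (code 1)."""
    return {struct.unpack("!HxB", v) for c, v in caps if c == 1 and len(v) == 4}

def missing_families(open_msg, required_blob):
    """Families the peer requires that the OPEN does not advertise."""
    return mp_families(parse_caps(required_blob)) - mp_families(open_caps(open_msg))

# Capability data from the bird6 log line quoted in the thread.
REQUIRED = bytes.fromhex("0104000200014600")
# Constructed from the field values shown in the two decodes in the thread.
BAD_OPEN = b"\xff" * 16 + bytes.fromhex(
    "003501 04 fe1c 00b4 0acf0043 18"
    "0206010400010001 02028000 02020200 020641040000fe1c")
GOOD_OPEN = b"\xff" * 16 + bytes.fromhex(
    "004301 04 fe00 00b4 0acf0017 26"
    "0206010400010001 0206010400020001 02028000 02020200"
    "020641040000fe00 020440020078")
```

`missing_families(BAD_OPEN, REQUIRED)` returns `{(2, 1)}` (IPv6 unicast not advertised), while the same call on `GOOD_OPEN` returns an empty set.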

