ICVPN: Misconfigured IPv6 BGP peers

Christian "Shiva" Bricart cb at freifunk-aachen.de
Mon Sep 11 14:18:32 CEST 2017


Hi Sven,

thanks for the hint ..

first: aachen1 has not pulled the github repo[s] "for ages (tm)" as I 
obviously missed the python3 migration.. -> fixed and pulled now
second: also Quagga here - but still on good ol' Wheezy .. so the issue 
might be related to Tim's ..?

Christian


On 2017-09-10 22:15, Tim Niemeyer wrote:
> Hi Sven
> 
> Some hours later..
> 
> On Sunday, 10.09.2017, 10:02 +0200, Sven Eckelmann wrote:
>> Hi,
>> 
>> I've looked through my logs and noticed that I get a lot of messages related
>> to "Received: Required capability missing: 0104000200014600" from bird6
>> 
>>  * aachen1 (ok, actually Leo Krueger saw that in his logs)
>>  * augsburg1 (not in my logs but from lg.ff3l.net)
>>  * franken_fff_icvpn
> Yes, you are right. :(
> 
> The system was configured just as described on
> https://wiki.freifunk.net/IC-VPN
> 
> The system uses Quagga 1.1.1-3 (Debian Stretch).
> 
> I think the system now works correctly. For now let me just describe my
> dirty hack. I'm not very comfortable with this solution, but it may work
> for now and maybe could help others.
> 
> Unfortunately it seems that Quagga stops processing the "address-family
> ipv6" at certain config entries. Don't know why..
> 
> I moved "neighbor icvpn6 peer-group" just above the "address-family
> ipv6" in /etc/quagga/bgpd.conf.head_v6. And I added the line 36 to
> /opt/icvpn-scripts/mkbgp:
>  35             neighbor {peer} description {name}
> +36             address-family ipv6
>  37             neighbor {peer} peer-group
> {template}""".format(peer=peer, asn=asn, name=name,
> template=template)))
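
Review bot: line 36 places `address-family ipv6` inside the per-peer format string, so it is written again for every peer and nothing in the lines shown closes it with `exit-address-family`; it is also unconditional, so if mkbgp renders IPv4 peers through this same string their `peer-group` line would end up in the IPv6 address family as well. Suggest emitting the line only when the IPv6 output is generated, and checking with "show running-config" that `neighbor {peer} description {name}` (line 35, still outside the block) and the peer-group membership end up where intended.
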
> 
> I checked with
> "tcpdump -v -i icvpn 'ip6 and src fec0::a:cf:0:17 and port bgp'"
> and it now shows:
> --- %< ---
> 	Open Message (1), length: 67
> 	  Version 4, my AS 65024, Holdtime 180s, ID 10.207.0.23
> 	  Optional parameters, length: 38
> 	    Option Capabilities Advertisement (2), length: 6
> 	      Multiprotocol Extensions (1), length: 4
> 		AFI IPv4 (1), SAFI Unicast (1)
> 	    Option Capabilities Advertisement (2), length: 6
> 	      Multiprotocol Extensions (1), length: 4
> 		AFI IPv6 (2), SAFI Unicast (1)
> 	    Option Capabilities Advertisement (2), length: 2
> 	      Route Refresh (Cisco) (128), length: 0
> 	    Option Capabilities Advertisement (2), length: 2
> 	      Route Refresh (2), length: 0
> 	    Option Capabilities Advertisement (2), length: 6
> 	      32-Bit AS Number (65), length: 4
> 		 4 Byte AS 65024
> 	    Option Capabilities Advertisement (2), length: 4
> 	      Graceful Restart (64), length: 2
> 		Restart Flags: [none], Restart Time 120s
> --- >% ---
> 
> vtysh showed before my changes no ipv6 routes on "show ipv6 bgp" and now
> it does. Also vtysh showed a different configuration at "show
> running-config" (this was the point where I found that the config parser
> may read my settings differently).
> 
> Kind regards
> Tim
> 
> 
>>  * innsbruck_ffibk1
>> 
>> 010400020001 is the multiprotocol extension which selects IPv6. This has to be
>> set for IPv6 peers to IPv6. An example BGP packet which incorrectly sets it to IPv4
>> in his OPEN message can be seen here:
>> 
>>     Frame 4349: 139 bytes on wire (1112 bits), 139 bytes captured (1112 bits)
>>     Ethernet II, Src: 4a:2a:22:45:37:c9 (4a:2a:22:45:37:c9), Dst: e6:f8:0c:30:51:dc (e6:f8:0c:30:51:dc)
>>     Internet Protocol Version 6, Src: fec0::a:cf:0:43, Dst: fec0::a:cf:0:25
>>     Transmission Control Protocol, Src Port: 38956, Dst Port: 179, Seq: 1, Ack: 1, Len: 53
>>     Border Gateway Protocol - OPEN Message
>>         Marker: ffffffffffffffffffffffffffffffff
>>         Length: 53
>>         Type: OPEN Message (1)
>>         Version: 4
>>         My AS: 65052
>>         Hold Time: 180
>>         BGP Identifier: 10.207.0.67
>>         Optional Parameters Length: 24
>>         Optional Parameters
>>             Optional Parameter: Capability
>>                 Parameter Type: Capability (2)
>>                 Parameter Length: 6
>>                 Capability: Multiprotocol extensions capability
>>                     Type: Multiprotocol extensions capability (1)
>>                     Length: 4
>>                     AFI: IPv4 (1)
>>                     Reserved: 00
>>                     SAFI: Unicast (1)
>>             Optional Parameter: Capability
>>                 Parameter Type: Capability (2)
>>                 Parameter Length: 2
>>                 Capability: Route refresh capability (Cisco)
>>                     Type: Route refresh capability (Cisco) (128)
>>                     Length: 0
>>             Optional Parameter: Capability
>>                 Parameter Type: Capability (2)
>>                 Parameter Length: 2
>>                 Capability: Route refresh capability
>>                     Type: Route refresh capability (2)
>>                     Length: 0
>>             Optional Parameter: Capability
>>                 Parameter Type: Capability (2)
>>                 Parameter Length: 6
>>                 Capability: Support for 4-octet AS number capability
>>                     Type: Support for 4-octet AS number capability (65)
>>                     Length: 4
>>                     AS Number: 65052
>> 
>> Please check why you have added an IPv6 peer to your IPv4 BGP configuration.
>> This currently breaks some of the BGP sessions for IPv6.
>> 
>> Kind regards,
>> 	Sven
>> -- franken-dev mailing list franken-dev at freifunk.net 
>> http://lists.freifunk.net/mailman/listinfo/franken-dev-freifunk.net
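
The capability check discussed in this thread, as an added example that is not part of the original mails or of icvpn-scripts: it parses a BGP OPEN message and reports whether the Multiprotocol Extensions capability for IPv6 unicast (010400020001) is advertised. The function names are assumptions, and the two OPEN messages are constructed from the field values in the Wireshark and tcpdump output quoted above.

```python
import struct

MP_EXT = 1                      # capability code: Multiprotocol Extensions
AFI_IPV4, AFI_IPV6, SAFI_UNICAST = 1, 2, 1

def build_open(asn, hold, router_id, caps):
    """Build a constructed OPEN message, one capability per optional parameter."""
    params = b"".join(bytes([2, len(v) + 2, code, len(v)]) + v for code, v in caps)
    body = struct.pack("!BHH4sB", 4, asn, hold, bytes(router_id), len(params)) + params
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 1) + body

def capabilities(msg):
    """Return [(code, value)] for every capability in a BGP OPEN message."""
    if len(msg) < 29 or msg[:16] != b"\xff" * 16:
        raise ValueError("truncated message or bad marker")
    length, msg_type = struct.unpack_from("!HB", msg, 16)
    if msg_type != 1 or length != len(msg) or 29 + msg[28] != len(msg):
        raise ValueError("not a complete OPEN message")
    opts, caps, i = msg[29:], [], 0
    while i + 2 <= len(opts):
        ptype, plen = opts[i], opts[i + 1]
        param = opts[i + 2:i + 2 + plen]
        if len(param) != plen:
            raise ValueError("optional parameter runs past the message")
        i += 2 + plen
        if ptype != 2:          # only parameter type 2 carries capabilities
            continue
        j = 0
        while j + 2 <= len(param):
            code, clen = param[j], param[j + 1]
            caps.append((code, param[j + 2:j + 2 + clen]))
            j += 2 + clen
    return caps

def advertises(msg, afi, safi):
    """True if the OPEN carries Multiprotocol Extensions for (afi, safi)."""
    want = struct.pack("!HBB", afi, 0, safi)      # AFI, reserved, SAFI
    return any(c == MP_EXT and v == want for c, v in capabilities(msg))

V4 = struct.pack("!HBB", AFI_IPV4, 0, SAFI_UNICAST)
V6 = struct.pack("!HBB", AFI_IPV6, 0, SAFI_UNICAST)
# Constructed from the Wireshark dump: AS 65052, ID 10.207.0.67, IPv4 only.
BROKEN = build_open(65052, 180, [10, 207, 0, 67],
                    [(1, V4), (128, b""), (2, b""), (65, struct.pack("!I", 65052))])
# Constructed from the tcpdump output after the change: AS 65024, ID 10.207.0.23.
FIXED = build_open(65024, 180, [10, 207, 0, 23],
                   [(1, V4), (1, V6), (128, b""), (2, b""),
                    (65, struct.pack("!I", 65024)), (64, b"\x00\x78")])

if __name__ == "__main__":
    for name, msg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, len(msg), "IPv6 unicast:", advertises(msg, AFI_IPV6, SAFI_UNICAST))
```
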

