ICVPN: Misconfigured IPv6 BGP peers
Christian "Shiva" Bricart
cb at freifunk-aachen.de
Mon Sep 11 14:18:32 CEST 2017
Hi Sven,
thanks for the hint ..
first: aachen1 has not pulled the github repo[s] "for ages (tm)" as I
obviously missed the python3 migration.. -> fixed and pulled now
second: also Quagga here - but still on good ol' Wheezy .. so the issue
might be related to Tim's ..?
Christian
On 2017-09-10 22:15, Tim Niemeyer wrote:
> Hi Sven
>
> Some hours later..
>
> On Sunday, 10.09.2017, 10:02 +0200, Sven Eckelmann wrote:
>> Hi,
>>
>> I've looked through my logs and noticed that I get a lot of messages related
>> to "Received: Required capability missing: 0104000200014600" from bird6
>>
>> * aachen1 (ok, actually Leo Krueger saw that in his logs)
>> * augsburg1 (not in my logs but from lg.ff3l.net)
>> * franken_fff_icvpn
> Yes, you are right. :(
>
> The system was configured just as described on
> https://wiki.freifunk.net/IC-VPN
>
> The system uses Quagga 1.1.1-3 (Debian Stretch).
>
> I think the system now works correctly. For now let me just describe my
> dirty hack. I'm not very comfortable with this solution, but it may work
> for now and maybe could help others.
>
> Unfortunately it seems that Quagga stops processing the "address-family
> ipv6" at certain config entries. Don't know why..
>
> I moved "neighbor icvpn6 peer-group" just above the "address-family
> ipv6" in /etc/quagga/bgpd.conf.head_v6. And I added line 36
> to /opt/icvpn-scripts/mkbgp:
> 35 neighbor {peer} description {name}
> +36 address-family ipv6
> 37 neighbor {peer} peer-group
> {template}""".format(peer=peer, asn=asn, name=name,
> template=template)))
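Review bot: the added line 36, "address-family ipv6", sits inside the per-peer format string, so it is written again for every generated neighbor, and nothing in the lines shown closes the block. Consider emitting it once ahead of the generated peers (for example in bgpd.conf.head_v6) and ending the section with an explicit "exit-address-family", so the result does not depend on how the parser treats a repeated, unterminated address-family line.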
>
> I checked with
> "tcpdump -v -i icvpn 'ip6 and src fec0::a:cf:0:17 and port bgp'"
> and it now shows:
> --- %< ---
> Open Message (1), length: 67
> Version 4, my AS 65024, Holdtime 180s, ID 10.207.0.23
> Optional parameters, length: 38
> Option Capabilities Advertisement (2), length: 6
> Multiprotocol Extensions (1), length: 4
> AFI IPv4 (1), SAFI Unicast (1)
> Option Capabilities Advertisement (2), length: 6
> Multiprotocol Extensions (1), length: 4
> AFI IPv6 (2), SAFI Unicast (1)
> Option Capabilities Advertisement (2), length: 2
> Route Refresh (Cisco) (128), length: 0
> Option Capabilities Advertisement (2), length: 2
> Route Refresh (2), length: 0
> Option Capabilities Advertisement (2), length: 6
> 32-Bit AS Number (65), length: 4
> 4 Byte AS 65024
> Option Capabilities Advertisement (2), length: 4
> Graceful Restart (64), length: 2
> Restart Flags: [none], Restart Time 120s
> --- >% ---
>
> vtysh showed before my changes no ipv6 routes on "show ipv6 bgp" and now
> it does. Also vtysh showed a different configuration at "show
> running-config" (this was the point where I found that the config parser
> may read my settings differently).
>
> Kind regards
> Tim
>
>
>> * innsbruck_ffibk1
>>
>> 010400020001 is the multiprotocol extension which selects IPv6. This has to be
>> set for IPv6 peers to IPv6. An example BGP packet which incorrectly sets it to IPv4
>> in his OPEN message can be seen here:
>>
>> Frame 4349: 139 bytes on wire (1112 bits), 139 bytes captured (1112 bits)
>> Ethernet II, Src: 4a:2a:22:45:37:c9 (4a:2a:22:45:37:c9), Dst: e6:f8:0c:30:51:dc (e6:f8:0c:30:51:dc)
>> Internet Protocol Version 6, Src: fec0::a:cf:0:43, Dst: fec0::a:cf:0:25
>> Transmission Control Protocol, Src Port: 38956, Dst Port: 179, Seq: 1, Ack: 1, Len: 53
>> Border Gateway Protocol - OPEN Message
>> Marker: ffffffffffffffffffffffffffffffff
>> Length: 53
>> Type: OPEN Message (1)
>> Version: 4
>> My AS: 65052
>> Hold Time: 180
>> BGP Identifier: 10.207.0.67
>> Optional Parameters Length: 24
>> Optional Parameters
>> Optional Parameter: Capability
>> Parameter Type: Capability (2)
>> Parameter Length: 6
>> Capability: Multiprotocol extensions capability
>> Type: Multiprotocol extensions capability (1)
>> Length: 4
>> AFI: IPv4 (1)
>> Reserved: 00
>> SAFI: Unicast (1)
>> Optional Parameter: Capability
>> Parameter Type: Capability (2)
>> Parameter Length: 2
>> Capability: Route refresh capability (Cisco)
>> Type: Route refresh capability (Cisco) (128)
>> Length: 0
>> Optional Parameter: Capability
>> Parameter Type: Capability (2)
>> Parameter Length: 2
>> Capability: Route refresh capability
>> Type: Route refresh capability (2)
>> Length: 0
>> Optional Parameter: Capability
>> Parameter Type: Capability (2)
>> Parameter Length: 6
>> Capability: Support for 4-octet AS number capability
>> Type: Support for 4-octet AS number capability (65)
>> Length: 4
>> AS Number: 65052
>>
>> Please check why you have added an IPv6 peer to your IPv4 BGP configuration.
>> This currently breaks some of the BGP sessions for IPv6.
>>
>> Kind regards,
>> Sven
>> -- franken-dev mailing list franken-dev at freifunk.net
>> http://lists.freifunk.net/mailman/listinfo/franken-dev-freifunk.net
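The capability bytes discussed in the thread can be checked mechanically. The following is an added example, not part of the original mails or of icvpn-scripts: it decodes the hex string from the bird6 log as capability TLVs and lists the address families an OPEN message advertises. The sample OPEN is rebuilt from the decoded fields in Sven's capture; the function and constant names are hypothetical.

```python
import struct

# Capability codes seen in this thread (names per the IANA BGP registry).
CAP_NAMES = {1: "multiprotocol", 2: "route-refresh", 64: "graceful-restart",
             65: "4-octet-as", 70: "enhanced-route-refresh",
             128: "route-refresh-cisco"}

def parse_tlvs(data):
    """Split a byte run of (code, length, value) records into a list."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated TLV at offset %d" % i)
        out.append((data[i], data[i + 2:i + 2 + data[i + 1]]))
        i += 2 + data[i + 1]
    return out

def open_capabilities(msg):
    """Return the capability TLVs carried in a complete BGP OPEN message."""
    if len(msg) < 29 or msg[:16] != b"\xff" * 16:
        raise ValueError("not a BGP message")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != 1 or length != len(msg) or 29 + msg[28] != length:
        raise ValueError("not a well-formed OPEN")
    caps = []
    for ptype, body in parse_tlvs(msg[29:]):
        if ptype == 2:                      # optional parameter: Capabilities
            caps.extend(parse_tlvs(body))
    return caps

def mp_families(caps):
    """(AFI, SAFI) pairs from Multiprotocol Extensions capabilities."""
    return {(afi, safi) for code, val in caps if code == 1 and len(val) == 4
            for afi, _reserved, safi in [struct.unpack("!HBB", val)]}

# Constructed sample: the OPEN from Sven's capture, rebuilt from its fields.
SAMPLE_OPEN = (b"\xff" * 16
               + struct.pack("!HBBHH4sB", 53, 1, 4, 65052, 180,
                             bytes([10, 207, 0, 67]), 24)
               + bytes.fromhex("0206010400010001" "02028000"
                               "02020200" "020641040000fe1c"))
# Hex string quoted in the bird6 log message.
LOGGED = bytes.fromhex("0104000200014600")

if __name__ == "__main__":
    for code, val in parse_tlvs(LOGGED):
        print("logged:", CAP_NAMES.get(code, code), val.hex())
    fams = mp_families(open_capabilities(SAMPLE_OPEN))
    print("peer advertises:", sorted(fams))
    print("IPv6 unicast offered:", (2, 1) in fams)   # AFI 2, SAFI 1
```

Run against a capture of a peer's OPEN on the IPv6 session, an empty or IPv4-only result from `mp_families` points at the misconfiguration described above.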
More information about the franken-dev mailing list