Hi, forwarding a mail about source ports of BFD on Linux.

----- Forwarded message from "SHAW, JASON via RT" <bird-supp...@network.cz> -----

Date: Fri, 28 Sep 2018 19:37:05 +0200
Subject: BFD on Linux
From: "SHAW, JASON via RT" <bird-supp...@network.cz>

Hi. We're using Bird 2.0 for a project here at AT&T and I wanted to reach out and let you know that we've identified a potential alternate approach to adjusting /proc/sys/net/ipv4/ip_local_port_range on Linux systems to support BFD.

Our Linux configuration uses a port range via:

    net.ipv4.ip_local_port_range = 1024 65000

As you are already aware, the BFD RFC states that "The source port MUST be in the range 49152 through 65535." With the above configuration our BFD source port for any given BFD session, as selected by the Linux kernel, was sometimes in the "allowed" range and sometimes not. Cisco's implementation of BFD in our architecture enforces that source port range and drops BFD packets, while the Juniper implementation (on a different adjacent element in our architecture) does not. As a result, we were running BFD with the Juniper element successfully but had to disable it on the Cisco side.

Our solution is to use iptables SNAT rules to solve the issue where our Linux system is running BGP with the Cisco neighbor on two separate interfaces, eth3.181 and eth4.182. I selected port 65535 as it is a) the top of the range specified by the RFC and b) outside of the range specified in net.ipv4.ip_local_port_range we have configured.

On vlan 181 (eth3.181) our local IP is 172.26.4.7 and the Cisco box is 172.26.4.6. Similarly, on vlan 182 (eth4.182) our IP is 172.26.5.7 and the Cisco box is 172.26.5.6. We run BGP using bird with this addressing scheme.

I added the following two rules on our Linux hosts:

    iptables -A POSTROUTING -t nat -d 172.26.4.6 -p udp --dport 3784 -j SNAT --to-source 172.26.4.7:65535
    iptables -A POSTROUTING -t nat -d 172.26.5.6 -p udp --dport 3784 -j SNAT --to-source 172.26.5.7:65535

A subsequent tcpdump on either eth3.181 or eth4.182 shows that all BFD packets are always sourced with a port # of 65535, regardless of what is assigned by the Linux kernel. Moreover, the Cisco box accepts these BFD packets and we're able to get BFD sessions up successfully. The same port # can be used on both sides, as they're separate source IPs on separate networks.

Hopefully this helps somebody else and is a useful documentation addition.

_______________
Jason Shaw
Principal Member of Technical Staff
Wireless Network Architecture and Design
AT&T
js7...@att.com<mailto:js7...@att.com>

----- End forwarded message -----

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
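The check a practitioner would want after applying the SNAT workaround above, as an added example that is not part of the thread or of BIRD: a small Python script that audits tcpdump output for outgoing BFD control packets (UDP port 3784) whose source port falls outside the range 49152..65535 required by RFC 5881, and that picks a fixed SNAT port the way the mail does (the highest RFC-compliant port that is outside the kernel's net.ipv4.ip_local_port_range). The tcpdump lines are constructed here, modelled on the mail's addressing (172.26.4.7 -> 172.26.4.6); the function names and the "before SNAT" source ports are assumptions for illustration.

```python
"""Audit BFD source ports against RFC 5881 and derive the SNAT rule.

Added example, not code from the bird-users thread. Sample tcpdump lines
are constructed; the pre-SNAT source ports are invented for illustration.
"""
import re

BFD_CONTROL_PORT = 3784                 # single-hop BFD control port (RFC 5881)
RFC_SRC_PORT_MIN, RFC_SRC_PORT_MAX = 49152, 65535   # RFC 5881 source-port range

# Matches tcpdump's default IPv4/UDP summary: "IP a.b.c.d.SPORT > e.f.g.h.DPORT: UDP, ..."
_TCPDUMP_UDP = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)


def parse_udp_line(line):
    """Return (src_ip, sport, dst_ip, dport) for a tcpdump UDP line, else None."""
    m = _TCPDUMP_UDP.search(line)
    if m is None:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def rfc_source_port_ok(port):
    """True if the source port is inside the range RFC 5881 mandates."""
    return RFC_SRC_PORT_MIN <= port <= RFC_SRC_PORT_MAX


def audit_bfd_source_ports(lines):
    """List (src_ip, sport) of outgoing BFD control packets with a non-compliant source port.

    Only packets *to* port 3784 are considered; those are the ones a strict
    peer (the Cisco box in the mail) would drop.
    """
    bad = []
    for line in lines:
        parsed = parse_udp_line(line)
        if parsed is None:
            continue
        src, sport, _dst, dport = parsed
        if dport == BFD_CONTROL_PORT and not rfc_source_port_ok(sport):
            bad.append((src, sport))
    return bad


def parse_local_port_range(text):
    """Parse the two numbers from /proc/sys/net/ipv4/ip_local_port_range."""
    lo, hi = text.split()
    return int(lo), int(hi)


def pick_snat_port(local_range):
    """Highest RFC-compliant port that the kernel will never hand out as ephemeral.

    Returns None if the ephemeral range covers all of 49152..65535, in which
    case a fixed SNAT port could collide with a kernel-chosen source port.
    """
    lo, hi = local_range
    for port in range(RFC_SRC_PORT_MAX, RFC_SRC_PORT_MIN - 1, -1):
        if not lo <= port <= hi:
            return port
    return None


def snat_rule(neighbor_ip, local_ip, port):
    """Render the POSTROUTING SNAT rule in the form used in the mail."""
    return (f"iptables -A POSTROUTING -t nat -d {neighbor_ip} -p udp "
            f"--dport {BFD_CONTROL_PORT} -j SNAT --to-source {local_ip}:{port}")


# Constructed capture, "before SNAT": kernel-chosen source ports from 1024..65000,
# one inside the RFC range (52001) and one outside it (34567).
SAMPLE_BEFORE = [
    "19:37:05.100000 IP 172.26.4.7.34567 > 172.26.4.6.3784: UDP, length 24",
    "19:37:05.100500 IP 172.26.4.6.49200 > 172.26.4.7.3784: UDP, length 24",
    "19:37:05.350000 IP 172.26.5.7.52001 > 172.26.5.6.3784: UDP, length 24",
    "19:37:05.400000 IP 172.26.4.7.46000 > 172.26.4.6.179: UDP, length 40",
]
# Constructed capture, "after SNAT": every outgoing BFD packet leaves from 65535.
SAMPLE_AFTER = [
    "19:40:01.100000 IP 172.26.4.7.65535 > 172.26.4.6.3784: UDP, length 24",
    "19:40:01.350000 IP 172.26.5.7.65535 > 172.26.5.6.3784: UDP, length 24",
]

if __name__ == "__main__":
    port = pick_snat_port(parse_local_port_range("1024 65000"))
    print("non-compliant before SNAT:", audit_bfd_source_ports(SAMPLE_BEFORE))
    print("non-compliant after SNAT: ", audit_bfd_source_ports(SAMPLE_AFTER))
    for neighbor, local in (("172.26.4.6", "172.26.4.7"), ("172.26.5.6", "172.26.5.7")):
        print(snat_rule(neighbor, local, port))
```

Feed it real output from `tcpdump -nn -i eth3.181 udp port 3784` to confirm nothing leaves with a source port below 49152. `pick_snat_port` returns None when the configured ephemeral range already spans the whole 49152..65535 block; in that situation a fixed SNAT port can coincide with a port the kernel later hands to another socket, so narrowing `ip_local_port_range` (the approach the mail set out to avoid) is the safer choice there.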