Thanks again! Junos uses the BGP multihop TTL value for BFD as well, and assumes the other side's default TTL is 255. So if I do:

[edit protocols bgp group Anycast4 multihop]
-   ttl 2;
+   ttl 3;

Then Multi-hop min-recv-TTL drops to 253. I couldn't find any knob to set the default TTL of the remote side. So an easier workaround than recompiling Bird: I set that TTL to 193, which sets min-recv-TTL to 63 and the session went up. This requires firewall filters to only allow BGP and BFD from authorized peers.

-- Arzhel

On Tue, Mar 12, 2019, at 10:47, Ondrej Zajicek wrote:
> On Tue, Mar 12, 2019 at 01:04:28PM -0400, Arzhel Younsi wrote:
> > Bingo! As soon as I the system TTL to 255, the session went up. Thanks a
> > lot!
> >
> > Now that we know where to look, we started to dig a bit in the code to not
> > have to change the TTL system wide but only for Bird.
> >
> > It seems like there is a TODO to make the TTL value customizable:
> > https://github.com/BIRD/bird/blob/master/proto/bfd/packets.c#L453
> > And in some (so far unknown) cases, it sets the TTL to 255
> > https://github.com/BIRD/bird/blob/master/proto/bfd/packets.c#L456
>
> That is for single-hop BFD cases. As I wrote in the previous e-mail:
>
> > For single-hop BFD sessions, the RFC 5880 requires TTL security
> > mechanism and therefore BIRD specifies outgoing TTL 255.
>
> You can just change it to "sk->ttl = 255;" and recompile.
>
> Is this 'min-recv-TTL 254' some special setting in Juniper, or its
> default BFD behavior? If the second case, then perhaps it would be best
> to make a bugreport to Juniper as they have packet checks that are not
> requested by BFD specifications.
>
> --
> Elen sila lumenn' omentielvo
>
> Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."
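The TTL arithmetic behind the workaround above, as an added example that is not code from the thread, from BIRD or from Junos. It assumes Junos derives min-recv-TTL as 256 minus the configured multihop ttl (inferred from the three values in the thread: 2 gives 254, 3 gives 253, 193 gives 63) and uses a constructed one-hop topology with BIRD sending either the Linux default TTL 64 or TTL 255.

```python
# Model of the Junos BFD multihop min-recv-TTL behaviour discussed above.
# ASSUMPTION: Junos computes min-recv-TTL = 256 - multihop ttl; this is
# inferred from the three data points in the thread, not from Junos docs.

MAX_TTL = 255


def junos_min_recv_ttl(multihop_ttl: int) -> int:
    """min-recv-TTL applied to incoming BFD packets for a given
    'protocols bgp group ... multihop ttl' value (inferred formula)."""
    if not 1 <= multihop_ttl <= MAX_TTL:
        raise ValueError("multihop ttl must be in 1..255")
    return MAX_TTL + 1 - multihop_ttl


def received_ttl(sender_ttl: int, hops: int) -> int:
    """TTL seen by the receiver after 'hops' routers each decrement it."""
    if hops < 0 or sender_ttl - hops < 1:
        raise ValueError("packet would expire in transit")
    return sender_ttl - hops


def bfd_accepted(multihop_ttl: int, sender_ttl: int, hops: int) -> bool:
    """Would the BFD control packet pass the min-recv-TTL check?"""
    return received_ttl(sender_ttl, hops) >= junos_min_recv_ttl(multihop_ttl)


def gtsm_still_enforced(multihop_ttl: int, hops: int) -> bool:
    """True if the threshold still rejects a TTL-255 packet from one hop
    further away than the real peer, i.e. GTSM (RFC 5082) still limits
    who can reach the session. Lowering min-recv-TTL to 63 turns this
    off, which is why the thread falls back to firewall filters."""
    return junos_min_recv_ttl(multihop_ttl) > MAX_TTL - (hops + 1)


def scenarios() -> dict:
    """Constructed cases mirroring the thread (peer one hop away)."""
    return {
        "ttl2_bird_default":   bfd_accepted(2, 64, 1),     # 63 < 254
        "ttl2_bird_255":       bfd_accepted(2, 255, 1),    # 254 >= 254
        "ttl193_bird_default": bfd_accepted(193, 64, 1),   # 63 >= 63
        "ttl2_gtsm":           gtsm_still_enforced(2, 1),
        "ttl193_gtsm":         gtsm_still_enforced(193, 1),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```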