On Thu, Apr 22, 2021 at 02:41:20PM +0800, cjt wrote:
> Hello.
> I have found two inconsistency about bgp error handling.
> First:
> I found that in RFC 4271 for the next hop syntactically incorrect, need to
> set invalid next hop. RFC Document fragmen as follow:
>
>
> If the NEXT_HOP attribute field is syntactically incorrect, then the Error
> Subcode MUST be set to Invalid NEXT_HOP Attribute. The Data field MUST
> contain the incorrect attribute (type, length, and value). Syntactic
> correctness means that the NEXT_HOP attribute represents a valid IP host
> address.
>
>
> We find that in the code of the openbgpd6.8, it's error code is
> ERR_UPD_NETWORK.
>
>
> /*
> * Check if the nexthop is a valid IP address. We consider
> * multicast and experimental addresses as invalid.
> */
> tmp32 = ntohl(nexthop.v4.s_addr);
> if (IN_MULTICAST(tmp32) || IN_BADCLASS(tmp32)) {
> rde_update_err(peer, ERR_UPDATE, ERR_UPD_NETWORK,
> op, len);
> return (-1);
> }
>
>
> Second:
> I found that in RFC 6286 for bgp identifer, it has two check. One is to zero,
> the other is to local bgp id. RFC Document fragmen as follow:
>
>
> For a BGP speaker that supports the AS-wide Unique BGP Identifier, the OPEN
> message error handling related to the BGP Identifier is modified as follows:
> If the BGP Identifier field of the OPEN message is zero, or if it is the
> same as the BGP Identifier of the local BGP speaker and the message is from
> an internal peer, then the Error Subcode is set to "Bad BGP Identifier".
>
>
> In the code of the openbgpd6.8, there missing the bgp id is the same check.
> (If openbgpd does not support RFC 6286, you can ignore it)
>
>
> /* check bgpid for validity - just disallow 0 */
> if (ntohl(bgpid) == 0) {
> log_peer_warnx(&peer->conf, "peer BGPID %u unacceptable",
> ntohl(bgpid));
> session_notification(peer, ERR_OPEN, ERR_OPEN_BGPID,
> NULL, 0);
> change_state(peer, STATE_IDLE, EVNT_RCVD_OPEN);
> return (-1);
> }
>
Hi,
Thanks for the report. The following diff should address both issues.
Please double check. I moved the bgpid conflict check after template
sessions have been properly setup because until then the value of
peer->conf.ebgp is not yet valid.
--
:wq Claudio
Index: rde.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
retrieving revision 1.517
diff -u -p -r1.517 rde.c
--- rde.c 16 Apr 2021 06:20:29 -0000 1.517
+++ rde.c 22 Apr 2021 08:12:04 -0000
@@ -1710,7 +1710,7 @@ bad_flags:
*/
tmp32 = ntohl(nexthop.v4.s_addr);
if (IN_MULTICAST(tmp32) || IN_BADCLASS(tmp32)) {
- rde_update_err(peer, ERR_UPDATE, ERR_UPD_NETWORK,
+ rde_update_err(peer, ERR_UPDATE, ERR_UPD_NEXTHOP,
op, len);
return (-1);
}
Index: session.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/session.c,v
retrieving revision 1.411
diff -u -p -r1.411 session.c
--- session.c 16 Feb 2021 08:29:16 -0000 1.411
+++ session.c 22 Apr 2021 08:12:26 -0000
@@ -2179,6 +2179,16 @@ parse_open(struct peer *peer)
return (-1);
}
+ /* on iBGP sessions check for bgpid collision */
+ if (!peer->conf.ebgp && peer->remote_bgpid == conf->bgpid) {
+ log_peer_warnx(&peer->conf, "peer BGPID %u conflicts with ours",
+ ntohl(bgpid));
+ session_notification(peer, ERR_OPEN, ERR_OPEN_BGPID,
+ NULL, 0);
+ change_state(peer, STATE_IDLE, EVNT_RCVD_OPEN);
+ return (-1);
+ }
+
if (capa_neg_calc(peer) == -1) {
log_peer_warnx(&peer->conf,
"capability negotiation calculation failed");
