OpenBGPD support for BGP-MPLS VPN with IPv6

2016-11-28 Thread Matt Kassawara
Hi,

Do any plans exist to implement the BGP-MPLS IP VPN extension for IPv6 VPN
(RFC 4659) in OpenBGPD?

Thanks,
Matt



BGP MPLS VPN Question

2016-03-20 Thread Matt Schwartz
Is it possible to set up a multi-site BGP MPLS VPN? Currently, I have it
working great between two sites running OpenBSD 5.9-current. I tried adding
a third site to my simulation but it hasn't worked. The third site I have
sharing the same MPLS label and routing domain. Is this where I am going
wrong? Do I need to create a separate routing domain for the third site,
another mpe interface with a different MPLS label, and create static routes
between the rdomains?

Thank you again,
Matt



Re: BGP/MPLS VPN

2011-04-14 Thread Claudio Jeker
On Tue, Apr 05, 2011 at 01:07:49PM -0700, Matt S wrote:
> Hello misc@
> 
> I have read over the various postings for BGP/MPLS VPN, 
> particularly http://marc.info/?l=openbsd-misc&m=127470697232025&w=2 and 
> http://marc.info/?l=openbsd-misc&m=129112614017103&w=2.
> For learning purposes, I would like to build my own L3 BGP/MPLS VPN
> network.
> For now, I am going to try to do this between two locations connected by
> broadband to the internet.  My guess is I will need to use a GRE tunnel to
> provide the point to point connection between the locations.  How would you
> go about doing this?  Here is what I am thinking:
> 
> 1. Setup the gre(4) tunnel between locations and test connectivity
> 2. Create the mpe(4) and define mpls labels
> 3. Configure ospf and bgp
>  
> I learned from a previous post that ldp is not necessary when using gre
> tunnels but I do not understand why.  Finally, correct me if I am wrong, but
> I most likely should protect the traffic using IPSEC.  Is this necessary?
> 

1. set up the network the way you like it
2. either use full static routing or use ospfd to handle the route
   distribution inside your test network.
3. make sure you can reach everything. Ping, traceroute and tcpdump are
   your friends.
4. enable MPLS on the gre interfaces and all other interfaces that may
   have tagged traffic (hint: mpe(4) is not one of them)
   ifconfig gre0 mpls
5. run ldpd (the interface list should be the same as in step 4)
6. test again, see if you see MPLS tagged packets inside the gre tunnel
7. set up bgpd and the mpe interface

To be honest, on directly attached systems you could probably skip step 5
since PNP will kick in, but as soon as you run something one hop further
down the tunnel ldpd is needed.

Don't forget to set net.inet.gre.allow to 1 :)

-- 
:wq Claudio



Re: using bgp mpls vpn

2010-12-07 Thread Claudio Jeker
On Fri, Dec 03, 2010 at 01:10:30AM +0200, Imre Oolberg wrote:
> Hi!
> 
> Claudio Jeker wrote:
> 
> > It looks like the connection from PE1 to PE2 is not using MPLS. It looks
> > like the ldp session between PE1 and the P router is not established.
> 
> Thank you very much for your suggestion to look over the network below,
> I didn't expect it to be a source of my problems and excuse me for wasting
> time for such a stupid reason. Now packets with double labels come and
> go, so I am exploring bgp mpls vpn further using several PE routers and
> creating relationships between networks behind them etc.
> 
> Is my understanding correct that mpls-labeled packets going through the
> network themselves don't need ip networking configured on P routers (and not
> even net.inet.ip.forwarding switched on) but since ldpd needs to run on them
> and it uses udp multicast and tcp-based connections ip configuration is
> still needed? And usually ldpd processes communicate only with other
> ldpd processes which run on their adjacent neighbors?
> 

You need an IP backbone that connects all P and PE routers because that's
the way the topology and paths are calculated. LDP currently only runs on
top of IP and that will not change any time soon.
So you need an IP backbone to build the label paths over which the various
MPLS VPNs will be switched.

Currently you must enable IP forwarding (because of penultimate hop
popping) on all routers. Every ethernet interface needs an IP address so
that LDP can be run over those links. Additionally you need the IP address
as nexthop on the MPLS paths. In theory it is possible to use static
setups using MAC addresses as nexthops but such static networks are
infeasible in reality.

-- 
:wq Claudio



Re: using bgp mpls vpn

2010-12-02 Thread Imre Oolberg
Hi!

Claudio Jeker wrote:

> It looks like the connection from PE1 to PE2 is not using MPLS. It looks
> like the ldp session between PE1 and the P router is not established.

Thank you very much for your suggestion to look over the network below,
I didn't expect it to be a source of my problems and excuse me for wasting
time for such a stupid reason. Now packets with double labels come and
go, so I am exploring bgp mpls vpn further using several PE routers and
creating relationships between networks behind them etc.

Is my understanding correct that mpls-labeled packets going through the
network themselves don't need ip networking configured on P routers (and not
even net.inet.ip.forwarding switched on) but since ldpd needs to run on them
and it uses udp multicast and tcp-based connections ip configuration is
still needed? And usually ldpd processes communicate only with other
ldpd processes which run on their adjacent neighbors?


Imre

Just for the record, my second attempt was made using OpenBSD
4.8-current (GENERIC) #501: Mon Nov 29 11:58:38 MST 2010 and i386.

Claudio Jeker wrote:

> On Fri, Nov 26, 2010 at 11:02:06PM +0200, Imre Oolberg wrote:
>   
>> Hi!
>>
>> I am using 'OpenBSD 4.8-current (GENERIC) #313: Mon Nov  1 11:04:25 MDT
>> 2010'. I set up a good number of testing machines and started to try
>> out the bgp mpls vpn stuff (based on man bgpd.conf, man ldpd.conf, man
>> route + http://marc.info/?l=openbsd-misc&m=127470697232025&w=1 and I
>> also did some general reading on mpls & mpls-vpn)
>> 
>
> This is a fairly old current. But IIRC nothing super important happened in
> between.
>  
>   
>> What I got so far is a working bgp mpls vpn between two computers if they
>> are directly connected like this. (The objective was to create behind
>> PE1 two private vlans 172.116.93/24 and 172.117.93/24 in different
>> rdomains which can communicate with their respective counterpart vlans
>> behind PE2, 172.116.94/24 and 172.117.94/24.)
>>
>> 
>
> ... big snip ...
>
>  
>   
>> at P in the middle it says
>>
>> mpls-4:~# ldpctl show lib
>>
>> Destination      Nexthop         Local Label  Remote Label  In Use
>> 0.0.0.0/0        192.168.10.254  16           Untagged      yes
>> 10.0.11.0/24     10.0.171.1      17           Pop tag       yes
>> 10.0.12.0/24     10.0.172.1      18           Untagged      yes
>> 10.0.171.0/24    10.0.171.254    3            Untagged      yes
>> 10.0.171.0/24    0.0.0.0         3            Untagged      yes
>> 10.0.172.0/24    10.0.172.254    3            Untagged      yes
>> 10.0.172.0/24    0.0.0.0         3            Untagged      yes
>> 10.10.11.1/32    10.0.171.1      19           19            yes
>> 10.10.12.1/32    10.0.172.1      20           Untagged      yes
>> 192.168.10.0/24  10.0.172.1      3            Untagged      yes
>> 192.168.10.0/24  10.0.171.1      3            Pop tag       yes
>> 192.168.10.0/24  0.0.0.0         3            Untagged      yes
>>
>> mpls-4:~# route -n show -mpls
>> Routing tables
>>
>> MPLS:
>> In label  Out label  Op     Gateway         Flags  Refs  Use  Mtu  Prio  Interface
>> 16        -          LOCAL  192.168.10.254  UGT    0     0    -    8     em0
>> 17        -          POP    10.0.171.1      UGT    0     0    -    32    em1
>> 18        -          LOCAL  10.0.172.1      UGT    0     0    -    32    em2
>> 19        19         SWAP   10.0.171.1      UGT    0     10   -    32    em1
>> 20        -          LOCAL  10.0.172.1      UGT    0     0    -    32    em2
>>
>>
>> 
>
> Looking at the routing table you show here it seems that there is an issue
> with ldpd. There are too many Untagged FECs in the ldpctl show lib output.
> It looks like the session between the P/PE systems did not come up.
> Did you look at the ldpctl show nei output?
> Btw. look at the "route -n show -inet" output and check which routes have
> MPLS paths attached to them (T in the flags section). You can also use
> route -n get  or route -n get -mpls -in  to get more info.
>
>   
>> I suspect I am missing one of these
>>
>> 1. I misuse ldpd
>> 
>
> The ldpd config looks about right. I use a very simple one on my test
> setups:
> router-id 10.42.21.1
> interface re1
> interface re2
> interf
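
The diagnosis quoted above (too many Untagged FECs in `ldpctl show lib` means no label bindings were learned from a peer, so the LDP session to it probably never came up) can be applied mechanically. The script below is an added example, not part of this thread or of OpenBSD; the sample table is the P router's `ldpctl show lib` output from this thread with its column spacing restored, and the grouping heuristic (a nexthop for which every FEC is Untagged is a candidate for a missing LDP session) is my own reading of that advice.

```python
from collections import defaultdict

# Constructed sample: the `ldpctl show lib` output posted for the P router in
# this thread, with the column spacing restored. "Untagged" means no remote
# label binding was learned for that FEC; "Pop tag" means the neighbor
# advertised implicit null (it is the egress for that FEC).
SAMPLE_LIB = """\
Destination      Nexthop         Local Label  Remote Label  In Use
0.0.0.0/0        192.168.10.254  16           Untagged      yes
10.0.11.0/24     10.0.171.1      17           Pop tag       yes
10.0.12.0/24     10.0.172.1      18           Untagged      yes
10.0.171.0/24    10.0.171.254    3            Untagged      yes
10.0.171.0/24    0.0.0.0         3            Untagged      yes
10.0.172.0/24    10.0.172.254    3            Untagged      yes
10.0.172.0/24    0.0.0.0         3            Untagged      yes
10.10.11.1/32    10.0.171.1      19           19            yes
10.10.12.1/32    10.0.172.1      20           Untagged      yes
192.168.10.0/24  10.0.172.1      3            Untagged      yes
192.168.10.0/24  10.0.171.1      3            Pop tag       yes
192.168.10.0/24  0.0.0.0         3            Untagged      yes
"""


def parse_lib(text):
    """Parse `ldpctl show lib` output into a list of FEC dicts."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] == "Destination":
            continue  # blank line or column header
        entries.append({
            "dest": tokens[0],
            "nexthop": tokens[1],
            "local": tokens[2],
            "remote": " ".join(tokens[3:-1]),  # "Pop tag" is two words
            "in_use": tokens[-1] == "yes",
        })
    return entries


def summarize(entries):
    """Count FECs by remote-label state."""
    counts = {"untagged": 0, "pop": 0, "labeled": 0}
    for e in entries:
        if e["remote"] == "Untagged":
            counts["untagged"] += 1
        elif e["remote"] == "Pop tag":
            counts["pop"] += 1
        else:
            counts["labeled"] += 1
    return counts


def neighbors_without_bindings(entries):
    """Nexthops for which every FEC is Untagged: candidates for a missing LDP
    session. Connected FECs (nexthop 0.0.0.0) are skipped. A nexthop that is
    not meant to be an LDP peer at all (e.g. a management default gateway)
    will also be listed and has to be weeded out against `ldpctl show nei`."""
    by_nexthop = defaultdict(list)
    for e in entries:
        if e["nexthop"] == "0.0.0.0":
            continue
        by_nexthop[e["nexthop"]].append(e["remote"])
    return sorted(nh for nh, remotes in by_nexthop.items()
                  if all(r == "Untagged" for r in remotes))


if __name__ == "__main__":
    fecs = parse_lib(SAMPLE_LIB)
    print(summarize(fecs))
    for nh in neighbors_without_bindings(fecs):
        print("no label bindings learned via", nh, "- check ldpctl show nei")
```

On the sample table the check singles out 10.0.172.1 (the hop towards PE2's loopback 10.10.12.1/32), which has only Untagged FECs, while 10.0.171.1 has a real binding (label 19) and a Pop tag and so is fine; 192.168.10.254 and the two .254 addresses are listed too, and the `ldpctl show nei` output decides whether they were ever supposed to be peers.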

Re: using bgp mpls vpn

2010-11-30 Thread Claudio Jeker
On Fri, Nov 26, 2010 at 11:02:06PM +0200, Imre Oolberg wrote:
> Hi!
> 
> I am using 'OpenBSD 4.8-current (GENERIC) #313: Mon Nov  1 11:04:25 MDT
> 2010'. I set up a good number of testing machines and started to try
> out the bgp mpls vpn stuff (based on man bgpd.conf, man ldpd.conf, man
> route + http://marc.info/?l=openbsd-misc&m=127470697232025&w=1 and I
> also did some general reading on mpls & mpls-vpn)

This is a fairly old current. But IIRC nothing super important happened in
between.
 
> What I got so far is a working bgp mpls vpn between two computers if they
> are directly connected like this. (The objective was to create behind
> PE1 two private vlans 172.116.93/24 and 172.117.93/24 in different
> rdomains which can communicate with their respective counterpart vlans
> behind PE2, 172.116.94/24 and 172.117.94/24.)
> 

... big snip ...

 
> at P in the middle it says
> 
> mpls-4:~# ldpctl show lib
> 
> Destination      Nexthop         Local Label  Remote Label  In Use
> 0.0.0.0/0        192.168.10.254  16           Untagged      yes
> 10.0.11.0/24     10.0.171.1      17           Pop tag       yes
> 10.0.12.0/24     10.0.172.1      18           Untagged      yes
> 10.0.171.0/24    10.0.171.254    3            Untagged      yes
> 10.0.171.0/24    0.0.0.0         3            Untagged      yes
> 10.0.172.0/24    10.0.172.254    3            Untagged      yes
> 10.0.172.0/24    0.0.0.0         3            Untagged      yes
> 10.10.11.1/32    10.0.171.1      19           19            yes
> 10.10.12.1/32    10.0.172.1      20           Untagged      yes
> 192.168.10.0/24  10.0.172.1      3            Untagged      yes
> 192.168.10.0/24  10.0.171.1      3            Pop tag       yes
> 192.168.10.0/24  0.0.0.0         3            Untagged      yes
> 
> mpls-4:~# route -n show -mpls
> Routing tables
> 
> MPLS:
> In label  Out label  Op     Gateway         Flags  Refs  Use  Mtu  Prio  Interface
> 16        -          LOCAL  192.168.10.254  UGT    0     0    -    8     em0
> 17        -          POP    10.0.171.1      UGT    0     0    -    32    em1
> 18        -          LOCAL  10.0.172.1      UGT    0     0    -    32    em2
> 19        19         SWAP   10.0.171.1      UGT    0     10   -    32    em1
> 20        -          LOCAL  10.0.172.1      UGT    0     0    -    32    em2
> 
> 

Looking at the routing table you show here it seems that there is an issue
with ldpd. There are too many Untagged FECs in the ldpctl show lib output.
It looks like the session between the P/PE systems did not come up.
Did you look at the ldpctl show nei output?
Btw. look at the "route -n show -inet" output and check which routes have
MPLS paths attached to them (T in the flags section). You can also use
route -n get  or route -n get -mpls -in  to get more info.

> I suspect I am missing one of these
> 
> 1. I misuse ldpd

The ldpd config looks about right. I use a very simple one on my test
setups:
router-id 10.42.21.1
interface re1
interface re2
interface re3
This is for a P router but the PE ones have exactly the same config :)

> 2. I haven't configured mpls forwarding correctly on the P routers (I read in
> man route something about -in, -out, -push, -swap but have no idea how
> to use them)

You do not need to use route(8) to manipulate the routing table. ldpd and
ospfd should do all the work.

> 3. I read that when doing mpls-vpn there are actually two mpls labels used,
> one to choose the correct rdomain in the PE and the other to get the packet
> through the MPLS network; I can't get the top label on my packets

When sending out packets the mpls-vpn packet should have two labels.
The first one is the LSP to the BGP nexthop of the VRF route and the last
label is the label of the terminating mpe(4) device.

> 
> I would be very glad if you could point me to the right direction!
> 

When building up MPLS networks I normally use these steps:

1) configure interfaces etc. and make sure you mpls-enabled the interfaces
doing MPLS. I normally assign loopback IPs on all routers (at least do it
on the PE)
2) set up and start ospf
3) make sure you get all routes and you're able to ping all loopbacks.
4) set up and start ldpd
5) check the routing tables and make sure that you get labels.
6) ping and traceroute -v various IPs and see if they actually use MPLS.
7) set up and start bgpd on the two PE routers (best is to use the loopback
IPs here for the MPLS VPN connection).

In your case I think the problem is in step 4-6.
According to 
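
The two-label layout Claudio describes (outer label: the LSP towards the BGP nexthop of the VRF route; inner, bottom-of-stack label: the label of the terminating mpe(4) device) is what a tcpdump on the em1 links should show. The script below is an added example, not part of this thread or of OpenBSD: it encodes and decodes the RFC 3032 label stack entry format and checks a stack for the shape a VPN packet should have. Label values are taken from the configs posted in this thread (transport label 19 from the P router's SWAP entry, VPN label 11694 from mpe116 on PE2), but the packet bytes are constructed here, not captured.

```python
import struct

# Constructed sample values taken from the configs and tables in this thread:
# transport label 19 (the LSP towards the BGP nexthop) and VPN label 11694
# (mplslabel of mpe116 on PE2). The packet bytes are built below, not captured.
TRANSPORT_LABEL = 19
VPN_LABEL = 11694

# Reserved label values (RFC 3032 section 2.1). 3 is implicit null: it tells
# the penultimate hop to pop the label and must never appear on the wire.
IMPLICIT_NULL = 3
RESERVED_MAX = 15


def encode_label(label, tc=0, bottom=False, ttl=64):
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def parse_label_stack(data):
    """Walk the stack until the bottom-of-stack bit; return (entries, payload)."""
    entries, off = [], 0
    while True:
        if len(data) - off < 4:
            raise ValueError("truncated label stack (no bottom-of-stack bit seen)")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}
        entries.append(entry)
        if entry["bottom"]:
            return entries, data[off:]


def check_vpn_stack(entries):
    """Problems with a stack that should carry transport + VPN label.
    A single-label packet (the symptom described in this thread: the top
    label never got pushed) is reported here."""
    problems = []
    if len(entries) != 2:
        problems.append("expected 2 labels (transport + VPN), got %d" % len(entries))
    for e in entries:
        if e["label"] == IMPLICIT_NULL:
            problems.append("implicit-null (3) on the wire; PHP should have popped it")
        elif e["label"] <= RESERVED_MAX:
            problems.append("reserved label %d in stack" % e["label"])
        if e["ttl"] == 0:
            problems.append("label %d has TTL 0" % e["label"])
    return problems


def build_vpn_packet(transport, vpn, payload):
    """Constructed two-label VPN packet: outer transport label, inner VPN label."""
    return encode_label(transport) + encode_label(vpn, bottom=True) + payload


# Minimal constructed IPv4 header stub so the payload looks like the inner packet.
SAMPLE_PAYLOAD = bytes([0x45, 0x00, 0x00, 0x14]) + bytes(16)
SAMPLE_PACKET = build_vpn_packet(TRANSPORT_LABEL, VPN_LABEL, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    stack, payload = parse_label_stack(SAMPLE_PACKET)
    for e in stack:
        print("label %6d  tc %d  bottom %-5s  ttl %d"
              % (e["label"], e["tc"], e["bottom"], e["ttl"]))
    print("problems:", check_vpn_stack(stack) or "none")
```

Feeding it the bytes after the Ethernet header of a captured MPLS frame (EtherType 0x8847) gives the same two-entry result as the constructed packet when the PE is pushing both labels; a stack with only the mpe label, as Imre reports, comes back with a single entry and the "expected 2 labels" problem.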

using bgp mpls vpn

2010-11-26 Thread Imre Oolberg
Hi!

I am using 'OpenBSD 4.8-current (GENERIC) #313: Mon Nov  1 11:04:25 MDT 2010'. I
set up a good number of testing machines and started to try out the bgp mpls
vpn stuff (based on man bgpd.conf, man ldpd.conf, man route +
http://marc.info/?l=openbsd-misc&m=127470697232025&w=1 and I also did some
general reading on mpls & mpls-vpn)

What I got so far is a working bgp mpls vpn between two computers if they are
directly connected like this. (The objective was to create behind PE1 two
private vlans 172.116.93/24 and 172.117.93/24 in different rdomains which can
communicate with their respective counterpart vlans behind PE2, 172.116.94/24
and 172.117.94/24.)

em0 - management interface
em1 - interface running mpls
em2 - rdomains interface running vlans

 PE1
  em0  _  em2 (up)
  | |
  |_| lo1 (inet 10.10.11.1 255.255.255.0 NONE)
 |vlan116 (rdomain 116
 | vlan 116 vlandev em2
 | inet 172.116.93.1 255.255.255.0 NONE)
 |vlan117 (rdomain 117
 | vlan 117 vlandev em2
 | inet 172.117.93.1 255.255.255.0 NONE)
 |mpe116  (rdomain 116 mplslabel 11693
 | inet 10.168.116.93 255.255.255.255)
 |mpe117  (rdomain 117 mplslabel 11793
 | inet 10.168.117.93 255.255.255.255)
 |em1 (inet 10.0.11.1 255.255.255.0 NONE mpls)
 |
 |
 |
 |
 |
 |lo1 (inet 10.10.12.1 255.255.255.0 NONE)
 |vlan116 (rdomain 116
 | vlan 116 vlandev em2
 | inet 172.116.94.1 255.255.255.0 NONE)
 |vlan117 (rdomain 117
 | vlan 117 vlandev em2
 | inet 172.117.94.1 255.255.255.0 NONE) |
 |mpe116  (rdomain 116 mplslabel 11694
 | inet 10.168.116.94 255.255.255.255)
 |mpe117  (rdomain 117 mplslabel 11794
 | inet 10.168.117.94 255.255.255.255)
 |em1 (inet 10.0.11.254 255.255.255.0 NONE mpls)
   __|__
  | |
  |_|
  em0 em2 (up)
PE2

where relevant configuration files are like this

configs on PE1

# cat /etc/bgpd.conf
AS 65001
router-id 10.10.11.1
listen on 10.10.11.1

rdomain 116 {
  descr "cust 116 site a"
  rd 65001:1
  import-target rt 65001:116
  export-target rt 65001:116
  depend on mpe116
  network 172.116.93.0/24
}

rdomain 117 {
  descr "cust 117 site a"
  rd 65001:1
  import-target rt 65001:117
  export-target rt 65001:117
  depend on mpe117
  network 172.117.93.0/24
}

neighbor 10.10.12.1 {
  remote-as   65001
  descr   AS65001
  announce IPv4 vpn
  announce IPv4 unicast
  local-address 10.10.11.1
}

allow from any

# cat /etc/ospfd.conf
redistribute connected
redistribute 10.10.11.1/32

area 0.0.0.5 {
interface em1 {
}
}

configs on PE2

# cat /etc/bgpd.conf
AS 65001
router-id 10.10.12.1
listen on 10.10.12.1

rdomain 116 {
  descr "cust 116 site b"
  rd 65001:1
  import-target rt 65001:116
  export-target rt 65001:116
  depend on mpe116
  network 172.116.94.0/24
}

rdomain 117 {
  descr "cust 117 site b"
  rd 65001:1
  import-target rt 65001:117
  export-target rt 65001:117
  depend on mpe117
  network 172.117.94.0/24
}

neighbor 10.10.11.1 {
  remote-as   65001
  descr   AS65001
  announce IPv4 vpn
  announce IPv4 unicast
  local-address 10.10.12.1
}

allow from any

# cat /etc/ospfd.conf
redistribute connected
redistribute 10.10.12.1/32

area 0.0.0.5 {
interface em1 {
}
}

As a result I can successfully issue on PE1

PE1# ping -V 116 -I 172.116.93.1 172.116.94.1

and I can see with tcpdump MPLS traffic between the em1 devices. Please comment on
this setup, maybe something is still wrong here although it seems to work.

But now to the problem part. When I try to set up three P routers between the
two PE routers then I lose the connections between the VPNs.

What I do in addition to the setup described above is

1. configure on the P routers ordinary ip interfaces + mpls, like this

inet 10.0.171.254 255.255.255.0 NONE
mpls

2. enable ip forwarding the ordinary way (net.inet.ip.forwarding=1) and use 
ospfd

3. run on all P routers ldpd with (router-id is unique on each)

fast="2"
router-id  10.10.11.9

distribution independent
retention liberal
advertisement unsolicited

interface em1 {
}

interface em2 {
}

4. run on both PE routers ldpd with (router-id is the same as the bgp router-id)

fast="2"
router-id  10.10.12.1
distribution independent
retention liberal
advertisement unsolicited

interface lo0 {
}

interface em1 {
}

And what I observe is the MPLS packet gets out from the PE and I see it on the first P
router's ingress interface but that's all, it seems it does not get routed
further. And when I look at the labels w