From 7059f423858212acd42987acb8945ac8b18d1468 Mon Sep 17 00:00:00 2001 From: abdosi <58047199+abdosi@users.noreply.github.com> Date: Tue, 10 Oct 2023 11:51:40 -0700 Subject: [PATCH] [chassis/multi-asic] Make sure iBGP session established as directly connected (#16777) What I did: Make Sure for internal iBGP we are one-hop away (directly connected) by using Generic TTL security mechanism. Why I did: Without this change it's possible on packet chassis i-BGP can be established even if there no direct connection. Below is the example - Let's say we have 3 LC's LC1/LC2/LC3 each having i-BGP session session with each other over Loopback4096 - Each LC's have static route towards other LC's Loopback4096 to establish i-BGP session - LC1 learn default route 0.0.0.0/0 from it's e-BGP peers and send it over to LC2 and LC3 over i-BGP - Now for some reason on LC2 static route towards LC3 is removed/not-present/some-issue we expect i-BGP session should go down between LC2 and LC3 - However i-BGP between LC2 and LC3 does not go down because of feature ip nht-resolve-via-default where LC2 will use default route to reach Loopback4096 of LC3. As it's using default route BGP packets from LC2 towards LC3 will first route to LC1 and then go to LC3 from there. Above scenario can result in packet mis-forwarding on data plane How I fixed it:- To make sure BGP packets between i-BGP peers are not going with extra routing hop enable using GTSM feature neighbor PEER ttl-security hops NUMBER This command enforces Generalized TTL Security Mechanism (GTSM), as specified in RFC 5082. With this command, only neighbors that are the specified number of hops away will be allowed to become neighbors. This command is mutually exclusive with ebgp-multihop. We set hop count as 1 which makes FRR to reject BGP connection if we receive BGP packets if it's TTL < 255. Also setting this attribute make sure i-BGP frames are originated with IP TTL of 255. How I verify: Manual Verification of above scenario. See blow BGP packets receive with IP TTL 254 (additional routing hop) we are seeing FIN TCP flags as BGP is rejecting the connection Signed-off-by: Abhishek Dosi --- .../frr/bgpd/templates/internal/peer-group.conf.j2 | 2 ++ .../frr/bgpd/templates/voq_chassis/peer-group.conf.j2 | 2 ++ .../tests/data/internal/peer-group.conf/result_back.conf | 2 ++ .../data/internal/peer-group.conf/result_chasiss_packet.conf | 2 ++ .../tests/data/internal/peer-group.conf/result_front.conf | 2 ++ .../tests/data/voq_chassis/peer-group.conf/result_all.conf | 2 ++ .../tests/data/voq_chassis/peer-group.conf/result_base.conf | 2 ++ 7 files changed, 14 insertions(+) diff --git a/dockers/docker-fpm-frr/frr/bgpd/templates/internal/peer-group.conf.j2 b/dockers/docker-fpm-frr/frr/bgpd/templates/internal/peer-group.conf.j2 index b12f8e8c84a3..d2d2be87e7f3 100644 --- a/dockers/docker-fpm-frr/frr/bgpd/templates/internal/peer-group.conf.j2 +++ b/dockers/docker-fpm-frr/frr/bgpd/templates/internal/peer-group.conf.j2 @@ -15,6 +15,7 @@ neighbor INTERNAL_PEER_V4 route-map FROM_BGP_INTERNAL_PEER_V4 in neighbor INTERNAL_PEER_V4 route-map TO_BGP_INTERNAL_PEER_V4 out neighbor INTERNAL_PEER_V4 send-community + neighbor INTERNAL_PEER_V4 ttl-security hops 1 exit-address-family {% if CONFIG_DB__DEVICE_METADATA['localhost']['switch_type'] == 'chassis-packet' %} neighbor INTERNAL_PEER_V6 update-source Loopback4096 @@ -28,6 +29,7 @@ neighbor INTERNAL_PEER_V6 route-map FROM_BGP_INTERNAL_PEER_V6 in neighbor INTERNAL_PEER_V6 route-map TO_BGP_INTERNAL_PEER_V6 out neighbor INTERNAL_PEER_V6 send-community + neighbor INTERNAL_PEER_V6 ttl-security hops 1 exit-address-family ! ! end of template: bgpd/templates/internal/peer-group.conf.j2 diff --git a/dockers/docker-fpm-frr/frr/bgpd/templates/voq_chassis/peer-group.conf.j2 b/dockers/docker-fpm-frr/frr/bgpd/templates/voq_chassis/peer-group.conf.j2 index 802aa15ca60f..44552c055db8 100644 --- a/dockers/docker-fpm-frr/frr/bgpd/templates/voq_chassis/peer-group.conf.j2 +++ b/dockers/docker-fpm-frr/frr/bgpd/templates/voq_chassis/peer-group.conf.j2 @@ -13,6 +13,7 @@ neighbor VOQ_CHASSIS_V4_PEER route-map FROM_VOQ_CHASSIS_V4_PEER in neighbor VOQ_CHASSIS_V4_PEER route-map TO_VOQ_CHASSIS_V4_PEER out neighbor VOQ_CHASSIS_V4_PEER send-community + neighbor VOQ_CHASSIS_V4_PEER ttl-security hops 1 exit-address-family address-family ipv6 {% if CONFIG_DB__DEVICE_METADATA['localhost']['type'] == 'ToRRouter' %} @@ -24,6 +25,7 @@ neighbor VOQ_CHASSIS_V6_PEER route-map FROM_VOQ_CHASSIS_V6_PEER in neighbor VOQ_CHASSIS_V6_PEER route-map TO_VOQ_CHASSIS_V6_PEER out neighbor VOQ_CHASSIS_V6_PEER send-community + neighbor VOQ_CHASSIS_V6_PEER ttl-security hops 1 exit-address-family ! ! end of template: bgpd/templates/voq_chassis/peer-group.conf.j2 diff --git a/src/sonic-bgpcfgd/tests/data/internal/peer-group.conf/result_back.conf b/src/sonic-bgpcfgd/tests/data/internal/peer-group.conf/result_back.conf index c6acef329eff..da0e6b77339e 100644 --- a/src/sonic-bgpcfgd/tests/data/internal/peer-group.conf/result_back.conf +++ b/src/sonic-bgpcfgd/tests/data/internal/peer-group.conf/result_back.conf @@ -10,6 +10,7 @@ neighbor INTERNAL_PEER_V4 route-map FROM_BGP_INTERNAL_PEER_V4 in neighbor INTERNAL_PEER_V4 route-map TO_BGP_INTERNAL_PEER_V4 out neighbor INTERNAL_PEER_V4 send-community + neighbor INTERNAL_PEER_V4 ttl-security hops 1 exit-address-family address-family ipv6 neighbor INTERNAL_PEER_V6 route-reflector-client @@ -18,6 +19,7 @@ neighbor INTERNAL_PEER_V6 route-map FROM_BGP_INTERNAL_PEER_V6 in neighbor INTERNAL_PEER_V6 route-map TO_BGP_INTERNAL_PEER_V6 out neighbor INTERNAL_PEER_V6 send-community + neighbor INTERNAL_PEER_V6 ttl-security hops 1 exit-address-family ! ! end of template: bgpd/templates/internal/peer-group.conf.j2 diff --git a/src/sonic-bgpcfgd/tests/data/internal/peer-group.conf/result_chasiss_packet.conf b/src/sonic-bgpcfgd/tests/data/internal/peer-group.conf/result_chasiss_packet.conf index e4fb05eeb766..64b30e514d8c 100644 --- a/src/sonic-bgpcfgd/tests/data/internal/peer-group.conf/result_chasiss_packet.conf +++ b/src/sonic-bgpcfgd/tests/data/internal/peer-group.conf/result_chasiss_packet.conf @@ -10,6 +10,7 @@ neighbor INTERNAL_PEER_V4 route-map FROM_BGP_INTERNAL_PEER_V4 in neighbor INTERNAL_PEER_V4 route-map TO_BGP_INTERNAL_PEER_V4 out neighbor INTERNAL_PEER_V4 send-community + neighbor INTERNAL_PEER_V4 ttl-security hops 1 exit-address-family neighbor INTERNAL_PEER_V6 update-source Loopback4096 address-family ipv6 @@ -18,6 +19,7 @@ neighbor INTERNAL_PEER_V6 route-map FROM_BGP_INTERNAL_PEER_V6 in neighbor INTERNAL_PEER_V6 route-map TO_BGP_INTERNAL_PEER_V6 out neighbor INTERNAL_PEER_V6 send-community + neighbor INTERNAL_PEER_V6 ttl-security hops 1 exit-address-family ! ! end of template: bgpd/templates/internal/peer-group.conf.j2 diff --git a/src/sonic-bgpcfgd/tests/data/internal/peer-group.conf/result_front.conf b/src/sonic-bgpcfgd/tests/data/internal/peer-group.conf/result_front.conf index 7b6ee2667de9..363040eb12f5 100644 --- a/src/sonic-bgpcfgd/tests/data/internal/peer-group.conf/result_front.conf +++ b/src/sonic-bgpcfgd/tests/data/internal/peer-group.conf/result_front.conf @@ -9,6 +9,7 @@ neighbor INTERNAL_PEER_V4 route-map FROM_BGP_INTERNAL_PEER_V4 in neighbor INTERNAL_PEER_V4 route-map TO_BGP_INTERNAL_PEER_V4 out neighbor INTERNAL_PEER_V4 send-community + neighbor INTERNAL_PEER_V4 ttl-security hops 1 exit-address-family address-family ipv6 neighbor INTERNAL_PEER_V6 soft-reconfiguration inbound @@ -16,6 +17,7 @@ neighbor INTERNAL_PEER_V6 route-map FROM_BGP_INTERNAL_PEER_V6 in neighbor INTERNAL_PEER_V6 route-map TO_BGP_INTERNAL_PEER_V6 out neighbor INTERNAL_PEER_V6 send-community + neighbor INTERNAL_PEER_V6 ttl-security hops 1 exit-address-family ! ! end of template: bgpd/templates/internal/peer-group.conf.j2 diff --git a/src/sonic-bgpcfgd/tests/data/voq_chassis/peer-group.conf/result_all.conf b/src/sonic-bgpcfgd/tests/data/voq_chassis/peer-group.conf/result_all.conf index 350ff0eeeb41..3a80739e3cb8 100644 --- a/src/sonic-bgpcfgd/tests/data/voq_chassis/peer-group.conf/result_all.conf +++ b/src/sonic-bgpcfgd/tests/data/voq_chassis/peer-group.conf/result_all.conf @@ -11,6 +11,7 @@ neighbor VOQ_CHASSIS_V4_PEER route-map FROM_VOQ_CHASSIS_V4_PEER in neighbor VOQ_CHASSIS_V4_PEER route-map TO_VOQ_CHASSIS_V4_PEER out neighbor VOQ_CHASSIS_V4_PEER send-community + neighbor VOQ_CHASSIS_V4_PEER ttl-security hops 1 exit-address-family address-family ipv6 neighbor VOQ_CHASSIS_V6_PEER allowas-in 1 @@ -20,6 +21,7 @@ neighbor VOQ_CHASSIS_V6_PEER route-map FROM_VOQ_CHASSIS_V6_PEER in neighbor VOQ_CHASSIS_V6_PEER route-map TO_VOQ_CHASSIS_V6_PEER out neighbor VOQ_CHASSIS_V6_PEER send-community + neighbor VOQ_CHASSIS_V6_PEER ttl-security hops 1 exit-address-family ! ! end of template: bgpd/templates/voq_chassis/peer-group.conf.j2 diff --git a/src/sonic-bgpcfgd/tests/data/voq_chassis/peer-group.conf/result_base.conf b/src/sonic-bgpcfgd/tests/data/voq_chassis/peer-group.conf/result_base.conf index 9818358a771f..450e8a911eb1 100644 --- a/src/sonic-bgpcfgd/tests/data/voq_chassis/peer-group.conf/result_base.conf +++ b/src/sonic-bgpcfgd/tests/data/voq_chassis/peer-group.conf/result_base.conf @@ -10,6 +10,7 @@ neighbor VOQ_CHASSIS_V4_PEER route-map FROM_VOQ_CHASSIS_V4_PEER in neighbor VOQ_CHASSIS_V4_PEER route-map TO_VOQ_CHASSIS_V4_PEER out neighbor VOQ_CHASSIS_V4_PEER send-community + neighbor VOQ_CHASSIS_V4_PEER ttl-security hops 1 exit-address-family address-family ipv6 neighbor VOQ_CHASSIS_V6_PEER activate @@ -18,6 +19,7 @@ neighbor VOQ_CHASSIS_V6_PEER route-map FROM_VOQ_CHASSIS_V6_PEER in neighbor VOQ_CHASSIS_V6_PEER route-map TO_VOQ_CHASSIS_V6_PEER out neighbor VOQ_CHASSIS_V6_PEER send-community + neighbor VOQ_CHASSIS_V6_PEER ttl-security hops 1 exit-address-family ! ! end of template: bgpd/templates/voq_chassis/peer-group.conf.j2