Mar 30, 2019, 11:10 AM by s...@spacehopper.org:
> On 2019-03-29, Rachel Roch <rr...@tutanota.de> wrote:
>
>> Hi,
>>
>> Has anyone encountered this before?
>>
>> Neighbor AS MsgRcvd MsgSent OutQ Up/Down State/PrfRcvd
>> EXT-V6-R2 65515 50 40 0 00:02:55 Active
>> EXT-V4-R2 65515 38 37 0 00:27:42 1
>> After approx. just over 2 minutes, the V6 flaps, but the V4 remains rock solid.
>>
>> The boxes are sitting right next to each other, connected over an OpenBSD
>> LACP trunk.
>>
>> I have made the pf rules as simple as possible:
>>
>> table <my_router_interfaces> counters {self}
>> table <bsd_friends> counters {192.0.2.1,2001:DB8::1}
>> pass in quick proto {tcp,udp,icmp} from <bsd_friends> to <my_router_interfaces> modulate state
>> pass out quick proto {tcp,udp,icmp} from <my_router_interfaces> to <bsd_friends> modulate state
>>
>
> A few tips:
>
> Start with an explicit "block any" rule so you don't have any traffic
> caught by the implicit "pass flags any no state" default. (If you want
> some "stateless" traffic as may often be the case on a BGP router, make
> it explicit in the ruleset). Otherwise you risk state being created
> on something other than a SYN, so PF doesn't know the TCP window scaling
> value (which is *only* sent on SYN packets), which can result in the
> connection being killed after some traffic passes (state tracking gets
> out of sync).
>
> You don't have a rule for icmp6. IPv6's equivalent to ARP runs over icmp6
> and you do need a rule for that. It will currently be passed by the implicit
> default rule but that will stop when you add "block any".
>
> "modulate state" really isn't as simple as possible ;)
>
A belated thanks for this!
Re: icmp6:
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv
pass quick inet6 proto ipv6-icmp all icmp6-type echoreq
pass quick inet6 proto ipv6-icmp all icmp6-type echorep
Re: "modulate state": I thought that was meant to be a good option these days
instead of one of the more traditional state techniques?
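The tips in this thread (explicit block, state created only on SYN, explicit icmp6 neighbor discovery, plain keep state) combined into one minimal pf.conf, as an added example that is not part of the thread; the interface name, addresses and the use of port 179 for the peering sessions are assumptions.

```pf
# Added example, not from the thread: minimal BGP-router ruleset applying the
# advice above. Interface name and addresses are constructed placeholders.
ext_if = "trunk0"
table <my_router_interfaces> counters { self }
table <bsd_friends> counters { 192.0.2.1, 2001:db8::1 }

# Explicit default, so nothing rides on the implicit "pass flags any no state".
# Anything you truly want stateless must now be passed with "no state" explicitly.
block log all

# BGP sessions (TCP 179), both directions of initiation. "flags S/SA keep state"
# creates state only on the SYN, so pf sees the window-scaling option and does not
# kill the session later when tracking drifts. keep state, not modulate state:
# modulate rewrites sequence numbers, which also breaks TCP MD5 signatures if
# the sessions use them.
pass in  quick on $ext_if proto tcp from <bsd_friends> to <my_router_interfaces> \
    port bgp flags S/SA keep state
pass out quick on $ext_if proto tcp from <my_router_interfaces> to <bsd_friends> \
    port bgp flags S/SA keep state

# IPv4 ICMP between the peers only.
pass quick on $ext_if inet proto icmp from <bsd_friends> to <my_router_interfaces>
pass quick on $ext_if inet proto icmp from <my_router_interfaces> to <bsd_friends>

# IPv6 neighbor discovery is the ARP equivalent and must be passed explicitly
# once "block all" is present, or the v6 session drops when the neighbor cache
# entry expires (the ~2 minute flap seen above).
pass quick on $ext_if inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv }

# Echo and packet-too-big between the peers (toobig keeps IPv6 PMTU discovery
# working; dropping it is a common cause of stalled v6 sessions).
pass quick on $ext_if inet6 proto ipv6-icmp from <bsd_friends> \
    to <my_router_interfaces> icmp6-type { echoreq, echorep, toobig }
pass quick on $ext_if inet6 proto ipv6-icmp from <my_router_interfaces> \
    to <bsd_friends> icmp6-type { echoreq, echorep, toobig }
```

Check with `pfctl -nf /etc/pf.conf` before loading, and compare `pfctl -ss` against the peer's state after the first two minutes to confirm the v6 session no longer cycles.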