Hi guys,
BFD echo function allows testing datapaths only and thus using more
aggresive rates and faster detection by using packets, which are
processed only by the sender and simply looped back by the receiver.
Each peer declares the willingness/rate at which it will loop back
echo packets and each side decides to use the feature or not locally.
For the BFD over UDP, the echo packets are recognized by having
destination port 3785.
To implement this in VPP, we need to
1.) loop back echo packets from remote side - this is easy, already done
2.) be able to send the packets out and receive them - this hits the
current spoofing protection, when a packet with destination set to our
own IP address gets dropped like this:
...
00:00:00:708351: ip4-local
UDP: 172.16.2.1 -> 172.16.1.1
tos 0x00, ttl 255, length 52, checksum 0x6096
fragment id 0x0000
UDP: 49152 -> 3785
length 32, checksum 0x0000
00:00:00:708351: error-drop
ip4-input: ip4 spoofed local-address packet drops
in this example 172.16.1.1 is the address on the interface receiving the
packet.
Discussion with Neale yielded a few possible solutions, none of which is
great:
1.) add input feature to siphon BFD packets instead of going to
ip4-local node
2a.) skip checks in ip4-local node based on BFD ports
2b.) skip checks in ip4-local node based on UDP port registration (via
udp_register_dst_port())
3.) add information for prefix/address to FIB to skip checks for this
entry
based on discussion, here are the downsides of each:
1.) taxes all input packets
2.) layering violation, caches misses in b.) case
3.) exposes VPP to spoofed packets for non-BFD traffic
based on these, 2.) seems to hurt the least.. with 2a.) being the
easiest to implement to move forward..
I would appreciate thoughts/ideas from more experienced people..
Thanks,
Klement
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
