For IPv6 I would probably just have picked a separate IPv6 address for BFD and installed an entry for it in the FIB. For IPv4... well you mistake me for someone who cares. ;-)
Cheers, Ole > On 17 Feb 2017, at 14:07, Klement Sekera -X (ksekera - PANTHEON TECHNOLOGIES > at Cisco) <ksek...@cisco.com> wrote: > > Hi guys, > > BFD echo function allows testing datapaths only and thus using more > aggresive rates and faster detection by using packets, which are > processed only by the sender and simply looped back by the receiver. > Each peer declares the willingness/rate at which it will loop back > echo packets and each side decides to use the feature or not locally. > > For the BFD over UDP, the echo packets are recognized by having > destination port 3785. > > To implement this in VPP, we need to > > 1.) loop back echo packets from remote side - this is easy, already done > 2.) be able to send the packets out and receive them - this hits the > current spoofing protection, when a packet with destination set to our > own IP address gets dropped like this: > > ... > 00:00:00:708351: ip4-local > UDP: 172.16.2.1 -> 172.16.1.1 > tos 0x00, ttl 255, length 52, checksum 0x6096 > fragment id 0x0000 > UDP: 49152 -> 3785 > length 32, checksum 0x0000 > 00:00:00:708351: error-drop > ip4-input: ip4 spoofed local-address packet drops > > in this example 172.16.1.1 is the address on the interface receiving the > packet. > > Discussion with Neale yielded a few possible solutions, none of which is > great: > > 1.) add input feature to siphon BFD packets instead of going to > ip4-local node > 2a.) skip checks in ip4-local node based on BFD ports > 2b.) skip checks in ip4-local node based on UDP port registration (via > udp_register_dst_port()) > 3.) add information for prefix/address to FIB to skip checks for this > entry > > based on discussion, here are the downsides of each: > > 1.) taxes all input packets > 2.) layering violation, caches misses in b.) case > 3.) exposes VPP to spoofed packets for non-BFD traffic > > based on these, 2.) seems to hurt the least.. with 2a.) being the > easiest to implement to move forward.. > > I would appreciate thoughts/ideas from more experienced people.. > > Thanks, > Klement > _______________________________________________ > vpp-dev mailing list > vpp-dev@lists.fd.io > https://lists.fd.io/mailman/listinfo/vpp-dev
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
