OpenBGPd match clause with multihop BGP session
Laurent CARON
2013-12-13 10:31:02 UTC
Hi,

I'm using cymru[1] bogon feed onto a router receiving several full tables.

On this router I have:

neighbor $CYMRU_PEER_v4 {
    descr cymru-fullbogon-v4-001
    local-address $NERIM_MY_v4
    max-prefix 9550 restart 10
}

bgpctl show rib correctly shows the prefixes being added with nexthop
$CYMRU_PEER_v4

This nexthop however is invalid (because I can't reach it directly),
which doesn't matter to me since this traffic should be blackholed
anyway.

To blackhole this traffic I use:
match from group cymru_bogons set nexthop blackhole

The traffic never gets blackholed....unless I use
set nexthop $NERIM_PEER_v4
in the neighbor stanza.

Is it normal behavior, a misunderstanding on my side, or a bug?

Thanks

Laurent

PS:
$CYMRU_PEER_v4 = IPv4 address of the cymru router
$NERIM_MY_v4 = my public IPv4 address
$NERIM_PEER_v4 = my IPv4 gateway (ISP side)
[1]: http://www.team-cymru.org/Services/Bogons/bgp-examples.html
Sebastian Benoit
2014-01-23 23:38:46 UTC
Post by Laurent CARON
> Hi,
> I'm using cymru[1] bogon feed onto a router receiving several full tables.
> neighbor $CYMRU_PEER_v4 {
>     descr cymru-fullbogon-v4-001
>     local-address $NERIM_MY_v4
>     max-prefix 9550 restart 10
> }
> bgpctl show rib correctly shows the prefixes being added with nexthop
> $CYMRU_PEER_v4
> This nexthop however is invalid (because I can't reach it directly),
> which doesn't matter to me since this traffic should be blackholed
> anyway.
> match from group cymru_bogons set nexthop blackhole
> The traffic never gets blackholed....unless I use
> set nexthop $NERIM_PEER_v4
> in the neighbor stanza.
> Is it normal behavior, a misunderstanding on my side, or a bug?

This is normal behavior (and perhaps a misunderstanding on your side):

bgpd will only put routes into the fib that are best and valid in the rib.

A route coming from an EBGP-peer is only valid if the nexthop is directly
connected. To make the route valid you can force the nexthop to a useable
nexthop, for example your $NERIM_PEER_v4. You could also use $NERIM_MY_v4.

/Benno
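
The workaround described in this reply, assembled into one bgpd.conf fragment. This is an added example, not a configuration posted by either participant: the macro values are constructed documentation addresses, the AS number is a placeholder, and the group wrapper and multihop value are assumptions.

```conf
# Constructed values: documentation addresses and a private AS number.
CYMRU_PEER_v4="192.0.2.1"       # bogon route server, several hops away
CYMRU_AS="64512"                # placeholder, use the AS of your feed
NERIM_MY_v4="198.51.100.2"      # this router's public address
NERIM_PEER_v4="198.51.100.1"    # ISP gateway, directly connected

group "cymru_bogons" {
    remote-as $CYMRU_AS
    multihop 255                # assumed value; the session is not direct

    neighbor $CYMRU_PEER_v4 {
        descr "cymru-fullbogon-v4-001"
        local-address $NERIM_MY_v4
        max-prefix 9550 restart 10

        # Without this line the prefixes keep the route server's address
        # as nexthop. It is not directly connected, so bgpd treats the
        # routes as invalid and never installs them in the FIB.
        set nexthop $NERIM_PEER_v4
    }
}

# Applied to routes learned from the group: flag them as blackhole.
# On its own this does not make an invalid route eligible for the FIB.
match from group cymru_bogons set nexthop blackhole
```

`bgpctl show rib` lists what was learned from the feed, while `bgpctl show fib` lists what bgpd actually handed to the kernel, so comparing the two shows whether the bogon prefixes passed the validity check.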
Laurent CARON
2014-01-24 08:24:26 UTC
Post by Sebastian Benoit
> bgpd will only put routes into the fib that are best and valid in the rib.
> A route coming from an EBGP-peer is only valid if the nexthop is directly
> connected. To make the route valid you can force the nexthop to a useable
> nexthop, for example your $NERIM_PEER_v4. You could also use $NERIM_MY_v4.
> /Benno

I perfectly understand bgpd needs a 'valid' nexthop to put routes into
the fib. I however (mistakenly?) thought having set nexthop blackhole
in the peer's stanza would make it.
Sebastian Benoit
2014-01-24 09:32:28 UTC
Post by Laurent CARON
> Post by Sebastian Benoit
> > bgpd will only put routes into the fib that are best and valid in the rib.
> > A route coming from an EBGP-peer is only valid if the nexthop is directly
> > connected. To make the route valid you can force the nexthop to a useable
> > nexthop, for example your $NERIM_PEER_v4. You could also use $NERIM_MY_v4.
> > /Benno
> I perfectly understand bgpd needs a 'valid' nexthop to put routes into
> the fib. I however (mistakenly?) thought having set nexthop blackhole
> in the peer's stanza would make it.

Well, currently it does not. With a diff committed today you can use
127.0.0.1.

However, it might be useful to have the blackhole depend on the
reachability of some other IP (the way it currently is). Does anybody use
that or know a use case for that? Otherwise we might just remove that and
make it work the way you thought it would.
