
IPv6 RE protection filter might prevent IPv6 BGP session from establishing

  [KB34711]


Summary:

This article describes the points to be careful about when applying an RE protection filter, in particular an IPv6 filter.

Symptoms:

Applying an IPv6 RE protection filter can leave the BGP session unable to establish.
A typical 'not working' scenario is changing or adding match criteria and actions in the terms of the filter.
In this case we begin our observation from the following filter, which accepts only IPv6 BGP packets.

set firewall family inet6 filter v6-filter term bgp from next-header tcp
set firewall family inet6 filter v6-filter term bgp from port bgp
set firewall family inet6 filter v6-filter term bgp then accept
set firewall family inet6 filter v6-filter term default then log
set firewall family inet6 filter v6-filter term default then discard
set interfaces lo0 unit 0 family inet6 filter input v6-filter
set interfaces lo0 unit 0 family inet6 address 2001:db8:ffff::1/128
set protocols bgp group test peer-as 65002
set protocols bgp group test neighbor 2001:db8::2 hold-time 300

If R1 filters ICMPv6 packets, the neighbor entry for the peer may become unreachable.

lab@R1> show ipv6 neighbors    
Jun 19 03:53:50
IPv6 Address           Linklayer Address  State       Exp Rtr Secure Interface
2001:db8::2            56:68:a3:1e:5d:b7  delay       1   yes no      ge-0/0/1.0  
fe80::2                56:68:a3:1e:5d:b7  stale       932 yes no      ge-0/0/1.0  

lab@R1> show ipv6 neighbors    
Jun 19 03:53:52
IPv6 Address           Linklayer Address  State       Exp Rtr Secure Interface
2001:db8::2            56:68:a3:1e:5d:b7  probe       0   yes no      ge-0/0/1.0  
fe80::2                56:68:a3:1e:5d:b7  stale       930 yes no      ge-0/0/1.0 

lab@R1> show ipv6 neighbors    
Jun 19 03:53:55
IPv6 Address           Linklayer Address  State       Exp Rtr Secure Interface
2001:db8::2            none               unreachable 3   yes no      ge-0/0/1.0  
fe80::2                56:68:a3:1e:5d:b7  stale       926 yes no      ge-0/0/1.0

lab@R1> show ipv6 neighbors    
Jun 19 03:54:02
IPv6 Address           Linklayer Address  State       Exp Rtr Secure Interface
2001:db8::2            none               incomplete  0   yes no      ge-0/0/1.0  
fe80::2                56:68:a3:1e:5d:b7  stale       920 yes no      ge-0/0/1.0  

lab@R1> show ipv6 neighbors    
Jun 19 03:54:03
IPv6 Address           Linklayer Address  State       Exp Rtr Secure Interface
2001:db8::2            none               unreachable 3   yes no      ge-0/0/1.0  
fe80::2                56:68:a3:1e:5d:b7  stale       918 yes no      ge-0/0/1.0  

BGP may stay in the Establ (established) state for a while.

lab@R1> show bgp summary       
Jun 19 03:55:25
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet6.0              
                       0          0          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
2001:db8::2           65002         10         10       0       0       13:07 Establ
  inet6.0: 0/0/0/0

R1 sends neighbor solicitations and R2 replies with neighbor advertisements, but R1 cannot receive them because of the firewall filter.

[R1]
03:56:57.467364 Out IP6 truncated-ip6 - 12 bytes missing!fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation[|icmp6]
03:56:59.774319  In IP6 2001:db8::2.179 > 2001:db8::1.51512: P 265:284(19) ack 284 win 16384 <nop,nop,timestamp 3245735019[|tcp]>
03:57:01.752460 Out IP6 truncated-ip6 - 12 bytes missing!2001:db8::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation[|icmp6]
03:57:03.472431 Out IP6 truncated-ip6 - 12 bytes missing!2001:db8::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation[|icmp6]
03:57:04.472407 Out IP6 truncated-ip6 - 12 bytes missing!2001:db8::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation[|icmp6]

[R2]
03:56:57.468711  In IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8::2, length 32
03:56:57.468887 Out IP6 truncated-ip6 - 12 bytes missing!fe80::2 > fe80::1: ICMP6, neighbor advertisement[|icmp6]
03:56:59.743782 Out IP6 truncated-ip6 - 31 bytes missing!2001:db8::2.179 > 2001:db8::1.51512: P 265:284(19) ack 284 win 16384 <[|tcp]>
03:57:01.753784  In IP6 2001:db8::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8::2, length 32
03:57:01.753850 Out IP6 truncated-ip6 - 12 bytes missing!2001:db8::2 > 2001:db8::1: ICMP6, neighbor advertisement[|icmp6]
03:57:03.473449  In IP6 2001:db8::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8::2, length 32
03:57:03.473516 Out IP6 truncated-ip6 - 12 bytes missing!2001:db8::2 > 2001:db8::1: ICMP6, neighbor advertisement[|icmp6]
03:57:04.473437  In IP6 2001:db8::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8::2, length 32
03:57:04.473499 Out IP6 truncated-ip6 - 12 bytes missing!2001:db8::2 > 2001:db8::1: ICMP6, neighbor advertisement[|icmp6]
03:57:04.591708 Out IP6 truncated-ip6 - 12 bytes missing!2001:db8::2 > 2001:db8::1: ICMP6, neighbor solicitation[|icmp6]
03:57:05.591721 Out IP6 truncated-ip6 - 12 bytes missing!2001:db8::2 > 2001:db8::1: ICMP6, neighbor solicitation[|icmp6]
03:57:06.591724 Out IP6 truncated-ip6 - 12 bytes missing!2001:db8::2 > 2001:db8::1: ICMP6, neighbor solicitation[|icmp6]

Eventually, BGP goes down.

[R2]
04:01:15.751713 Out IP6 truncated-ip6 - 90 bytes missing!2001:db8::2.179 > 2001:db8::1.51512: FP 265:343(78) ack 284 win 16384 <[|tcp]>

[R1]
04:01:15.754261  In IP6 2001:db8::2.179 > 2001:db8::1.51512: FP 265:343(78) ack 284 win 16384 <nop,nop,timestamp 3245991027[|tcp]>

lab@R1> show log messages
Jun 19 04:01:15  R1 rpd[8032]: bgp_handle_notify:4236: NOTIFICATION received from 2001:db8::2 (External AS 65002): code 4 (Hold Timer Expired Error), socket buffer sndacc: 57 rcvacc: 0 , socket buffer sndccc: 57 rcvccc: 0 TCP state: 5, snd_una: 1109012377 snd_nxt: 1109012434 snd_wnd: 16384 rcv_nxt: 1375199240 rcv_adv: 1375216033, hold timer 300s, hold timer remain 0s, last sent 78s, TCP port (local 51512, remote 179)

Solution:

The BGP session failed because the RE protection filter discarded the neighbor advertisement packets from R2. To fix this problem, terms that accept ICMPv6 and the other required packets (link-local destinations and the all-nodes/all-routers multicast addresses) need to be added ahead of the default discard term, since the first matching term decides.

set firewall family inet6 filter v6-filter term icmp from next-header icmp6
set firewall family inet6 filter v6-filter term icmp from icmp-type [ echo-request echo-reply destination-unreachable time-exceeded neighbor-advertisement neighbor-solicit ]
set firewall family inet6 filter v6-filter term icmp then accept
set firewall family inet6 filter v6-filter term linklocal from destination-address fe80::/10
set firewall family inet6 filter v6-filter term linklocal then accept
set firewall family inet6 filter v6-filter term multicast from destination-address ff02::1/128
set firewall family inet6 filter v6-filter term multicast from destination-address ff02::2/128
set firewall family inet6 filter v6-filter term multicast then accept
set firewall family inet6 filter v6-filter term bgp from next-header tcp
set firewall family inet6 filter v6-filter term bgp from port bgp
set firewall family inet6 filter v6-filter term bgp then accept
set firewall family inet6 filter v6-filter term default then discard
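The following is an added example and is not code from the KB or from Juniper: a small Python first-match simulator that parses a filter written as 'set' lines (only the match criteria used above are modelled: next-header, port, icmp-type and destination-address) and evaluates whether neighbor discovery packets and the BGP session itself would be accepted. It shows why the original filter discards the neighbor advertisement (it falls through to the default term) and why the corrected filter lets it through via the icmp term. The packet dictionaries, PORT_NAMES, Term, parse_filter, evaluate and nd_blocked are all constructed here; the first-match rule, the implicit final discard and the accept-when-no-terminating-action rule follow documented Junos filter behaviour.

```python
"""Added example (not from KB34711): first-match simulator for a Junos-style
inet6 firewall filter given as 'set' lines, used to check that IPv6 neighbor
discovery still reaches the RE once the filter is applied to lo0."""
import ipaddress
from dataclasses import dataclass, field

PORT_NAMES = {"bgp": 179}                 # Junos accepts service names in 'from port'
TERMINATING = {"accept", "discard", "reject"}


@dataclass
class Term:
    name: str
    matches: dict = field(default_factory=dict)   # criterion -> set of values
    action: str = "accept"   # Junos: a matching term without a terminating action accepts


def parse_filter(config: str, filter_name: str) -> list:
    """Return the named filter's terms in configuration order."""
    prefix = f"set firewall family inet6 filter {filter_name} term "
    terms: dict = {}                      # dict preserves first-appearance order
    for line in config.strip().splitlines():
        line = line.strip()
        if not line.startswith(prefix):
            continue
        tokens = line[len(prefix):].replace("[", " ").replace("]", " ").split()
        name, clause, key, values = tokens[0], tokens[1], tokens[2], tokens[3:]
        term = terms.setdefault(name, Term(name))
        if clause == "from":
            if key == "port":             # normalise service names to port numbers
                values = [int(PORT_NAMES.get(v, v)) for v in values]
            term.matches.setdefault(key, set()).update(values)
        elif clause == "then" and key in TERMINATING:
            term.action = key             # 'log'/'count' are modifiers, not actions
    return list(terms.values())


def term_matches(term: Term, pkt: dict) -> bool:
    """All 'from' criteria of a term must match (they are ANDed)."""
    for crit, values in term.matches.items():
        if crit == "next-header":
            ok = pkt["next_header"] in values
        elif crit == "port":              # 'port' matches source OR destination port
            ok = bool({pkt.get("src_port"), pkt.get("dst_port")} & values)
        elif crit == "icmp-type":
            ok = pkt.get("icmp_type") in values
        elif crit == "destination-address":
            dst = ipaddress.ip_address(pkt["dst"])
            ok = any(dst in ipaddress.ip_network(p) for p in values)
        else:
            raise ValueError(f"match criterion not modelled: {crit}")
        if not ok:
            return False
    return True


def evaluate(terms: list, pkt: dict) -> tuple:
    """First matching term decides; an unmatched packet hits the implicit discard."""
    for term in terms:
        if term_matches(term, pkt):
            return term.name, term.action
    return "(implicit)", "discard"


# Constructed copies of the two filters shown in the KB.
ORIGINAL_FILTER = """
set firewall family inet6 filter v6-filter term bgp from next-header tcp
set firewall family inet6 filter v6-filter term bgp from port bgp
set firewall family inet6 filter v6-filter term bgp then accept
set firewall family inet6 filter v6-filter term default then log
set firewall family inet6 filter v6-filter term default then discard
"""
FIXED_FILTER = """
set firewall family inet6 filter v6-filter term icmp from next-header icmp6
set firewall family inet6 filter v6-filter term icmp from icmp-type [ echo-request echo-reply destination-unreachable time-exceeded neighbor-advertisement neighbor-solicit ]
set firewall family inet6 filter v6-filter term icmp then accept
set firewall family inet6 filter v6-filter term linklocal from destination-address fe80::/10
set firewall family inet6 filter v6-filter term linklocal then accept
set firewall family inet6 filter v6-filter term multicast from destination-address ff02::1/128
set firewall family inet6 filter v6-filter term multicast from destination-address ff02::2/128
set firewall family inet6 filter v6-filter term multicast then accept
set firewall family inet6 filter v6-filter term bgp from next-header tcp
set firewall family inet6 filter v6-filter term bgp from port bgp
set firewall family inet6 filter v6-filter term bgp then accept
set firewall family inet6 filter v6-filter term default then discard
"""

# Constructed packets modelled on the R2 -> R1 captures in the KB.
ND_PACKETS = {
    "NA link-local": {"next_header": "icmp6", "icmp_type": "neighbor-advertisement", "dst": "fe80::1"},
    "NA global":     {"next_header": "icmp6", "icmp_type": "neighbor-advertisement", "dst": "2001:db8::1"},
    "NS from peer":  {"next_header": "icmp6", "icmp_type": "neighbor-solicit", "dst": "ff02::1:ff00:1"},
    "BGP from 179":  {"next_header": "tcp", "src_port": 179, "dst_port": 51512, "dst": "2001:db8::1"},
}


def nd_blocked(config: str, filter_name: str = "v6-filter") -> list:
    """Names of the sample packets the filter would not accept; empty means ND survives."""
    terms = parse_filter(config, filter_name)
    return [n for n, pkt in ND_PACKETS.items() if evaluate(terms, pkt)[1] != "accept"]


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_FILTER), ("fixed", FIXED_FILTER)):
        terms = parse_filter(cfg, "v6-filter")
        for n, pkt in ND_PACKETS.items():
            print(f"{label:8} {n:14} -> {evaluate(terms, pkt)}")
```

Running the script prints, for each filter, which term each sample packet hits: with the original filter every ICMPv6 packet falls through to the default term and is discarded while the BGP segment is accepted, which is exactly the combination that keeps the session up until neighbor resolution fails; with the corrected filter all four are accepted. The same check can be rerun after any later edit to the filter, since a new term inserted before the icmp term can silently reintroduce the problem.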

With the new terms in place, the capture on R1 shows the neighbor solicitation going out and the neighbor advertisement from R2 being received:

05:18:11.697009 Out
    Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
      Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
      Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
      Device Interface Index Extension TLV #1, length 2, value: 141
      Logical Interface Index Extension TLV #4, length 4, value: 332
    -----original packet-----
    56:68:a3:1e:5d:c7 > 33:33:ff:00:00:02, ethertype IPv6 (0x86dd), length 86: (class 0xc0, hlim 255, next-header: ICMPv6 (58), length: 32) fe80::1 > ff02::1:ff00:2: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8::2
      source link-address option (1), length 8 (1): 56:68:a3:1e:5d:c7
        0x0000: 5668 a31e 5dc7

05:18:11.700890  In
    Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
      Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
      Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
      Device Interface Index Extension TLV #1, length 2, value: 141
      Logical Interface Index Extension TLV #4, length 4, value: 332
    -----original packet-----
    PFE proto 6 (ipv6): (class 0xc0, hlim 255, next-header: ICMPv6 (58), length: 32) fe80::2 > fe80::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2001:db8::2, Flags [router, solicited, override]
      destination link-address option (2), length 8 (1): 56:68:a3:1e:5d:b7
        0x0000: 5668 a31e 5db7


When applying a filter to the loopback interface, also refer to JSA10749 - IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability, which describes cautions for the filter from a vulnerability perspective.