BGP peering with IPv6 link-local addresses

Hi,

I’m running BGP on my VyOS but it seems like there are some issues communicating with other nodes using IPv6 link-local addresses.

Neighbors with IPv4 or IPv6 (not link-local) are exchanging prefixes but the two configured with link-local only are not connecting.

Checking the log I can see these lines:

Jun 27 18:41:43 dn42-it01 bgpd[998]: can't connect to fe80::XXX fd 33 : Invalid argument
Jun 27 18:42:55 dn42-it01 bgpd[998]: can't connect to fe80::YYY fd 33 : Invalid argument
Jun 27 18:43:30 dn42-it01 bgpd[998]: [EC 33554460] fe80::XXX: nexthop_set failed, resetting connection - intf 0x0
Jun 27 18:43:30 dn42-it01 bgpd[998]: [EC 100663299] bgp_connect_success: bgp_getsockname(): failed for peer fe80::XXX, fd 33

Am I missing something?

Also, as you can see from the image, I have a neighbour without multiprotocol enabled. Is there a way to avoid trying to exchange IPv6 prefixes on an IPv4 link and IPv4 prefixes on an IPv6 link?

I’m running 1.4-rolling-202106260417

Thanks in advance for all the help you will provide me with.

Please share your configuration.

Have you specified the update-source option for your neighbors?

I didn’t set the update-source before.

Setting it up changes the error log as follows:

Jun 27 20:09:49 dn42-it01 bgpd[998]: [EC 100663299] can't bind socket for fe80::<local address 1> : Invalid argument
Jun 27 20:10:05 dn42-it01 bgpd[998]: [EC 100663299] can't bind socket for fe80::<local address 2> : Invalid argument

Here is the “problematic” neighbors config:

set protocols bgp neighbor fe80::xxxx address-family ipv4-unicast route-map export 'DN42-ROA'
set protocols bgp neighbor fe80::xxxx address-family ipv4-unicast route-map import 'DN42-ROA'
set protocols bgp neighbor fe80::xxxx address-family ipv6-unicast route-map export 'DN42-ROA'
set protocols bgp neighbor fe80::xxxx address-family ipv6-unicast route-map import 'DN42-ROA'
set protocols bgp neighbor fe80::xxxx ebgp-multihop '20'
set protocols bgp neighbor fe80::xxxx remote-as '424242xxxx'
set protocols bgp neighbor fe80::xxxx update-source 'wgxxxx'
set protocols bgp neighbor fe80::yyyy address-family ipv4-unicast route-map export 'DN42-ROA'
set protocols bgp neighbor fe80::yyyy address-family ipv4-unicast route-map import 'DN42-ROA'
set protocols bgp neighbor fe80::yyyy address-family ipv6-unicast route-map export 'DN42-ROA'
set protocols bgp neighbor fe80::yyyy address-family ipv6-unicast route-map import 'DN42-ROA'
set protocols bgp neighbor fe80::yyyy ebgp-multihop '20'
set protocols bgp neighbor fe80::yyyy remote-as '424242yyyy'
set protocols bgp neighbor fe80::yyyy update-source 'wgyyyy'

Ok, for that specific question I noticed that completely removing the ipv6-unicast section from the IPv4 neighbor disables it. I thought it would have been left enabled without any filtering.

It can be this bug T1976

Uhm… well… in this case it was exactly what I wanted… I didn’t know it was a bug of some sort… :sweat_smile:

The real issue is that I can’t make BGP work on link-local IPv6 addresses… :pensive:
I tried setting update-source… nothing
Removed the default link-local address from the interfaces (leaving only the manually configured one)… nothing…

I can ping the link-local address of the peer, but BGP gives me the errors…

Are the BGP peers directly connected? I see ebgp-multihop being configured, which makes no sense for link-local addresses.

The connections between all of my peers are made with WireGuard. A different interface for every peer, of course.

For peers with “non-link-local” addresses I had to set that option to make BGP work.

But you’re right, it makes no sense. I eventually removed the option for link-local peers but nothing changed unfortunately…

Could it be related to this? ⚓ T941 BGP neighbours with IPv6 link-local addresses

How does VyOS figure out on which interface the neighbor’s link-local address is connected?
Can you get around this using a fe80::xxxxx/128 interface route?

Theoretically it should be able to know using the “update-source” property. It contains the interface name.

I already tried (before and after using update-source) to set up a static route but nothing changes.
With the static route set I’m able to ping the peer without using the %interfacename at the end of the address, but on the BGP side the issue persists as before.

I’m really curious to know which is the invalid argument mentioned in the error:

Jun 28 12:09:15 dn42-it01 bgpd[968]: [EC 100663299] can't bind socket for fe80::<my link-local address> : Invalid argument
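
Added example, not part of the original thread or of VyOS/FRR code: on Linux, binding an IPv6 socket to a link-local address fails with EINVAL ("Invalid argument") when the socket address carries no interface scope, which is why ping needs the %interfacename suffix. The thread does not confirm that this is what bgpd runs into; the address fe80::1 and the helper names are constructed for illustration.

```python
import errno
import ipaddress
import socket


def needs_scope(addr):
    """True if addr is link-local, i.e. only unique per interface."""
    return ipaddress.IPv6Address(addr.split("%")[0]).is_link_local


def sockaddr(addr, ifname=None, port=0):
    """AF_INET6 address tuple: (host, port, flowinfo, scope_id)."""
    scope_id = socket.if_nametoindex(ifname) if ifname else 0
    return (addr, port, 0, scope_id)


def try_bind(addr, ifname=None):
    """Return 'OK', the errno name from bind(), or 'NO_IPV6'."""
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return "NO_IPV6"
    with sock:
        try:
            sock.bind(sockaddr(addr, ifname))
            return "OK"
        except OSError as exc:
            return errno.errorcode.get(exc.errno, str(exc.errno))


if __name__ == "__main__":
    local = "fe80::1"  # constructed sample, not an address from the thread
    ifname = socket.if_nameindex()[0][1]  # first interface, usually "lo"
    print("link-local:", needs_scope(local))
    # Without a scope the kernel cannot tell which link is meant.
    print("no scope  :", try_bind(local))
    # With a scope the bind gets past that check; it succeeds only if the
    # address is really configured on that interface.
    print("scope", ifname, ":", try_bind(local, ifname))
```

On Linux the unscoped call returns EINVAL, while the scoped call returns OK or EADDRNOTAVAIL depending on whether the address exists on that interface.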

Hi MaTwolf

Yes, I can reproduce the issue. It is something strange, but I can’t establish BGP IPv6 neighbors with the link-local address:

run show bgp ipv6 neighbors
BGP neighbor is fe80::5200:ff:fe0c:1, remote AS 65005, local AS 65000, external link
  BGP version 4, remote router ID 0.0.0.0, local router ID 2.2.2.2
  BGP state = Active
  Last read 00:11:49, Last write never
  Hold time is 180, keepalive interval is 60 seconds
  Graceful restart information:
    Local GR Mode: Helper*
    Remote GR Mode: NotApplicable
    R bit: False
    Timers:
      Configured Restart Time(sec): 120
      Received Restart Time(sec): 0
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                  0          0
    Notifications:          0          0
    Updates:                0          0
    Keepalives:             0          0
    Route Refresh:          0          0
    Capability:             0          0
    Total:                  0          0
  Minimum time between advertisement runs is 0 seconds
  Update source is fe80::5200:ff:fe07:1

 For address family: IPv6 Unicast
  Not part of any update group
  Community attribute sent to this neighbor(all)
  Inbound path policy configured
  Route map for incoming advertisements is *BGP-IPV6
  0 accepted prefixes

  Connections established 0; dropped 0
  Last reset 00:11:49,  Waiting for peer OPEN
  External BGP neighbor may be up to 2 hops away.
BGP Connect Retry Timer in Seconds: 120
Next connect timer due in 12 seconds
Read thread: off  Write thread: off  FD used: -1

!!!!!!!!!!!!!!!!!!!


Jun 28 12:42:36 vyos-ipv6-pl2 sudo[4993]: pam_unix(sudo:session): session closed for user root
Jun 28 12:42:36 vyos-ipv6-pl2 commit[4996]: Successful change to active configuration by user vyos on /dev/ttyS0
Jun 28 12:42:36 vyos-ipv6-pl2 bgpd[978]: [EC 100663299] can't bind socket for fe80::5200:ff:fe07:1 : Invalid argument
Jun 28 12:44:36 vyos-ipv6-pl2 bgpd[978]: [EC 100663299] can't bind socket for fe80::5200:ff:fe07:1 : Invalid argument
Jun 28 12:46:36 vyos-ipv6-pl2 bgpd[978]: [EC 100663299] can't bind socket for fe80::5200:ff:fe07:1 : Invalid argument
Jun 28 12:48:36 vyos-ipv6-pl2 bgpd[978]: [EC 100663299] can't bind socket for fe80::5200:ff:fe07:1 : Invalid argument

So I created a task to try to solve this behavior:

https://phabricator.vyos.net/T3657


Thanks @fernando !

I think it is a bug… I cannot reproduce the behavior with IPv6 neighbors. Now I have neighbors without section ipv4-unicast configured but they appear within IPv4 neighbors as “NoNeg”.
Activating parameters default no-ipv4-unicast makes no difference.

I have neighbors with IPv6 addresses and no ipv4-unicast section configured who appear within the IPv4 neighbors and neighbors with IPv4 address and no ipv6-unicast section configured which do not appear within the IPv6 neighbors…

But maybe I am doing it wrong…
Which is the right way to disable IPv4/IPv6 protocols for a neighbor without multiprotocol enabled?

Thanks