TTL manipulation when doing SNAT+DNAT for BGPaaS

Bug #1567586 reported by Nischal Sheth
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack | Status tracked in Trunk | | |
R3.0 | Fix Committed | Medium | Divakar Dharanalakota |
R3.1 | Fix Committed | Medium | Divakar Dharanalakota |
R3.2 | Fix Committed | Medium | Divakar Dharanalakota |
Trunk | Fix Committed | Medium | Divakar Dharanalakota |

Bug Description

When doing SNAT+DNAT for bgpaas it would be useful to use a new fixed
TTL value for the forward flow. The client VM typically uses a TTL of 1
for its eBGP session by default - this causes problems if user forgets to
configure multi hop on the bgp session. Note that the client thinks it's
setting up the session to the default GW and DNS server IPs, so it's not
intuitive to use multi hop.

Proposed fix (from Divakar) is to have agent maintain TTL in flow entry
and when Vrouter sees a non-zero TTL, it copies this value to the packet.
The fixed value can be hard coded value like 64 or can be picked up from
net.ipv4.ip_default_ttl sysctl.

There are 2 additional items that would be nice to have:

- If the incoming TTL for the forward flow is 1, then vRouter sets the
outgoing TTL in reverse packet going back to the VM to 1 as well
- If the incoming TTL for the forward flow is 255, then vRouter sets the
outgoing TTL in reverse packet going back to the VM to 255 as well

The second item is useful if the client VM is using GTSM for BGP session.
See https://tools.ietf.org/html/rfc5082.

The first item is just to further the illusion that the bgp server(s) are
directly connected to the client VM.

Tags: bgpaas vrouter
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/19629
Submitter: Divakar Dharanalakota (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/19657
Submitter: Divakar Dharanalakota (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/19946
Submitter: Manish Singh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/19657
Submitter: Divakar Dharanalakota (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/19629
Submitter: Divakar Dharanalakota (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/19657
Submitter: Divakar Dharanalakota (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/20772
Submitter: Manish Singh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/22344
Submitter: Divakar Dharanalakota (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/22344
Committed: http://github.org/Juniper/contrail-vrouter/commit/42bd7ddcf68897f9cede4099052cf162ea396404
Submitter: Zuul
Branch: R3.1

commit 42bd7ddcf68897f9cede4099052cf162ea396404
Author: Divakar <email address hidden>
Date: Fri May 27 15:15:23 2016 +0530

Manipulating the TTL of the Packet

Right now the TTL of the packet is not overwritten by Vrouter. It is
only decremented like a hop, for the required packets. But BGP packets
in VM (due to BGP as service), can come to Vrouter with ttl of 1. In
a multi hop environment, we require this ttl to be more than 1. For this
purpose flow entry is added with another ttl field and if Agent sets
this, vrouter unconditionally sets this ttl in the packet and calculates
the checksum again.

partial-bug: #1567586

Change-Id: I53a192666731f4c3662e3791006dd7294bccf116

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/22696
Submitter: Manish Singh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/22696
Committed: http://github.org/Juniper/contrail-controller/commit/b7cc0d7cd984d89b382b163d5b636a88814288f5
Submitter: Zuul
Branch: R3.1

commit b7cc0d7cd984d89b382b163d5b636a88814288f5
Author: Manish <email address hidden>
Date: Fri May 6 00:51:14 2016 +0530

In BGP service if VM sends TTL 1 session doesn't come up.

If TTL is sent as 1 by VM, modify it to 255 and for reverse keep it at 2.
(Logic for 2 is that vrouter decrements TTL because of routing and hence VM
should get packet back with 1).
If TTL is anything else than 1, then honor it.

Closes-bug: #1567586

Conflicts:
 src/vnsw/agent/pkt/flow_entry.cc
 src/vnsw/agent/pkt/pkt_flow_info.h
 src/vnsw/agent/vrouter/ksync/flowtable_ksync.cc
Change-Id: Ie2f5e5c3513d2e1a1b26d0c47f906a3a70f32abb
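
The two merged changes above, sketched together as an added example (not code from contrail-vrouter or contrail-controller): the agent-side TTL choice from the second commit message and the datapath overwrite with checksum recomputation from the first. The names `ttl_policy`, `choose_ttl`, `ip_hdr_csum` and `apply_flow_ttl` are hypothetical, and the sample header is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-flow rewrite values; 0 means "leave the packet's TTL". */
struct ttl_policy { uint8_t fwd_ttl, rev_ttl; };

/* Agent side, per the commit message: a VM sending TTL 1 gets 255 forward
 * and 2 on the reverse flow (routing decrement delivers 1); else honor it. */
struct ttl_policy choose_ttl(uint8_t vm_ttl)
{
    struct ttl_policy p = {0, 0};
    if (vm_ttl == 1) { p.fwd_ttl = 255; p.rev_ttl = 2; }
    return p;
}

/* IPv4 header checksum: returns 0 when run over a header that is valid. */
uint16_t ip_hdr_csum(const uint8_t *h, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)h[i] << 8) | h[i + 1];
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Datapath side: a non-zero flow TTL overwrites the packet TTL and the
 * header checksum is recomputed. Returns 1 rewritten, 0 untouched, -1 bad. */
int apply_flow_ttl(uint8_t *ip, size_t len, uint8_t flow_ttl)
{
    if (len < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;
    if (flow_ttl == 0) return 0;
    ip[8] = flow_ttl;                 /* TTL field */
    ip[10] = ip[11] = 0;              /* zero checksum before summing */
    uint16_t c = ip_hdr_csum(ip, ihl);
    ip[10] = (uint8_t)(c >> 8); ip[11] = (uint8_t)(c & 0xff);
    return 1;
}

/* Constructed sample: IPv4/TCP header, TTL 1, 10.0.0.3 -> 10.0.0.1. */
uint8_t sample_hdr[20] = {0x45, 0, 0, 0x28, 0, 1, 0x40, 0, 1, 6, 0, 0,
                          10, 0, 0, 3, 10, 0, 0, 1};

int main(void)
{
    int rc = apply_flow_ttl(sample_hdr, 20, choose_ttl(sample_hdr[8]).fwd_ttl);
    printf("rc=%d ttl=%u csum_ok=%d\n", rc, sample_hdr[8], ip_hdr_csum(sample_hdr, 20) == 0);
}
```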

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/22707
Submitter: Divakar Dharanalakota (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/22707
Committed: http://github.org/Juniper/contrail-vrouter/commit/14f0f112496145de880d0c398ff1d7b5d158f1b2
Submitter: Zuul
Branch: master

commit 14f0f112496145de880d0c398ff1d7b5d158f1b2
Author: Divakar <email address hidden>
Date: Fri May 27 15:15:23 2016 +0530

Manipulating the TTL of the Packet

Right now the TTL of the packet is not overwritten by Vrouter. It is
only decremented like a hop, for the required packets. But BGP packets
in VM (due to BGP as service), can come to Vrouter with ttl of 1. In
a multi hop environment, we require this ttl to be more than 1. For this
purpose flow entry is added with another ttl field and if Agent sets
this, vrouter unconditionally sets this ttl in the packet and calculates
the checksum again.

partial-bug: #1567586

Change-Id: I53a192666731f4c3662e3791006dd7294bccf116

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/25561
Submitter: Manish Singh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/25562
Submitter: Manish Singh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/25561
Committed: http://github.org/Juniper/contrail-controller/commit/9512b2b136bba5594f4beda000d834ec56510f7a
Submitter: Zuul
Branch: master

commit 9512b2b136bba5594f4beda000d834ec56510f7a
Author: Manish <email address hidden>
Date: Fri May 6 00:51:14 2016 +0530

In BGP service if VM sends TTL 1 session doesn't come up.

If TTL is sent as 1 by VM, modify it to 255 and for reverse keep it at 2.
(Logic for 2 is that vrouter decrements TTL because of routing and hence VM
should get packet back with 1).
If TTL is anything else than 1, then honor it.

Closes-bug: #1567586

Conflicts:
 src/vnsw/agent/pkt/flow_entry.cc
 src/vnsw/agent/pkt/pkt_flow_info.h
 src/vnsw/agent/vrouter/ksync/flowtable_ksync.cc

(cherry picked from commit b7cc0d7cd984d89b382b163d5b636a88814288f5)

Change-Id: I3f9f148c0bf987346fe8096e8d4d72e29a372b9b

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/25562
Committed: http://github.org/Juniper/contrail-controller/commit/48f5a7d43e201bef3a3d324f6e79248e71792b58
Submitter: Zuul
Branch: R3.2

commit 48f5a7d43e201bef3a3d324f6e79248e71792b58
Author: Manish <email address hidden>
Date: Fri May 6 00:51:14 2016 +0530

In BGP service if VM sends TTL 1 session doesn't come up.

If TTL is sent as 1 by VM, modify it to 255 and for reverse keep it at 2.
(Logic for 2 is that vrouter decrements TTL because of routing and hence VM
should get packet back with 1).
If TTL is anything else than 1, then honor it.

Closes-bug: #1567586

Conflicts:
 src/vnsw/agent/pkt/flow_entry.cc
 src/vnsw/agent/pkt/pkt_flow_info.h
 src/vnsw/agent/vrouter/ksync/flowtable_ksync.cc

(cherry picked from commit b7cc0d7cd984d89b382b163d5b636a88814288f5)

Change-Id: I5f5c634f9a6a6a19d1e7c37427a1b549019fcf6b

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/25815
Submitter: Manish Singh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/25817
Submitter: Divakar Dharanalakota (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/25817
Committed: http://github.org/Juniper/contrail-vrouter/commit/afbd37c8c07e9b1baa87e45f4b21e7bc5a31c5c0
Submitter: Zuul
Branch: R3.0

commit afbd37c8c07e9b1baa87e45f4b21e7bc5a31c5c0
Author: Divakar <email address hidden>
Date: Fri May 27 15:15:23 2016 +0530

Manipulating the TTL of the Packet

Right now the TTL of the packet is not overwritten by Vrouter. It is
only decremented like a hop, for the required packets. But BGP packets
in VM (due to BGP as service), can come to Vrouter with ttl of 1. In
a multi hop environment, we require this ttl to be more than 1. For this
purpose flow entry is added with another ttl field and if Agent sets
this, vrouter unconditionally sets this ttl in the packet and calculates
the checksum again.

Change-Id: I4619e81ad324827e29dc487857020ddd9e429f2c
partial-bug: #1567586

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/25815
Committed: http://github.org/Juniper/contrail-controller/commit/99d28fe2a5feb681125be8280727c22118772b12
Submitter: Zuul
Branch: R3.0

commit 99d28fe2a5feb681125be8280727c22118772b12
Author: Manish <email address hidden>
Date: Fri May 6 00:51:14 2016 +0530

In BGP service if VM sends TTL 1 session doesn't come up.

If TTL is sent as 1 by VM, modify it to 255 and for reverse keep it at 2.
(Logic for 2 is that vrouter decrements TTL because of routing and hence VM
should get packet back with 1).
If TTL is anything else than 1, then honor it.

Closes-bug: #1567586

Conflicts:
 src/vnsw/agent/pkt/flow_entry.cc
 src/vnsw/agent/pkt/pkt_flow_info.h
 src/vnsw/agent/vrouter/ksync/flowtable_ksync.cc

(cherry picked from commit b7cc0d7cd984d89b382b163d5b636a88814288f5)

(cherry picked from commit 48f5a7d43e201bef3a3d324f6e79248e71792b58)

Conflicts:
 src/vnsw/agent/pkt/flow_entry.cc
 src/vnsw/agent/pkt/pkt_flow_info.h
 src/vnsw/agent/vrouter/ksync/flowtable_ksync.cc

Change-Id: I5f5c634f9a6a6a19d1e7c37427a1b549019fcf6b
