[N-D-R] Change neighbor connect mode when the BGP peer does not support passive mode

Bug #2040001 reported by Tiago Pires
This bug affects 4 people
Affects Status Importance Assigned to Milestone
In Progress
Tiago Pires

Bug Description

When using NDR, the speaker's current behavior is to work in ACTIVE mode which will not create a local TCP socket on TCP 179 port.
Therefore, in the switch's BGP session, it needs to be configured as passive.
Operators could have a switch brand that does not follow correctly the RFC 4271 regarding with the BGP FSM (8.2).
When the NDR and the switch has a health BGP session, the Operator could run a maintenance window in the switch or in the NRD and the session could flap and go down for while and on the switch side, the BGP session state can change to IDLE.
According to RFC 4271(8.2.2.), when a BGP session is in IDLE state, it refuses all inbound BGP connection attempts, and starts a TCP connection to the peer(NDR) and NDR will not answer because it is in ACTIVE mode and has no listen port for this. And if the switch correctly follow the RFC regarding BGP passive mode when enabled, it will ignore it and accept the incoming connection from the NDR and the connection will be restablished.
That is definitely a switch-side issue but when having this situation, we could have an NDR option that could create a BGP peer using the connect mode as CONNECT_MODE_BOTH and open the local TCP socket on the TCP 179 port in order to anwser incomming TCP connections.
This sounds like an RFE for me and I would like to hear your thoughts.

Tiago Pires (tiagohp)
description: updated
tags: added: l3-bgp
Revision history for this message
Brian Haley (brian-haley) wrote :


I have a few questions for you.

1) Operators could have a switch brand that does not follow correctly the RFC 4271 regarding with the BGP FSM (8.2)

So are you trying to work-around a non-compliant implementation?

2) Would implementing the change you mention in the last paragraph, would that make NDR non-compliant in some way?

Revision history for this message
Tiago Pires (tiagohp) wrote :


Following the answers:

1) Yes, it is a workaround for switch brands that are non-compliant but it is also a fragility from NDR that does not open the TCP port to answer incoming connection when the peer is in IDLE status

2) I believe no, the Operator would have the option to keep how NDR works nowadays by default without change anything or the Operator could add a configuration option(e.g. bgp_connect_mode = both) to enable and change the behavior

We are testing this internally (in a lab) and we can open an RFE with the proposal.

Revision history for this message
Roberto Bartzen Acosta (rbartzen) wrote :

Hi everyone,

I believe it would be useful to make configurable the two BGP/os_ken parameters related to BGP peer sessions: BGPSpeaker(bgp_server_port) and BGPSpeaker.neighbor_add(connect_mode).

Best regards,

tags: added: rfe
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-specs (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-specs/+/899210

Miguel Lavalle (minsel)
Changed in neutron:
status: New → Triaged
importance: Undecided → Wishlist
assignee: nobody → Tiago Pires (tiagohp)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-dynamic-routing (master)
Changed in neutron:
status: Triaged → In Progress
tags: added: rfe-approved
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.