Using RTR with BMP triggers a RIB-DUMP upon RTR Refresh #17533

Closed
2 tasks done
ichdasich opened this issue Nov 29, 2024 · 45 comments · Fixed by #17586

Description

We are currently running a set (~30) of FRR routers in three ASes that send BMP to a central collector using the following configuration:

bmp mirror buffer-limit 512000000
 !
 bmp targets nlnetlabs
  bmp monitor ipv4 unicast pre-policy
  bmp monitor ipv6 unicast pre-policy
  bmp connect <bmp-host> port 11019 min-retry 1000 max-retry 2000
 exit
exit

We noticed that the BMP host receives +100mbit of inbound traffic from the routers every ~30 minutes. We found that the FRR hosts dump the full RIB at that time, seemingly in sync across ASes.

All FRR hosts are configured to use the same RTR hosts:

rpki
 rpki polling_period 300
 rpki cache <rtr1> 323 preference 3
 rpki cache <rtr2> 323 preference 2
 rpki cache <rtr3> 323 preference 1
exit

When the event starts, the FRR daemons show consistently:

Nov 28 21:54:08 gw01 frrinit.sh[2294]: (2024/11/28 21:54:08:763515): RTR Socket: Serial Notify received (502)
Nov 28 21:54:08 gw01 frrinit.sh[2294]: (2024/11/28 21:54:08:763678): RTR Socket: sending serial query, SN: 501
Nov 28 21:54:08 gw01 frrinit.sh[2294]: (2024/11/28 21:54:08:763896): RTR_MGR: Group(1) status changed to: RTR_MGR_ESTABLISHED
Nov 28 21:54:08 gw01 frrinit.sh[2294]: (2024/11/28 21:54:08:763953): RTR Socket: State: RTR_SYNC
Nov 28 21:54:08 gw01 frrinit.sh[2294]: (2024/11/28 21:54:08:864695): RTR Socket: Cache Response PDU received
Nov 28 21:54:08 gw01 frrinit.sh[2294]: (2024/11/28 21:54:08:899017): RTR Socket: EOD PDU received.
Nov 28 21:54:08 gw01 frrinit.sh[2294]: (2024/11/28 21:54:08:899103): RTR Socket: New interval values: expire_interval:7200, refresh_interval:3600, retry_interval:600
Nov 28 21:54:08 gw01 frrinit.sh[2294]: (2024/11/28 21:54:08:905238): RTR Socket: v4 prefixes added
Nov 28 21:54:08 gw01 frrinit.sh[2294]: (2024/11/28 21:54:08:905395): RTR Socket: v6 prefixes added
Nov 28 21:54:08 gw01 frrinit.sh[2294]: (2024/11/28 21:54:08:905447): RTR Socket: spki data added
Nov 28 21:54:08 gw01 frrinit.sh[2294]: (2024/11/28 21:54:08:905499): RTR Socket: Sync successful, received 382 Prefix PDUs, 0 Router Key PDUs, session_id: 34948, SN: 502
Nov 28 21:54:08 gw01 frrinit.sh[2294]: (2024/11/28 21:54:08:905560): RTR Socket: State: RTR_ESTABLISHED
Nov 28 21:54:08 gw01 frrinit.sh[2294]: (2024/11/28 21:54:08:905634): RTR Socket: waiting 3600 sec. till next sync
Nov 28 21:54:13 gw01 bgpd[2294]: [HKQ2F-8D0MY][EC 100663315] Thread Starvation: {(thread *)0x55a8720a9e20 arg=0x0 timer  r=-4.431     bgp_sync_label_manager() &bm->t_bgp_sync_label_manager from ../bgpd/bgp_labelpool.c:576} was scheduled to pop greater than 4s ago

I would argue that FRR should not repush the whole RIB upon RTR refresh; only changed routes should be sent.

Version

9.1.2

How to reproduce

  • Setup FRR as a full-table eBGP router
  • Connect FRR to an RTR cache that updates itself every N minutes
  • Configure a BMP collector as per the config above in FRR
  • Observe the RIB being dumped upon each RTR update

Expected behavior

Only routes that changed their validation state are sent via BMP.

Actual behavior

The full RIB is dumped, generating notable traffic.

Additional context

No response

Checklist

  • I have searched the open issues for this bug.
  • I have not included sensitive information in this report.
@ichdasich ichdasich added the triage Needs further investigation label Nov 29, 2024
ton31337 (Member) commented Nov 29, 2024

I'm a bit confused what's wrong yet.

Could you show the full config?

Do you have custom compiled version of librtr?

What do you mean dumped (logs saying that)?

@ton31337 ton31337 self-assigned this Nov 29, 2024
ichdasich (Author) commented Nov 30, 2024

> I'm a bit confused what's wrong yet.

Upon an RTR update the router re-sends the full RIB. Causes a bit of traffic:

image

image

BMP has been activated between Week 46 and Week 47

> Could you show the full config?

frr version 9.1.2
frr defaults traditional
hostname gw01
log syslog
log facility local7
service integrated-vtysh-config
!
ipv6 route 2a0c:2f07:9459::b11/128 2a06:d1c3:1::2
!
vrf mgmt
 ipv6 route ::/0 2a0d:8d04:d:2::1
exit-vrf
!
router bgp 215250
 bgp router-id 10.0.0.1
 no bgp default ipv4-unicast
 no bgp network import-check
 neighbor autopeer10 peer-group
 neighbor autopeer10 passive
 neighbor autopeer10 local-role peer
 neighbor autopeer10 capability extended-nexthop
 neighbor autopeer100 peer-group
 neighbor autopeer100 passive
 neighbor autopeer100 local-role peer
 neighbor autopeer100 capability extended-nexthop
 neighbor autopeer1000 peer-group
 neighbor autopeer1000 passive
 neighbor autopeer1000 local-role peer
 neighbor autopeer1000 capability extended-nexthop
 neighbor autopeer10000 peer-group
 neighbor autopeer10000 passive
 neighbor autopeer10000 local-role peer
 neighbor autopeer10000 capability extended-nexthop
 neighbor autopeer100000 peer-group
 neighbor autopeer100000 passive
 neighbor autopeer100000 local-role peer
 neighbor autopeer100000 capability extended-nexthop
 neighbor autopeer1000000 peer-group
 neighbor autopeer1000000 passive
 neighbor autopeer1000000 local-role peer
 neighbor autopeer1000000 capability extended-nexthop
 neighbor autors10 peer-group
 neighbor autors10 local-role rs-client
 neighbor autors10 capability extended-nexthop
 neighbor autors100 peer-group
 neighbor autors100 local-role rs-client
 neighbor autors100 capability extended-nexthop
 neighbor autors1000 peer-group
 neighbor autors1000 local-role rs-client
 neighbor autors1000 capability extended-nexthop
 neighbor ebgp peer-group
 neighbor ebgp local-role customer
 neighbor ebgp capability extended-nexthop
 neighbor ibgp-dist-v6 peer-group
 neighbor ibgp-dist-v6 remote-as internal
 neighbor ibgp-dist-v6 update-source 2a06:d1c3::1
 neighbor ibgp-dist-v6 capability extended-nexthop
 neighbor ibgp-ll-enh peer-group
 neighbor ibgp-ll-enh local-as 64601 no-prepend replace-as
 neighbor ibgp-ll-enh capability extended-nexthop
 neighbor lookingglass peer-group
 neighbor lookingglass ebgp-multihop 64
 neighbor lookingglass local-role provider
 neighbor lookingglass capability extended-nexthop
 neighbor 2a06:d1c3:1::2 remote-as 59645
 neighbor 2a06:d1c3:1::2 peer-group ebgp
 neighbor 2a06:d1c3::2 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::3 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::4 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::5 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::6 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::7 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::8 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::9 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::a peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::b peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::c peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::11 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::12 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::13 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::14 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::21 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::51 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::61 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3::71 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3:2:4::1 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3:4:4::1 peer-group ibgp-dist-v6
 neighbor 2a06:d1c3:1:2::2 remote-as 64611
 neighbor 2a06:d1c3:1:2::2 peer-group ibgp-ll-enh
 neighbor 2a06:d1c3:1:2::2 update-source 2a06:d1c3:1:2::1
 neighbor 2a06:d1c3:1:3::2 remote-as 64602
 neighbor 2a06:d1c3:1:3::2 peer-group ibgp-ll-enh
 neighbor 2a06:d1c3:1:3::2 update-source 2a06:d1c3:1:3::1
 neighbor 2a06:d1c3:1:9::2 remote-as 64621
 neighbor 2a06:d1c3:1:9::2 peer-group ibgp-ll-enh
 neighbor 2a06:d1c3:1:9::2 update-source 2a06:d1c3:1:9::1
 neighbor 2a06:d1c3:1:c::2 remote-as 64605
 neighbor 2a06:d1c3:1:c::2 peer-group ibgp-ll-enh
 neighbor 2a06:d1c3:1:c::2 update-source 2a06:d1c3:1:c::1
 neighbor 2a06:d1c3:1:d::2 remote-as 64606
 neighbor 2a06:d1c3:1:d::2 peer-group ibgp-ll-enh
 neighbor 2a06:d1c3:1:d::2 update-source 2a06:d1c3:1:d::1
 neighbor 2a06:d1c3:1:e::2 remote-as 64607
 neighbor 2a06:d1c3:1:e::2 peer-group ibgp-ll-enh
 neighbor 2a06:d1c3:1:e::2 update-source 2a06:d1c3:1:e::1
 neighbor 2a06:d1c3:1:f::2 remote-as 64608
 neighbor 2a06:d1c3:1:f::2 peer-group ibgp-ll-enh
 neighbor 2a06:d1c3:1:f::2 update-source 2a06:d1c3:1:f::1
 neighbor 2a06:d1c3:1:10::2 remote-as 64609
 neighbor 2a06:d1c3:1:10::2 peer-group ibgp-ll-enh
 neighbor 2a06:d1c3:1:10::2 update-source 2a06:d1c3:1:10::1
 neighbor 2a06:d1c3:1:11::2 remote-as 64900
 neighbor 2a06:d1c3:1:11::2 peer-group ibgp-ll-enh
 neighbor 2a06:d1c3:1:11::2 update-source 2a06:d1c3:1:11::1
 neighbor 2a06:d1c3:1:12::2 remote-as 64901
 neighbor 2a06:d1c3:1:12::2 peer-group ibgp-ll-enh
 neighbor 2a06:d1c3:1:12::2 update-source 2a06:d1c3:1:12::1
 neighbor 2a06:d1c3:1:13::2 remote-as 64902
 neighbor 2a06:d1c3:1:13::2 peer-group ibgp-ll-enh
 neighbor 2a06:d1c3:1:13::2 update-source 2a06:d1c3:1:13::1
 neighbor 2a0c:2f07:9459::b11 remote-as 212232
 neighbor 2a0c:2f07:9459::b11 peer-group lookingglass
 !
 address-family ipv4 unicast
  neighbor autopeer10 activate
  neighbor autopeer10 soft-reconfiguration inbound
  neighbor autopeer10 maximum-prefix 10
  neighbor autopeer10 route-map EBGP-AUTO-IN-v4 in
  neighbor autopeer10 route-map EBGP-OUT-v4 out
  neighbor autopeer100 activate
  neighbor autopeer100 soft-reconfiguration inbound
  neighbor autopeer100 maximum-prefix 100
  neighbor autopeer100 route-map EBGP-AUTO-IN-v4 in
  neighbor autopeer100 route-map EBGP-OUT-v4 out
  neighbor autopeer1000 activate
  neighbor autopeer1000 soft-reconfiguration inbound
  neighbor autopeer1000 maximum-prefix 1000
  neighbor autopeer1000 route-map EBGP-AUTO-IN-v4 in
  neighbor autopeer1000 route-map EBGP-OUT-v4 out
  neighbor autopeer10000 activate
  neighbor autopeer10000 soft-reconfiguration inbound
  neighbor autopeer10000 maximum-prefix 10000
  neighbor autopeer10000 route-map EBGP-AUTO-IN-v4 in
  neighbor autopeer10000 route-map EBGP-OUT-v4 out
  neighbor autopeer100000 activate
  neighbor autopeer100000 soft-reconfiguration inbound
  neighbor autopeer100000 maximum-prefix 100000
  neighbor autopeer100000 route-map EBGP-AUTO-IN-v4 in
  neighbor autopeer100000 route-map EBGP-OUT-v4 out
  neighbor autopeer1000000 activate
  neighbor autopeer1000000 soft-reconfiguration inbound
  neighbor autopeer1000000 maximum-prefix 1000000
  neighbor autopeer1000000 route-map EBGP-AUTO-IN-v4 in
  neighbor autopeer1000000 route-map EBGP-OUT-v4 out
  neighbor autors10 activate
  neighbor autors10 soft-reconfiguration inbound
  neighbor autors10 maximum-prefix 10
  neighbor autors10 route-map EBGP-AUTO-IN-v4 in
  neighbor autors10 route-map EBGP-OUT-v4 out
  neighbor autors100 activate
  neighbor autors100 soft-reconfiguration inbound
  neighbor autors100 maximum-prefix 100
  neighbor autors100 route-map EBGP-AUTO-IN-v4 in
  neighbor autors100 route-map EBGP-OUT-v4 out
  neighbor autors1000 activate
  neighbor autors1000 soft-reconfiguration inbound
  neighbor autors1000 maximum-prefix 1000
  neighbor autors1000 route-map EBGP-AUTO-IN-v4 in
  neighbor autors1000 route-map EBGP-OUT-v4 out
  neighbor ebgp activate
  neighbor ebgp soft-reconfiguration inbound
  neighbor ebgp route-map EBGP-IN-v4 in
  neighbor ebgp route-map EBGP-OUT-v4 out
  neighbor ibgp-dist-v6 activate
  neighbor ibgp-dist-v6 soft-reconfiguration inbound
  neighbor ibgp-ll-enh activate
  neighbor ibgp-ll-enh soft-reconfiguration inbound
  neighbor ibgp-ll-enh route-map IBGP-LL in
  neighbor ibgp-ll-enh route-map IBGP-LL out
  neighbor lookingglass activate
  neighbor lookingglass soft-reconfiguration inbound
  neighbor lookingglass route-map EBGP-LG-IN in
  neighbor lookingglass route-map EBGP-LG-OUT out
 exit-address-family
 !
 address-family ipv6 unicast
  network 2a06:d1c3::1/128 route-map RM-2a06-d1c3-K-1-128-LCOM
  network 2a06:d1c3:1::/64 route-map RM-2a06-d1c3-1-K-64-LCOM
  network 2a06:d1c3:1:2::/64 route-map RM-2a06-d1c3-1-2-K-64-LCOM
  network 2a06:d1c3:1:3::/64 route-map RM-2a06-d1c3-1-3-K-64-LCOM
  network 2a06:d1c3:1:9::/64 route-map RM-2a06-d1c3-1-9-K-64-LCOM
  network 2a06:d1c3:1:c::/64 route-map RM-2a06-d1c3-1-c-K-64-LCOM
  network 2a06:d1c3:1:d::/64 route-map RM-2a06-d1c3-1-d-K-64-LCOM
  network 2a06:d1c3:1:e::/64 route-map RM-2a06-d1c3-1-e-K-64-LCOM
  network 2a06:d1c3:1:f::/64 route-map RM-2a06-d1c3-1-f-K-64-LCOM
  network 2a06:d1c3:1:10::/64 route-map RM-2a06-d1c3-1-10-K-64-LCOM
  network 2a06:d1c3:1:11::/64 route-map RM-2a06-d1c3-1-11-K-64-LCOM
  network 2a06:d1c3:1:12::/64 route-map RM-2a06-d1c3-1-12-K-64-LCOM
  network 2a06:d1c3:1:13::/64 route-map RM-2a06-d1c3-1-13-K-64-LCOM
  neighbor autopeer10 activate
  neighbor autopeer10 soft-reconfiguration inbound
  neighbor autopeer10 maximum-prefix 10
  neighbor autopeer10 route-map EBGP-AUTO-IN-v6 in
  neighbor autopeer10 route-map EBGP-OUT-v6 out
  neighbor autopeer100 activate
  neighbor autopeer100 soft-reconfiguration inbound
  neighbor autopeer100 maximum-prefix 100
  neighbor autopeer100 route-map EBGP-AUTO-IN-v6 in
  neighbor autopeer100 route-map EBGP-OUT-v6 out
  neighbor autopeer1000 activate
  neighbor autopeer1000 soft-reconfiguration inbound
  neighbor autopeer1000 maximum-prefix 1000
  neighbor autopeer1000 route-map EBGP-AUTO-IN-v6 in
  neighbor autopeer1000 route-map EBGP-OUT-v6 out
  neighbor autopeer10000 activate
  neighbor autopeer10000 soft-reconfiguration inbound
  neighbor autopeer10000 maximum-prefix 10000
  neighbor autopeer10000 route-map EBGP-AUTO-IN-v6 in
  neighbor autopeer10000 route-map EBGP-OUT-v6 out
  neighbor autopeer100000 activate
  neighbor autopeer100000 soft-reconfiguration inbound
  neighbor autopeer100000 maximum-prefix 100000
  neighbor autopeer100000 route-map EBGP-AUTO-IN-v6 in
  neighbor autopeer100000 route-map EBGP-OUT-v6 out
  neighbor autopeer1000000 activate
  neighbor autopeer1000000 soft-reconfiguration inbound
  neighbor autopeer1000000 maximum-prefix 1000000
  neighbor autopeer1000000 route-map EBGP-AUTO-IN-v6 in
  neighbor autopeer1000000 route-map EBGP-OUT-v6 out
  neighbor autors10 activate
  neighbor autors10 soft-reconfiguration inbound
  neighbor autors10 maximum-prefix 10
  neighbor autors10 route-map EBGP-AUTO-IN-v6 in
  neighbor autors10 route-map EBGP-OUT-v6 out
  neighbor autors100 activate
  neighbor autors100 soft-reconfiguration inbound
  neighbor autors100 maximum-prefix 100
  neighbor autors100 route-map EBGP-AUTO-IN-v6 in
  neighbor autors100 route-map EBGP-OUT-v6 out
  neighbor autors1000 activate
  neighbor autors1000 soft-reconfiguration inbound
  neighbor autors1000 maximum-prefix 1000
  neighbor autors1000 route-map EBGP-AUTO-IN-v6 in
  neighbor autors1000 route-map EBGP-OUT-v6 out
  neighbor ebgp activate
  neighbor ebgp soft-reconfiguration inbound
  neighbor ebgp route-map EBGP-IN-v6 in
  neighbor ebgp route-map EBGP-OUT-v6 out
  neighbor ibgp-dist-v6 activate
  neighbor ibgp-dist-v6 soft-reconfiguration inbound
  neighbor ibgp-dist-v6 route-map IBGP-DIST-IN in
  neighbor ibgp-dist-v6 route-map IBGP-DIST-OUT out
  neighbor ibgp-ll-enh activate
  neighbor ibgp-ll-enh soft-reconfiguration inbound
  neighbor ibgp-ll-enh route-map IBGP-LL in
  neighbor ibgp-ll-enh route-map IBGP-LL out
  neighbor lookingglass activate
  neighbor lookingglass soft-reconfiguration inbound
  neighbor lookingglass route-map EBGP-LG-IN in
  neighbor lookingglass route-map EBGP-LG-OUT out
 exit-address-family
 !
 bmp mirror buffer-limit 512000000
 !
 bmp targets nlnetlabs
  bmp monitor ipv4 unicast pre-policy
  bmp monitor ipv6 unicast pre-policy
  bmp connect 2a06:d1c0:dead:2:195:191:197:177 port 11019 min-retry 1000 max-retry 2000
 exit
exit
!
ip prefix-list AS215250-CONE-NETWORKS description IPv4 Networks AS215250 Cone
ip prefix-list AS215250-CONE-NETWORKS seq 1 permit 45.91.12.0/24
ip prefix-list AS215250-CONE-NETWORKS seq 2 permit 193.31.54.0/24
ip prefix-list AS215250-CONE-NETWORKS seq 3 permit 193.31.55.0/24
ip prefix-list AS215250-CONE-NETWORKS seq 999 deny 0.0.0.0/0 le 32
ip prefix-list AS215250-CONE-NETWORKS-INV description IPv4 Networks AS215250 Cone
ip prefix-list AS215250-CONE-NETWORKS-INV seq 1 deny 45.91.12.0/24
ip prefix-list AS215250-CONE-NETWORKS-INV seq 2 deny 193.31.54.0/24
ip prefix-list AS215250-CONE-NETWORKS-INV seq 3 deny 193.31.55.0/24
ip prefix-list AS215250-CONE-NETWORKS-INV seq 999 permit 0.0.0.0/0 le 32
ip prefix-list AS215250-NETWORKS description IPv4 Networks AS215250
ip prefix-list AS215250-NETWORKS seq 1 permit 45.91.12.0/24
ip prefix-list AS215250-NETWORKS seq 2 permit 193.31.54.0/24
ip prefix-list AS215250-NETWORKS seq 3 permit 193.31.55.0/24
ip prefix-list AS215250-NETWORKS seq 999 deny 0.0.0.0/0 le 32
ip prefix-list AS215250-NETWORKS-INV description IPv4 Networks AS215250
ip prefix-list AS215250-NETWORKS-INV seq 1 deny 45.91.12.0/24
ip prefix-list AS215250-NETWORKS-INV seq 2 deny 193.31.54.0/24
ip prefix-list AS215250-NETWORKS-INV seq 3 deny 193.31.55.0/24
ip prefix-list AS215250-NETWORKS-INV seq 999 permit 0.0.0.0/0 le 32
ip prefix-list BOGONS seq 10 deny 0.0.0.0/8 le 32
ip prefix-list BOGONS seq 11 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS seq 12 deny 100.64.0.0/10 le 32
ip prefix-list BOGONS seq 13 deny 127.0.0.0/8 le 32
ip prefix-list BOGONS seq 14 deny 172.16.0.0/12 le 32
ip prefix-list BOGONS seq 15 deny 192.0.2.0/24 le 32
ip prefix-list BOGONS seq 16 deny 192.88.99.0/24 le 32
ip prefix-list BOGONS seq 17 deny 192.168.0.0/16 le 32
ip prefix-list BOGONS seq 18 deny 198.18.0.0/15 le 32
ip prefix-list BOGONS seq 19 deny 198.51.100.0/24 le 32
ip prefix-list BOGONS seq 20 deny 203.0.113.0/24 le 32
ip prefix-list BOGONS seq 21 deny 224.0.0.0/4 le 32
ip prefix-list BOGONS seq 22 deny 240.0.0.0/4 le 32
ip prefix-list DEFROUTE description Allow v4 Default Route
ip prefix-list DEFROUTE seq 10 permit 0.0.0.0/0
ip prefix-list GRT description IPv4 Prefix list matching longest/shortest prefixes
ip prefix-list GRT seq 10 permit 0.0.0.0/0 ge 8 le 24
ip prefix-list LOOPBACK description IPv4 Loopback/Link Prefixes
ip prefix-list LOOPBACK seq 1 permit 10.0.0.1/32
!
ipv6 prefix-list AS215250-CONE-NETWORKS description IPv6 Networks AS215250 Cone
ipv6 prefix-list AS215250-CONE-NETWORKS seq 1 permit 2a06:d1c3::/32
ipv6 prefix-list AS215250-CONE-NETWORKS seq 999 deny ::/0 le 128
ipv6 prefix-list AS215250-CONE-NETWORKS-INV description IPv6 Networks AS215250 Cone
ipv6 prefix-list AS215250-CONE-NETWORKS-INV seq 1 deny 2a06:d1c3::/32
ipv6 prefix-list AS215250-CONE-NETWORKS-INV seq 999 permit ::/0 le 128
ipv6 prefix-list AS215250-NETWORKS description IPv6 Networks AS215250
ipv6 prefix-list AS215250-NETWORKS seq 1 permit 2a06:d1c3::/32
ipv6 prefix-list AS215250-NETWORKS seq 999 deny ::/0 le 128
ipv6 prefix-list AS215250-NETWORKS-INV description IPv6 Networks AS215250
ipv6 prefix-list AS215250-NETWORKS-INV seq 1 deny 2a06:d1c3::/32
ipv6 prefix-list AS215250-NETWORKS-INV seq 999 permit ::/0 le 128
ipv6 prefix-list BOGONS seq 10 deny ::/8 le 128
ipv6 prefix-list BOGONS seq 11 deny 100::/64 le 128
ipv6 prefix-list BOGONS seq 12 deny 2001:2::/48 le 128
ipv6 prefix-list BOGONS seq 13 deny 2001:10::/28 le 128
ipv6 prefix-list BOGONS seq 14 deny 2001:db8::/32 le 128
ipv6 prefix-list BOGONS seq 15 deny 2002::/16 le 128
ipv6 prefix-list BOGONS seq 16 deny 3ffe::/16 le 128
ipv6 prefix-list BOGONS seq 17 deny fc00::/7 le 128
ipv6 prefix-list BOGONS seq 18 deny fe80::/10 le 128
ipv6 prefix-list BOGONS seq 19 deny fec0::/10 le 128
ipv6 prefix-list BOGONS seq 20 deny ff00::/8 le 128
ipv6 prefix-list DEFROUTE description Allow v6 Default Route
ipv6 prefix-list DEFROUTE seq 10 permit ::/0
ipv6 prefix-list GRT description IPv6 Prefix list matching lonest/shortest prefixes
ipv6 prefix-list GRT seq 10 permit ::/0 ge 16 le 48
ipv6 prefix-list LOOPBACK description IPv6 Loopback/Link Prefixes
ipv6 prefix-list LOOPBACK seq 1 permit 2a06:d1c3::1/128
ipv6 prefix-list LOOPBACK seq 2 permit 2a06:d1c3:1::/64
ipv6 prefix-list LOOPBACK seq 3 permit 2a06:d1c3:1:2::/64
ipv6 prefix-list LOOPBACK seq 4 permit 2a06:d1c3:1:3::/64
ipv6 prefix-list LOOPBACK seq 5 permit 2a06:d1c3:1:9::/64
ipv6 prefix-list LOOPBACK seq 6 permit 2a06:d1c3:1:c::/64
ipv6 prefix-list LOOPBACK seq 7 permit 2a06:d1c3:1:d::/64
ipv6 prefix-list LOOPBACK seq 8 permit 2a06:d1c3:1:e::/64
ipv6 prefix-list LOOPBACK seq 9 permit 2a06:d1c3:1:f::/64
ipv6 prefix-list LOOPBACK seq 10 permit 2a06:d1c3:1:10::/64
ipv6 prefix-list LOOPBACK seq 11 permit 2a06:d1c3:1:11::/64
ipv6 prefix-list LOOPBACK seq 12 permit 2a06:d1c3:1:12::/64
ipv6 prefix-list LOOPBACK seq 13 permit 2a06:d1c3:1:13::/64
!
bgp as-path access-list AS211286 seq 1 permit ^211286$
bgp as-path access-list AS211286 seq 2 permit ^59645 211286$
bgp as-path access-list NOTAS211286 seq 1 permit 211286
!
bgp community-list expanded SELFCOMMUNITY seq 1 permit 215250:.*
bgp large-community-list expanded COM-LST-ANNOUNCE-TO-EXT seq 1 permit 215250:1:1
bgp large-community-list expanded COM-LST-NO-ANNOUNCE-TO-EXT seq 1 permit 215250:0:0
bgp large-community-list expanded IBGP seq 1 deny 215250:0:1
bgp large-community-list expanded IBGP seq 2 permit 215250:0:.*
bgp large-community-list expanded IBGP seq 3 permit 215250:0:0
bgp large-community-list expanded IBGP seq 4 permit 215250:1:1
bgp large-community-list expanded IBGP seq 5 permit 215250:1:.*
bgp large-community-list expanded IBGP seq 6 permit 215250:100:.*
bgp large-community-list expanded IBGP seq 7 permit 215250:101:.*
bgp large-community-list expanded IBGP seq 8 permit 215250:102:.*
bgp large-community-list expanded IBGP seq 9 permit 215250:103:.*
bgp large-community-list expanded IBGP seq 10 permit 215250:104:.*
bgp large-community-list expanded IBGP seq 999 deny 215250:.*:.*
bgp large-community-list expanded IBGP-PREPEND-1 seq 102 deny 215250:101:20[0-9][02-9]
bgp large-community-list expanded IBGP-PREPEND-1 seq 103 deny 215250:101:21[0-9][02-9]
bgp large-community-list expanded IBGP-PREPEND-1 seq 104 deny 215250:101:20[02-9]1
bgp large-community-list expanded IBGP-PREPEND-1 seq 201 permit 215250:101:2015
bgp large-community-list expanded IBGP-PREPEND-1 seq 999 deny 215250:.*:.*
bgp large-community-list expanded IBGP-PREPEND-2 seq 101 deny 215250:101:2015
bgp large-community-list expanded IBGP-PREPEND-2 seq 202 permit 215250:101:20[0-9][02-9]
bgp large-community-list expanded IBGP-PREPEND-2 seq 203 permit 215250:101:21[0-9][02-9]
bgp large-community-list expanded IBGP-PREPEND-2 seq 204 permit 215250:101:20[02-9]1
bgp large-community-list expanded IBGP-PREPEND-2 seq 999 deny 215250:.*:.*
bgp large-community-list expanded IBGP-PREPEND-3 seq 101 deny 215250:101:2015
bgp large-community-list expanded IBGP-PREPEND-3 seq 102 deny 215250:101:20[0-9][02-9]
bgp large-community-list expanded IBGP-PREPEND-3 seq 103 deny 215250:101:21[0-9][02-9]
bgp large-community-list expanded IBGP-PREPEND-3 seq 104 deny 215250:101:20[02-9]1
bgp large-community-list expanded IBGP-PREPEND-3 seq 999 deny 215250:.*:.*
bgp large-community-list expanded IBGP-PREPEND-4 seq 101 deny 215250:101:2015
bgp large-community-list expanded IBGP-PREPEND-4 seq 102 deny 215250:101:20[0-9][02-9]
bgp large-community-list expanded IBGP-PREPEND-4 seq 103 deny 215250:101:21[0-9][02-9]
bgp large-community-list expanded IBGP-PREPEND-4 seq 104 deny 215250:101:20[02-9]1
bgp large-community-list expanded IBGP-PREPEND-4 seq 999 deny 215250:.*:.*
bgp large-community-list expanded IBGP-PREPEND-5 seq 101 deny 215250:101:2015
bgp large-community-list expanded IBGP-PREPEND-5 seq 102 deny 215250:101:20[0-9][02-9]
bgp large-community-list expanded IBGP-PREPEND-5 seq 103 deny 215250:101:21[0-9][02-9]
bgp large-community-list expanded IBGP-PREPEND-5 seq 104 deny 215250:101:20[02-9]1
bgp large-community-list expanded IBGP-PREPEND-5 seq 999 deny 215250:.*:.*
bgp large-community-list expanded LOOPBACK seq 1 permit 215250:0:1
bgp large-community-list expanded LOOPBACK seq 999 deny 215250:.*:.*
bgp large-community-list expanded LOOPBACK-NOREDIST seq 1 permit 64601:0:0
bgp large-community-list expanded SELFLARGECOMMUNITY seq 1 permit 215250:0:0
bgp large-community-list expanded SELFLARGECOMMUNITY seq 2 permit 215250:1:*
bgp large-community-list expanded SELFLARGECOMMUNITY seq 3 deny 215250:0:*
bgp large-community-list expanded SELFLARGECOMMUNITY seq 4 permit 215250:.*:.*
!
route-map EBGP-AUTO-IN-v4 permit 1
 on-match next
 set large-comm-list SELFLARGECOMMUNITY delete
exit
!
route-map EBGP-AUTO-IN-v4 permit 2
 on-match next
 set comm-list SELFCOMMUNITY delete
exit
!
route-map EBGP-AUTO-IN-v4 deny 10
 match ip address prefix-list BOGONS
exit
!
route-map EBGP-AUTO-IN-v4 deny 40
 match ip address prefix-list AS215250-NETWORKS
exit
!
route-map EBGP-AUTO-IN-v4 deny 50
 match rpki invalid
exit
!
route-map EBGP-AUTO-IN-v4 permit 60
 match ip address prefix-list GRT
 set large-community 215250:101:201 215250:101:2011 additive
 set local-preference 200
exit
!
route-map EBGP-AUTO-IN-v4 deny 999
exit
!
route-map EBGP-AUTO-IN-v6 permit 1
 on-match next
 set large-comm-list SELFLARGECOMMUNITY delete
exit
!
route-map EBGP-AUTO-IN-v6 permit 2
 on-match next
 set comm-list SELFCOMMUNITY delete
exit
!
route-map EBGP-AUTO-IN-v6 deny 10
 match ipv6 address prefix-list BOGONS
exit
!
route-map EBGP-AUTO-IN-v6 permit 29
 on-match next
exit
!
route-map EBGP-AUTO-IN-v6 deny 40
 match ipv6 address prefix-list AS215250-NETWORKS
exit
!
route-map EBGP-AUTO-IN-v6 deny 50
 match rpki invalid
exit
!
route-map EBGP-AUTO-IN-v6 permit 58
 match as-path AS211286
 match ipv6 address prefix-list GRT
 set large-community 215250:101:201 215250:101:2011 additive
 set local-preference 300
exit
!
route-map EBGP-AUTO-IN-v6 deny 59
 match as-path NOTAS211286
exit
!
route-map EBGP-AUTO-IN-v6 permit 60
 match ipv6 address prefix-list GRT
 set large-community 215250:101:201 215250:101:2011 additive
 set local-preference 200
exit
!
route-map EBGP-AUTO-IN-v6 deny 999
exit
!
route-map EBGP-IN-v4 permit 1
 on-match next
 set large-comm-list SELFLARGECOMMUNITY delete
exit
!
route-map EBGP-IN-v4 permit 2
 on-match next
 set comm-list SELFCOMMUNITY delete
exit
route-map EBGP-IN-v4 deny 10
 match ip address prefix-list BOGONS
exit
!
route-map EBGP-IN-v4 deny 40
 match ip address prefix-list AS215250-NETWORKS
exit
!
route-map EBGP-IN-v4 deny 50
 match rpki invalid
exit
!
route-map EBGP-IN-v4 permit 60
 match ip address prefix-list DEFROUTE
 set large-community 215250:100:201 215250:100:2011 additive
exit
!
route-map EBGP-IN-v4 permit 61
 match ip address prefix-list GRT
 set large-community 215250:100:201 215250:100:2011 additive
 set local-preference 400
exit
!
route-map EBGP-IN-v4 deny 999
exit
!
route-map EBGP-IN-v6 permit 1
 on-match next
 set large-comm-list SELFLARGECOMMUNITY delete
exit
!
route-map EBGP-IN-v6 permit 2
 on-match next
 set comm-list SELFCOMMUNITY delete
exit
!
route-map EBGP-IN-v6 deny 10
 match ipv6 address prefix-list BOGONS
exit
!
route-map EBGP-IN-v6 permit 29
 on-match next
exit
!
route-map EBGP-IN-v6 deny 40
 match ipv6 address prefix-list AS215250-NETWORKS
exit
!
route-map EBGP-IN-v6 deny 50
 match rpki invalid
exit
!
route-map EBGP-IN-v6 permit 60
 match ipv6 address prefix-list DEFROUTE
 set large-community 215250:100:201 215250:100:2011 additive
exit
!
route-map EBGP-IN-v6 permit 61
 match ipv6 address prefix-list GRT
 set large-community 215250:100:201 215250:100:2011 additive
 set local-preference 400
exit
!
route-map EBGP-IN-v6 deny 999
exit
!
route-map EBGP-LG-IN deny 999
exit
!
route-map EBGP-LG-OUT deny 1
 match large-community COM-LST-NO-ANNOUNCE-TO-EXT
exit
!
route-map EBGP-LG-OUT permit 21
 match ip address prefix-list GRT
exit
!
route-map EBGP-LG-OUT permit 22
 match ipv6 address prefix-list GRT
exit
!
route-map EBGP-LG-OUT deny 999
exit
!
route-map EBGP-OUT-v4 deny 1
 match large-community COM-LST-NO-ANNOUNCE-TO-EXT
exit
!
route-map EBGP-OUT-v4 deny 11
 match ip address prefix-list AS215250-CONE-NETWORKS-INV
exit
!
route-map EBGP-OUT-v4 permit 21
 match large-community COM-LST-ANNOUNCE-TO-EXT
exit
!
route-map EBGP-OUT-v4 deny 999
exit
!
route-map EBGP-OUT-v6 deny 1
 match large-community COM-LST-NO-ANNOUNCE-TO-EXT
exit
!
route-map EBGP-OUT-v6 deny 11
 match ipv6 address prefix-list AS215250-CONE-NETWORKS-INV
exit
!
route-map EBGP-OUT-v6 permit 21
 match large-community COM-LST-ANNOUNCE-TO-EXT
exit
!
route-map EBGP-OUT-v6 deny 999
exit
!
route-map IBGP-DIST-IN permit 1
 match large-community IBGP-PREPEND-1
 on-match goto 20
 set as-path prepend 215250
exit
!
route-map IBGP-DIST-IN permit 2
 match large-community IBGP-PREPEND-2
 on-match goto 20
 set as-path prepend 215250 215250
exit
!
route-map IBGP-DIST-IN permit 3
 match large-community IBGP-PREPEND-3
 on-match goto 20
 set as-path prepend 215250 215250 215250
exit
!
route-map IBGP-DIST-IN permit 4
 match large-community IBGP-PREPEND-4
 on-match goto 20
 set as-path prepend 215250 215250 215250 215250
exit
!
route-map IBGP-DIST-IN permit 5
 match large-community IBGP-PREPEND-5
 on-match goto 20
 set as-path prepend 215250 215250 215250 215250 215250
exit
!
route-map IBGP-DIST-IN permit 20
 match large-community IBGP
exit
!
route-map IBGP-DIST-IN deny 999
exit
!
route-map IBGP-DIST-OUT permit 20
 match large-community IBGP
exit
!
route-map IBGP-DIST-OUT deny 999
exit
!
route-map IBGP-LL permit 20
 match large-community LOOPBACK
exit
!
route-map IBGP-LL permit 21
 match ip address prefix-list LOOPBACK
 set large-community 215250:0:1 additive
exit
!
route-map IBGP-LL permit 22
 match ipv6 address prefix-list LOOPBACK
 set large-community 215250:0:1 additive
exit
!
route-map IBGP-LL deny 999
exit
!
route-map RM-2a06-d1c3-1-2-K-64-LCOM permit 1
 set large-community 215250:0:1 additive
exit
!
route-map RM-2a06-d1c3-1-3-K-64-LCOM permit 1
 set large-community 215250:0:1 additive
exit
!
route-map RM-2a06-d1c3-1-9-K-64-LCOM permit 1
 set large-community 215250:0:1 additive
exit
!
route-map RM-2a06-d1c3-1-10-K-64-LCOM permit 1
 set large-community 215250:0:1 additive
exit
!
route-map RM-2a06-d1c3-1-11-K-64-LCOM permit 1
 set large-community 215250:0:1 additive
exit
!
route-map RM-2a06-d1c3-1-12-K-64-LCOM permit 1
 set large-community 215250:0:1 additive
exit
!
route-map RM-2a06-d1c3-1-13-K-64-LCOM permit 1
 set large-community 215250:0:1 additive
exit
!
route-map RM-2a06-d1c3-1-c-K-64-LCOM permit 1
 set large-community 215250:0:1 additive
exit
!
route-map RM-2a06-d1c3-1-d-K-64-LCOM permit 1
 set large-community 215250:0:1 additive
exit
!
route-map RM-2a06-d1c3-1-e-K-64-LCOM permit 1
 set large-community 215250:0:1 additive
exit
!
route-map RM-2a06-d1c3-1-f-K-64-LCOM permit 1
 set large-community 215250:0:1 additive
exit
!
route-map RM-2a06-d1c3-1-K-64-LCOM permit 1
 set large-community 215250:0:1 additive
exit
!
route-map RM-2a06-d1c3-K-1-128-LCOM permit 1
 set large-community 215250:0:1 additive
exit
!
rpki
 rpki polling_period 300
 rpki cache 2a06:d1c0:deac:1:193:104:168:153 323 preference 3
 rpki cache 2a06:d1c0:dead:1:195:191:197:8 323 preference 2
 rpki cache 2a06:d1c0:deae:1:195:191:196:5 323 preference 1
exit
!

> Do you have custom compiled version of librtr?

[email protected]:~$ sudo dpkg -l librtr0
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-===========================================
ii  librtr0:amd64  0.8.0        amd64        Small extensible RPKI-RTR-Client C library.

What do you mean dumped (logs saying that)?
The BMP receiver gets the full RIB. The logs say, on the dot for each of these events:

Nov 30 17:57:15 gw01 frrinit.sh[2204]: (2024/11/30 17:57:15:150127): RTR Socket: Serial Notify received (69)
Nov 30 17:57:15 gw01 frrinit.sh[2204]: (2024/11/30 17:57:15:150254): RTR Socket: sending serial query, SN: 68
Nov 30 17:57:15 gw01 frrinit.sh[2204]: (2024/11/30 17:57:15:150374): RTR_MGR: Group(1) status changed to: RTR_MGR_ESTABLISHED
Nov 30 17:57:15 gw01 frrinit.sh[2204]: (2024/11/30 17:57:15:150427): RTR Socket: State: RTR_SYNC
Nov 30 17:57:15 gw01 frrinit.sh[2204]: (2024/11/30 17:57:15:161762): RTR Socket: Cache Response PDU received
Nov 30 17:57:15 gw01 frrinit.sh[2204]: (2024/11/30 17:57:15:170732): RTR Socket: EOD PDU received.
Nov 30 17:57:15 gw01 frrinit.sh[2204]: (2024/11/30 17:57:15:170811): RTR Socket: New interval values: expire_interval:7200, refresh_interval:3600, retry_interval:600
Nov 30 17:57:15 gw01 frrinit.sh[2204]: (2024/11/30 17:57:15:171252): RTR Socket: v4 prefixes added
Nov 30 17:57:15 gw01 frrinit.sh[2204]: (2024/11/30 17:57:15:171517): RTR Socket: v6 prefixes added
Nov 30 17:57:15 gw01 frrinit.sh[2204]: (2024/11/30 17:57:15:171546): RTR Socket: spki data added
Nov 30 17:57:15 gw01 frrinit.sh[2204]: (2024/11/30 17:57:15:171566): RTR Socket: Sync successful, received 20 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 69
Nov 30 17:57:15 gw01 frrinit.sh[2204]: (2024/11/30 17:57:15:171590): RTR Socket: State: RTR_ESTABLISHED
Nov 30 17:57:15 gw01 frrinit.sh[2204]: (2024/11/30 17:57:15:171623): RTR Socket: waiting 3600 sec. till next sync

@ton31337
Member

Are you saying that once the RTR cache server refreshes the records and sends a new version (serial changes), FRR revalidates all the routes, but not the received ones?

@ichdasich
Author

I am saying that FRR is sending the whole RIB via BMP. I have no idea why it does it, i.e., if it revalidates all routes.

@ton31337
Member

ton31337 commented Nov 30, 2024

I tested with the master branch, and I don't see RIB being resent if the RPKI state changes. I see the same logs:

Nov 30 23:35:47 pc.donatas.net frrinit.sh[3946]: (2024/11/30 23:35:47:765025): RTR Socket: Serial Notify received (24)
Nov 30 23:35:47 pc.donatas.net frrinit.sh[3946]: (2024/11/30 23:35:47:765047): RTR Socket: sending serial query, SN: 23
Nov 30 23:35:47 pc.donatas.net frrinit.sh[3946]: (2024/11/30 23:35:47:765076): RTR_MGR: Group(1) status changed to: RTR_MGR_ESTABLISHED
Nov 30 23:35:47 pc.donatas.net frrinit.sh[3946]: (2024/11/30 23:35:47:765084): RTR Socket: State: RTR_SYNC
Nov 30 23:35:47 pc.donatas.net frrinit.sh[3946]: (2024/11/30 23:35:47:765134): RTR Socket: Cache Response PDU received
Nov 30 23:35:47 pc.donatas.net frrinit.sh[3946]: (2024/11/30 23:35:47:765171): RTR Socket: EOD PDU received.
Nov 30 23:35:47 pc.donatas.net frrinit.sh[3946]: (2024/11/30 23:35:47:765179): RTR Socket: New interval values: expire_interval:7200, refresh_interval:3600, retry_interval:600
Nov 30 23:35:47 pc.donatas.net frrinit.sh[3946]: (2024/11/30 23:35:47:765202): RTR Socket: v4 prefixes added
Nov 30 23:35:47 pc.donatas.net frrinit.sh[3946]: (2024/11/30 23:35:47:765206): RTR Socket: v6 prefixes added
Nov 30 23:35:47 pc.donatas.net frrinit.sh[3946]: (2024/11/30 23:35:47:765210): RTR Socket: spki data added
Nov 30 23:35:47 pc.donatas.net frrinit.sh[3946]: (2024/11/30 23:35:47:765214): RTR Socket: Sync successful, received 2 Prefix PDUs, 0 Router Key PDUs, session_id: 53474, SN: 24
Nov 30 23:35:47 pc.donatas.net frrinit.sh[3946]: (2024/11/30 23:35:47:765219): RTR Socket: State: RTR_ESTABLISHED
Nov 30 23:35:47 pc.donatas.net frrinit.sh[3946]: (2024/11/30 23:35:47:765224): RTR Socket: waiting 3600 sec. till next sync

But these do not trigger sending anything to BMP receivers if only RPKI state changes. I see changes in BMP only if some attributes change.

Would it be possible to get the logs with debug bgp updates once the sync is happening?

Could you test with the master or 10.2 or 10.1 at least?

@ichdasich
Author

Will see whether I can kick my automation to do that in the coming days; Will keep you updated.

@ichdasich
Author

Ok, this will take some time, I guess; VyOS closed source-code access for the stable branches ( https://vyos.dev/T6781 ); Meaning I have to figure out a couple of other things first (rebuild automation and setup with other base-system+automation/port all my local-site additions to current/figure out how to patch the stale versions around enough so I can at least build a new image with a newer FRR);

Will take some time. -.-'

@ichdasich
Author

Ok, after some 'discussions' with the build system, things got deployed. I am now running 10.2* and the effect did not go away:
image

The large in traffic is from when i upgraded the routers.

With FRR now no longer choking on 'permission denied' for RAs (the extended-nexthop thing fixed in 10.2), I saw something else, though; For example, for gw05.dus01.v4less.measurement.network, the full dumps occurred (according to the graphs) at (approximately):

2024-12-03T23:55:00+00:00
2024-12-04T00:25:00+00:00
2024-12-04T01:25:00+00:00
2024-12-04T01:55:00+00:00
2024-12-04T04:55:00+00:00
2024-12-04T05:05:00+00:00
2024-12-04T09:55:00+00:00
2024-12-04T10:25:00+00:00

Looking at the FRR logs, I see:

...
Dec 03 22:27:09 gw05 frrinit.sh[2392]: (2024/12/03 22:27:09:325572): RTR Socket: Sync successful, received 1 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 266
Dec 03 22:57:12 gw05 frrinit.sh[2392]: (2024/12/03 22:57:12:653063): RTR Socket: Sync successful, received 11 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 267
Dec 03 23:57:10 gw05 frrinit.sh[2392]: (2024/12/03 23:57:10:079956): RTR Socket: Sync successful, received 473 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 268
Dec 04 00:17:14 gw05 frrinit.sh[2392]: (2024/12/04 00:17:14:028538): RTR Socket: Sync successful, received 515 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 269
Dec 04 00:57:12 gw05 frrinit.sh[2392]: (2024/12/04 00:57:12:807340): RTR Socket: Sync successful, received 30 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 270
Dec 04 01:27:10 gw05 frrinit.sh[2392]: (2024/12/04 01:27:10:826041): RTR Socket: Sync successful, received 687 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 271
Dec 04 01:57:14 gw05 frrinit.sh[2392]: (2024/12/04 01:57:14:071853): RTR Socket: Sync successful, received 768 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 272
Dec 04 02:07:14 gw05 frrinit.sh[2392]: (2024/12/04 02:07:14:372563): RTR Socket: Sync successful, received 2 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 273
Dec 04 02:57:13 gw05 frrinit.sh[2392]: (2024/12/04 02:57:13:634139): RTR Socket: Sync successful, received 16 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 274
Dec 04 03:07:13 gw05 frrinit.sh[2392]: (2024/12/04 03:07:13:548999): RTR Socket: Sync successful, received 3 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 275
Dec 04 03:57:10 gw05 frrinit.sh[2392]: (2024/12/04 03:57:10:164414): RTR Socket: Sync successful, received 17 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 276
Dec 04 04:07:12 gw05 frrinit.sh[2392]: (2024/12/04 04:07:12:788157): RTR Socket: Sync successful, received 90 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 277
Dec 04 04:27:08 gw05 frrinit.sh[2392]: (2024/12/04 04:27:08:619347): RTR Socket: Sync successful, received 10 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 278
Dec 04 04:57:10 gw05 frrinit.sh[2392]: (2024/12/04 04:57:10:676034): RTR Socket: Sync successful, received 461 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 279
Dec 04 05:07:18 gw05 frrinit.sh[2392]: (2024/12/04 05:07:18:552228): RTR Socket: Sync successful, received 557 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 280
Dec 04 05:57:13 gw05 frrinit.sh[2392]: (2024/12/04 05:57:13:864239): RTR Socket: Sync successful, received 47 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 281
Dec 04 06:27:10 gw05 frrinit.sh[2392]: (2024/12/04 06:27:10:002669): RTR Socket: Sync successful, received 674 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 282
Dec 04 06:57:14 gw05 frrinit.sh[2392]: (2024/12/04 06:57:14:489644): RTR Socket: Sync successful, received 727 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 283
Dec 04 07:37:10 gw05 frrinit.sh[2392]: (2024/12/04 07:37:10:094349): RTR Socket: Sync successful, received 1 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 284
Dec 04 07:47:09 gw05 frrinit.sh[2392]: (2024/12/04 07:47:09:376067): RTR Socket: Sync successful, received 3 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 285
Dec 04 07:57:12 gw05 frrinit.sh[2392]: (2024/12/04 07:57:12:243257): RTR Socket: Sync successful, received 58 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 286
Dec 04 08:47:09 gw05 frrinit.sh[2392]: (2024/12/04 08:47:09:760973): RTR Socket: Sync successful, received 22 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 287
Dec 04 08:57:11 gw05 frrinit.sh[2392]: (2024/12/04 08:57:11:791352): RTR Socket: Sync successful, received 16 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 288
Dec 04 09:07:13 gw05 frrinit.sh[2392]: (2024/12/04 09:07:13:443786): RTR Socket: Sync successful, received 57 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 289
Dec 04 09:27:08 gw05 frrinit.sh[2392]: (2024/12/04 09:27:08:791608): RTR Socket: Sync successful, received 2 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 290
Dec 04 09:57:09 gw05 frrinit.sh[2392]: (2024/12/04 09:57:09:358520): RTR Socket: Sync successful, received 463 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 291
Dec 04 10:17:15 gw05 frrinit.sh[2392]: (2024/12/04 10:17:15:249698): RTR Socket: Sync successful, received 526 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 292
Dec 04 10:57:09 gw05 frrinit.sh[2392]: (2024/12/04 10:57:09:330072): RTR Socket: Sync successful, received 14 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 293
Dec 04 11:07:30 gw05 frrinit.sh[2392]: (2024/12/04 11:07:30:206330): RTR Socket: Sync successful, received 64 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 294
Dec 04 11:17:08 gw05 frrinit.sh[2392]: (2024/12/04 11:17:08:520355): RTR Socket: Sync successful, received 1 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 295
Dec 04 11:27:07 gw05 frrinit.sh[2392]: (2024/12/04 11:27:07:390720): RTR Socket: Sync successful, received 4 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 296
Dec 04 11:37:09 gw05 frrinit.sh[2392]: (2024/12/04 11:37:09:492018): RTR Socket: Sync successful, received 2 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 297
Dec 04 12:17:12 gw05 frrinit.sh[2392]: (2024/12/04 12:17:12:281681): RTR Socket: Sync successful, received 79 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 298
...

Could it be that this only triggers if a specific amount of prefix changes is (at least) received via RTR?

Looking back in the graphs, I have only one event since yesterday where I have three digit prefixes and did not see a dump; Specifically:

Dec 03 20:17:14 gw05 frrinit.sh[2392]: (2024/12/03 20:17:14:928009): RTR Socket: Sync successful, received 212 Prefix PDUs, 0 Router Key PDUs, session_id: 7461, SN: 261

Not saying I am paranoid, but that three-digit-number-not-causing-an-event-like-the-others is suspiciously below 256; The only one below 256 of the three digit ones, and the only one after which there was no event.

If you think it helps I can poll the graphs and logs from all ~20 routers to see if we can inch closer to a 'number from which on it triggers'.

  • Side note: This version is now also built with libpcre2 and a funny patch I got slipped by @eqvinox during the last IETF which does some magic to community handling improving performance by ~2x; However, the issue did also occur without those two; So I doubt that adding these two things makes a major difference.

@ton31337
Member

ton31337 commented Dec 4, 2024

Are you able to see the BMP logs to verify if FRR is really sending a full-feed? Also.. you should notice [bmp...]: IPv4 unicast sending table or so in the logs. Don't you?

@ichdasich
Author

ichdasich commented Dec 4, 2024

Yes, we confirmed on the BMP side that FRR sends all routes. We also drew some (somewhat larger) PCAPs; Nothing out of the ordinary there.

Interestingly, I do not see a [bmp...]: IPv4 unicast sending table.

Looking at bgp_rpki.c atm; Sadly not a coder. But ll#601 has a statement which I do not understand that returns early and triggers revalidate_all_routes(rpki_vrf);

My colleague @TheEnbyperor also just noticed that this is set in ll#789 if the kernel is blocking, i.e., after 4k for a default datagram socket buffer. By their calculation this should hit at ca. 300 updates given around 200 bytes per update. Which maps to the observations.

They probably can better chime in themselves.

@TheEnbyperor

Tobias gave a pretty good summary, but I'll elaborate just to try and make it clearer.

There exists a function static void revalidate_all_routes(struct rpki_vrf *rpki_vrf); calling this seems likely to cause the behaviour in question. This is called from one location:

if (atomic_load_explicit(&rpki_vrf->rtr_update_overflow, memory_order_seq_cst)) {
  while (read(rpki_vrf->rpki_sync_socket_bgpd, &rec, sizeof(struct pfx_record)) != -1);

  atomic_store_explicit(&rpki_vrf->rtr_update_overflow, 0, memory_order_seq_cst);
  revalidate_all_routes(rpki_vrf);
  return;
}

Where is rtr_update_overflow set? Also in one place:

int retval = write(rpki_vrf->rpki_sync_socket_rtr, &rec, sizeof(struct pfx_record));
if (retval == -1 && (errno == EAGAIN || errno == EWOULDBLOCK))
  atomic_store_explicit(&rpki_vrf->rtr_update_overflow, 1, memory_order_seq_cst);

rpki_sync_socket_rtr is one half of a non-blocking datagram socket. Checking sysctl on a random Debian machine I have, the default buffer for a datagram socket appears to be 4096.

This seems to have been introduced by 4ce8267, but I can't figure out why it'd take from 2018 until now to present itself in this way.

Perhaps the send buffer on the socket should be increased? Or is something more drastic in order?
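
The overflow path described in the comment above, reduced to a stand-alone C sketch (an added example, not FRR's code and not part of the original comment). `demo_record`, `demo_sync` and the `demo_*` functions are hypothetical names and the record layout is an assumption; only the EAGAIN check on the writer and the drain-then-revalidate-everything branch on the reader follow the quoted snippets.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for rtrlib's struct pfx_record; the layout is an assumption. */
struct demo_record {
	uint8_t prefix[16], min_len, max_len, added;
	uint32_t asn;
};

struct demo_sync {
	int sock_rtr;  /* written by the RTR side */
	int sock_bgpd; /* read by the bgpd side */
	bool overflow; /* plays the role of rtr_update_overflow */
};

/* Create the non-blocking datagram socket pair; returns 0 on success. */
int demo_init(struct demo_sync *s)
{
	int fds[2];
	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds) == -1)
		return -1;
	for (int i = 0; i < 2; i++) {
		int fl = fcntl(fds[i], F_GETFL, 0);
		if (fl == -1 || fcntl(fds[i], F_SETFL, fl | O_NONBLOCK) == -1) {
			close(fds[0]);
			close(fds[1]);
			return -1;
		}
	}
	s->sock_rtr = fds[0];
	s->sock_bgpd = fds[1];
	s->overflow = false;
	return 0;
}

/* RTR side: queue up to n records; returns how many the kernel accepted. */
int demo_push(struct demo_sync *s, int n)
{
	struct demo_record rec;
	int queued = 0;
	memset(&rec, 0, sizeof(rec));
	for (int i = 0; i < n; i++) {
		rec.asn = 64496 + (uint32_t)(i % 16); /* documentation ASNs */
		if (write(s->sock_rtr, &rec, sizeof(rec)) == -1) {
			if (errno == EAGAIN || errno == EWOULDBLOCK)
				s->overflow = true; /* reader can no longer tell what changed */
			break;
		}
		queued++;
	}
	return queued;
}

/* bgpd side: per-record count, or *full = true after an overflow (queue discarded). */
int demo_drain(struct demo_sync *s, bool *full)
{
	struct demo_record rec;
	int targeted = 0;
	*full = s->overflow;
	if (s->overflow) {
		while (read(s->sock_bgpd, &rec, sizeof(rec)) != -1)
			;
		s->overflow = false; /* the quoted code calls revalidate_all_routes() here */
		return 0;
	}
	while (read(s->sock_bgpd, &rec, sizeof(rec)) == (ssize_t)sizeof(rec))
		targeted++;
	return targeted;
}
```

How many records fit before the flag is raised depends on the host's socket buffer settings, so `demo_push` reports the count instead of assuming one.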

@ton31337
Member

ton31337 commented Dec 4, 2024

What about if we scan not the whole RIB, but only the affected (by socket overflow) prefixes? I have an idea, going to validate it and see if it would work at some level better than the current approach.

@ichdasich
Author

I am still trying to wrap my head around the issue here; my (amateur) understanding is:

  • bgpd opens a socket
  • rtrlib occasionally gets invoked and throws a couple of PDUs into the socket
  • If this is too many PDUs, the socket blocks until it is read from;
  • rtrlib hence does not care, updates the RPKI view for the VRF but bgpd does not know which prefixes might have gotten updated
  • Hence, bgpd re-validates all prefixes; Just in case.
  • Looking at 4ce8267, there seems to be a deadlock between rtrlib and bgpd there, because rtrlib needs to (ideally) write all prefixes to the socket and then call the callback. However, if the buffer is full, it blocks there, not releasing its locks, preventing bgpd from reading from the socket which... well, deadlock.

To me it sounds like it would rather make sense to resolve the deadlock. Academic-code-quality-me would probably use a tmpfile instead (which--I know--comes with a ton of other caveats). But I think that resolving the deadlock situation is much more sensible than trying to work around the limits of buffer space.

@ton31337
Member

ton31337 commented Dec 4, 2024

Would you be able to cherry-pick this commit opensourcerouting@c8f7984 and test?

@ichdasich
Author

Building an image; Let's see.

@ichdasich
Author

Pushed the image on the router at AMSIX; Let's see what this does. If it works the box should be showing less traffic than the rest of AS215250.

@ichdasich
Author

so, with that patch applied no BGP session comes up; Currently drawing a pcap

@ichdasich
Author

dies with a 'bad peer AS' notification, even though the peer AS is correctly configured; The notification even carries the correct ASN.

@ton31337
Member

ton31337 commented Dec 5, 2024

Something unrelated at all.. Could you try installing .deb/.rpm from here https://ci1.netdef.org/browse/FRR-PULLREQ3-6403/artifact?

@ton31337 ton31337 removed the triage Needs further investigation label Dec 5, 2024
@ichdasich
Author

Makes things a lot more difficult for me. But I can try; Will take some time, though, likely until after an upcoming trip, i.e., until the 17th at least.

@ichdasich
Author

Ok, this turned out easier than anticipated. However, the .deb from the URL you provided seems to not include opensourcerouting@c8f7984 ?

@ton31337
Member

ton31337 commented Dec 5, 2024

It should include it because these artifacts are based on #17586.

@ichdasich
Author

Hrm, it says it is, but it only lists a PIM related commit?

image

@ichdasich
Author

hrm, ok, the source does include the changes it seems; Rebooting.

@ichdasich
Author

Used your image; Does not change the fact that no sessions come up because of the invalid-as issue I also saw when applying the patch myself.

@ton31337
Member

ton31337 commented Dec 5, 2024

To be sure... is it fine with the master branch if you compile it? Because I don't see any relation to session not going up and my changes.

@ichdasich
Author

I have the same behavior for 10.2; If I do not apply your patch, sessions come up; If I do apply the patch, I get an 'invalid AS'.

@ton31337
Member

ton31337 commented Dec 5, 2024

Can you show the configuration?

@ichdasich
Author

One of those, they are all auto generated: #17533 (comment)

@ichdasich
Author

Hrm, shall I try what happens if I disable RTR/RPKI?

@ichdasich
Author

ichdasich commented Dec 5, 2024

sigh ffs... give me a second, i might have to burn some things. -.-'

Edit: For the record; This is related to the config management system, as I suspected that to be involved at this time.

@ichdasich
Author

ok, it appears that with your patch supplied a peer config can no longer "overwrite" the remote-as set in a peer group. Even if there is no remote-as set in a peer group... o.O Is this intentional?

@ichdasich
Author

With the patch, for some reason, FRR no longer accepts a peer group member to set the remote AS for itself; I.e., there is no remote-as configured in the peer group, only in the peer, but I still get:

sending configuration % Peer-group member cannot override remote-as of peer-group.

Leading to a partial config load.

Also tried disabling rpki/rtr to no avail.

Was such a change explicitly made some when? (That would kind of break the usefulness of the peergroup feature, though...)

What I also find odd is that just applying your patch (individual commit) has this effect. Does your patch somewhere initialize the remote-as per peer, which may lead to the peer-group getting an empty remote-as initialized even if none is set, then leading to this issue?

@ton31337
Member

ton31337 commented Dec 5, 2024

remote-as with peer-group was fixed here #17542 and backported to stable/10.2. I don't understand how you get the same issue ONLY applying my fix for this issue...

@ichdasich
Author

Something you have to understand about me... at some point in the past I worked with a person that had... a... gift... to stumble into very weird bugs. Sadly, we noticed too late that it is contagious.... ;-)

Let me do some specific checks to make sure which versions are running when; Will come back to you in a bit.

@ichdasich
Author

.oO( so... in general... shall I just set up 2-3 test boxes and set them up with the associated versions and you mail me an SSH key? )

@ichdasich
Author

Ok, checked up;

  • The system experiences the peer-group issue when running 10.3-dev based on the sources you shared (verified: [email protected]:~$ vtysh -c 'show version' FRRouting 10.3-dev (gw01) on Linux(6.6.54-amd64-vyos).)
  • The system experiences the peergroup issue running on 10.2, when the only change from a system not experiencing the peergroup issue is your patch;

Then again not exactly; both have been using 10.2/stable at the time of build. The working one has been built at Dec 3 14:17 UTC, the not working one Dec 4 22:33 UTC. The backported fix for the peer-group issue was merged in 0b26493 at Dec 4 12:37 UTC.

Note, also, that the issue I am experiencing is mildly different from the one in #17541

The issue in that one was:

  • peer-group exists
  • peer is created with a remote AS
  • peer is added to peer-group

my issue is:

  • peer-group exists
  • peer is created and assigned to a peer-group
  • remote-as is set for peer (and denied because the peer-group already has a remote-as configured)

My expectation of how that bug could happen actually maps to how #17542 resolved the issue in #17541: By initializing the remote-as for a peer group; So, as that value is no longer empty, it can't be overwritten.

I would argue that the issue observed by me hence is a regression introduced by #17542 ...

Shall I file a new bug for that one?

@ichdasich
Author

Took the liberty: #17602

@ton31337
Member

ton31337 commented Dec 5, 2024

Thanks, will fix that and sorry for this inconvenience...

@ichdasich
Author

Let me know when the backport is in for the fix for #17602 for the fix for #17542 so I can roll a new image with it. Will then test again.

@ton31337
Member

ton31337 commented Dec 6, 2024

Okay... could you apply then first opensourcerouting@2797506, and then c8f7984? :)

@ichdasich
Author

lemme bake a build before the breakfast burrito. Will let you know in a bit.

@ichdasich
Author

Comes up properly now. Pushing it to all other routers.

@ichdasich
Author

So, to keep this updated: So far there were several events that would otherwise have qualified for a route dump; But none happened.

However, we see a bit less BMP traffic than expected. Will wait for input on Monday where this might be coming from.

@ichdasich
Author

Ok, further investigation shows that the patch is effective and to the best of our knowledge does not introduce any side-effects itself. From my perspective, this is good to merge and backport.
