Saturday, June 1, 2013

Giving the Bird to pfSense OpenBGP

My problems with OpenBGP, and what started out as my upgrade to the 2.1 release candidate, made me rethink using the Bird routing daemon.

Bird is an open source routing engine that's growing in popularity. It does the same thing as the Zebra/Quagga routing daemon and seems okay.

It's not as strongly supported as the legacy GateD routing daemon, and like GateD, it uses a routing monitor client to view and control parts of the routing engine.

Birdc vs. GateD gdc (Bird vs. GateD)

You can find more information here:

http://bird.network.cz/

and

http://en.wikipedia.org/wiki/Merit_Network
http://www.merit.edu/services/


Btw: GateD was great for OSPF routing, and I ran a complete small ISP network off GateD back in the late 90s on a mix of Sun SparcStations and x386 platforms.

(a little bit on my past history with Bird)

I've used Bird for route injection with over 300K /32 routes, and it held up with few problems, but any traffic forwarding through the box, along with BGP+OSPF instability, seemed to have a direct impact on the Bird daemon's uptime. So I'm not 100% confident in Bird in a full-blown production center.

We had numerous nights of logging into our Bird route injector to find the daemon had died. This was under FreeBSD with dedicated HP hardware, btw. We also used Bird for locally redundant BGP route reflector servers.

The price of 2 simple Dell R610 servers (FreeBSD+Bird) was much cheaper than a single Cisco ISR2900 :)



Now let's look at Bird:

It supports the RIP, OSPF, and BGP routing protocols, with the means to control route export and import. To install it under pfSense, I had to resort to a manual pkg_add since the pfSense distribution doesn't have a pkg source available.


Next,

After you've installed the Bird pkg, you will need to craft your configuration file. Based on what you're doing, that could be a few lines or a few hundred lines.

Here's a preview of my configuration approach, which is for very basic route importation for BGP.

(which is the default for BGP)

Okay, simple!

We've defined a few global configuration items, and then we move into the "protocol bgp" section to define our neighbor.

Once you have the cfg set up, you can then use a simple cmd to check the cfg via the following:


Here, my cfg file sits in /etc and is named bird6.conf.


Okay,

So after you have the Bird cfg checked out, we can start the process via:

bird6 -c /etc/bird6.conf -s 1001

This will start the process and set the control socket to 1001.

You can now confirm it's started via the system log and/or the following:



Okay, after it's started, we can jump into the client monitor via the Bird client (birdc6 -s 1001).





If all was good and we had a BGP session up, you could verify with any of the following:

show protocol all
show protocol bgp1

But in my case I was shown an error:


I did have it started a few times, and we pulled in 12k+ IPv6 routes before it closed the session with the same "malformed attribute error" that was seen under OpenBGP.

I believe this is a problem in the BGP UPDATEs from my arpnetwork peer. I'm still investigating this matter, but since the same 2 errors came in with 2 different routing daemons, I think it's an update issue from my upstream OpenBGP peer.

NOTE: Btw, on this pfSense host, I'm running an OpenBGP instance for IPv4 and Birdv6 for IPv6.

Here are some screenshots of when it's working correctly:





And the system log file when it fails and our BGP session is torn down:
(snip)

I do have a running pcap on my host, and later I'm going to diagnose it with Wireshark/tshark and inspect the last BGP UPDATEs right before the teardown.
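The inspection planned above (looking at the last UPDATEs before the teardown) can also be scripted. The following is an added example, not code from the original post: it walks the path attribute list of every UPDATE in a BGP byte stream and reports length overruns, duplicate attributes and unexpected flag bits. It assumes the peer-to-host TCP payload has already been reassembled from the pcap; the function names and the sample bytes are constructed for illustration.

```python
MARKER = b"\xff" * 16
# Expected Optional (0x80) / Transitive (0x40) bits per type (RFC 4271, RFC 4760).
EXPECTED = {1: 0x40, 2: 0x40, 3: 0x40, 4: 0x80, 5: 0x40, 14: 0x80, 15: 0x80}

def split_messages(stream):
    """Yield (type, body) for each BGP message in one direction's byte stream."""
    off = 0
    while off < len(stream):
        hdr = stream[off:off + 19]
        length = int.from_bytes(hdr[16:18], "big")
        if hdr[:16] != MARKER or not 19 <= length <= len(stream) - off:
            raise ValueError(f"bad BGP header at offset {off}")
        yield hdr[18], stream[off + 19:off + length]
        off += length

def check_update(body):
    """Return the structural problems in one UPDATE's path attribute list."""
    pos = 4 + int.from_bytes(body[:2], "big")          # skip withdrawn routes
    end = pos + int.from_bytes(body[pos - 2:pos], "big")
    if end > len(body):
        return ["withdrawn/attribute lengths overrun the message"]
    problems, seen = [], set()
    while pos < end:
        hdr = 4 if body[pos] & 0x10 else 3             # Extended Length bit
        vlen = int.from_bytes(body[pos + 2:pos + hdr], "big")
        if pos + hdr + vlen > end:
            return problems + [f"attribute at offset {pos} overruns the list"]
        flags, code = body[pos], body[pos + 1]
        if code in EXPECTED and (flags & 0xC0) != EXPECTED[code]:
            problems.append(f"attr {code}: unexpected flags 0x{flags:02x}")
        if code in seen:                               # one copy per UPDATE
            problems.append(f"attr {code}: duplicate")
        seen.add(code)
        pos += hdr + vlen
    return problems

def audit_updates(stream):
    """Return [(message index, problems)] for each UPDATE that fails a check."""
    return [(i, p) for i, (t, b) in enumerate(split_messages(stream))
            if t == 2 and (p := check_update(b))]

def update(attrs):  # sample builder only: no withdrawn routes, no NLRI
    body = b"\x00\x00" + len(attrs).to_bytes(2, "big") + attrs
    return MARKER + (19 + len(body)).to_bytes(2, "big") + b"\x02" + body

# Constructed sample: KEEPALIVE, clean UPDATE, UPDATE with an overlong MP_REACH_NLRI.
ORIGIN, AS_PATH = b"\x40\x01\x01\x00", b"\x40\x02\x06\x02\x01\x00\x00\xfc\x00"
SAMPLE = (MARKER + b"\x00\x13\x04" + update(ORIGIN + AS_PATH)
          + update(ORIGIN + b"\x80\x0e\x40\x00\x02\x01"))
```

Calling audit_updates(SAMPLE) flags only the third message; on a real capture, the last flagged UPDATE before the session drops is the one to open in Wireshark.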



I believe my upstream peer has something hosed up. And as a side task, I'm in the process of crafting a GRE tunnel between my pfSense host and one of my Juniper J routers.

We will establish a BGP-v6 peer between these two devices, and validate that we do have stable BGP establishment for IPv6 peers with Bird6. This could be an OS stack issue within pfSense 2.1rc. I'm only guessing as to what could be the issue(s) as of this time.

fwiw:

If anybody wants to establish a BGP peering session over a GRE tunnel for testing, please contact me at the below email.

This host is dual-homed on an IPv4/6 backbone. And the problem with BGP establishments seems to be IPv6 related. So I would like to test IPv6 connectivity to various other BGP peers, using Bird6.


Ken Felix
Freelance Network/Security Engineer
kfelix --at-- hyperfeed --dot-- com

Stay tuned!

     ^        ^
= ( @   @ ) =
          o
        /    \
