Got it

[Insider Sharing] BFD Echo arm function strange behavior Highlighted

Latest reply: May 13, 2018 04:11:36 1915 3 2 0 0
Hi all, 

I would like to share with you another interesting insider case. This time it's related to AR G3 router series and BFD protocol detection mechanism.  First of all, I'm not sure whether you are familiar with BFD Echo function for this detection protocol, so will add a short description below:

It checks the connectivity of the forwarding link by looping back packets. You can use the BFD Echo function when one of two directly connected devices does not support BFD. In this case, you can configure BFD Echo on the BFD-supporting device. That device sends an Echo Request packet to the remote device. The remote device then sends the Echo Request packet back along the same path to detect the connectivity of the forwarding link.

An image will help to understand the data above. 

 
Let's get back to our case, so we have AR 157 version V200R005C20SPC200 connecting with a third party equipment with no BFD capability. 
The BFD echo function configuration is quite basic, as we can see below:

 bfd atob bind peer-ip 10. 1.1.1 interface Dialer1 one-arm-echo 
 discriminator local 1 
 min-echo-rx-interval 100 
 commit 
 # 
 
Unfortunately the BFD session remains in "Down" state:
 
[AR router]dis bfd session all 
 -------------------------------------------------------------------------------- 
 Local Remote     PeerIpAddr      State     Type         InterfaceName 
 -------------------------------------------------------------------------------- 
 1             -            10.1.1.1          Down   S_IP_IF        Dialer1 
 -------------------------------------------------------------------------------- 
 Total UP/DOWN Session Number : 0/1
 
Let's try to find out why:
First thing to do is to check the AR configuration a little bit deeper, and I was able to observe that a firewall configuration was in place. Let's check whether BFD packets are properly allowed. 
 
We will check the configuration, dialer interface is the BFD enabled interface and is connected to untrust zone.
 
 interface Dialer1 
 link-protocol ppp 
 ppp chap user xxxx
 ppp chap password simple xxxxx
 ip address ppp-negotiate 
 dialer user xx
 dialer bundle x
 dialer-group x 
 nat outbound x
zone untrust 
 bfd atob bind peer-ip 10.1.1.1 interface Dialer1 one-arm-echo 
 discriminator local 1 
 min-echo-rx-interval 100 
 commit 
 # 
 
The interzone from local zone to untrust is permitted accordingly so normally BFD packets should be processed accordingly by the AR router.
 
 firewall interzone local untrust 
 firewall enable 
 packet-filter 3000 inbound 
 # 
 acl number 3000 
rule 1 permit ip source 10.1.1.1 0 
  ............
 rule 45 permit ip 
  .........
 rule 55 permit udp 
 
Since the BFD packets are allowed, I decide to perform a packet capture to see whether the remote end is returning the packets back to the AR router and indeed were returned as we can see below:


So it must be something on the AR router that makes it to not accept the BFD echo packets. 
Checking the running configuration deeper I found out there is a firewall configuration that could cause problems, let check below:
 # 
firewall defend land enable 
 firewall defend smurf enable 
 firewall defend fraggle enable 
 firewall defend winnuke enable 
 firewall defend syn-flood enable 
 firewall defend udp-flood enable 
 firewall defend icmp-flood enable 
 firewall defend ip-sweep enable 
 firewall defend port-scan enable 
 firewall defend ping-of-death enable 
 firewall defend teardrop enable 
 firewall defend large-icmp enable 
 # 
Land attack defence was enabled. Finally I decide to disable it to see what it's happening and... the BFD session came up. 
Why it come up? How to explain this strange phenomenon?
First, what is a LAND attack and what is the mechanism behind. 
A LAND (Local Area Network Denial) attack is a DoS (Denial of Service) attack that consists of sending a special poison spoofed packet to a computer, causing it to lock up.
Mechanism - the attack involves sending a spoofed IP packet ( generally is a connection initiation TCP SYN) with the target host's IP address to an open port as both source and destination. This causes the machine to reply to itself continuously, causing damage.

So this is exactly what happened, the AR router sends and BFD echo packet, which is an UDP same source and destination IP, which is returned back to the AR router and since it has same source and destination IP it considers to be a type of LAND attack and it drops it. 

So, to conclude, firewall configuration could impact other protocol, before commisioning services or new protocols, it's best to review all the firewall configuration you have deployed on the device and be sure you know exactly what every command does on the system. 
 
I hope you enjoy reading this. Goodbye!

From group: Router This post was last edited by StarOfWest at 2018-05-08 02:42.

This article contains more resources

You need to log in to download or view. No account? Register

x
  • x
  • convention:

Busy_with_lazy_mind
Created May 9, 2018 00:47:12

[Insider Sharing] BFD Echo arm function strange behavior-2661511-1
View more
  • x
  • convention:

Luke_WiFi_Walker
Created May 9, 2018 09:04:45

[Insider Sharing] BFD Echo arm function strange behavior-2661859-1
View more
  • x
  • convention:

w1
Created May 13, 2018 04:11:36

:)
View more
  • x
  • convention:

Comment

You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.
Information Protection Guide
Thanks for using Huawei Enterprise Support Community! We will help you learn how we collect, use, store and share your personal information and the rights you have in accordance with Privacy Policy and User Agreement.