[c-nsp] IPv6 uRPF broken?

Bernhard Schmidt berni at birkenwald.de
Thu Aug 19 10:28:11 EDT 2004


Hi,

I'm running several 7206VXR (NPE-300/NPE-400/NPE-G1) with the IPv6-enabled 
12.2(18)S5 provider image and I am currently investigating enabling IPv6 
uRPF on customer-facing interfaces.

To check which customers might eventually have problems with that, I 
added an ACL to the verify statement which just allows and logs all 
packets that would originally have been dropped by uRPF.

I've found several packets logged by the ACL (which thus would have been 
dropped by the check) that I can't explain.



First of all, I have a uRPF-enabled tunnel with BGP enabled... the ACL 
logs all traffic between the endpoints (BGP, ping tests) although they 
are in the same subnet.

%IPV6-6-ACCESSLOGP: list logall/10 permitted tcp 2001:1B20:0:100::1(179) 
(Tunnel303) -> 2001:1B20:0:100::2(61880), 1 packet

interface Tunnel303
  ipv6 address 2001:1B20:0:100::2/64
  ipv6 verify unicast reverse-path logall

This would indicate that I would not be able to run BGP on a uRPF 
secured interface without an additional ACL.


The second problem (which is more a cosmetic one in my case, but 
nevertheless is ugly when you want to monitor uRPF and log dropped 
packets) is spurious uRPF drops where the logged source address and 
interface definitely were correct.

%IPV6-6-ACCESSLOGP: list logall/10 permitted udp 2001:1B10:1100::68(4147) (Tunnel301) -> 2001:698:3:0:2A0:C9FF:FE92:F594(53), 1 packet
%IPV6-6-ACCESSLOGP: list logall/10 permitted udp 2001:1B10:1100::76(49154) (Tunnel301) -> 2001:908:2:20::35(53), 1 packet
%IPV6-6-ACCESSLOGP: list logall/10 permitted udp 2001:1B10:1100::68(4147) (Tunnel301) -> 2001:908:2:20::34(53), 5 packets

router#sh ipv6 cef tun301
2001:1B10:1100::/40
      attached to Tunnel301

interface Tunnel301
  ipv6 unnumbered Loopback10
  ipv6 verify unicast reverse-path logall


I almost went crazy until I figured out that the destination of those 
logged packets was unreachable (no network in the BGP table; the 
tunnel router has a full table and no default route) when the logging occurred.


Can anyone confirm this bug? I have neither another platform nor 
another IOS (e.g. 12.0S or 12.3) running at the moment, and no lab 
machine at hand. Is there something I'm missing (in the first example)? 
Is there already an open bug ID (I could not find one)?

Thanks in advance
Bernhard
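Added example, not from the post or from Cisco: a small Python triage script that parses `%IPV6-6-ACCESSLOGP` lines produced by a logging ACL such as `logall` and checks each logged source against the prefix that `sh ipv6 cef` shows for the ingress interface, so that genuine reverse-path failures can be separated from logs like the ones above where the source was correct. The sample lines and the interface-to-prefix map are constructed from the addresses and CEF output in the post; the `2001:db8:bad::1` source is an invented negative case.

```python
import ipaddress
import re

# Constructed sample log lines (addresses taken from the post, plus one invented
# source outside the Tunnel301 prefix to show a genuine reverse-path failure).
LOG_LINES = [
    "%IPV6-6-ACCESSLOGP: list logall/10 permitted tcp 2001:1B20:0:100::1(179) "
    "(Tunnel303) -> 2001:1B20:0:100::2(61880), 1 packet",
    "%IPV6-6-ACCESSLOGP: list logall/10 permitted udp 2001:1B10:1100::68(4147) "
    "(Tunnel301) -> 2001:908:2:20::34(53), 5 packets",
    "%IPV6-6-ACCESSLOGP: list logall/10 permitted udp 2001:db8:bad::1(40000) "
    "(Tunnel301) -> 2001:908:2:20::35(53), 1 packet",
]

# Interface -> prefixes CEF routes via that interface. Assumed map built from the
# post's "sh ipv6 cef tun301" output and the connected /64 on Tunnel303.
CEF_BY_INTERFACE = {
    "Tunnel301": [ipaddress.ip_network("2001:1B10:1100::/40")],
    "Tunnel303": [ipaddress.ip_network("2001:1B20:0:100::/64")],
}

LOG_RE = re.compile(
    r"list (?P<acl>\S+)/(?P<seq>\d+) permitted (?P<proto>\w+) "
    r"(?P<src>[0-9A-Fa-f:.]+)\((?P<sport>\d+)\) \((?P<ifname>\S+)\) -> "
    r"(?P<dst>[0-9A-Fa-f:.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return a dict for an ACCESSLOGP line, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["count"] = int(rec["count"])
    return rec


def classify(rec):
    """'spurious' when CEF does route the source via the ingress interface
    (the uRPF check should have passed), otherwise 'rpf-fail'."""
    prefixes = CEF_BY_INTERFACE.get(rec["ifname"], [])
    return "spurious" if any(rec["src"] in p for p in prefixes) else "rpf-fail"


def triage(lines):
    """Yield (interface, source, verdict, packet count) for each parsable line."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            out.append((rec["ifname"], str(rec["src"]), classify(rec), rec["count"]))
    return out
```

Run `triage(LOG_LINES)` against real syslog export; any `rpf-fail` entries are the customers that would actually be affected, while `spurious` entries correspond to the second problem described above.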

