[j-nsp] JUNOS violating RFC1771 on BGP collision detection

Daniel Roesen dr at cluenet.de
Tue Jun 8 16:12:31 EDT 2004


After some long BGP trace log reading I discovered that at least JUNOS
5.5 violates RFC1771 in regard to connection collision detection in a
harmful way.

RFC1771 states:

"Upon receipt of an OPEN message, the local system must examine all of
its connections that are in the OpenConfirm state."

Unfortunately, JUNOS 5.5 also considers connections in Connect state
(but not Active fortunately).

This can - and did in this case - lead to serious session establishment
delays. Here 9 minutes, but may have been much more, for the following

When JUNOS tries to open a BGP session and fails (connect() fails),
JUNOS sometimes transits from OpenFail to Active, sometimes directly
from OpenFail to Connect! As long as JUNOS is in Connect state, every
incoming OPEN from the remote peer is being rejected as collision.

In the case here, the customer had ACLs in place preventing session
establishment in the local=>remote direction. JUNOS always transited
from OpenFail to Connect, and every attempt from the customer was
rejected as collision. After about 9 minutes, JUNOS did not transit
to Connect, but to Active. Then, the next incoming OPEN succeeded.
JUNOS threw away its own attempt and completed the session setup until
Established state.

Finally I've found PR #32902 which sounds matching, but was closed
with no information in which JUNOS this is fixed. Is it fixed at all?
This is hurting and explains why I've always had the subjective
impression that it sometimes takes JUNOS long to establish sessions
(but didn't dig deeper into why).
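
Added example, not part of the original post and not Juniper code: a small model of the RFC1771 collision check, replayed once with only OpenConfirm examined and once with Connect examined as well, as the post reports. The timeline, the BGP Identifiers (local higher than remote) and the use of the RFC tie-break on the Connect-state connection are assumptions made for illustration.

```python
import ipaddress

RFC1771_EXAMINED = {"OpenConfirm"}              # states RFC1771 says to examine
REPORTED_EXAMINED = {"OpenConfirm", "Connect"}  # behaviour the post reports

def bgp_id(dotted):
    """BGP Identifier as an unsigned 32-bit integer, for comparison."""
    return int(ipaddress.IPv4Address(dotted))

def on_open(local_id, remote_id, existing_state, examined):
    """Decide the fate of a connection that has just delivered an OPEN.

    existing_state is the state of the other connection to the same peer.
    Assumption: the RFC tie-break is applied to any examined state; the post
    only says the inbound OPEN was rejected as a collision.
    """
    if existing_state not in examined:
        return "accept"                 # no collision procedure is run
    if bgp_id(local_id) < bgp_id(remote_id):
        return "accept_close_existing"  # tie-break: remote-initiated wins
    return "reject"                     # tie-break: keep the existing one

def replay(timeline, local_id, remote_id, examined):
    """Return [(seconds, decision)] up to the first OPEN that is not rejected."""
    decisions = []
    for seconds, state in timeline:
        decision = on_open(local_id, remote_id, state, examined)
        decisions.append((seconds, decision))
        if decision != "reject":
            break
    return decisions

# Constructed sample: arrival time of each inbound OPEN and the state of the
# local outbound attempt at that moment (its connect() keeps failing).
TIMELINE = [(0, "Connect"), (180, "Connect"), (360, "Connect"), (540, "Active")]
LOCAL_ID, REMOTE_ID = "192.0.2.2", "192.0.2.1"  # constructed; local is higher

if __name__ == "__main__":
    for name, examined in (("RFC1771", RFC1771_EXAMINED),
                           ("reported", REPORTED_EXAMINED)):
        print(name, replay(TIMELINE, LOCAL_ID, REMOTE_ID, examined))
```

With only OpenConfirm examined the first inbound OPEN is accepted; with Connect examined too, the session waits until the local side happens to be in Active.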

