SRv6 Segment Routing?

PolynomialDivision · October 15, 2020, 9:30am

Setup:

+-------+      +-------+    +------+
|IPQ40XX+------+IPQ40XX+----+X86|64|
+-------+      +-------+    +------+

x86 does not work with srv6 kernel?

I compiled with the IP40XX Soc's with

diff --git a/target/linux/ipq40xx/config-5.4 b/target/linux/ipq40xx/config-5.4
index b442f73fbc..717799ad45 100644
--- a/target/linux/ipq40xx/config-5.4
+++ b/target/linux/ipq40xx/config-5.4
@@ -276,6 +276,10 @@ CONFIG_INITRAMFS_SOURCE=""
 # CONFIG_IOMMU_IO_PGTABLE_LPAE is not set
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IO_URING=y
+CONFIG_IPV6=y
+CONFIG_IPV6_SEG6_LWTUNNEL=y
+CONFIG_IP6_NF_MATCH_SRH=y
+CONFIG_IPV6_SEG6_HMAC=y
 CONFIG_IPQ_GCC_4019=y
 # CONFIG_IPQ_GCC_806X is not set
 # CONFIG_IPQ_GCC_8074 is not set

I can insert a default route with

ip -6 route add  2001:db9::1/64 dev eth0.12 encap seg6 mode encap segs 2001:db8::2

with the result:

2001:db9::/64  encap seg6 mode encap segs 1 [ 2001:db8::2 ] dev eth0.15 metric 1024 pref medium

Now I want to do the same on the x86 and I get an error

ip: either "to" is duplicate, or "encap" is garbage

Encapsulation does not work?

If I just do a ping to 2001:db9::1/64 I thought I could see that it is encapsulated by looking at the interface. But it does not seem to be encapsulated?

vgaetera · October 15, 2020, 9:36am

Compare the output from working and problematic devices:

opkg list-installed ip-\*; readlink -f $(type -p ip); ip -V

PolynomialDivision · October 15, 2020, 9:58am

Just a quick update. I just leave the x86 Router away. Created a firewall where I put both interfaces into and made Forwarding available.

root@xxx:~# tcpdump -i eth0.15
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.15, link-type EN10MB (Ethernet), capture size 262144 bytes
11:51:35.503595 IP6 2001:db8::1 > 2001:db8::2: srcrt (len=2, type=4, segleft=0[|srcrt]
11:51:36.550526 IP6 2001:db8::1 > 2001:db8::2: srcrt (len=2, type=4, segleft=0[|srcrt]
11:51:38.630733 IP6 2001:db8::1 > 2001:db8::2: srcrt (len=2, type=4, segleft=0[|srcrt]
11:51:40.550339 IP6 fe80::e4a1:e4ff:fe82:ef16 > 2001:db8::2: ICMP6, neighbor solicitation, who has 2001:db8::2, length 32
11:51:40.551484 IP6 2001:db8::2 > fe80::e4a1:e4ff:fe82:ef16: ICMP6, neighbor advertisement, tgt is 2001:db8::2, length 24
11:51:42.710579 IP6 2001:db8::1 > 2001:db8::2: srcrt (len=2, type=4, segleft=0[|srcrt]
11:51:45.554019 IP6 fe80::baec:a3ff:fed6:8bfe > fe80::e4a1:e4ff:fe82:ef16: ICMP6, neighbor solicitation, who has fe80::e4a1:e4ff:fe82:ef16, length 32
11:51:45.555567 IP6 fe80::e4a1:e4ff:fe82:ef16 > fe80::baec:a3ff:fed6:8bfe: ICMP6, neighbor advertisement, tgt is fe80::e4a1:e4ff:fe82:ef16, length 24
11:51:50.630428 IP6 fe80::e4a1:e4ff:fe82:ef16 > fe80::baec:a3ff:fed6:8bfe: ICMP6, neighbor solicitation, who has fe80::baec:a3ff:fed6:8bfe, length 32
11:51:50.631564 IP6 fe80::baec:a3ff:fed6:8bfe > fe80::e4a1:e4ff:fe82:ef16: ICMP6, neighbor advertisement, tgt is fe80::baec:a3ff:fed6:8bfe, length 24
11:51:51.110763 IP6 2001:db8::1 > 2001:db8::2: srcrt (len=2, type=4, segleft=0[|srcrt]

Looks like it receives encapsulated packages, but the route back seems not to work since the packages don't show up on the interface to the x86 router.

PolynomialDivision · October 15, 2020, 10:01am

Thank u! I need ip-full! Now it is working on x86!

PolynomialDivision · October 15, 2020, 10:21am

The IPQ40xx soc is not giving the packets to the other interface. Any idea?

Firewall (Middle Router):

config zone 'zone_testing'                                                     
        option input 'ACCEPT'                                                   
        option forward 'ACCEPT'  
        option name 'testing'                                                  
        option output 'ACCEPT'                                                  
        option network 'mesh_test_node_1 mesh_test_node_2'

Test-Node 1 is the left and Test-Node-2 is the right router.

Route (Test-Node-1):

2001:db8::/64 dev eth0.15 proto kernel metric 256 pref medium
2001:db9::/64  encap seg6 mode encap segs 1 [ 2001:db8::2 ] dev eth0.15 metric 1024 pref medium

Test-Node-2

2001:db8::/64  encap seg6 mode encap segs 1 [ 2001:db9::2 ] dev eth0.16 metric 1024 pref medium
2001:db9::/64 dev eth0.16 proto kernel metric 256 pref medium

PolynomialDivision · October 15, 2020, 1:15pm

It's working!!! Here is the solution. You have to enable seg6 on the middle router on each interface.

Per-interface configuration

Several per-interface sysctls are available to control SRv6 behavior.

net.ipv6.conf.*.seg6_enabled (integer)
Matching packets for this sysctl are those whose active segment (i.e., IPv6 DA) is local to the Linux node.

    0: Drop ingress SR-enabled packets from this interface.
    1: Accept ingress SR-enabled packets and apply basic SRH processing. 

net.ipv6.conf.*.se

https://segment-routing.org/index.php/Implementation/Configuration

system · October 25, 2020, 1:15pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.