* [Bridge] frame destined for individual port MAC address
From: Benoit PAPILLAULT @ 2008-08-11 21:52 UTC (permalink / raw)
To: Bridge
Hi there,
I'm working on very strange stuff using the Linux kernel bridge. Anyway, I
have a quick question.
Let's say I have 2 linux machines. Each has one bridge with several
interfaces. One interface of the first bridge (say eth0) is connected to
one interface of the other bridge (say eth0 again) using an Ethernet cable.
I have not configured an IP address on the bridge itself (on purpose)
but on each individual interface in the bridge. In order to be able to
communicate with those interfaces, I use ebtables broute rules in order
for the frame entering the bridge and with destination address being the
individual interface to be routed (-j DROP). Examples:
ebtables -t broute -L
Bridge table: broute
Bridge chain: BROUTING, entries: 4, policy: ACCEPT
-d 0:ff:7f:dc:d3:4d -j DROP
-d 0:ff:5e:7e:a5:ac -j DROP
-d 0:ff:22:84:70:19 -j DROP
-d 0:ff:2:fb:4:6d -j DROP
This is working as expected. So far, so good.
Now, using rtnetlink, I changed the port state (alternating between
learning and forwarding). In the learning state, ping is no longer
working between the 2 nodes. I would expect for the ping to be still
working (since IMHO bridge itself and its port should not be subject to
the bridge filtering rules).
Disclaimer: I'm not saying that the current Linux implementation is
wrong, nor that 802.1d is wrong.
Questions are:
- according to 802.1d, what should happen to a frame with a destination
address being the MAC addr of a bridge port when it enters this bridge
port? Maybe this is outside of the scope of 802.1d since this frame is
not going to be "forwarded" in any way.
- according to the current Linux implementation, would it be a problem
to accept such a frame? I tried a quick patch and it seems to be working.
However, it probably broke lots of other things.
Regards,
Benoit
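As an added illustration (not code from the thread or from the bridge/ebtables projects), a small audit script for the setup described above: it parses an `ebtables -t broute -L` listing in the format shown, normalises ebtables' unpadded MAC notation, and checks that every bridge port's own MAC has a broute DROP rule. The listing, the port names and their addresses are constructed.

```python
import re
# Constructed listing in the format `ebtables -t broute -L` prints; note that
# ebtables shows MAC octets without zero padding (0:ff:2:fb:4:6d).
SAMPLE_BROUTE = """\
Bridge table: broute

Bridge chain: BROUTING, entries: 4, policy: ACCEPT
-d 0:ff:7f:dc:d3:4d -j DROP
-d 0:ff:5e:7e:a5:ac -j DROP
-d 0:ff:22:84:70:19 -j DROP
-d 0:ff:2:fb:4:6d -j DROP
"""
# Constructed port MACs as /sys/class/net/<port>/address reports them
# (always zero-padded); the port names are hypothetical.
SAMPLE_PORTS = {
    "eth0": "00:ff:7f:dc:d3:4d",
    "eth1": "00:ff:5e:7e:a5:ac",
    "eth2": "00:ff:22:84:70:19",
    "eth3": "00:ff:02:fb:04:6d",
}
MAC_RE = re.compile(r"^(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$")
RULE_RE = re.compile(r"^-d\s+(\S+)\s+-j\s+(\S+)$")

def normalize_mac(mac):
    """Zero-padded lower-case form so ebtables and sysfs spellings compare equal."""
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))

def parse_broute(listing):
    """Map destination MAC -> target for each -d rule of the BROUTING chain.
    In the broute table DROP means 'route the frame (IP stack) instead of bridging'."""
    rules, in_chain = {}, False
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Bridge chain:"):
            in_chain = line.startswith("Bridge chain: BROUTING")
            continue
        m = RULE_RE.match(line)
        if in_chain and m:
            rules[normalize_mac(m.group(1))] = m.group(2)
    return rules

def audit_broute(listing, ports):
    """Return (ports whose own MAC lacks a DROP rule, rule MACs matching no port)."""
    rules = parse_broute(listing)
    by_mac = {normalize_mac(mac): name for name, mac in ports.items()}
    missing = sorted(n for mac, n in by_mac.items() if rules.get(mac) != "DROP")
    stray = sorted(mac for mac in rules if mac not in by_mac)
    return missing, stray
```

A port listed as missing still has frames for its own MAC handled on the bridge path, where the port state (learning, blocking) decides their fate, which is the behaviour the thread goes on to discuss.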
* Re: [Bridge] frame destined for individual port MAC address
From: Stephen Hemminger @ 2008-08-11 23:31 UTC (permalink / raw)
To: Benoit PAPILLAULT; +Cc: Bridge
On Mon, 11 Aug 2008 23:52:45 +0200
Benoit PAPILLAULT <benoit.papillault@free.fr> wrote:
>
> Hi there,
>
> I'm working on very strange stuff using linux kernel bridge. Anyway, I
> have a quick question.
>
> Let's say I have 2 linux machines. Each has one bridge with several
> interfaces. One interface of the first bridge (say eth0) is connected to
> one interface of the other bridge (say eth0 again) using an Ethernet cable.
>
> I have not configured an IP address on the bridge itself (on purpose)
> but on each individual interface in the bridge. In order to be able to
> communicate with those interfaces, I use ebtable broute rules in order
> for the frame entering the bridge and with destination address being the
> individual interface to be routed (-j DROP). Examples:
>
> ebtables -t broute -L
> Bridge table: broute
>
> Bridge chain: BROUTING, entries: 4, policy: ACCEPT
> -d 0:ff:7f:dc:d3:4d -j DROP
> -d 0:ff:5e:7e:a5:ac -j DROP
> -d 0:ff:22:84:70:19 -j DROP
> -d 0:ff:2:fb:4:6d -j DROP
>
> This is working as expected. So far, so good.
>
> Now, using rtnetlink, I changed the port state (alternating between
> learning and forwarding). In the learning state, ping is no longer
> working between the 2 nodes. I would expect for the ping to be still
> working (since IMHO bridge itself and its port should not be subject to
> the bridge filtering rules).
>
> Disclaimer : I'm not saying that the current linux implementation is
> wrong, nor 802.1d is wrong.
>
> Questions are :
> - according to 802.1d, what should happen to a frame with a destination
> address being the MAC addr of a bridge port when it enters this bridge
> port? Maybe this is outside of the scope of 802.1d since this frame is
> not going to be "forwarded" in any way.
>
> - according to the current linux implementation, would it be a problem
> to accept such frame? I tried a quick patch and it seems to be working.
> However, it probably broke lots of other things.
>
You are doing things in a very non-standard way by putting IP addresses
on each interface. This then leads to problems. Don't do it.
If the port is not forwarding, it needs to ignore the frame to prevent routing
loops.
Rather than ask a detailed question like "what will happen if I misconfigure
the system, then change the behaviour", instead start a discussion about
your requirements. Like "I need to forward only frames from some MAC addresses
in a firewall". The answer might not involve bridging at all...
* Re: [Bridge] frame destined for individual port MAC address
From: Benoit PAPILLAULT @ 2008-08-15 20:06 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: Bridge
Stephen Hemminger wrote:
| Rather than an ask a detailed question like "what will happen if I misconfigure
| the system, then change the behaviour", instead start a discussion about
| your requirements. Like "I need to forward only frames from some MAC addresses
| in a firewall". The answer might not involve bridging at all...
In fact, I'm evaluating how to implement rbridge:
http://www.postel.org/rbridge/, which is a mix of bridging and routing.
The latest specifications (IETF draft) are available here:
http://tools.ietf.org/html/draft-ietf-trill-rbridge-protocol-08
I am in a very preliminary phase, trying to learn how to implement
routing and bridging under Linux. In order for the routing protocol to
have a proper topology view, it somehow needs to assign a unique IP on all
interfaces, and for bridging those interfaces need to be in the same
bridge.
Maybe I am wrong in those assumptions, but here is the explanation for my
previous questions.
Regards,
Benoit
* Re: [Bridge] frame destined for individual port MAC address
From: Malcolm Scott @ 2008-08-15 20:17 UTC (permalink / raw)
To: Benoit PAPILLAULT; +Cc: Bridge
At 22:06 today, Benoit PAPILLAULT wrote:
> I am in a very preliminary phase, trying to learn how to implement
> routing and bridging under Linux. In order for the routing protocol to
> have proper topology view, it somehow needs to assign a unique IP on all
> interfaces and for bridging and those interfaces needs to be in the same
> bridge.
By my understanding (and it's a while since I read that paper so I might be
wrong) you don't need unique IP addresses on all interfaces; everything uses
MAC addresses. To quote section 4.2 of the draft:
o it runs directly over Layer 2, so therefore may be run with zero
configuration (no IP addresses need to be assigned)
--
Malcolm Scott
Research Assistant
University of Cambridge Computer Laboratory
* Re: [Bridge] frame destined for individual port MAC address
From: Stephen Hemminger @ 2008-08-15 20:31 UTC (permalink / raw)
To: Malcolm Scott; +Cc: Bridge, Benoit PAPILLAULT
On Fri, 15 Aug 2008 21:17:27 +0100 (BST)
Malcolm Scott <Malcolm.Scott@cl.cam.ac.uk> wrote:
> At 22:06 today, Benoit PAPILLAULT wrote:
>
> > I am in a very preliminary phase, trying to learn how to implement
> > routing and bridging under Linux. In order for the routing protocol to
> > have proper topology view, it somehow needs to assign a unique IP on all
> > interfaces and for bridging and those interfaces needs to be in the same
> > bridge.
>
> By my understanding (and it's a while since I read that paper so I might be
> wrong) you don't need unique IP addresses on all interfaces; everything uses
> MAC addresses. To quote section 4.2 of the draft:
>
> o it runs directly over Layer 2, so therefore may be run with zero
> configuration (no IP addresses need to be assigned)
>
It looks like an implementation of rbridge would do:
1. Set STP to "user mode" similar to user mode RSTP
2. Set IP address on bridge device (same as normal)
3. Run routing daemon with multiple sockets that use SO_BINDTODEVICE
to receive the packets by interface
4. Routing daemon would manage bridged interface state (blocking, forwarding, etc)
* Re: [Bridge] frame destined for individual port MAC address
From: Benoit PAPILLAULT @ 2008-08-15 21:03 UTC (permalink / raw)
To: Malcolm Scott; +Cc: Bridge
Malcolm Scott wrote:
| At 22:06 today, Benoit PAPILLAULT wrote:
|
|> I am in a very preliminary phase, trying to learn how to implement
|> routing and bridging under Linux. In order for the routing protocol to
|> have proper topology view, it somehow needs to assign a unique IP on all
|> interfaces and for bridging and those interfaces needs to be in the same
|> bridge.
|
| By my understanding (and it's a while since I read that paper so I might be
| wrong) you don't need unique IP addresses on all interfaces; everything uses
| MAC addresses. To quote section 4.2 of the draft:
|
| o it runs directly over Layer 2, so therefore may be run with zero
| configuration (no IP addresses need to be assigned)
|
Correct, since the spec is using IS-IS. However, I'd like to use OSPF
instead. I'm reading IS-IS and OSPF details to understand whether a
unique IP is needed per interface. A single IP over the whole would be
more convenient, I must admit.
Regards,
Benoit
* Re: [Bridge] frame destined for individual port MAC address
From: Benoit PAPILLAULT @ 2008-08-15 21:12 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: Bridge
Stephen Hemminger wrote:
| On Fri, 15 Aug 2008 21:17:27 +0100 (BST)
| Malcolm Scott <Malcolm.Scott@cl.cam.ac.uk> wrote:
|
|> At 22:06 today, Benoit PAPILLAULT wrote:
|>
|>> I am in a very preliminary phase, trying to learn how to implement
|>> routing and bridging under Linux. In order for the routing protocol to
|>> have proper topology view, it somehow needs to assign a unique IP on all
|>> interfaces and for bridging and those interfaces needs to be in the same
|>> bridge.
|> By my understanding (and it's a while since I read that paper so I might be
|> wrong) you don't need unique IP addresses on all interfaces; everything uses
|> MAC addresses. To quote section 4.2 of the draft:
|>
|> o it runs directly over Layer 2, so therefore may be run with zero
|> configuration (no IP addresses need to be assigned)
|>
|
| It looks an implementation or rbridge would do:
| 1. Set STP to "user mode" similar to user mode RSTP
| 2. Set IP address on bridge device (same as normal)
| 3. Run routing daemon with multiple sockets that use SO_BINDTODEVICE
| to receive the packets by interface
| 4. Routing daemon would manage bridged interface state (blocking, forwarding, etc)
I've done 1 (easy, create /sbin/bridge-up) & 4 (using rtnetlink). For the IP
address, it seems I'm a beginner in this area (I'm more skilled in
software than routing protocols so far...).
The other point I did is for the bridge to accept a special MAC address
whatever the bridge state is, in order to be able to receive the
equivalent of BPDU.
Now, if my bridge is called br0 and contains eth0 + eth1 for instance,
the routing protocol will add routes over br0, right? So the system can
not know which interface (eth0 or eth1) the routing protocol would like
to use to route packets?
In most cases, the next hop router will be reachable through only one
interface. But let's say 2 adjacent routers are connected through 2
interfaces (like 2 crossover cables between 2 bridges). In this case, I
think, the system might take the wrong decision.
Things are not clear in my mind on this point.
Regards,
Benoit
* Re: [Bridge] frame destined for individual port MAC address
From: Stephen Hemminger @ 2008-08-15 22:03 UTC (permalink / raw)
To: Benoit PAPILLAULT; +Cc: Bridge
On Fri, 15 Aug 2008 23:03:14 +0200
Benoit PAPILLAULT <benoit.papillault@free.fr> wrote:
>
> Malcolm Scott wrote:
> | At 22:06 today, Benoit PAPILLAULT wrote:
> |
> |> I am in a very preliminary phase, trying to learn how to implement
> |> routing and bridging under Linux. In order for the routing protocol to
> |> have proper topology view, it somehow needs to assign a unique IP on all
> |> interfaces and for bridging and those interfaces needs to be in the same
> |> bridge.
> |
> | By my understanding (and it's a while since I read that paper so I might be
> | wrong) you don't need unique IP addresses on all interfaces; everything uses
> | MAC addresses. To quote section 4.2 of the draft:
> |
> | o it runs directly over Layer 2, so therefore may be run with zero
> | configuration (no IP addresses need to be assigned)
> |
>
> Correct since the spec is using IS-IS. However, i'd like to use OSPF
> instead. I'm reading IS-IS and OSPF details to understand whever a
> unique IP is needed per interface. A single IP over the whole would be
> more convenient I must admit.
>
Linux has a weak-address model, so an IP per interface is not going
to do what you expect. Use SO_BINDTODEVICE.
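Added example, not Stephen's or the bridge project's code, showing step 3 of the plan earlier in the thread and the advice in this last reply: the daemon keeps a single address on the bridge device but opens one socket per bridge port with SO_BINDTODEVICE, so the ingress port is known from which socket becomes readable, which is exactly what Benoit worried the system could not tell. UDP stands in for the routing protocol's own transport, and the interface names are examples.

```python
import select
import socket

# Linux value of SO_BINDTODEVICE, for Python builds that lack the constant.
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)

def open_port_sockets(ifnames, addr="0.0.0.0", port=0):
    """One UDP socket per bridge port, each tied to its port with
    SO_BINDTODEVICE and all bound to the same addr:port. The kernel allows
    identical bindings when the bound devices differ, so the socket that
    becomes readable identifies the ingress port. Port names are examples."""
    socks = {}
    try:
        for name in ifnames:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.setsockopt(socket.SOL_SOCKET, SO_BINDTODEVICE, name.encode())
            s.bind((addr, port))
            port = s.getsockname()[1]  # later ports reuse the first chosen port
            socks[name] = s
    except OSError:
        for s in socks.values():
            s.close()
        raise
    return socks

def receive_by_port(socks, timeout=1.0):
    """Wait for one datagram; return (ingress port, payload, peer) or None on
    timeout. Nothing inside the packet says which port it arrived on."""
    readable, _, _ = select.select(list(socks.values()), [], [], timeout)
    if not readable:
        return None
    s = readable[0]
    data, peer = s.recvfrom(65535)
    name = next(n for n, sk in socks.items() if sk is s)
    return name, data, peer

def loopback_demo():
    """Self-test over lo: send ourselves a constructed datagram and learn
    the ingress interface from which socket fired."""
    socks = open_port_sockets(["lo"], addr="127.0.0.1")
    try:
        port = socks["lo"].getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(b"hello", ("127.0.0.1", port))
        got = receive_by_port(socks)
        return None if got is None else (got[0], got[1])
    finally:
        for s in socks.values():
            s.close()
```

On older kernels SO_BINDTODEVICE needs CAP_NET_RAW, so the loopback self-test must then run with that capability.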