tests/bgp-frr-unnumbered: init

Author: felbinger

tests/README.md

@@ -3,6 +3,7 @@
 | Test Name                                 | Tested Software Components |
 |-------------------------------------------|----------------------------|
 | bgp-extended-nexthop                      | FRR, BIRD3                 |
+| bgp-frr-unnumbered                        | FRR                        | <!-- Add BIRD when unnumbered peerings are supported -->
 | bgp-md5                                   | FRR, BIRD3                 |
 | bgp-prefsource                            | FRR, BIRD3                 |
 | bgp-simple                                | FRR, BIRD3                 |

tests/bgp-frr-unnumbered/README.md

@@ -0,0 +1,18 @@
+# frr-bgp-unnumbered
+
+This configuration extends the [bgp-extended-nexthop](../bgp-extended-nexthop/) test by
+introducing BGP unnumbered support, which removes the need to explicitly specify an IPv6 link-local address.
+
+**Note:**
+BGP unnumbered is not currently standardized by any RFC, so behavior and implementation may vary across
+platforms; additionally, the BIRD routing daemon does not support BGP unnumbered interfaces at this time.
+
+In BGP unnumbered, neighbors use IPv6 link-local addresses that are automatically configured via IPv6
+Router Advertisements based on interface identifiers, eliminating the need to manually specify addresses.
+
+Because sessions rely on dynamic link-local addresses rather than explicit IPs, traditional IP-based security
+measures like access lists may not be effective, exposing the session to risks if the link is compromised.
+
+Unlike some other vendors, FRR currently does not support features like allowas-in for additional session
+filtering, so it is recommended to use extra protections such as TTL-Security and TCP MD5 or, hopefully
+in the future, TCP-AO.

tests/bgp-frr-unnumbered/default.nix

@@ -0,0 +1,72 @@
+{ ... }:
+{
+  name = "frr-bgp-unnumbered";
+
+  defaults = {
+    networking = {
+      useDHCP = false;
+      firewall.allowedTCPPorts = [ 179 ];
+    };
+    services.frr.bgpd.enable = true;
+  };
+
+  nodes = {
+    a = {
+      services.frr.config = ''
+        router bgp 65001
+          no bgp ebgp-requires-policy
+          no bgp default ipv4-unicast
+          bgp router-id 192.0.2.10
+
+          neighbor fabric peer-group
+          neighbor fabric remote-as external
+          neighbor fabric capability extended-nexthop
+          neighbor eth1 interface peer-group fabric
+
+          address-family ipv4 unicast
+            neighbor fabric activate
+          exit-address-family
+
+          address-family ipv6 unicast
+            neighbor fabric activate
+          exit-address-family
+      '';
+    };
+    b = {
+      services.frr.config = ''
+        router bgp 65002
+          no bgp ebgp-requires-policy
+          no bgp default ipv4-unicast
+          bgp router-id 192.0.2.11
+
+          neighbor fabric peer-group
+          neighbor fabric remote-as external
+          neighbor fabric capability extended-nexthop
+          neighbor eth1 interface peer-group fabric
+
+          address-family ipv4 unicast
+            neighbor fabric activate
+          exit-address-family
+
+          address-family ipv6 unicast
+            neighbor fabric activate
+          exit-address-family
+      '';
+    };
+  };
+
+  testScript = ''
+    start_all()
+
+    for m in [a, b]:
+      m.wait_for_unit("network.target")
+      m.wait_for_unit("frr.service")
+
+    a.wait_until_succeeds("vtysh -c 'show bgp ipv4 summary' | grep 'eth1.*0\\s*0\\s*N/A'")
+    b.wait_until_succeeds("vtysh -c 'show bgp ipv4 summary' | grep 'eth1.*0\\s*0\\s*N/A'")
+
+    # IPv6 DAD might need some time to complete for the local link address
+    a.wait_until_succeeds("vtysh -c 'show bgp ipv6 summary' | grep 'eth1.*0\\s*0\\s*N/A'")
+    b.wait_until_succeeds("vtysh -c 'show bgp ipv6 summary' | grep 'eth1.*0\\s*0\\s*N/A'")
+  '';
+}