set uplink admin-up only after it has been configured#918
Draft
set uplink admin-up only after it has been configured#918
Conversation
Move InterfaceAdminUp() for the uplink interface to after DisableIP6RouterAdvertisements(). Previously, the uplink was brought admin-up immediately after creation and then configured with IPv6 enable, RA suppress, CNAT, VRF, addresses, and routes. This left a window where the interface was up with RA processing still active, allowing VPP to process Router Advertisements from the wire and potentially install unwanted SLAAC addresses or default routes before the intended configuration was in place. Signed-off-by: Aritra Basu <aritrbas@cisco.com>
aritrbas
force-pushed
the
abasu-fix-adminup
branch
from
b55c598 to
8450e31
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This fixes uplink startup sequencing in
vpp-managerso that the uplink interfaces are brought admin-up only afterDisableIP6RouterAdvertisements()is called on the interface.RCA
runVpp()previously set uplink admin-up immediately after interface creation and only then configured IPv6 RA suppression, CNAT features, VRF assignment, interface addresses and routes.This created a window where the interface could process traffic before RA suppression and full policy/routing state were applied. During this window, VPP can processes any RA arriving on the wire that can install unwanted default routes from upstream routers into the FIB, acquire SLAAC addresses that VPP should not have or pollute the FIB before the intended configuration is fully applied.
Fix
Keep uplink admin-down until
DisableIP6RouterAdvertisements()is called; only then perform uplink admin-up.CreateMainVppInterface → InterfaceAdminUp → configureVppUplinkInterfaceCreateMainVppInterface → DisableIP6RouterAdvertisements → InterfaceAdminUp → configureVppUplinkInterface