vpp: Workaround scapy bfd issue (sonic-net#22644)

yue-fred-gao · ravaliyel · commit 9efdb689db9b · 2026-03-26T20:52:45.000-07:00
Approach What is the motivation for this PR? After upgrading scapy in ptf container, a bug is introduced. BFDResponder generates BFD packet with auth field even auth flag is not enabled. The authentication field is appended to the end of the BFD packet without adjusting UDP header length. This causes udp checksum verification failed. Here is the packet from PTF: 18:16:27.682014 IP6 fddd:a100:a0::a37:10.49157 > fc00:1::32.4784: UDP, bad length 35 > 24 0x0000: 225d a77e b78e 1e44 8b06 c367 86dd 6000 0x0010: 0000 0020 11ff fddd a100 00a0 0000 0000 0x0020: 0000 0a37 0010 fc00 0001 0000 0000 0000 0x0030: 0000 0000 0032 c005 12b0 002b 9c68 2080 0x0040: 0a18 cdba 0001 c349 ff6a 000f 4240 000f 0x0050: 4240 0000 0001 010b 0170 6173 7377 6f72 0x0060: 64 Here is the issue about scapy bfd issue: secdev/scapy#4937 How did you do it? Set optional_auth to None to get around the bug How did you verify/test it? Verified with sonic-mgmt test Signed-off-by: Yue Gao <yuega2@cisco.com>
diff --git a/ansible/roles/test/files/ptftests/py3/bfd_responder.py b/ansible/roles/test/files/ptftests/py3/bfd_responder.py
@@ -8,6 +8,8 @@
 import ptf.packet as scapy
 from ptf.base_tests import BaseTest
 from scapy.contrib.bfd import BFD
+from scapy.layers.inet import IP
+from scapy.layers.inet6 import IPv6
 from ptf.testutils import (send_packet, test_params_get)
 from ipaddress import ip_address, IPv4Address, IPv6Address
 session_timeout = 1
@@ -161,19 +163,37 @@ def craft_bfd_packet(self,
                          bfd_remote_disc,
                          bfd_state):
         ethpart = scapy.Ether(data)
-        bfdpart = BFD(bytes(ethpart.payload.payload.payload))
+
+        # Parse only the mandatory 24-byte BFD header; ignore any
+        # trailing data such as Simple Password authentication.
+        bfdpart = BFD(bytes(ethpart.payload.payload.payload)[:24])
         bfdpart.my_discriminator = my_discriminator
         bfdpart.your_discriminator = bfd_remote_disc
         bfdpart.sta = bfd_state
 
-        ethpart.payload.payload.payload = bfdpart
-        ethpart.src = mac_dst
-        ethpart.dst = mac_src
-        ethpart.payload.src = ip_dst
-        ethpart.payload.dst = ip_src
-
-        # recompute UDP checksum
-        ethpart.payload.payload.chksum = None
-        ethpart.show()
-
-        return ethpart
+        # If the A (Auth Present) flag is set, scapy auto-creates a
+        # phantom OptionalAuth with default auth_key=b'password' even
+        # when no auth bytes exist on the wire.  Clear both to prevent
+        # the 11-byte auth trailer from being serialized into the
+        # response packet.
+        bfdpart.flags = bfdpart.flags & ~0x04
+        bfdpart.optional_auth = None
+
+        udp_sport = ethpart[scapy.UDP].sport
+        udp_dport = ethpart[scapy.UDP].dport
+
+        # Build the response packet from scratch so no cached raw
+        # bytes (e.g. auth trailing data) leak from the parsed packet.
+        if ethpart.type == 0x86dd:  # IPv6
+            pkt = (scapy.Ether(src=mac_dst, dst=mac_src, type=0x86dd) /
+                   IPv6(src=ip_dst, dst=ip_src, hlim=255) /
+                   scapy.UDP(sport=udp_sport, dport=udp_dport) /
+                   bfdpart)
+        else:  # IPv4
+            pkt = (scapy.Ether(src=mac_dst, dst=mac_src, type=0x0800) /
+                   IP(src=ip_dst, dst=ip_src, ttl=255) /
+                   scapy.UDP(sport=udp_sport, dport=udp_dport) /
+                   bfdpart)
+
+        pkt.show()
+        return pkt
