vpp: Workaround scapy bfd issue #22644
Merged
yejianquan merged 6 commits into sonic-net:master from Mar 1, 2026
Signed-off-by: Yue Gao <[email protected]>
Signed-off-by: Yue Gao <[email protected]>
Collaborator
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Signed-off-by: Yue Gao <[email protected]>
Signed-off-by: Yue Gao <[email protected]>
Contributor, Author
/azpw run
Collaborator
/AzurePipelines run
Azure Pipelines successfully started running 1 pipeline(s).
yejianquan (Collaborator) approved these changes Mar 1, 2026 and left a comment:
LGTM, thanks for the fix
aronovic pushed a commit to aronovic/sonic-mgmt that referenced this pull request Mar 3, 2026

Approach

What is the motivation for this PR?
After upgrading scapy in the ptf container, a bug is introduced. BFDResponder generates a BFD packet with the auth field even when the auth flag is not enabled. The authentication field is appended to the end of the BFD packet without adjusting the UDP header length. This causes UDP checksum verification to fail.
Here is the packet from PTF:

    18:16:27.682014 IP6 fddd:a100:a0::a37:10.49157 > fc00:1::32.4784: UDP, bad length 35 > 24
        0x0000:  225d a77e b78e 1e44 8b06 c367 86dd 6000
        0x0010:  0000 0020 11ff fddd a100 00a0 0000 0000
        0x0020:  0000 0a37 0010 fc00 0001 0000 0000 0000
        0x0030:  0000 0000 0032 c005 12b0 002b 9c68 2080
        0x0040:  0a18 cdba 0001 c349 ff6a 000f 4240 000f
        0x0050:  4240 0000 0001 010b 0170 6173 7377 6f72
        0x0060:  64

Here is the issue about scapy bfd issue: secdev/scapy#4937

How did you do it?
Set optional_auth to None to get around the bug

How did you verify/test it?
Verified with sonic-mgmt test

Signed-off-by: Yue Gao <[email protected]>
Signed-off-by: Mihut Aronovici <[email protected]>
rraghav-cisco pushed a commit to rraghav-cisco/sonic-mgmt that referenced this pull request Mar 3, 2026
kazinator-arista pushed a commit to kazinator-arista/sonic-mgmt that referenced this pull request Mar 4, 2026

… 6.1.123 (#23478)

changed hardcoded src/sonic-linux-kernel path to /lib/modules/<kernel_version>/ path
changed platform.conf to use single kernel version variable instead changing all places
Release artifacts for Pensando dpu to build docker-dpu.tar.gz and libsai debs for 1.87.0-SS-15 release

Why I did it
Picked: sonic-net#22900
Picked: sonic-net#22644

Work item tracking
Microsoft ADO (number only):

How I did it
git clone https://github.com/sonic-net/sonic-buildimage.git
<path_to_sonic-builldimage>: make init
<path_to_sonic-builldimage>: make configure PLATFORM=pensando PLATFORM_ARCH=arm64
cd <path_to_sonic-builldimage>/platform/pensando/pensando-sonic-artifacts
<path_to_sonic-builldimage>/platform/pensando/pensando-sonic-artifacts: gh release download 1.87.0-SS-15-release
<path_to_sonic-builldimage>: NOJESSIE=1 NOSTRETCH=1 NOBUSTER=0 NOBULLSEYE=0 make target/sonic-pensando.tar

How to verify it
Load the SONiC image from ONIE and make sure the interfaces are UP. All containers are up. midplane ip should work.

Signed-off-by: Sahil Chaudhari <[email protected]>
aronovic pushed a commit to aronovic/sonic-mgmt that referenced this pull request Mar 10, 2026
selldinesh pushed a commit to selldinesh/sonic-mgmt that referenced this pull request Mar 16, 2026
abhishek-nexthop pushed a commit to nexthop-ai/sonic-mgmt that referenced this pull request Mar 17, 2026
vrajeshe pushed a commit to vrajeshe/sonic-mgmt that referenced this pull request Mar 23, 2026
ravaliyel pushed a commit to ravaliyel/sonic-mgmt that referenced this pull request Mar 27, 2026
Description of PR
Summary:
Fixes # (issue)
Type of change
Back port request
Approach
What is the motivation for this PR?
After upgrading scapy in the ptf container, a bug is introduced. BFDResponder generates a BFD packet with the auth field even when the auth flag is not enabled. The authentication field is appended to the end of the BFD packet without adjusting the UDP header length. This causes UDP checksum verification to fail.
Here is the packet from PTF:
Here is the issue about scapy bfd issue: secdev/scapy#4937
How did you do it?
Set optional_auth to None to get around the bug
How did you verify/test it?
Verified with sonic-mgmt test
Any platform specific information?
Supported testbed topology if it's a new test case?
Documentation
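
Added example (not code from this PR or from scapy): a standard-library check run over the frame bytes quoted in the commit message for this PR, comparing the IPv6 payload length, the UDP length, the BFD Length field and the A (authentication present) bit. It assumes an untagged Ethernet frame with no IPv6 extension headers; `check_bfd_frame` and its field names are chosen here for illustration.

```python
import struct

# Frame bytes copied from the tcpdump hex dump quoted in the commit message.
FRAME = bytes.fromhex(
    "225da77eb78e1e448b06c36786dd6000" "0000002011fffddda10000a000000000"
    "00000a370010fc000001000000000000" "000000000032c00512b0002b9c682080"
    "0a18cdba0001c349ff6a000f4240000f" "424000000001010b0170617373776f72"
    "64"
)

ETH_LEN, IP6_LEN, UDP_LEN, BFD_MIN = 14, 40, 8, 24
AUTH_FLAG = 0x04  # "A" bit in the second byte of the BFD control header


def check_bfd_frame(frame):
    """Return (fields, findings) for an Ethernet/IPv6/UDP/BFD control frame."""
    if len(frame) < ETH_LEN + IP6_LEN + UDP_LEN + BFD_MIN:
        raise ValueError("frame too short for Ethernet/IPv6/UDP/BFD")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    ip6_payload_len, next_hdr = struct.unpack_from("!HB", frame, ETH_LEN + 4)
    if ethertype != 0x86DD or next_hdr != 17:
        raise ValueError("not an IPv6/UDP frame (extension headers unsupported)")
    udp_off = ETH_LEN + IP6_LEN
    _sport, dport, udp_len, _cksum = struct.unpack_from("!HHHH", frame, udp_off)
    bfd = frame[udp_off + UDP_LEN:]          # everything captured after UDP
    flags, bfd_len = bfd[1], bfd[3]          # flags byte and BFD Length field
    trailing = bytes(bfd[bfd_len:])          # bytes beyond the BFD Length
    fields = {
        "dport": dport,
        "ip6_payload_len": ip6_payload_len,
        "udp_len": udp_len,
        "bfd_len": bfd_len,
        "auth_flag": bool(flags & AUTH_FLAG),
        "trailing": trailing,
    }
    findings = []
    if udp_len != ip6_payload_len:
        findings.append("UDP length %d != IPv6 payload length %d"
                        % (udp_len, ip6_payload_len))
    if trailing and not fields["auth_flag"]:
        findings.append("%d bytes follow the BFD header but the A bit is clear"
                        % len(trailing))
    return fields, findings


if __name__ == "__main__":
    info, problems = check_bfd_frame(FRAME)
    print(info)
    for p in problems:
        print("FINDING:", p)
```

On the quoted frame this reports UDP length 43 against IPv6 payload length 32, which is the `bad length 35 > 24` tcpdump prints once the 8-byte UDP header is subtracted, plus 11 trailing bytes (type 1, length 11, key ID 1, `password`) with the A bit clear.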