Interop between ExaBGP and Juniper (rfc5575)

[dontmess1]

I've configured an interop between Juniper (Junos 20.2R3-S2.5) and ExaBGP (Ubuntu 22.04 (ExaBGP : 4.2.17; Python : 3.10.12))

R1 <- bgp flowspec-> ExaBGP

ExaBGP has a configuration:

neighbor 10.10.10.2 {
    # Basic identification
    router-id 10.10.10.3;
    local-address 10.10.10.3;
    local-as 2020;
    peer-as 2020;

    # Announce a static route
    static {
        route 100.10.0.0/24 next-hop self;
    }
}

Juniper has a configuraion:

@R1# run show configuration protocols bgp group FLOWPUSHER
Dec 23 21:05:27
traceoptions {
    file FLOWSPEC size 2m files 2 world-readable;
    flag update detail;
}
local-address 10.10.10.2;
peer-as 2020;
neighbor 10.10.10.3 {
    family inet {
        unicast;
        flow {
            no-validate NO-VALIDATE;
        }
    }
}

My test is easy, like a piece of cake.

I've generated 2 flowspec' routes:

exabgpcli 'neighbor 10.10.10.2 announce flow route destination-ipv4 90.100.110.120/32 protocol =udp destination-port [ <53 >53&<443 >443&<500 >500&<3391 >3391&<4433 >4433&<4500 >4500&<5101 >5101&<5106 ] rate-limit 0'

I did't have an impact

R1# run show route table inetflow.0    
Dec 24 05:32:33

inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

90.100.110.120,*,proto=17,dstport>=0&<=52,>=54&<=442,>=444&<=499,>=501&<=3390,>=3392&<=4432,>=4434&<=4499,>=4501&<=5100,>=5102&<=5105/term:1            
                   *[BGP/170] 00:00:58, localpref 100, from 10.10.10.3
                      AS path: I, validation-state: unverified
                       Fictitious


Dec 24 05:37:59.024445 BGP RECV 10.10.10.3+38255 -> 10.10.10.2+179
Dec 24 05:37:59.024483 BGP RECV message type 2 (Update) length 110
Dec 24 05:37:59.024492 BGP RECV Update PDU length 110
Dec 24 05:37:59.024501 BGP RECV flags 0x40 code Origin(1): IGP
Dec 24 05:37:59.024539 BGP RECV flags 0x40 code ASPath(2) length 0: 
Dec 24 05:37:59.024549 BGP RECV flags 0x40 code LocalPref(5): 100
Dec 24 05:37:59.024562 BGP RECV flags 0xc0 code Extended Communities(16): 8006:0:0
Dec 24 05:37:59.024572 BGP RECV flags 0x80 code MP_reach(14): AFI/SAFI 1/133
Dec 24 05:37:59.024605 BGP RECV         90.100.110.120,*,proto=17,dstport>=0&<=52,>=54&<=442,>=444&<=499,>=501&<=3390,>=3392&<=4432,>=4434&<=4499,>=4501&<=5100,>=5102&<=5105/440
Dec 24 05:37:59.024643 bgp_rcv_nlri: Peer 10.10.10.3 (Internal AS 2020)

So, It looks OK, after that I am going to the next step. I've configured the second rule:
exabgpcli 'neighbor 10.10.10.2 announce flow route destination-ipv4 90.100.110.130/32 protocol =udp destination-port [ <53 >53&<443 >443&<500 >500&<3391 >3391&<4433 >4433&<4500 >4500&<5101 >5101&<5106 >5106&<5107 >5107 ] rate-limit 0'

After that BGP session on the peer was restarted:

Dec 24 05:37:59.024722 BGP RECV 10.10.10.3+38255 -> 10.10.10.2+179
Dec 24 05:37:59.024737 BGP RECV message type 2 (Update) length 119
Dec 24 05:37:59.024745 BGP RECV Update PDU length 119
Dec 24 05:37:59.024753 BGP RECV flags 0x40 code Origin(1): IGP
Dec 24 05:37:59.024763 BGP RECV flags 0x40 code ASPath(2) length 0: 
Dec 24 05:37:59.024771 BGP RECV flags 0x40 code LocalPref(5): 100
Dec 24 05:37:59.024781 BGP RECV flags 0xc0 code Extended Communities(16): 8006:0:0
Dec 24 05:37:59.024791 BGP RECV flags 0x80 code MP_reach(14): AFI/SAFI 1/133
Dec 24 05:37:59.024873 BGP RECV         zero-len/0
Dec 24 05:37:59.024906 bgp_rcv_nlri: Peer 10.10.10.3 (Internal AS 2020)
Dec 24 05:37:59.024935 bgp_rcv_nlri: zero-len/0
Dec 24 05:37:59.024973 bgp_rcv_nlri:11061: NOTIFICATION sent to 10.10.10.3 (Internal AS 2020): code 3 (Update Message Error) subcode 10 (bad address/prefix field), Reason: peer 10.10.10.3 (Internal AS 2020) update included invalid route zero-len/0 (0 of 63)
Dec 24 05:37:59.024985 BGP_209030.10.10.10.3: send proc: send via threaded I/O
Dec 24 05:37:59.024993 sending 21 bytes
Dec 24 05:37:59.025007
Dec 24 05:37:59.025007 BGP SEND 10.10.10.2+179 -> 10.10.10.3+38255
Dec 24 05:37:59.025019 BGP SEND message type 3 (Notification) length 21
Dec 24 05:37:59.025028 BGP SEND Notification code 3 (Update Message Error) subcode 10 (bad address/prefix field)
Dec 24 05:37:59.025070  wrote 21 bytes to I/O queue
Dec 24 05:37:59.025080 finished number of messages 1, write qidx 0 rc 1
Dec 24 05:37:59.025101
Dec 24 05:37:59.025101 BGP RECV 10.10.10.3+38255 -> 10.10.10.2+179
Dec 24 05:37:59.025125  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 77 02 00 00
Dec 24 05:37:59.025144  00 60 40 01 01 00 40 02 00 40 05 04 00 00 00 64 c0 10 08 80
Dec 24 05:37:59.025163  06 00 00 00 00 00 00 80 0e 44 00 01 85 00 00 3e 01 20 5a 64
Dec 24 05:37:59.025182  6e 82 03 81 11 05 04 35 02 35 54 01 bb 12 01 bb 54 01 f4 12
Dec 24 05:37:59.025200  01 f4 54 0d 3f 12 0d 3f 54 11 51 12 11 51 54 11 94 12 11 94
Dec 24 05:37:59.025218  54 13 ed 12 13 ed 54 13 f2 12 13 f2 54 13 f3 92 13 f3
Dec 24 05:37:59.025236 bgp_send_deactivate:2920: 10.10.10.3 (Internal AS 2020) ,flags=0x10000: removed from active list

I don't have any ideas, the behavior is unexpected for me.
Do you have any ideas?

[dontmess1]

Have you noticed the difference between the two rules?

The difference is:

flow route destination-ipv4 90.100.110.120/32 protocol =udp destination-port [ <53 >53&<443 >443&<500 >500&<3391 >3391&<4433 >4433&<4500 >4500&<5101 >5101&<5106 ] rate-limit 0 # it works
flow route destination-ipv4 90.100.110.130/32 protocol =udp destination-port [ <53 >53&<443 >443&<500 >500&<3391 >3391&<4433 >4433&<4500 >4500&<5101 >5101&<5106 >5106&<5107 >5107 ] rate-limit 0 # it doesn't work

[thomas-mangin]

If you want to check if we fixed the issue recently, can you please try 5.0 branch and main. But I will look into it.

[dontmess1]

I've downloaded the ExaBGP and running it in the Docker:

exabgp:5.0.1 version
ExaBGP : 5.0.1
Python : 3.13.9 (main, Nov 18 2025, 05:57:28) [GCC 12.2.0]
Uname  : Linux laptop-Standard-PC-Q35-ICH9-2009 6.8.0-90-generic #91~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 20 15:20:45 UTC 2 x86_64
From   : /opt/exabgp/exabgp

2009:~$ docker image ls
IMAGE                                ID             DISK USAGE   CONTENT SIZE   EXTRA
ghcr.io/exa-networks/exabgp:5.0.1    d2b0f59f7bf1        235MB         63.6MB        

I've tried to reproduce this behavior and I've got it.
I've generated the first rule:

docker exec -ti a76747da8296 exabgp-cli 'neighbor 10.10.10.2 announce flow route destination-ipv4 90.100.110.120/32 protocol =udp destination-port [ <53 >53&<443 >443&<500 >500&<3391 >3391&<4433 >4433&<4500 >4500&<5101 >5101&<5106 ] rate-limit 0'


Dec 25 14:57:57.711514 BGP RECV 10.10.10.3+33815 -> 10.10.10.2+179
Dec 25 14:57:57.711529 BGP RECV message type 2 (Update) length 110
Dec 25 14:57:57.711534 BGP RECV Update PDU length 110
Dec 25 14:57:57.711540 BGP RECV flags 0x40 code Origin(1): IGP
Dec 25 14:57:57.711546 BGP RECV flags 0x40 code ASPath(2) length 0: 
Dec 25 14:57:57.711551 BGP RECV flags 0x40 code LocalPref(5): 100
Dec 25 14:57:57.711559 BGP RECV flags 0xc0 code Extended Communities(16): 8006:0:0
Dec 25 14:57:57.711567 BGP RECV flags 0x80 code MP_reach(14): AFI/SAFI 1/133
Dec 25 14:57:57.711583 BGP RECV         90.100.110.120,*,proto=17,dstport>=0&<=52,>=54&<=442,>=444&<=499,>=501&<=3390,>=3392&<=4432,>=4434&<=4499,>=4501&<=5100,>=5102&<=5105/440
Dec 25 14:57:57.711604 bgp_rcv_nlri: Peer 10.10.10.3 (Internal AS 2020)
Dec 25 14:57:57.711615 bgp_rcv_nlri: 

I don't have any problems, after that I'm going to the second step:

docker exec -ti a76747da8296 exabgp-cli 'neighbor 10.10.10.2 announce flow route destination-ipv4 90.100.110.130/32 protocol =udp destination-port [ <53 >53&<443 >443&<500 >500&<3391 >3391&<4433 >4433&<4500 >4500&<5101 >5101&<5106 >5106&<5107 >5107 ] rate-limit 0'

Dec 25 14:57:57.813831 BGP RECV 10.10.10.3+33815 -> 10.10.10.2+179
Dec 25 14:57:57.813843 BGP RECV message type 2 (Update) length 119
Dec 25 14:57:57.813846 BGP RECV Update PDU length 119
Dec 25 14:57:57.813850 BGP RECV flags 0x40 code Origin(1): IGP
Dec 25 14:57:57.813854 BGP RECV flags 0x40 code ASPath(2) length 0: 
Dec 25 14:57:57.813857 BGP RECV flags 0x40 code LocalPref(5): 100
Dec 25 14:57:57.813862 BGP RECV flags 0xc0 code Extended Communities(16): 8006:0:0
Dec 25 14:57:57.813866 BGP RECV flags 0x80 code MP_reach(14): AFI/SAFI 1/133
Dec 25 14:57:57.814213 BGP RECV         zero-len/0
Dec 25 14:57:57.814235 bgp_rcv_nlri: Peer 10.10.10.3 (Internal AS 2020)
Dec 25 14:57:57.814479 bgp_rcv_nlri: zero-len/0
Dec 25 14:57:57.814750 bgp_rcv_nlri:11061: NOTIFICATION sent to 10.10.10.3 (Internal AS 2020): code 3 (Update Message Error) subcode 10 (bad address/prefix field), Reason: peer 10.10.10.3 (Internal AS 2020) update included invalid route zero-len/0 (0 of 63)
Dec 25 14:57:57.814770 BGP_2020.10.10.10.3: send proc: send via threaded I/O
Dec 25 14:57:57.814774 sending 21 bytes
Dec 25 14:57:57.814781
Dec 25 14:57:57.814781 BGP SEND 10.10.10.2+179 -> 10.10.10.3+33815
Dec 25 14:57:57.814786 BGP SEND message type 3 (Notification) length 21
Dec 25 14:57:57.814789 BGP SEND Notification code 3 (Update Message Error) subcode 10 (bad address/prefix field)
Dec 25 14:57:57.814866  wrote 21 bytes to I/O queue
Dec 25 14:57:57.814872 finished number of messages 1, write qidx 0 rc 1
Dec 25 14:57:57.814883
Dec 25 14:57:57.814883 BGP RECV 10.10.10.3+33815 -> 10.10.10.2+179
Dec 25 14:57:57.814892  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 77 02 00 00
Dec 25 14:57:57.814900  00 60 40 01 01 00 40 02 00 40 05 04 00 00 00 64 c0 10 08 80
Dec 25 14:57:57.814907  06 00 00 00 00 00 00 80 0e 44 00 01 85 00 00 3e 01 20 5a 64
Dec 25 14:57:57.814914  6e 82 03 81 11 05 04 35 02 35 54 01 bb 12 01 bb 54 01 f4 12
Dec 25 14:57:57.814921  01 f4 54 0d 3f 12 0d 3f 54 11 51 12 11 51 54 11 94 12 11 94
Dec 25 14:57:57.814927  54 13 ed 12 13 ed 54 13 f2 12 13 f2 54 13 f3 92 13 f3
Dec 25 14:57:57.814932 bgp_send_deactivate:2920: 10.10.10.3 (Internal AS 2020) ,flags=0x10000: removed from active list

BGP session is restarted.
Any ideas?

[thomas-mangin]

It is Christmas and I am lazy so I asked Claude to analyse the packets, here is his response, some day you have to like AI doing the legwork for you.

Investigation Summary

Thank you for the detailed report with traces and hex dumps. I've thoroughly analyzed the packet encoding.

✅ ExaBGP Encoding is Correct

The hex dump from the failing UPDATE shows properly formatted FlowSpec NLRI per RFC 5575:

  MP_REACH_NLRI (68 bytes):
    AFI: 00 01 (IPv4)
    SAFI: 85 (FlowSpec)
    NH_LEN: 00
    Reserved: 00
    NLRI Length: 3e (62 bytes)
    NLRI Content:
      01 20 5a 64 6e 82     - Destination 90.100.110.130/32 ✓
      03 81 11              - Protocol =UDP (17) ✓
      05 04 35 02 35 54...  - Port operations (18 ops) ✓
      ...92 13 f3           - >5107 with EOL ✓

All FlowSpec components are:
  - In correct ascending order (type 1 → 3 → 5)
  - Properly length-encoded
  - EOL bits correctly set on last operation of each component

🔴 This is a Juniper Bug

Juniper's error message zero-len/0 (0 of 63) indicates their FlowSpec parser failed immediately when trying to parse the NLRI - it read 0 bytes successfully out of 63 available.

The pattern that triggers the bug:
  Working:  ... >5101&<5106          (ends with AND-clause)
  Failing:  ... >5106&<5107 >5107    (ends with single-op after AND-clause)

Juniper's parser appears to mishandle FlowSpec port operations that end with a single-operation OR-clause (no AND bit) immediately following an AND-clause.

🔧 Workarounds

Until Juniper fixes their implementation, restructure port rules to end with an AND-clause:

# Instead of:
  destination-port [ <53 >53&<443 ... >5101&<5106 >5106&<5107 >5107 ]

# Use (simpler range that achieves same result):
  destination-port [ <53 >53&<443 ... >5101&<5106 >5106 ]

# Or combine the last ranges:
  destination-port [ <53 >53&<443 ... >5101&<5107 ]

📋 Recommended Actions

  1. Report to Juniper - Open a JTAC case for FlowSpec parser bug in Junos 20.2R3-S2.5
  2. Test on newer Junos - This may be fixed in later versions
  3. Use workaround - Restructure port rules as shown above

Conclusion

This is not an ExaBGP bug. The encoding strictly follows RFC 5575. Closing as "not a bug" but documenting for others who encounter Juniper FlowSpec interoperability issues.

Now this does not explain why wireshark also have an issue. So if you believe I was too lazy tell me and I will use my human brain.

[thomas-mangin]

From the second dump:

Dec 25 14:57:57.814883 BGP RECV 10.10.10.3+33815 -> 10.10.10.2+179
Dec 25 14:57:57.814892  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 77 02 00 00
Dec 25 14:57:57.814900  00 60 40 01 01 00 40 02 00 40 05 04 00 00 00 64 c0 10 08 80
Dec 25 14:57:57.814907  06 00 00 00 00 00 00 80 0e 44 00 01 85 00 00 3e 01 20 5a 64
Dec 25 14:57:57.814914  6e 82 03 81 11 05 04 35 02 35 54 01 bb 12 01 bb 54 01 f4 12
Dec 25 14:57:57.814921  01 f4 54 0d 3f 12 0d 3f 54 11 51 12 11 51 54 11 94 12 11 94
Dec 25 14:57:57.814927  54 13 ed 12 13 ed 54 13 f2 12 13 f2 54 13 f3 92 13 f3
Dec 25 14:57:57.814932 bgp_send_deactivate:2920: 10.10.10.3 (Internal AS 2020) ,flags=0x10000: removed from active list

 > ./sbin/exabgp decode "ffffffffffffffffffffffffffffffff007702000000604001010040020040050400000064c010088006000000000000800e4400018500003e01205a646e8203811105043502355401bb1201bb5401f41201f4540d3f120d3f5411511211515411941211945413ed1213ed5413f21213f25413f39213f3"
{ "exabgp": "6.0.0", "time": 1766706198.55954, "host" : "thomasmangin-J44N2XRXNR.local", "pid" : 22206, "ppid" : 22146, "counter": 1, "type": "update", "neighbor": { "address": { "local": "127.0.0.1", "peer": "127.0.0.1" }, "asn": { "local": 65533, "peer": 65533 } , "direction": "in", "message": { "update": { "attribute": { "origin": "igp", "local-preference": 100, "extended-community": [ { "value": 9225060886715039744, "string": "rate-limit:0" } ] }, "announce": { "ipv4 flow": { "no-nexthop": [ { "destination-ipv4": [ "90.100.110.130/32" ], "protocol": [ "=udp" ], "destination-port": [ "<53", ">53&<443", ">443&<500", ">500&<3391", ">3391&<4433", ">4433&<4500", ">4500&<5101", ">5101&<5106", ">5106&<5107", ">5107" ], "string": "flow destination-ipv4 90.100.110.130/32 protocol =udp destination-port [ <53 >53&<443 >443&<500 >500&<3391 >3391&<4433 >4433&<4500 >4500&<5101 >5101&<5106 >5106&<5107 >5107 ]" } ] } } } } } }

ExaBGP can decode the message, so looks like Claude may be right after all.

[dontmess1]

Thank you very much. Best wishes for a Merry Christmas and a Wonderful New Year =) I will go to the JTAC.