* [pve-devel] [PATCH] controllers: bgp: enable multihop on the underlay
From: Alexandre Bruyelles @ 2021-04-09 12:21 UTC
To: pve-devel; +Cc: Alexandre Bruyelles
From: Alexandre Bruyelles <git@jack.fr.eu.org>
Multihop is required when the bgpd are running across
a pair of MLAG routers.
In such a scenario, TCP traffic from Proxmox to router A
may pass through router B, which will decrease the TTL.
Signed-off-by: Alexandre Bruyelles <git@jack.fr.eu.org>
---
PVE/Network/SDN/Controllers/BgpPlugin.pm | 1 +
1 file changed, 1 insertion(+)
diff --git a/PVE/Network/SDN/Controllers/BgpPlugin.pm b/PVE/Network/SDN/Controllers/BgpPlugin.pm
index e5d8490..69436a0 100644
--- a/PVE/Network/SDN/Controllers/BgpPlugin.pm
+++ b/PVE/Network/SDN/Controllers/BgpPlugin.pm
@@ -85,6 +85,7 @@ sub generate_controller_config {
push @controller_config, "neighbor BGP peer-group";
push @controller_config, "neighbor BGP remote-as $remoteas";
push @controller_config, "neighbor BGP bfd";
+ push @controller_config, "neighbor BGP ebgp-multihop 3";
}
# BGP peers
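Review bot: the added "neighbor BGP ebgp-multihop 3" line carries no condition of its own and hard-codes the hop count, so every peer-group generated by this block gets multihop with a value of 3, while the commit message only describes one extra hop (router A reached through router B). Please either guard the push so it is emitted only for eBGP sessions that actually need it, or expose the hop count as a controller option with a default, and add a short comment above the line saying why 3 was chosen. Since the value decides how many hops away a peer may sit and still be accepted, it is better for it to be an explicit, documented setting than a silent default on every underlay.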
--
2.31.0
* Re: [pve-devel] [PATCH] controllers: bgp: enable multihop on the underlay
From: alexandre derumier @ 2021-04-09 13:50 UTC
To: Proxmox VE development discussion, Alexandre Bruyelles
Cc: Alexandre Bruyelles
Hi,
Any impact to enable it by default?
If the user has only 1 peer, for example?
Maybe it is better to only enable it if we have more than 1 peer in the
group?
And check that we use ebgp.
something like:
push @controller_config, "neighbor BGP ebgp-multihop 3" if $ebgp && scalar @peers > 1;
On 09/04/2021 14:21, Alexandre Bruyelles wrote:
> From: Alexandre Bruyelles <git@jack.fr.eu.org>
>
> Multihop is required when the bgpd are running across
> a pair of MLAG routers.
> In such a scenario, TCP traffic from Proxmox to router A
> may pass through router B, which will decrease the TTL.
>
> Signed-off-by: Alexandre Bruyelles <git@jack.fr.eu.org>
> ---
> PVE/Network/SDN/Controllers/BgpPlugin.pm | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/PVE/Network/SDN/Controllers/BgpPlugin.pm b/PVE/Network/SDN/Controllers/BgpPlugin.pm
> index e5d8490..69436a0 100644
> --- a/PVE/Network/SDN/Controllers/BgpPlugin.pm
> +++ b/PVE/Network/SDN/Controllers/BgpPlugin.pm
> @@ -85,6 +85,7 @@ sub generate_controller_config {
> push @controller_config, "neighbor BGP peer-group";
> push @controller_config, "neighbor BGP remote-as $remoteas";
> push @controller_config, "neighbor BGP bfd";
> + push @controller_config, "neighbor BGP ebgp-multihop 3";
> }
>
> # BGP peers
* Re: [pve-devel] [PATCH] controllers: bgp: enable multihop on the underlay
From: px @ 2021-04-09 15:40 UTC
To: alexandre derumier, Proxmox VE development discussion
Hello,
In a Proxmox setup, there is no known serious issue.
Contrary to "ttl security" (aka GTSM), multihop is not a security feature.
I don't think there is a drawback to the proposed patch.
However, disabling multihop when there is only one peer should also
work, so your proposal shall work as well.
As you wish :)
Best regards,
On 4/9/21 3:50 PM, alexandre derumier wrote:
> Hi,
>
> Any impact to enable it by default?
>
> If the user has only 1 peer, for example?
>
> Maybe it is better to only enable it if we have more than 1 peer in the
> group?
>
> And check that we use ebgp.
>
> something like:
>
> push @controller_config, "neighbor BGP ebgp-multihop 3" if $ebgp &&
> scalar @peers > 1;
>
>
> On 09/04/2021 14:21, Alexandre Bruyelles wrote:
>> From: Alexandre Bruyelles <git@jack.fr.eu.org>
>>
>> Multihop is required when the bgpd are running across
>> a pair of MLAG routers.
>> In such a scenario, TCP traffic from Proxmox to router A
>> may pass through router B, which will decrease the TTL.
>>
>> Signed-off-by: Alexandre Bruyelles <git@jack.fr.eu.org>
>> ---
>> PVE/Network/SDN/Controllers/BgpPlugin.pm | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> b/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> index e5d8490..69436a0 100644
>> --- a/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> +++ b/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> @@ -85,6 +85,7 @@ sub generate_controller_config {
>> push @controller_config, "neighbor BGP peer-group";
>> push @controller_config, "neighbor BGP remote-as $remoteas";
>> push @controller_config, "neighbor BGP bfd";
>> + push @controller_config, "neighbor BGP ebgp-multihop 3";
>> }
>> # BGP peers
* Re: [pve-devel] [PATCH] controllers: bgp: enable multihop on the underlay
From: alexandre derumier @ 2021-04-10 10:37 UTC
To: px, Proxmox VE development discussion
I just sent a patch with an explicit option to add ebgp-multihop, as
it's a tunable value, and maybe users could have different setups with
more hops.
On 09/04/2021 17:40, px@jack.fr.eu.org wrote:
> Hello,
>
> In a Proxmox setup, there is no known serious issue.
>
> Contrary to "ttl security" (aka GTSM), multihop is not a security
> feature.
>
> I don't think there is a drawback to the proposed patch.
> However, disabling multihop when there is only one peer should also
> work, so your proposal shall work as well.
>
> As you wish :)
>
> Best regards,
>
> On 4/9/21 3:50 PM, alexandre derumier wrote:
>> Hi,
>>
>> Any impact to enable it by default?
>>
>> If the user has only 1 peer, for example?
>>
>> Maybe it is better to only enable it if we have more than 1 peer in
>> the group?
>>
>> And check that we use ebgp.
>>
>> something like:
>>
>> push @controller_config, "neighbor BGP ebgp-multihop 3" if $ebgp &&
>> scalar @peers > 1;
>>
>>
>> On 09/04/2021 14:21, Alexandre Bruyelles wrote:
>>> From: Alexandre Bruyelles <git@jack.fr.eu.org>
>>>
>>> Multihop is required when the bgpd are running across
>>> a pair of MLAG routers.
>>> In such a scenario, TCP traffic from Proxmox to router A
>>> may pass through router B, which will decrease the TTL.
>>>
>>> Signed-off-by: Alexandre Bruyelles <git@jack.fr.eu.org>
>>> ---
>>> PVE/Network/SDN/Controllers/BgpPlugin.pm | 1 +
>>> 1 file changed, 1 insertion(+)
>>>
>>> diff --git a/PVE/Network/SDN/Controllers/BgpPlugin.pm
>>> b/PVE/Network/SDN/Controllers/BgpPlugin.pm
>>> index e5d8490..69436a0 100644
>>> --- a/PVE/Network/SDN/Controllers/BgpPlugin.pm
>>> +++ b/PVE/Network/SDN/Controllers/BgpPlugin.pm
>>> @@ -85,6 +85,7 @@ sub generate_controller_config {
>>> push @controller_config, "neighbor BGP peer-group";
>>> push @controller_config, "neighbor BGP remote-as $remoteas";
>>> push @controller_config, "neighbor BGP bfd";
>>> + push @controller_config, "neighbor BGP ebgp-multihop 3";
>>> }
>>> # BGP peers
>