From: alexandre derumier
To: px@jack.fr.eu.org, Proxmox VE development discussion
Date: Sat, 10 Apr 2021 12:37:15 +0200
Subject: Re: [pve-devel] [PATCH] controllers: bgp: enable multihop on the underlay
Message-ID: <0fb8950c-458f-72f0-7d26-c8d2a5492671@odiso.com>
In-Reply-To: <58e94720-ffc9-23a6-2168-850d18de4943@jack.fr.eu.org>
References: <20210409122137.9557-1-px@jack.fr.eu.org> <58e94720-ffc9-23a6-2168-850d18de4943@jack.fr.eu.org>

I just sent a patch with an explicit option to add ebgp-multihop, as it's a
tunable value, and maybe users could have different setups with more hops.

On 09/04/2021 17:40, px@jack.fr.eu.org wrote:
> Hello,
>
> In a Proxmox setup, there is no known serious issue.
>
> Contrary to "ttl security" (aka GTSM), multihop is not a security
> feature.
>
> I don't think there is a drawback to the proposed patch.
> However, disabling multihop when there is only one peer should also
> work, so your proposal shall work as well.
>
> As you wish :)
>
> Best regards,
>
> On 4/9/21 3:50 PM, alexandre derumier wrote:
>> Hi,
>>
>> Any impact of enabling it by default?
>>
>> If a user has only 1 peer, for example?
>>
>> Maybe it is better to only enable it if we have more than 1 peer in
>> the group?
>>
>> And check that we use ebgp.
>>
>> Something like:
>>
>> push @controller_config, "neighbor BGP ebgp-multihop 3" if $ebgp &&
>> scalar @peers > 1;
>>
>>
>> On 09/04/2021 14:21, Alexandre Bruyelles wrote:
>>> From: Alexandre Bruyelles
>>>
>>> Multihop is required when the bgpd are running across
>>> a pair of MLAG routers.
>>> In such a scenario, TCP traffic from Proxmox to router A
>>> may pass through router B, which will decrease the TTL.
>>> >>> Signed-off-by: Alexandre Bruyelles >>> --- >>>   PVE/Network/SDN/Controllers/BgpPlugin.pm | 1 + >>>   1 file changed, 1 insertion(+) >>> >>> diff --git a/PVE/Network/SDN/Controllers/BgpPlugin.pm >>> b/PVE/Network/SDN/Controllers/BgpPlugin.pm >>> index e5d8490..69436a0 100644 >>> --- a/PVE/Network/SDN/Controllers/BgpPlugin.pm >>> +++ b/PVE/Network/SDN/Controllers/BgpPlugin.pm >>> @@ -85,6 +85,7 @@ sub generate_controller_config { >>>       push @controller_config, "neighbor BGP peer-group"; >>>       push @controller_config, "neighbor BGP remote-as $remoteas"; >>>       push @controller_config, "neighbor BGP bfd"; >>> +    push @controller_config, "neighbor BGP ebgp-multihop 3"; >>>       } >>>       # BGP peers >
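Review bot: the hunk pushes `neighbor BGP ebgp-multihop 3` unconditionally, right after `neighbor BGP remote-as $remoteas`, so the line is emitted even when the peer group is iBGP or has a single directly connected peer, and the hop count 3 is a bare literal with nothing in the code tying it to the MLAG rationale given in the commit message. Since this relaxes the TTL check in the opposite direction from ttl-security/GTSM, it would be cleaner to gate it on the session actually being eBGP and on an explicit, documented option (as the follow-up in this thread proposes), and to add a one-line comment explaining why a pair of MLAG routers needs more than one hop.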
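To illustrate the gating this thread converges on, here is an added Perl sketch (not pve-network's own code): a hypothetical `bgp_peer_group_config` helper that emits the peer-group lines and adds `ebgp-multihop` only when an explicit option (assumed here as `$opts->{'ebgp-multihop'}`) is set and the remote AS differs from the local one. The per-peer lines and the sample ASNs and addresses are constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration, not the pve-network BgpPlugin code: build the FRR
# peer-group lines the way the thread discusses, gating ebgp-multihop on an
# explicit option and on the session actually being eBGP.
use strict;
use warnings;

# Hypothetical helper; the real generate_controller_config has a different
# signature. $opts->{'ebgp-multihop'} stands in for the explicit tunable
# option mentioned in the reply.
sub bgp_peer_group_config {
    my ($asn, $remoteas, $peers, $opts) = @_;
    my @config;

    my $ebgp = $remoteas != $asn;    # eBGP only when the ASNs differ

    push @config, "neighbor BGP peer-group";
    push @config, "neighbor BGP remote-as $remoteas";
    push @config, "neighbor BGP bfd";

    # Only widen the accepted TTL distance when the user asked for it and
    # the session is eBGP; as the thread notes, this is the opposite of
    # ttl-security/GTSM, so it should never be emitted silently.
    if ($ebgp && defined $opts->{'ebgp-multihop'}) {
        my $hops = $opts->{'ebgp-multihop'};
        die "ebgp-multihop must be 1..255, got '$hops'\n"
            unless $hops =~ /^\d+$/ && $hops >= 1 && $hops <= 255;
        push @config, "neighbor BGP ebgp-multihop $hops";
    }

    # Constructed per-peer lines (assumed layout, not the plugin's own).
    push @config, "neighbor $_ peer-group BGP" for @$peers;
    return @config;
}

# Constructed sample: local AS 65000, two MLAG routers in AS 65001, with
# multihop explicitly set to 3 as in the patch.
my @lines = bgp_peer_group_config(65000, 65001, ['192.0.2.1', '192.0.2.2'],
                                  { 'ebgp-multihop' => 3 });
print "$_\n" for @lines;

# iBGP with the same option set: the multihop line must not be emitted.
my @ibgp = bgp_peer_group_config(65000, 65000, ['192.0.2.1'],
                                 { 'ebgp-multihop' => 3 });
die "multihop leaked into iBGP config\n" if grep { /ebgp-multihop/ } @ibgp;
```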