[pve-devel] [PATCH pve-docs] sdn: add rp_filter sysctl tuning when mulitple evpn nodes are used

[pve-devel] [PATCH pve-docs] sdn: add rp_filter sysctl tuning when mulitple evpn nodes are used

[Alexandre Derumier]

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
 pvesdn.adoc | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pvesdn.adoc b/pvesdn.adoc
index be62769..d1ff036 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -928,6 +928,19 @@ and 10.0.2.0/24 in this example), will be announced dynamically.
 Notes
 -----
 
+Multiple EVPN Exit Nodes
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you have multiple gateway nodes, disable rp_filter as packet could incoming in a 1 node, and outgoing
+to another node.
+
+
+sysctl.conf
+-----
+net.ipv4.conf.default.rp_filter=0
+net.ipv4.conf.all.rp_filter=0
+-----
+
 VXLAN IPSEC Encryption
 ~~~~~~~~~~~~~~~~~~~~~~
 
-- 
2.30.2

[pve-devel] applied: [PATCH pve-docs] sdn: add rp_filter sysctl tuning when mulitple evpn nodes are used

[Thomas Lamprecht]

Am 21/03/2023 um 07:53 schrieb Alexandre Derumier:
> Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
> ---
>  pvesdn.adoc | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 

applied, with touching up format and language slightly in a follow up, thanks!

> diff --git a/pvesdn.adoc b/pvesdn.adoc
> index be62769..d1ff036 100644
> --- a/pvesdn.adoc
> +++ b/pvesdn.adoc
> @@ -928,6 +928,19 @@ and 10.0.2.0/24 in this example), will be announced dynamically.
>  Notes
>  -----
>  
> +Multiple EVPN Exit Nodes
> +~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +If you have multiple gateway nodes, disable rp_filter as packet could incoming in a 1 node, and outgoing
> +to another node.
> +
> +
> +sysctl.conf
> +-----
> +net.ipv4.conf.default.rp_filter=0
> +net.ipv4.conf.all.rp_filter=0
> +-----

I'm wondering, shouldn't setting this to 2 for the loose-mode (from RFC3704) be
enough here for such asymmetric routing? The sysctl docs say the following

> rp_filter - INTEGER
> 	0 - No source validation.
> 	1 - Strict mode as defined in RFC3704 Strict Reverse Path
> 	    Each incoming packet is tested against the FIB and if the interface
> 	    is not the best reverse path the packet check will fail.
> 	    By default failed packets are discarded.
> 	2 - Loose mode as defined in RFC3704 Loose Reverse Path
> 	    Each incoming packet's source address is also tested against the FIB
> 	    and if the source address is not reachable via any interface
> 	    the packet check will fail.
> 
> 	Current recommended practice in RFC3704 is to enable strict mode
> 	to prevent IP spoofing from DDos attacks. If using asymmetric routing
> 	or other complicated routing, then loose mode is recommended.

Wouldn't the (exit) address from the other node be in the FIB? I mean `0` obviously
works here and setups doing that are normally secured/firewalled/configured such
that it probably won't matter much, so asking mostly for my understanding.

The sysctl knob docs continue with:
 
> 	The max value from conf/{all,interface}/rp_filter is used
> 	when doing source validation on the {interface}.
> 
> 	Default value is 0. Note that some distributions enable it
> 	in startup scripts.

So as the max value is used, this can still be overridden by interface specific
settings, or? The loose `2` option would have that problem, fwiw.