To: alexandre derumier, Proxmox VE development discussion
References: <20210409122137.9557-1-px@jack.fr.eu.org>
From: px@jack.fr.eu.org
Message-ID: <58e94720-ffc9-23a6-2168-850d18de4943@jack.fr.eu.org>
Date: Fri, 9 Apr 2021 17:40:44 +0200
Subject: Re: [pve-devel] [PATCH] controllers: bgp: enable multihop on the underlay
List-Id: Proxmox VE development discussion

Hello,

In a Proxmox setup, there is no known serious issue.
Contrary to "ttl security" (aka GTSM), multihop is not a security feature.
I don't think there is a drawback to the proposed patch.
However, disabling multihop when there is only one peer should also work, so your proposal shall work as well.
As you wish :)

Best regards,

On 4/9/21 3:50 PM, alexandre derumier wrote:
> Hi,
>
> any impact to enabling it by default?
>
> if a user has only 1 peer for example?
>
> maybe it is better to only enable it if we have more than 1 peer in the
> group?
>
> and check that we use ebgp.
>
> something like:
>
> push @controller_config, "neighbor BGP ebgp-multihop 3" if $ebgp &&
> scalar @peers > 1;
>
>
> On 09/04/2021 14:21, Alexandre Bruyelles wrote:
>> From: Alexandre Bruyelles
>>
>> Multihop is required when the bgpd is running across
>> a pair of MLAG routers.
>> In such a scenario, TCP traffic from Proxmox to router A
>> may pass through router B, which will decrease the TTL.
>>
>> Signed-off-by: Alexandre Bruyelles
>> ---
>>   PVE/Network/SDN/Controllers/BgpPlugin.pm | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> b/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> index e5d8490..69436a0 100644
>> --- a/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> +++ b/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> @@ -85,6 +85,7 @@ sub generate_controller_config {
>>       push @controller_config, "neighbor BGP peer-group";
>>       push @controller_config, "neighbor BGP remote-as $remoteas";
>>       push @controller_config, "neighbor BGP bfd";
>> +    push @controller_config, "neighbor BGP ebgp-multihop 3";
>>       }
>>       # BGP peers
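Review bot: the added `push @controller_config, "neighbor BGP ebgp-multihop 3";` is emitted unconditionally for every peer group, and the hop count is a bare literal that neither the hunk nor the commit message justifies (the MLAG path described, Proxmox to router B to router A, needs the packet to survive one extra forwarding hop, so it is not obvious why 3 rather than 2). Suggest either gating the line as proposed in the reply (`if $ebgp && scalar @peers > 1`) or, better, making the hop count a documented controller option with a default, and saying in the commit message that the setting now applies to all peers in the group, since the thread itself notes multihop is not a security feature and should not be mistaken for ttl-security.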
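To make the distinction the thread draws between `ebgp-multihop` and "ttl security" (GTSM) concrete, here is an added Python model of how each option sets the outgoing IP TTL and filters the incoming one. It is illustration code written for this thread, not Proxmox or FRR code, and its numbers are assumptions taken from RFC 5082 and FRR's documented behaviour rather than from the thread: a default eBGP session sends TTL 1 and accepts any TTL, `ebgp-multihop N` sends TTL N and also accepts any TTL, and `ttl-security hops N` sends TTL 255 and accepts only packets that arrive with TTL >= 256 - N. The names `PeerConfig`, `egress_ttl`, `accepts`, `one_way_ok` and the scenarios are mine.

```python
"""Model of how ebgp-multihop and ttl-security (GTSM) treat the IP TTL.

Constructed illustration for the pve-devel thread; not Proxmox or FRR code.
Assumed semantics (RFC 5082 / FRR documentation):
  - default eBGP:        send TTL 1,   accept any incoming TTL
  - ebgp-multihop N:     send TTL N,   accept any incoming TTL
  - ttl-security hops N: send TTL 255, accept only incoming TTL >= 256 - N
"""
from dataclasses import dataclass

MAX_TTL = 255


@dataclass(frozen=True)
class PeerConfig:
    mode: str      # "default", "multihop" or "gtsm"  (hypothetical model)
    hops: int = 1  # N in "ebgp-multihop N" or "ttl-security hops N"


def egress_ttl(cfg: PeerConfig) -> int:
    """TTL written into BGP packets sent towards the peer."""
    if cfg.mode == "default":
        return 1
    if cfg.mode == "multihop":
        return cfg.hops
    if cfg.mode == "gtsm":
        return MAX_TTL
    raise ValueError(f"unknown mode {cfg.mode!r}")


def accepts(cfg: PeerConfig, incoming_ttl: int) -> bool:
    """Whether the receiving bgpd keeps a packet that arrived with this TTL.

    Only GTSM inspects the TTL; default and multihop accept anything that
    survived the path, which is why multihop is not a security feature.
    """
    if incoming_ttl <= 0:
        return False  # expired in transit, never reached the daemon
    if cfg.mode == "gtsm":
        return incoming_ttl >= MAX_TTL + 1 - cfg.hops
    return True


def ttl_after_path(ttl: int, router_hops: int) -> int:
    """TTL left after router_hops forwarding routers each decrement it.

    0 means a router dropped the packet; the final host does not decrement.
    """
    return max(ttl - router_hops, 0)


def one_way_ok(sender: PeerConfig, receiver: PeerConfig, router_hops: int) -> bool:
    """Does one BGP packet from sender reach and get accepted by receiver
    when router_hops intermediate routers forward it (0 = directly attached)?"""
    arriving = ttl_after_path(egress_ttl(sender), router_hops)
    return accepts(receiver, arriving)


def scenarios() -> dict:
    """Constructed cases mirroring the thread's MLAG discussion."""
    default = PeerConfig("default")
    multihop3 = PeerConfig("multihop", 3)
    gtsm1 = PeerConfig("gtsm", 1)
    gtsm2 = PeerConfig("gtsm", 2)
    return {
        # Directly attached router A: default TTL 1 is fine.
        "default_direct": one_way_ok(default, default, 0),
        # MLAG: Proxmox -> router B -> router A, one extra forwarding hop,
        # so TTL 1 expires at B. This is the failure the patch addresses.
        "default_via_mlag_peer": one_way_ok(default, default, 1),
        "multihop3_via_mlag_peer": one_way_ok(multihop3, multihop3, 1),
        # GTSM with hops 1 rejects the same detour; hops 2 allows it.
        "gtsm1_via_mlag_peer": one_way_ok(gtsm1, gtsm1, 1),
        "gtsm2_via_mlag_peer": one_way_ok(gtsm2, gtsm2, 1),
        # A packet that arrives with TTL 54 (sent with 64 from 10 routers
        # away): multihop lets it in, GTSM hops 1 does not.
        "multihop3_far_packet": accepts(multihop3, 54),
        "gtsm1_far_packet": accepts(gtsm1, 54),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28s} {'accepted' if ok else 'rejected'}")
```

Running the block prints one line per scenario; the two lines worth comparing are `multihop3_far_packet` (accepted) and `gtsm1_far_packet` (rejected), which is the point made in the reply above: multihop only keeps the session alive across the MLAG detour, while only GTSM constrains where a packet may have come from.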