* [pve-devel] [PATCH pve-docs] sdn: add rp_filter sysctl tuning when multiple evpn nodes are used
@ 2023-03-21 6:53 Alexandre Derumier
From: Alexandre Derumier @ 2023-03-21 6:53 UTC
To: pve-devel
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
pvesdn.adoc | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/pvesdn.adoc b/pvesdn.adoc
index be62769..d1ff036 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -928,6 +928,19 @@ and 10.0.2.0/24 in this example), will be announced dynamically.
Notes
-----
+Multiple EVPN Exit Nodes
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you have multiple gateway nodes, disable rp_filter as packet could incoming in a 1 node, and outgoing
+to another node.
+
+
+sysctl.conf
+-----
+net.ipv4.conf.default.rp_filter=0
+net.ipv4.conf.all.rp_filter=0
+-----
+
VXLAN IPSEC Encryption
~~~~~~~~~~~~~~~~~~~~~~
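Review bot: the new note tells readers to set rp_filter to 0 on `all` and `default`, which switches source validation off entirely, while the kernel's loose mode (`rp_filter=2`, the value the sysctl docs recommend for asymmetric routing) would still reject packets whose source address is unreachable via any interface; the text should say why 0 is chosen over 2, or recommend 2. It should also warn that the kernel uses the maximum of `conf/all/rp_filter` and `conf/<interface>/rp_filter`, so a per-interface value of 1 (which some distributions set from startup scripts) silently overrides the `all=0` shown here; suggest adding an interface-specific key such as `net.ipv4.conf.<iface>.rp_filter=0` (placeholder name) or telling the reader to check existing values with `sysctl -a`. Finally, "as packet could incoming in a 1 node, and outgoing to another node" needs rewording, e.g. "because a packet may enter on one node and leave through another", the double blank line before `sysctl.conf` should be a single one, and the listing uses the same five-dash delimiter as the `Notes` section-title underline directly above it; the AsciiDoc listing block is conventionally `----` with a `.sysctl.conf` block title line above it.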
--
2.30.2
* [pve-devel] applied: [PATCH pve-docs] sdn: add rp_filter sysctl tuning when multiple evpn nodes are used
From: Thomas Lamprecht @ 2023-03-21 8:20 UTC
To: Proxmox VE development discussion, Alexandre Derumier
On 21/03/2023 at 07:53, Alexandre Derumier wrote:
> Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
> ---
> pvesdn.adoc | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
applied, with format and language touched up slightly in a follow-up, thanks!
> diff --git a/pvesdn.adoc b/pvesdn.adoc
> index be62769..d1ff036 100644
> --- a/pvesdn.adoc
> +++ b/pvesdn.adoc
> @@ -928,6 +928,19 @@ and 10.0.2.0/24 in this example), will be announced dynamically.
> Notes
> -----
>
> +Multiple EVPN Exit Nodes
> +~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +If you have multiple gateway nodes, disable rp_filter as packet could incoming in a 1 node, and outgoing
> +to another node.
> +
> +
> +sysctl.conf
> +-----
> +net.ipv4.conf.default.rp_filter=0
> +net.ipv4.conf.all.rp_filter=0
> +-----
I'm wondering, shouldn't setting this to 2 for the loose mode (from RFC3704) be
enough here for such asymmetric routing? The sysctl docs say the following:
> rp_filter - INTEGER
> 0 - No source validation.
> 1 - Strict mode as defined in RFC3704 Strict Reverse Path
> Each incoming packet is tested against the FIB and if the interface
> is not the best reverse path the packet check will fail.
> By default failed packets are discarded.
> 2 - Loose mode as defined in RFC3704 Loose Reverse Path
> Each incoming packet's source address is also tested against the FIB
> and if the source address is not reachable via any interface
> the packet check will fail.
>
> Current recommended practice in RFC3704 is to enable strict mode
> to prevent IP spoofing from DDos attacks. If using asymmetric routing
> or other complicated routing, then loose mode is recommended.
Wouldn't the (exit) address from the other node be in the FIB? I mean `0` obviously
works here and setups doing that are normally secured/firewalled/configured such
that it probably won't matter much, so asking mostly for my understanding.
The sysctl knob docs continue with:
> The max value from conf/{all,interface}/rp_filter is used
> when doing source validation on the {interface}.
>
> Default value is 0. Note that some distributions enable it
> in startup scripts.
So as the max value is used, this can still be overridden by interface-specific
settings, or? The loose `2` option would have that problem, fwiw.
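As an added example (my own, not part of the patch or of the Proxmox docs), a POSIX shell audit that applies the max(all, interface) rule from the sysctl docs quoted above, so a reader can see which interfaces remain effectively strict after setting only `all` and `default`. The function name `audit_rp_filter` and its optional root-directory parameter are my own; the tree it reads is assumed to be a Linux `/proc/sys/net/ipv4/conf`.

```shell
#!/bin/sh
# Added example, not part of the patch or the Proxmox docs: audit the
# rp_filter mode the kernel actually applies per interface. The kernel docs
# quoted in the thread say the max of conf/all/rp_filter and
# conf/<interface>/rp_filter is used, so "all=0" alone does not guarantee
# that asymmetric EVPN traffic (in on one exit node, out on another) passes.

# effective_rp_filter ALL IFACE: print max(ALL, IFACE), the mode applied
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# rp_filter_name MODE: the meaning of each value per the kernel docs
rp_filter_name() {
    case $1 in
        0) echo "off (no source validation)" ;;
        1) echo "strict (RFC3704 strict reverse path)" ;;
        2) echo "loose (RFC3704 loose reverse path)" ;;
        *) echo "unknown ($1)" ;;
    esac
}

# asymmetric_ok MODE: succeeds unless strict mode would drop traffic that
# enters on an interface that is not the FIB's best reverse path
asymmetric_ok() { [ "$1" -ne 1 ]; }

# audit_rp_filter [CONF_ROOT]: walk conf/*/rp_filter (default: the live
# kernel tree), print the effective mode per interface and return 1 if any
# interface is still effectively strict. CONF_ROOT is an assumed parameter
# so the function can be pointed at a constructed tree for testing.
audit_rp_filter() {
    root=${1:-/proc/sys/net/ipv4/conf}
    all=$(cat "$root/all/rp_filter") || return 2
    rc=0
    for dir in "$root"/*/; do
        name=$(basename "$dir")
        case $name in all|default) continue ;; esac   # templates, not interfaces
        val=$(cat "$dir/rp_filter" 2>/dev/null) || continue
        eff=$(effective_rp_filter "$all" "$val")
        printf '%-16s all=%s iface=%s -> %s\n' "$name" "$all" "$val" "$(rp_filter_name "$eff")"
        asymmetric_ok "$eff" || rc=1
    done
    return $rc
}

# Run against the live kernel when its sysctl tree exists (Linux host assumed)
if [ -d /proc/sys/net/ipv4/conf ]; then audit_rp_filter; fi
```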