[ixpmanager] BFD on Route Servers
Douglas Fischer
fischerdouglas at gmail.com
Thu Jun 15 14:03:56 IST 2023
Another point to be considered is the computational scale in this issue of
BFD and authentication.
Speaking of small to medium scenarios, up to 100-200 participants in an
IXP, computational scale is not a major concern.
But in a large scenario, IXPs greater than one thousand participants, even
BFD can be an issue.
There was a thread on the BIRD [1] mailing list where this was discussed,
and the possibility of some hardware off-load method (eBPF/XDP) for the BFD
was also considered.
My knowledge of DPDK, VPP, eBPF, XDP is close to zero...
But I imagine that if there is any possibility that passive BFD is
implemented in Off-Load hardware, it is very likely that this imposes that
there is no authentication, or if it exists that it is standard per
interface.
[1] http://trubka.network.cz/pipermail/bird-users/2022-June/016195.html
On Mon, 12 Jun 2023 at 22:42, Richard Laager via ixpmanager <
ixpmanager at inex.ie> wrote:
> On 2023-06-12 03:28, André Grüneberg wrote:
>
>
>> But I would make the per-customer default on. For upgrades, this is still
>> safe, since it will be off globally anyway.
>>
> I agree that this may be ok.
> I could imagine a combined selection field per VLAN interface "Off, No
> auth, Keyed SHA1, Meticulous Keyed SHA1" to save on UI elements. In that
> case "Off" is the better default. Alternatively, one could also configure
> the global UI default in .env -- this would allow us to default to
> "Meticulous Keyed SHA1".
>
> In reading the BIRD docs, unfortunately authentication is going to be a
> problem. It says, "Note that the algorithm is common for all keys (on one
> interface)". So it doesn't seem like we could configure this per-customer.
> And changing it would be a flag day operation. That's really not great.
>
> In reading further, it doesn't seem to do different authentication
> per-neighbor at all.
>
> So as far as BIRD goes right now, I think it's effectively unauthenticated
> only.
>
>
> One might also ask whether to always configure "passive" BFD or to enforce
> it per VLAN interface?
>
> What would "enforce" mean here? Non-passive (i.e. "active") or something
> else? I don't think that active actually *requires* BFD, does it? I think
> it just means bird would try to set it up. But maybe I'm wrong; I haven't
> tested.
>
> --
> Richard
--
Douglas Fernando Fischer
Control and Automation Engineer
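
The "Keyed SHA1" and "Meticulous Keyed SHA1" modes named in the quoted proposal differ only in how the receiver treats the sequence number, and in both the receiver computes one SHA1 over every packet it accepts. The sketch below is an added example, not code from this thread or from BIRD; it follows the packet layout and receive rules of RFC 5880, and the key, key ID, discriminators and timer values are constructed.

```python
import hashlib
import hmac
import struct

# Auth Type values and flag position from RFC 5880 section 4.1
KEYED_SHA1, METICULOUS_KEYED_SHA1 = 4, 5
A_BIT = 0x04    # "Authentication Present" flag in byte 1
AUTH_LEN = 28   # type, len, key id, reserved, 4-byte seq, 20-byte hash


def build_packet(key, key_id, seq, auth_type, my_disc=1, your_disc=2, mult=3):
    """Build an Up-state BFD control packet with a SHA1 auth section.
    Discriminators and timers are constructed sample values; key is <= 20 bytes."""
    head = struct.pack("!BBBBIIIII", 1 << 5, (3 << 6) | A_BIT, mult,
                       24 + AUTH_LEN, my_disc, your_disc, 300000, 300000, 0)
    auth = struct.pack("!BBBBI", auth_type, AUTH_LEN, key_id, 0, seq)
    # The digest covers the whole packet with the zero-padded key in the hash field.
    digest = hashlib.sha1(head + auth + key.ljust(20, b"\0")).digest()
    return head + auth + digest


def verify(pkt, keys, rcv_seq, seq_known=True):
    """Return (ok, reason). keys maps key id -> secret; rcv_seq is the last accepted seq."""
    if len(pkt) != 24 + AUTH_LEN or not pkt[1] & A_BIT:
        return False, "no auth section"
    mult = pkt[2]
    auth_type, auth_len, key_id, _, seq = struct.unpack("!BBBBI", pkt[24:32])
    if auth_type not in (KEYED_SHA1, METICULOUS_KEYED_SHA1) or auth_len != AUTH_LEN:
        return False, "bad auth type or length"
    if key_id not in keys:
        return False, "unknown key id"
    if seq_known:
        # Meticulous: sequence must advance on every packet.
        # Plain Keyed SHA1: the last accepted value may be repeated.
        low = rcv_seq + 1 if auth_type == METICULOUS_KEYED_SHA1 else rcv_seq
        width = (rcv_seq + 3 * mult - low) % 2**32
        if (seq - low) % 2**32 > width:
            return False, "sequence out of window"
    expected = hashlib.sha1(pkt[:32] + keys[key_id].ljust(20, b"\0")).digest()
    if not hmac.compare_digest(expected, pkt[32:52]):
        return False, "digest mismatch"
    return True, "ok"
```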