<div dir="ltr">Another point to be considered is the computational scale in this issue of BFD and authentication.<br><br>Speaking of small to medium scenarios, up to 100-200 participants in an IXP, computational scale is not a major concern.<br><br>But in a large scenario, IXPs with more than one thousand participants, even BFD can be an issue.<br><br>There was a thread on the BIRD [1] mailing list where this was discussed, and the possibility of some hardware off-load method (eBPF/XDP) for BFD was also considered.<br><br>My knowledge of DPDK, VPP, eBPF, XDP is close to zero...<br>But I imagine that if there is any possibility that passive BFD is implemented in off-load hardware, it is very likely that this imposes that there is no authentication, or, if there is, that it is standard per interface.<br><br>[1] <a href="http://trubka.network.cz/pipermail/bird-users/2022-June/016195.html">http://trubka.network.cz/pipermail/bird-users/2022-June/016195.html</a><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 12 Jun 2023 at 22:42, Richard Laager via ixpmanager <<a href="mailto:ixpmanager@inex.ie">ixpmanager@inex.ie</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>On 2023-06-12 03:28, André Grüneberg
wrote:<br>
</div>
<blockquote type="cite">
<div> <br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>But I would make the per-customer default on. For upgrades,
this is still safe, since it will be off globally anyway.<br>
</p>
</div>
</blockquote>
<div>I agree that this may be ok.<br>
</div>
<div>I could imagine a combined selection field per VLAN interface
"Off, No auth, Keyed SHA1, Meticulous Keyed SHA1" to save on UI
elements. In that case "Off" is the better default.
Alternatively, one could also configure the global UI default in
.env -- this would allow us to default to "Meticulous Keyed
SHA1".</div>
</blockquote>
<p>In reading the BIRD docs, unfortunately authentication is going
to be a problem. It says, "Note that the algorithm is common for
all keys (on one interface)". So it doesn't seem like we could
configure this per-customer. And changing it would be a flag day
operation. That's really not great.</p>
<p>In reading further, it doesn't seem to do different
authentication per-neighbor at all.</p>
<p>So as far as BIRD goes right now, I think it's effectively
unauthenticated only.<br>
</p>
<p><br>
</p>
<blockquote type="cite">
<div>One might also ask whether to always configure "passive" BFD
or to enforce it per VLAN interface?</div>
</blockquote>
<p>What would "enforce" mean here? Non-passive (i.e. "active") or
something else? I don't think that active actually <i>requires</i>
BFD, does it? I think it just means bird would try to set it up.
But maybe I'm wrong; I haven't tested.<br>
</p>
<pre cols="72">--
Richard</pre>
</div>
_______________________________________________<br>
INEX IXP Manager mailing list<br>
<a href="mailto:ixpmanager@inex.ie" target="_blank">ixpmanager@inex.ie</a><br>
Unsubscribe or change options here: <a href="https://www.inex.ie/mailman/listinfo/ixpmanager" rel="noreferrer" target="_blank">https://www.inex.ie/mailman/listinfo/ixpmanager</a><br>
</blockquote></div><br clear="all"><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr">Douglas Fernando Fischer<br>Control and Automation Engineer<br></div></div>
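As an added illustration of the constraint Richard quotes from the BIRD docs (this is not a configuration from the thread, from IXP Manager, or from the BIRD project): in a BIRD 2 `protocol bfd` block the `authentication` algorithm and the key list are options of the `interface` block, while `neighbor` lines carry no authentication options at all. Every peer reached through that interface therefore shares one algorithm, which is why a per-customer "Off / No auth / Keyed SHA1 / Meticulous Keyed SHA1" choice cannot be mapped onto it. The interface name, the addresses (from the documentation range) and the passwords below are made up for the example.

```conf
# Added example, not from the thread: BIRD 2 BFD block where authentication
# is set once per interface and applies to every neighbour on it.
protocol bfd ixp_bfd {
    interface "vlan100" {               # made-up interface name
        interval 300 ms;                # desired rx/tx interval
        multiplier 3;                   # detection time = 3 x interval
        passive on;                     # answer peers, never initiate
        authentication meticulous keyed sha1;   # common to all keys below
        password "EXAMPLE-KEY-1" { id 1; };     # placeholder key
        password "EXAMPLE-KEY-2" { id 2; };     # second key id for rollover
    };

    # Both peers sit on vlan100, so both get meticulous keyed SHA1.
    # There is no per-neighbor authentication knob to override it.
    neighbor 192.0.2.10;
    neighbor 192.0.2.11;
}
```

Two practical consequences follow from this layout. Because the key list is per interface, rotating a key on a shared peering LAN means adding the new `password` with a fresh `id` alongside the old one, letting peers move over, and only then removing the old entry; switching the `authentication` algorithm itself, however, changes what every peer on that interface must send and is the flag-day operation Richard mentions. `passive on` makes BIRD wait for the peer's control packets before sending its own, so a customer that never speaks BFD simply leaves the session down rather than being forced into it.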