<feed xmlns='http://www.w3.org/2005/Atom'>
<title>labitat-ansible, branch 3x1g-bond</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.
</subtitle>
<link rel='alternate' type='text/html' href='https://git.2e8.dk/labitat/labitat-ansible/'/>
<entry>
<title>space_server: bond all 3 gigabit ports, and enjoy 3x1G uplink</title>
<updated>2021-09-13T15:10:49+00:00</updated>
<author>
<name>Asbjørn Sloth Tønnesen</name>
<email>asbjorn@labitat.dk</email>
</author>
<published>2021-09-13T14:39:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.2e8.dk/labitat/labitat-ansible/commit/?id=a8fab3916c0ec8ec7307de636522f4de8849543b'/>
<id>a8fab3916c0ec8ec7307de636522f4de8849543b</id>
<content type='text'>
Before:
- enp1s0: wan
- enp2s0: lan (with VLANs)
- enp3s0: mgt

Changes in this patch:
- wan is moved to VLAN id 5
- bond0 is created, replacing lan as lower device for VLANs
- mgt config is removed (could be reconfigured as a VLAN, and
                         made available on a switch port)
- all 3 ports are enslaved in bond0

From the switch towards the space server, the load-balance algorithm
src-dst-ip* is used.

From the space server towards the switch, L3+L4 is used.

Therefore a single IP pair will always use the same 1G
from the switch to the space server; a client therefore
needs to multiplex over multiple IPs in order to

*) The src-dst-ip algorithm on the switch hasn't been
   tested with IPv6 yet. Hopefully we can find a better
   switch at some point, so we can include the L4 ports in
   the hashing on the switch.

Signed-off-by: Asbjørn Sloth Tønnesen &lt;asbjorn@labitat.dk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Before:
- enp1s0: wan
- enp2s0: lan (with VLANs)
- enp3s0: mgt

Changes in this patch:
- wan is moved to VLAN id 5
- bond0 is created, replacing lan as lower device for VLANs
- mgt config is removed (could be reconfigured as a VLAN, and
                         made available on a switch port)
- all 3 ports are enslaved in bond0

From the switch towards the space server, the load-balance algorithm
src-dst-ip* is used.

From the space server towards the switch, L3+L4 is used.

Therefore a single IP pair will always use the same 1G
from the switch to the space server; a client therefore
needs to multiplex over multiple IPs in order to

*) The src-dst-ip algorithm on the switch hasn't been
   tested with IPv6 yet. Hopefully we can find a better
   switch at some point, so we can include the L4 ports in
   the hashing on the switch.

Signed-off-by: Asbjørn Sloth Tønnesen &lt;asbjorn@labitat.dk&gt;
</pre>
</div>
</content>
</entry>
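The commit message above explains why one IP pair can never use more than one of the three 1G links, while the server can spread its own transmit side over ports. The following Python model, added here and not part of labitat-ansible, reproduces that behaviour: it hashes the same inputs each side hashes (the switch: source and destination address only; the bond with xmit_hash_policy layer3+4: addresses plus L4 ports) and takes the result modulo the three bond members. The mixing function and the sample addresses (RFC 5737 and RFC 3849 documentation space) are assumptions; the real kernel and D-Link hashes differ in detail, so the link numbers are illustrative, not predictions for the actual hardware.

```python
"""Model of bond link selection under src-dst-ip vs. layer3+4 hashing.

Added example, not code from the labitat-ansible repository. The mixing
step is a simplified stand-in for the real hash functions; what the model
reproduces is *which fields* each side hashes and the modulo over the
three members of bond0.
"""
import ipaddress
from collections import Counter

BOND_MEMBERS = 3  # enp1s0, enp2s0, enp3s0 enslaved in bond0


def _addr32(addr: str) -> int:
    """Fold an IPv4 or IPv6 address into 32 bits (IPv6: XOR of its four words)."""
    packed = ipaddress.ip_address(addr).packed
    folded = 0
    for i in range(0, len(packed), 4):
        folded ^= int.from_bytes(packed[i:i + 4], "big")
    return folded


def _mix(h: int) -> int:
    """Fold the upper bits down so the modulo sees all of them (32-bit)."""
    h &= 0xFFFFFFFF
    h ^= h >> 16
    h ^= h >> 8
    return h


def link_src_dst_ip(src, dst, sport=None, dport=None) -> int:
    """Switch side (src-dst-ip): only the address pair is hashed, ports ignored."""
    return _mix(_addr32(src) ^ _addr32(dst)) % BOND_MEMBERS


def link_layer3_4(src, dst, sport, dport) -> int:
    """Server side (xmit_hash_policy layer3+4): address pair plus L4 ports."""
    h = ((sport & 0xFFFF) << 16) | (dport & 0xFFFF)
    h ^= _addr32(src) ^ _addr32(dst)
    return _mix(h) % BOND_MEMBERS


def links_used(flows, policy) -> Counter:
    """Count how many of the flows each bond member would carry under policy."""
    return Counter(policy(*flow) for flow in flows)


def client_flows(client: str, server: str, n: int):
    """n parallel TCP connections from one client to port 443 (constructed sample)."""
    return [(client, server, 40000 + i, 443) for i in range(n)]


if __name__ == "__main__":
    # Constructed sample addresses (documentation space, not Labitat's).
    one = client_flows("192.0.2.10", "198.51.100.1", 12)
    print("switch -> server, one client IP :", dict(links_used(one, link_src_dst_ip)))
    print("server -> switch, one client IP :", dict(links_used(one, link_layer3_4)))

    clients = ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13")
    many = [f for c in clients for f in client_flows(c, "198.51.100.1", 4)]
    print("switch -> server, four client IPs:", dict(links_used(many, link_src_dst_ip)))

    v6 = client_flows("2001:db8::10", "2001:db8:1::1", 8)
    print("switch -> server, IPv6 single pair:", dict(links_used(v6, link_src_dst_ip)))
```

Run it as a script to see the two distributions side by side: every flow of the single client lands on one member under src-dst-ip, whereas the layer3+4 policy spreads the same flows; only more client addresses change the switch-side picture, which is the multiplexing the commit message refers to.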
<entry>
<title>space_server: add new infraswitch</title>
<updated>2021-09-13T15:10:34+00:00</updated>
<author>
<name>Asbjørn Sloth Tønnesen</name>
<email>asbjorn@labitat.dk</email>
</author>
<published>2021-09-13T15:01:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.2e8.dk/labitat/labitat-ansible/commit/?id=30aa929a02402ba58221cbc347fb1580dd79fd32'/>
<id>30aa929a02402ba58221cbc347fb1580dd79fd32</id>
<content type='text'>
New* switch for terminating 10 Gbps uplink,
with 3x1G LACP towards the space server,
and 4x1G LACP towards the space switch.

D-Link DGS-1510-28 Ethernet switch
- 24x 10/100/1000 Mbps RJ45 port
-  2x  1 Gbps SFP  ports
-  2x 10 Gbps SFP+ ports

*) it was new in 2015, but the firmware was unusable
   back then.

Signed-off-by: Asbjørn Sloth Tønnesen &lt;asbjorn@labitat.dk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
New* switch for terminating 10 Gbps uplink,
with 3x1G LACP towards the space server,
and 4x1G LACP towards the space switch.

D-Link DGS-1510-28 Ethernet switch
- 24x 10/100/1000 Mbps RJ45 port
-  2x  1 Gbps SFP  ports
-  2x 10 Gbps SFP+ ports

*) it was new in 2015, but the firmware was unusable
   back then.

Signed-off-by: Asbjørn Sloth Tønnesen &lt;asbjorn@labitat.dk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>space_server: add dedicated VLAN for Tor exit nodes</title>
<updated>2021-09-06T19:06:02+00:00</updated>
<author>
<name>Asbjørn Sloth Tønnesen</name>
<email>asbjorn@labitat.dk</email>
</author>
<published>2021-09-06T18:13:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.2e8.dk/labitat/labitat-ansible/commit/?id=6856b82bdcd61ea25cac8bc64a9114d908e6ea9e'/>
<id>6856b82bdcd61ea25cac8bc64a9114d908e6ea9e</id>
<content type='text'>
Move the Tor exit nodes to their own VLAN, and
their own address space.

Background for move
-------------------

For the first Tor exit node, we were able to
create inet6num object 2a01:4262:1ab:20::71/128.
So we could assign a specific Tor abuse contact.

When we added the second node it was no longer
possible to create /128 inet6num objects, but
only up to /64. We therefore need to move our
Tor exit nodes to a dedicated address space.

Connection tracking
-------------------

Connection tracking is quite expensive, so
it's better to only do it for Tor traffic,
when we actually need it, which is only when
internal clients need to access the servers.

In the future conntrack could also be disabled
for labicolo in general.

Current stats
~~~~~~~~~~~~~

[root@space ~]# grep -v '185\.38\.175\.7[12] ' /proc/net/nf_conntrack |
	grep -v '2a01:4262:01ab:0020:0000:0000:0000:007[12]' | wc -l
4071

[root@space ~]# wc -l /proc/net/nf_conntrack
39138 /proc/net/nf_conntrack

Currently 4071 out of 39138 connections are not Tor related.

Also reading /proc/net/nf_conntrack is quite slow atm.:

[root@space ~]# time cat /proc/net/nf_conntrack &gt; /dev/null

real    0m35.097s
user    0m0.010s
sys     0m28.114s

Signed-off-by: Asbjørn Sloth Tønnesen &lt;asbjorn@labitat.dk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Move the Tor exit nodes to their own VLAN, and
their own address space.

Background for move
-------------------

For the first Tor exit node, we were able to
create inet6num object 2a01:4262:1ab:20::71/128.
So we could assign a specific Tor abuse contact.

When we added the second node it was no longer
possible to create /128 inet6num objects, but
only up to /64. We therefore need to move our
Tor exit nodes to a dedicated address space.

Connection tracking
-------------------

Connection tracking is quite expensive, so
it's better to only do it for Tor traffic,
when we actually need it, which is only when
internal clients need to access the servers.

In the future conntrack could also be disabled
for labicolo in general.

Current stats
~~~~~~~~~~~~~

[root@space ~]# grep -v '185\.38\.175\.7[12] ' /proc/net/nf_conntrack |
	grep -v '2a01:4262:01ab:0020:0000:0000:0000:007[12]' | wc -l
4071

[root@space ~]# wc -l /proc/net/nf_conntrack
39138 /proc/net/nf_conntrack

Currently 4071 out of 39138 connections are not Tor related.

Also reading /proc/net/nf_conntrack is quite slow atm.:

[root@space ~]# time cat /proc/net/nf_conntrack &gt; /dev/null

real    0m35.097s
user    0m0.010s
sys     0m28.114s

Signed-off-by: Asbjørn Sloth Tønnesen &lt;asbjorn@labitat.dk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>space_server: nftables: colo: accept BGP connections</title>
<updated>2021-06-19T09:08:51+00:00</updated>
<author>
<name>Asbjørn Sloth Tønnesen</name>
<email>asbjorn@labitat.dk</email>
</author>
<published>2021-06-18T21:55:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.2e8.dk/labitat/labitat-ansible/commit/?id=b1904dcc2937c93408234311793302aedca859c4'/>
<id>b1904dcc2937c93408234311793302aedca859c4</id>
<content type='text'>
Until now BGP connections have only been established
when the space server has initiated the connection to
the peer.

It's best practice for both BGP speakers to be able to
connect to one another, lowering recovery time.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Until now BGP connections have only been established
when the space server has initiated the connection to
the peer.

It's best practice for both BGP speakers to be able to
connect to one another, lowering recovery time.
</pre>
</div>
</content>
</entry>
<entry>
<title>space_server: nftables: colo: use dynamic reverse path filter</title>
<updated>2021-06-19T09:08:04+00:00</updated>
<author>
<name>Asbjørn Sloth Tønnesen</name>
<email>asbjorn@labitat.dk</email>
</author>
<published>2021-06-18T21:41:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.2e8.dk/labitat/labitat-ansible/commit/?id=23a84a3cfeac299ef34e422cdcd9ea3499376a90'/>
<id>23a84a3cfeac299ef34e422cdcd9ea3499376a90</id>
<content type='text'>
This patch changes the reverse path filtering of the labicolo VLAN
to take place in the prerouting hook, using the kernel routing
table, and removes the need to maintain a static prefix list.

Labicolo routes are exported to the kernel routing table by BIRD,
hence it should be sufficient to only have prefix lists there.

This change has been tested, and it's only possible to spoof
fellow labicolo members address space (same as before).

Esmil: prerouting before input/forward makes more sense to me
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch changes the reverse path filtering of the labicolo VLAN
to take place in the prerouting hook, using the kernel routing
table, and removes the need to maintain a static prefix list.

Labicolo routes are exported to the kernel routing table by BIRD,
hence it should be sufficient to only have prefix lists there.

This change has been tested, and it's only possible to spoof
fellow labicolo members address space (same as before).

Esmil: prerouting before input/forward makes more sense to me
</pre>
</div>
</content>
</entry>
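The three nftables commits above (skipping connection tracking for Tor exit traffic, accepting BGP sessions opened by the peer, and reverse-path filtering the labicolo VLAN from the kernel routing table in the prerouting hook) fit in one ruleset. The one below is an added example, not the ruleset from labitat-ansible: the interface name "colo", the table name and every prefix and peer address (RFC 5737 and RFC 3849 documentation space) are assumptions, and the forward chain is only a stub showing the rules the untracked traffic needs.

```nft
#!/usr/sbin/nft -f
# Added example, not the labitat-ansible ruleset. Assumed: "colo" is the
# labicolo VLAN interface; the sets hold placeholder prefixes for the Tor
# exit VLAN, internal client space and the colo BGP neighbours.

# Declare then delete, so re-applying the file replaces instead of appending.
table inet colo_example
delete table inet colo_example

table inet colo_example {
    set tor_v4      { type ipv4_addr; flags interval; elements = { 203.0.113.64/27 } }
    set tor_v6      { type ipv6_addr; flags interval; elements = { 2001:db8:7::/64 } }
    set internal_v4 { type ipv4_addr; flags interval; elements = { 10.42.0.0/16 } }
    set internal_v6 { type ipv6_addr; flags interval; elements = { 2001:db8:42::/48 } }
    set bgp_peer_v4 { type ipv4_addr; elements = { 192.0.2.1, 192.0.2.2 } }
    set bgp_peer_v6 { type ipv6_addr; elements = { 2001:db8:1::1 } }

    chain raw_prerouting {
        type filter hook prerouting priority raw; policy accept;

        # Dynamic reverse-path filter straight from the FIB: drop when the
        # kernel has no route back to saddr via the ingress interface. Routes
        # BIRD installed for colo members are valid here, which is why
        # members can still spoof each other's space and nothing else.
        iifname "colo" fib saddr . iif oif missing counter drop

        # No conntrack entry for Tor exit traffic unless the other end is an
        # internal client; those flows keep state so stateful rules work.
        ip  saddr @tor_v4 ip  daddr != @internal_v4 notrack
        ip  daddr @tor_v4 ip  saddr != @internal_v4 notrack
        ip6 saddr @tor_v6 ip6 daddr != @internal_v6 notrack
        ip6 daddr @tor_v6 ip6 saddr != @internal_v6 notrack
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Untracked packets never match "established", so the Tor VLAN
        # needs stateless accepts in both directions.
        ct state untracked ip  saddr @tor_v4 accept
        ct state untracked ip  daddr @tor_v4 accept
        ct state untracked ip6 saddr @tor_v6 accept
        ct state untracked ip6 daddr @tor_v6 accept
        # remaining forwarding policy for tracked flows goes here
    }

    chain input {
        type filter hook input priority filter; policy accept;
        iifname "colo" jump input_colo
    }

    chain input_colo {
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        # Let the neighbour open the BGP session too, instead of only
        # accepting replies to ours; either side can then recover.
        ip  saddr @bgp_peer_v4 tcp dport 179 accept
        ip6 saddr @bgp_peer_v6 tcp dport 179 accept
        counter drop
    }
}
```

Check the syntax with `nft -c -f colo_example.nft` before loading it with `nft -f`. The effect of the notrack rules shows up directly in the numbers the Tor commit quotes: the line count of /proc/net/nf_conntrack should fall to roughly the non-Tor share once the Tor VLAN traffic stops being tracked.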
<entry>
<title>space_server: bird: remove old prefix lists</title>
<updated>2021-06-19T09:06:21+00:00</updated>
<author>
<name>Asbjørn Sloth Tønnesen</name>
<email>asbjorn@labitat.dk</email>
</author>
<published>2021-06-18T21:37:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.2e8.dk/labitat/labitat-ansible/commit/?id=f72c04ecb33b1319b611da9df8296c597092c376'/>
<id>f72c04ecb33b1319b611da9df8296c597092c376</id>
<content type='text'>
Now that we use communities, we don't need this prefix filter
anymore, only the per-customer prefix filters.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Now that we use communities, we don't need this prefix filter
anymore, only the per-customer prefix filters.
</pre>
</div>
</content>
</entry>
<entry>
<title>space_server: bird: export prefixes based on communities</title>
<updated>2021-06-19T09:05:58+00:00</updated>
<author>
<name>Asbjørn Sloth Tønnesen</name>
<email>asbjorn@labitat.dk</email>
</author>
<published>2021-06-18T21:37:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.2e8.dk/labitat/labitat-ansible/commit/?id=76337d534a85659010385a71d09be488cdcfd112'/>
<id>76337d534a85659010385a71d09be488cdcfd112</id>
<content type='text'>
We only announce a prefix if we have received it from a customer
connection or if we originate it ourselves.

This way we avoid announcing prefixes matching the earlier used
prefix list if we haven't received them via the customer connection.
This is important for multi-homed labicolo customers.

Esmil: consistent brace placement
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We only announce a prefix if we have received it from a customer
connection or if we originate it ourselves.

This way we avoid announcing prefixes matching the earlier used
prefix list if we haven't received them via the customer connection.
This is important for multi-homed labicolo customers.

Esmil: consistent brace placement
</pre>
</div>
</content>
</entry>
<entry>
<title>space_server: bird: set communities on import</title>
<updated>2021-06-19T09:04:59+00:00</updated>
<author>
<name>Asbjørn Sloth Tønnesen</name>
<email>asbjorn@labitat.dk</email>
</author>
<published>2021-06-18T21:35:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.2e8.dk/labitat/labitat-ansible/commit/?id=ff8ef6bdd84a5edc068069b5ff382c35e2456881'/>
<id>ff8ef6bdd84a5edc068069b5ff382c35e2456881</id>
<content type='text'>
Assign large communities on prefix import.

Later we can then use the community, to decide if we should
announce it to our peers.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Assign large communities on prefix import.

Later we can then use the community, to decide if we should
announce it to our peers.
</pre>
</div>
</content>
</entry>
<entry>
<title>space_server: bird: prepare large communities</title>
<updated>2021-06-19T09:04:21+00:00</updated>
<author>
<name>Asbjørn Sloth Tønnesen</name>
<email>asbjorn@labitat.dk</email>
</author>
<published>2021-06-18T21:34:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.2e8.dk/labitat/labitat-ansible/commit/?id=2251118ea48c86e84b58725fd9651ba3fcae5026'/>
<id>2251118ea48c86e84b58725fd9651ba3fcae5026</id>
<content type='text'>
This patch prepares us for adopting Large BGP Communities (RFC 8092).

Basic format of Large BGP Communities:
  &lt;uint32_t asn&gt;:&lt;uint32_t function&gt;:&lt;uint32_t value&gt;

We use function 1 for storing prefix type (or relation).

We then assign a value to transit, peering, customer and originated
prefixes.

Large BGP Communities
http://largebgpcommunities.net/
https://tools.ietf.org/html/rfc8092
https://tools.ietf.org/html/rfc8195

Esmil: consistent brace placement
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch prepares us for adopting Large BGP Communities (RFC 8092).

Basic format of Large BGP Communities:
  &lt;uint32_t asn&gt;:&lt;uint32_t function&gt;:&lt;uint32_t value&gt;

We use function 1 for storing prefix type (or relation).

We then assign a value to transit, peering, customer and originated
prefixes.

Large BGP Communities
http://largebgpcommunities.net/
https://tools.ietf.org/html/rfc8092
https://tools.ietf.org/html/rfc8195

Esmil: consistent brace placement
</pre>
</div>
</content>
</entry>
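The three bird commits above (prepare large communities, set them on import, export based on them) describe one scheme: function 1 of the Labitat large community records the relation of a prefix (transit, peering, customer, originated), and only customer and originated prefixes are exported upstream. The BIRD 2 configuration below is an added example of that scheme and not the bird.conf from labitat-ansible: OUR_ASN is a placeholder private ASN, the neighbour addresses, ASNs and prefixes are documentation space, and the filter and function names are made up here. It also strips any of "our" type communities a neighbour may have attached itself, since otherwise a peer could get its prefixes re-announced as if they were customer routes.

```bird
# Added example of the large-community scheme, not Labitat's bird.conf.
# Assumptions: placeholder ASNs and addresses, IPv4 channels only (IPv6
# channels use the same filters).

define OUR_ASN = 64512;

# Large community layout (RFC 8092): (OUR_ASN, function, value)
# function 1 = prefix type / relation to us
define LC_TYPE       = 1;
define TYPE_TRANSIT  = 1;
define TYPE_PEER     = 2;
define TYPE_CUSTOMER = 3;
define TYPE_ORIGIN   = 4;

# Per-customer prefix filters stay: the community says where a route came
# from, the prefix list says what that customer may send at all.
define CUST_A_V4 = [ 192.0.2.0/24+ ];
define CUST_A_V6 = [ 2001:db8:a::/48+ ];

function is_cust_a_prefix()
{
  if net.type = NET_IP4 then return net ~ CUST_A_V4;
  if net.type = NET_IP6 then return net ~ CUST_A_V6;
  return false;
}

# Drop any type community a neighbour attached itself, then tag the route
# with the relation of the session it arrived on.
function tag_import(int relation)
{
  bgp_large_community.delete([(OUR_ASN, LC_TYPE, *)]);
  bgp_large_community.add((OUR_ASN, LC_TYPE, relation));
}

filter import_cust_a
{
  if ! is_cust_a_prefix() then reject "not in customer A prefix list";
  tag_import(TYPE_CUSTOMER);
  accept;
}

filter import_transit { tag_import(TYPE_TRANSIT); accept; }
filter import_peer    { tag_import(TYPE_PEER);    accept; }

# Upstream and peers only get what customers sent us or what we originate.
filter export_upstream
{
  if bgp_large_community ~ [(OUR_ASN, LC_TYPE, TYPE_CUSTOMER),
                            (OUR_ASN, LC_TYPE, TYPE_ORIGIN)] then accept;
  reject;
}

# Customers get everything we have a known relation for.
filter export_customer
{
  if bgp_large_community ~ [(OUR_ASN, LC_TYPE, *)] then accept;
  reject;
}

protocol static originated_v4 {
  ipv4 { import filter { tag_import(TYPE_ORIGIN); accept; }; };
  route 203.0.113.0/24 blackhole;
}

protocol bgp cust_a {
  description "labicolo customer A";
  local as OUR_ASN;
  neighbor 192.0.2.1 as 64513;
  ipv4 { import filter import_cust_a; export filter export_customer; };
}

protocol bgp upstream {
  local as OUR_ASN;
  neighbor 198.51.100.1 as 64514;
  ttl security on;   # GTSM, as in the "enable TTL security" commit
  ipv4 { import filter import_transit; export filter export_upstream; };
}
```

Validate with `bird -p -c bird.conf` before reloading. A multi-homed colo customer that withdraws a prefix from its session with the space server then drops out of export_upstream immediately, because the route carries no customer tag any more, which is the case the export commit is about.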
<entry>
<title>space_server: bird: asbjorn: enable TTL security</title>
<updated>2021-06-18T22:30:02+00:00</updated>
<author>
<name>Asbjørn Sloth Tønnesen</name>
<email>asbjorn@labitat.dk</email>
</author>
<published>2021-06-18T22:28:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.2e8.dk/labitat/labitat-ansible/commit/?id=0b9f7c5cfad16602bf2df5276a5bee18888fd618'/>
<id>0b9f7c5cfad16602bf2df5276a5bee18888fd618</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
</feed>
