labitat-ansible/roles, branch routing-changes Unnamed repository; edit this file 'description' to name the repository. space_server: nftables: colo: accept BGP connections 2021-06-18T22:40:15+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2021-06-18T21:55:27+00:00 2240d5ee65c26df076979353d2a1e5cc38a59d1f Until now BGP connections have only been established when the space server has initiated the connection to the peer. It's best practice for both BGP speakers to be able to connect to one another, lowering recovery time. 
Until now BGP connections have only been established
when the space server has initiated the connection to
the peer.

It's best practice for both BGP speakers to be able to
connect to one another, lowering recovery time.
space_server: nftables: colo: use dynamic reverse path filter 2021-06-18T22:40:15+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2021-06-18T21:41:49+00:00 ff7bfb2fbfa64a4763294b067c984c4b05244821 This patch changes the reverse path filtering of the labicolo VLAN to take place in the prerouting hook, using the kernel routing table, and removes the need to maintain a static prefix list. Labicolo routes are exported to the kernel routing table by BIRD, hence it should be sufficient to only have prefix lists there. This change has been tested, and it's only possible to spoof fellow labicolo members address space (same as before). 
This patch changes the reverse path filtering of the labicolo VLAN
to take place in the prerouting hook, using the kernel routing
table, and removes the need to maintain a static prefix list.

Labicolo routes are exported to the kernel routing table by BIRD,
hence it should be sufficient to only have prefix lists there.

This change has been tested, and it's only possible to spoof
fellow labicolo members address space (same as before).
space_server: bird: remove old prefix lists 2021-06-18T22:40:15+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2021-06-18T21:37:36+00:00 512f7dc6837f140f5549e58d8a5ef8014fe0b52e Now that we use communities, we don't need this prefix filter anymore, only the per-customer prefix filters. 
Now that we use communities, we don't need this prefix filter
anymore, only the per-customer prefix filters.
space_server: bird: export prefixes based on communities 2021-06-18T22:40:15+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2021-06-18T21:37:08+00:00 b4c4a41b2b9f7ac70fec575c7badef0ec937f1a3 We only announce a prefix, if we have recieved it from a customer connection or if we originate it our self. This way we avoid announcing prefixes matching the earlier used, prefix list if we haven't recieved it via the customer connection. This is important for multi-homed labicolo customers. 
We only announce a prefix, if we have recieved it from a customer
connection or if we originate it our self.

This way we avoid announcing prefixes matching the earlier used,
prefix list if we haven't recieved it via the customer connection.
This is important for multi-homed labicolo customers.
space_server: bird: set communities on import 2021-06-18T22:39:48+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2021-06-18T21:35:52+00:00 f6361901625aae13992670bd385ca2e67310f1b4 Assign large communities on prefix import. Later we can then use the community, to decide if we should announce it to our peers. 
Assign large communities on prefix import.

Later we can then use the community, to decide if we should
announce it to our peers.
space_server: bird: prepare large communities 2021-06-18T22:36:38+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2021-06-18T21:34:39+00:00 6456863d1350340a8d6cfad183332e80b334bd8d This patch prepares us for adopting Large BGP Communities (RFC 8092). Basic format of Large BGP Communities: <uint32_t asn>:<uint32_t function>:<uint32_t value> We use function 1 for storing prefix type (or relation). We then assign a value to transit, peering, customer and originated prefixes. Large BGP Communities http://largebgpcommunities.net/ https://tools.ietf.org/html/rfc8092 https://tools.ietf.org/html/rfc8195 
This patch prepares us for adopting Large BGP Communities (RFC 8092).

Basic format of Large BGP Communities:
  <uint32_t asn>:<uint32_t function>:<uint32_t value>

We use function 1 for storing prefix type (or relation).

We then assign a value to transit, peering, customer and originated
prefixes.

Large BGP Communities
http://largebgpcommunities.net/
https://tools.ietf.org/html/rfc8092
https://tools.ietf.org/html/rfc8195
space_server: bird: asbjorn: enable TTL security 2021-06-18T22:30:02+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2021-06-18T22:28:15+00:00 0b9f7c5cfad16602bf2df5276a5bee18888fd618 






space_server: bird: fiberby: enable TTL security
2021-06-18T22:00:32+00:00

Asbjørn Sloth Tønnesen
asbjorn@labitat.dk

2021-06-18T21:03:50+00:00

b90e3611976192db56394b57c9527db7a58af62c

This protects us amount otherthings against 3rd parties
resetting the TCP connection underneat our BGP sessions.

This has been enabled in both ends, and this
_MUST_ remain enabled, otherwise these sessions
will go down.

If this needs to be disabled for some reason
then it must be coordinated with Fiberby.

RFC 5082 - The Generalized TTL Security Mechanism
https://datatracker.ietf.org/doc/html/rfc5082





This protects us amount otherthings against 3rd parties
resetting the TCP connection underneat our BGP sessions.

This has been enabled in both ends, and this
_MUST_ remain enabled, otherwise these sessions
will go down.

If this needs to be disabled for some reason
then it must be coordinated with Fiberby.

RFC 5082 - The Generalized TTL Security Mechanism
https://datatracker.ietf.org/doc/html/rfc5082







space_server: bird: fix prefix error
2021-06-17T22:46:51+00:00

Hafnium
haf@hafnium.me

2021-06-17T22:11:09+00:00

1a0e6180c199225b1790d74614a4c727cfec1f7d

The prefix was only routeable on the intern network, not the whole
internet, as it was not added in local_prefix_v6.
The 2a0e:8f02:f034::/48 is attached to my ASN, AS211153

Commit message fixed up by Esmil





The prefix was only routeable on the intern network, not the whole
internet, as it was not added in local_prefix_v6.
The 2a0e:8f02:f034::/48 is attached to my ASN, AS211153

Commit message fixed up by Esmil







space_server: bird: add bgp peering for Hafnium/AS211153
2021-06-17T21:46:43+00:00

Hafnium
haf@hafnium.me

2021-06-17T21:25:46+00:00

597b4122c5428db223e736ad66b9bf2a7dff3fd3

Commit message and nftables rule fixed up by Esmil





Commit message and nftables rule fixed up by Esmil