[ixpmanager] BFD on Route Servers
Richard Laager
rlaager at wiktel.com
Tue Jun 13 02:42:06 IST 2023
On 2023-06-12 03:28, André Grüneberg wrote:
>
> But I would make the per-customer default on. For upgrades, this
> is still safe, since it will be off globally anyway.
>
> I agree that this may be ok.
> I could imagine a combined selection field per VLAN interface "Off, No
> auth, Keyed SHA1, Meticulous Keyed SHA1" to save on UI elements. In
> that case "Off" is the better default. Alternatively one could also
> configure the global UI default in .env -- this would allow us to
> default to "Meticulous Keyed SHA1".
In reading the BIRD docs, unfortunately authentication is going to be a
problem. It says, "Note that the algorithm is common for all keys (on
one interface)". So it doesn't seem like we could configure this
per-customer. And changing it would be a flag day operation. That's
really not great.
In reading further, it doesn't seem to do different authentication
per-neighbor at all.
So as far as BIRD goes right now, I think it's effectively
unauthenticated only.
> One might also ask whether to always configure "passive" BFD or to
> enforce it per VLAN interface?
What would "enforce" mean here? Non-passive (i.e. "active") or something
else? I don't think that active actually /requires/ BFD, does it? I
think it just means bird would try to set it up. But maybe I'm wrong; I
haven't tested.
--
Richard