FAQ
Gatekeeper supports IPv4 and IPv6 networks.
A flow is defined as the pair of source and destination IP addresses. All policy decisions are enforced over flows.
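As an added illustration of the flow definition above (this is not Gatekeeper's own code), the snippet below keys a policy table on the canonicalized (source, destination) pair for both IPv4 and IPv6, so that different textual spellings of the same address map to one flow while the reverse direction is a separate flow. The decision labels used here are constructed for the example.

```python
"""Added example: a per-flow policy table keyed by (source IP, destination IP).

Not Gatekeeper's own code. The decision labels ('granted', 'declined',
'request') are constructed for this illustration.
"""
import ipaddress
from typing import Dict, Tuple

# (address family, canonical source, canonical destination)
FlowKey = Tuple[int, str, str]


def flow_key(src: str, dst: str) -> FlowKey:
    """Canonicalize both endpoints so textual variants of one address
    (e.g. '2001:0db8::1' and '2001:db8::1') produce the same key."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must share an address family")
    return (s.version, s.compressed, d.compressed)


class FlowTable:
    """Policy decisions are stored and enforced per flow, never per host."""

    def __init__(self) -> None:
        self._decisions: Dict[FlowKey, str] = {}

    def set_decision(self, src: str, dst: str, decision: str) -> None:
        self._decisions[flow_key(src, dst)] = decision

    def lookup(self, src: str, dst: str) -> str:
        # Unknown flows fall back to 'request' (constructed default label).
        return self._decisions.get(flow_key(src, dst), "request")


if __name__ == "__main__":
    table = FlowTable()
    table.set_decision("2001:db8::1", "2001:db8::100", "granted")
    table.set_decision("198.51.100.7", "203.0.113.10", "declined")
    print(table.lookup("2001:0db8:0000::0001", "2001:db8:0:0:0:0:0:100"))
    print(table.lookup("2001:db8::100", "2001:db8::1"))  # reverse direction
```

Note that the lookup is directional: a decision for A→B says nothing about B→A, which is exactly why the table is keyed on the ordered pair rather than on either address alone.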
Vantage points (VPs) are locations that support the deployment of Gatekeeper servers. Besides basic hardware demands, these locations must provide BGP speakers to announce protected network prefixes and private links between the VP and the protected destination. The private links are used to make Gatekeeper servers the entry points of traffic toward the protected destinations. These private links can be implemented using a number of technologies, including regular tunnels. Typical VPs are Internet exchanges, peering-link locations, and (some) cloud providers; not all cloud providers support BGP announcements.
If Gatekeeper servers had a single network interface, a Gatekeeper server under a DDoS attack might not receive the policy decisions coming from Grantor servers, because that interface would be saturated by attack traffic.
This information is passed to Gatekeeper servers dynamically to quickly accommodate network changes. An example is found in file lua/examples/example_of_dynamic_config_request.lua (search for GK_FWD_GRANTOR); there's an example for IPv4 and another for IPv6. More information can be found here. One can use the shell command gkctl to send requests to Gatekeeper and Grantor servers.
The packages to install Gatekeeper servers and Grantor servers are the same. The binary gatekeeper can run as a Gatekeeper server or as a Grantor server. This choice is defined in the configuration file main_config.lua found in folder /etc/gatekeeper.
Currently, no. The milestone Minimal deployments intends to change this answer to yes, but this milestone has been dormant in favor of the other milestones.
Yes. In fact, there is no restriction on how you set Bird up. The patch we added to Bird switches it from talking to the kernel to talking to Gatekeeper, so that Gatekeeper receives the computed routing table.
Although the interfaces of Gatekeeper and Grantor servers are not available to the operating system, the Control Plane Support (CPS) block creates network interfaces in the kernel that mirror the front and back networks. Thus, you can set Bird up over these interfaces to establish BGP sessions with routers. These interfaces are called KNI interfaces.