FAQ
Gatekeeper supports IPv4 and IPv6 networks.
A flow is defined as the pair of source and destination IP addresses. All policy decisions are enforced over flows.
Vantage points (VPs) are locations that support the deployment of Gatekeeper servers. Besides basic hardware demands, these locations must provide BGP speakers to announce protected network prefixes and private links between the VP and the protected destination. The private links are used to make Gatekeeper servers the entry points of traffic toward the protected destinations. These private links can be implemented using a number of technologies, including regular tunnels. Typical VPs are Internet exchanges, points of presence, peering-link locations, and (some) cloud providers; not all cloud providers support BGP announcements.
If Gatekeeper servers had a single network interface, a Gatekeeper server under a DDoS attack might not receive the policy decisions coming from Grantor servers, because that one interface would be saturated by attack traffic.
This information is passed to Gatekeeper servers dynamically to quickly accommodate network changes. An example is found in file lua/examples/example_of_dynamic_config_request.lua (search for GK_FWD_GRANTOR); there's an example for IPv4 and another for IPv6. More information can be found here. One can use the shell command gkctl to send requests to Gatekeeper and Grantor servers.
The packages to install Gatekeeper servers and Grantor servers are the same. The binary gatekeeper can run as a Gatekeeper server or as a Grantor server. This choice is defined in the configuration file main_config.lua found in folder /etc/gatekeeper.
Currently, no. The milestone Minimal deployments intends to change this answer to yes, but this milestone has been dormant in favor of the other milestones.
Yes. In fact, there is no restriction on how you set Bird up. The patch we added to Bird switches it from talking to the kernel to talking to Gatekeeper, so that Gatekeeper receives the computed routing table.
Although the interfaces of Gatekeeper and Grantor servers are not available to the operating system, the Control Plane Support (CPS) block creates network interfaces in the kernel that mirror the front and back networks. Thus, you can set Bird up over these interfaces to establish BGP sessions with routers. These interfaces are called KNI interfaces.
I am noticing odd behavior with the Linux interfaces created by Gatekeeper for the BGP speaker. Is this a bug?
If using the Control Plane Support (CPS) block, Gatekeeper will create Linux interfaces (only one for Grantor) using the DPDK KNI library. These interfaces are used to relay control plane information, such as BGP packets, to a BGP speaker application. Gatekeeper handles the lifecycle and configuration of these interfaces, so you should not need to configure them directly with tools like ethtool or iproute2. In fact, doing so can create issues for Gatekeeper. NetworkManager is known to attempt to configure the interfaces, which can cause their IP addresses to be dropped.
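One way to keep NetworkManager away from the KNI interfaces that Gatekeeper creates for the BGP speaker (the issue described in the two answers above) is a NetworkManager drop-in file that declares those interfaces unmanaged. The script below is an added example, not part of the Gatekeeper project: it writes such a drop-in into a directory you choose and offers a small check that reports whether a given interface name is covered by it. The interface names `kni_front` and `kni_back`, the drop-in file name and the target directory are assumptions; use the names your own Gatekeeper configuration gives the KNI interfaces, and on a live host point the directory at `/etc/NetworkManager/conf.d` and restart NetworkManager afterwards.

```shell
#!/bin/sh
# Added example (not Gatekeeper project code): keep NetworkManager from
# configuring Gatekeeper's KNI interfaces by listing them as unmanaged.
# Interface names and file name below are assumptions.

# write_nm_dropin DIR
#   Writes DIR/90-gatekeeper-kni.conf with an "unmanaged-devices" entry for
#   the assumed KNI interface names and prints the path of the written file.
write_nm_dropin() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/90-gatekeeper-kni.conf" <<'EOF'
[keyfile]
# Gatekeeper owns these interfaces; NetworkManager must not touch them.
unmanaged-devices=interface-name:kni_front;interface-name:kni_back
EOF
    printf '%s\n' "$dir/90-gatekeeper-kni.conf"
}

# is_unmanaged FILE IFACE
#   Exit 0 if IFACE appears as an "interface-name:" entry of the
#   unmanaged-devices line in FILE, exit 1 otherwise.
is_unmanaged() {
    file="$1"
    iface="$2"
    spec=$(sed -n 's/^unmanaged-devices=//p' "$file")
    if [ -z "$spec" ]; then
        return 1
    fi
    old_ifs=$IFS
    IFS=';'
    for entry in $spec; do
        case "$entry" in
            "interface-name:$iface")
                IFS=$old_ifs
                return 0
                ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Usage on a live host (assumed directory):
#   f=$(write_nm_dropin /etc/NetworkManager/conf.d)
#   systemctl restart NetworkManager
#   is_unmanaged "$f" kni_front && echo "kni_front is unmanaged"
```

After restarting NetworkManager, `nmcli device status` should show the KNI interfaces as unmanaged; if they still show as managed, confirm that the interface names in the drop-in match the names Gatekeeper actually created.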