Cody Doucette edited this page Sep 4, 2020 · 29 revisions

General questions

Which IP version does Gatekeeper support?

Gatekeeper supports IPv4 and IPv6 networks.

What defines a flow in Gatekeeper?

A flow is defined by the pair of source and destination IP addresses; port numbers and transport protocol are not part of the flow identity, and the reverse direction (destination to source) is a separate flow. All policy decisions are made and enforced per flow, so a decision covers every packet exchanged between the two addresses.
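As an added illustration (not Gatekeeper's own code), the following Python model keeps a flow table keyed only by the (source IP, destination IP) pair and shows what that choice implies: packets on different ports and protocols share one entry and one policy decision, the reverse direction is a separate flow, and IPv4 and IPv6 addresses are handled alike. The packet fields, the three policy states and the byte "budget" attached to a grant are assumptions made for this example; Gatekeeper's real flow state and grant parameters differ.

```python
# Added illustration, not Gatekeeper's own code: a flow table keyed only
# by the (source IP, destination IP) pair, showing what "a flow is the
# address pair" implies for policy enforcement. The Packet fields, the
# policy states and the byte "budget" are assumptions made for this
# example; Gatekeeper's real flow state and grant parameters differ.
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
FlowKey = Tuple[IPAddress, IPAddress]


class Policy(Enum):
    REQUEST = "request"    # no decision yet: packets are sent on to a Grantor
    GRANTED = "granted"    # traffic is forwarded while a byte budget lasts
    DECLINED = "declined"  # traffic is dropped


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    length: int = 0


@dataclass
class FlowEntry:
    policy: Policy = Policy.REQUEST
    budget: int = 0        # bytes still allowed while GRANTED (simplified)
    packets_seen: int = 0


def flow_key(src: str, dst: str) -> FlowKey:
    """Canonical key: parsed addresses, so textual variants of the same
    address (IPv6 zero compression, upper/lower case) map to one flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must use the same IP version")
    return (s, d)


class FlowTable:
    def __init__(self) -> None:
        self.entries: Dict[FlowKey, FlowEntry] = {}

    def entry(self, pkt: Packet) -> FlowEntry:
        # Ports and protocol are deliberately not part of the lookup.
        return self.entries.setdefault(flow_key(pkt.src, pkt.dst), FlowEntry())

    def decide(self, src: str, dst: str, policy: Policy, budget: int = 0) -> None:
        """Apply a policy decision (as a Grantor would) to the whole flow."""
        e = self.entries.setdefault(flow_key(src, dst), FlowEntry())
        e.policy, e.budget = policy, budget

    def handle(self, pkt: Packet) -> str:
        e = self.entry(pkt)
        e.packets_seen += 1
        if e.policy is Policy.REQUEST:
            return "to_grantor"
        if e.policy is Policy.DECLINED or e.budget < pkt.length:
            return "drop"
        e.budget -= pkt.length
        return "forward"


def demo() -> dict:
    """Constructed traffic (documentation-range addresses) exercising the table."""
    table = FlowTable()
    src, dst = "203.0.113.7", "198.51.100.10"
    pkts = [
        Packet(src, dst, "tcp", 40001, 80, 500),
        Packet(src, dst, "tcp", 40002, 443, 500),
        Packet(src, dst, "udp", 5353, 53, 500),
    ]
    before = [table.handle(p) for p in pkts]   # no decision yet
    table.decide(src, dst, Policy.GRANTED, budget=1200)
    after = [table.handle(p) for p in pkts]    # one budget shared by all three
    # The reverse direction is a different flow with its own state.
    reverse = table.handle(Packet(dst, src, "tcp", 80, 40001, 100))
    v6_same = flow_key("2001:db8::1", "2001:DB8::2") == \
        flow_key("2001:0db8:0000:0000:0000:0000:0000:0001", "2001:db8:0:0:0:0:0:2")
    return {"before": before, "after": after, "reverse": reverse,
            "flows": len(table.entries), "v6_same_key": v6_same}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three packets on ports 80, 443 and 53 first all going to a Grantor, then, after a single grant of 1200 bytes, the first two being forwarded and the third dropped because the budget is shared across ports; the reply packet from 198.51.100.10 lands in a second, undecided flow.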

What are vantage points?

Vantage points (VPs) are locations that support the deployment of Gatekeeper servers. Besides basic hardware demands, these locations must provide BGP speakers to announce protected network prefixes and private links between the VP and the protected destination. The private links are used to make Gatekeeper servers the entry points of traffic toward the protected destinations. These private links can be implemented using a number of technologies, including regular tunnels. Typical VPs are Internet exchanges, peering-link locations, and (some) cloud providers; not all cloud providers support BGP announcements.

Gatekeeper servers

Why do Gatekeeper servers need two network interfaces?

If a Gatekeeper server had a single network interface, a DDoS attack that saturates that interface could also prevent the server from receiving policy decisions from Grantor servers. Keeping the front (Internet-facing) and back (Grantor-facing) networks on separate interfaces keeps the control traffic off the attacked link.

How do Gatekeeper servers learn the IP addresses of Grantor servers?

This information is passed to Gatekeeper servers dynamically, so that network changes can be accommodated quickly. An example is in the file lua/examples/example_of_dynamic_config_request.lua (search for GK_FWD_GRANTOR); there is one example for IPv4 and another for IPv6. More information can be found here. The shell command gkctl sends such requests to Gatekeeper and Grantor servers.

Grantor servers

Where do I find the packages to install Grantor servers?

The packages to install Gatekeeper servers and Grantor servers are the same. The binary gatekeeper can run as a Gatekeeper server or as a Grantor server. This choice is defined in the configuration file main_config.lua found in folder /etc/gatekeeper.

BGP sessions

Can I use Gatekeeper without BGP?

Currently, no. The Minimal deployments milestone is intended to change this answer to yes, but it has been dormant in favor of the other milestones.

Can I use Bird to establish BGP neighbors in spite of setting port 0x6A7E?

Yes. In fact, there is no restriction on how you set Bird up. The patch we applied to Bird only switches it from pushing routes to the kernel to pushing them to Gatekeeper, so Gatekeeper receives the computed routing table.

Although the network interfaces of Gatekeeper and Grantor servers are not available to the operating system, the Control Plane Support (CPS) block creates network interfaces in the kernel that mirror the front and back networks. You can therefore set Bird up over these interfaces to establish BGP sessions with routers. They are called KNI interfaces, after the DPDK Kernel NIC Interface library that creates them.

I am noticing odd behavior with the Linux interfaces created by Gatekeeper for the BGP speaker. Is this a bug?

If the Control Plane Support (CPS) block is in use, Gatekeeper creates Linux interfaces using the DPDK KNI library, one per mirrored network (so only one on a Grantor server). These interfaces relay control plane traffic such as BGP packets to a BGP speaker application. Gatekeeper handles the lifecycle and configuration of these interfaces, so you should not configure them directly with tools such as `ethtool` or `iproute2`; doing so can interfere with Gatekeeper. NetworkManager is known to try to configure these interfaces, which can cause their IP addresses to be dropped. If NetworkManager runs on the host, mark the KNI interfaces as unmanaged (for example, with an `unmanaged-devices` entry in a file under `/etc/NetworkManager/conf.d/`) so that it leaves them alone.
