IPv6 BGP & kernel 4.19

Vincent Bernat bernat at luffy.cx
Mon Dec 2 22:48:30 CET 2019


 ❦  2 December 2019 21:58 +01, Alarig Le Lay <alarig at swordarmor.fr>:

>> For IPv6, this is the size of the routing cache. If you have more than
>> 4096 active hosts, Linux will aggressively try to run garbage
>> collection, eating CPU. In this case, increase both
>> net.ipv6.route.max_size and net.ipv6.route.gc_thresh.
>
> Do you know what the risks are when we raise those parameters? A bit
> more RAM consumption?

You are mostly safe with RAM. Increasing the value to 512k would eat
256MB of RAM. However, if an attacker is still able to overflow the
cache, it is costly in terms of CPU. This is a bit similar to the route
cache for IPv4, so you need to play with the threshold, interval and timeout
to try to keep CPU usage down, but ultimately, a fast enough attacker
can do a lot of damage here. I don't have real-life experience with this
aspect.

Also, from 4.2, the cache entries are only created for exceptions (PMTU
notably). So, in fact, the initial value should be mostly safe. You can
monitor it with `/proc/net/rt6_stats`. This is the second-to-last value. If
you can share what you have, I would be curious to know how low it is
(compared to the 4th entry notably).
-- 
Writing is turning one's worst moments into money.
		-- J.P. Donleavy
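A small monitoring helper for the check described above, added here as an example and not part of the original thread. It assumes the field order of `/proc/net/rt6_stats` from `rt6_stats_seq_show` in `net/ipv6/route.c` (seven `%04x` hex counters, the 4th being `fib_rt_entries` and the second-to-last the live dst-entry count), and the sample line is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the thread: read the hex counters of /proc/net/rt6_stats
# and relate the dst-entry count (the second-to-last field) to the 4th field
# (FIB route entries) and to net.ipv6.route.gc_thresh / net.ipv6.route.max_size.
# Assumed field order (net/ipv6/route.c, rt6_stats_seq_show), each printed as %04x:
#   fib_nodes fib_route_nodes fib_rt_alloc fib_rt_entries fib_rt_cache dst_entries fib_discarded_routes

# rt6_field LINE N: decimal value of the N-th hex field of a rt6_stats line.
rt6_field() {
    _n=$2
    # shellcheck disable=SC2086  # splitting the line into its fields is intended
    set -- $1
    shift $((_n - 1))
    printf '%d\n' $(( 0x$1 ))
}

# rt6_dst_entries LINE: the second-to-last field, i.e. live dst entries,
# which is the number gc_thresh and max_size are compared against.
rt6_dst_entries() {
    # shellcheck disable=SC2086
    set -- $1
    _count=$#
    shift $((_count - 2))
    printf '%d\n' $(( 0x$1 ))
}

# rt6_cache_status LINE GC_THRESH MAX_SIZE -> ok | gc (GC running, CPU cost) | full (at/over max_size)
rt6_cache_status() {
    _dst=$(rt6_dst_entries "$1")
    if [ "$_dst" -ge "$3" ]; then echo full
    elif [ "$_dst" -ge "$2" ]; then echo gc
    else echo ok
    fi
}

# Constructed sample (not a real capture): 49 FIB route entries, 289 dst entries.
SAMPLE='0017 0012 0000 0031 0003 0121 0000'

# Use the live counters and sysctls when the host exposes them, else the sample.
if [ -r /proc/net/rt6_stats ] && [ -r /proc/sys/net/ipv6/route/gc_thresh ] \
   && [ -r /proc/sys/net/ipv6/route/max_size ]; then
    LINE=$(cat /proc/net/rt6_stats)
    GC=$(cat /proc/sys/net/ipv6/route/gc_thresh)
    MAX=$(cat /proc/sys/net/ipv6/route/max_size)
else
    LINE=$SAMPLE; GC=1024; MAX=4096
fi
echo "fib_rt_entries=$(rt6_field "$LINE" 4) dst_entries=$(rt6_dst_entries "$LINE") gc_thresh=$GC max_size=$MAX status=$(rt6_cache_status "$LINE" "$GC" "$MAX")"
```

A dst-entry count that sits far above the 4th field and near gc_thresh is the CPU-cost situation the reply warns about; steady values well below it mean the 4.2+ exception-only cache is behaving.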