[Babel-users] [RFC] Replace WireGuard AllowedIPs with IP route attribute

Alexander Zubkov green at qrator.net
Wed Nov 22 00:17:49 CET 2023


Hi Daniel,

On Mon, Nov 20, 2023, 03:05 Daniel Gröber <dxld at darkboxed.org> wrote:

> Hi Erin, Juliusz,
>
> On Sat, Nov 18, 2023 at 11:21:57AM +0100, Erin Shepherd wrote:
> > On Sat, 18 Nov 2023, at 03:19, Daniel Gröber wrote:
> > > That would be a problem as I specifically want to tie the source
> address
> > > filtering to this too. I'll have a look at the internals (if and) when
> I
> > > get around to starting work on this.
> >
> > Is tying source address filtering to the routing table the right thing to
> > do here? It seems to me that it would cause issues similar to those we
> > see more generally with Unicast Reverse Path Filtering
>
> IMO not providing a way to do source address filtering at the routing level
> was the original sin :)
>
> There is certianly the multihoming challange to be overcome as traditional
> BCP38 style filtering doesn't cut it in the general case. I have some ideas
> on how to deal with this.
>
> I've done some experiments and found that in Linux multi-nexthop routes
> actually match reverse path lookups (using nftables "rt") for _any_ of the
> source interfaces involved. I think this can be used to build RFC 3704
> style Feasible Path Reverse Path Forwarding when the routing daemon
> involved supports ECMP.
>
> This experiment is what got me interested in having via-wgpeer in the
> routing table in the first place, once we have that we can apply the above
> idea not just at the interface level but at the wg peer level. Neat.
>
> Can you think of a use-case where fpRPF isn't enough?
>

Yes. IMHO, the problem with RPF is that routing table doesn't reflect the
network topology, but only a subset of it. I mean in topologies where
multiple pathes are possible, you can choose to use or even learn only a
subset of those pathes. And that does not mean that there are no other
legitimate pathes exist, that other actors may choose to reach you.
In that sense might be yes, the original sin is that the routing table
doesn't reflect all the topology, not only the pathes we choose for egress.
Not sure though if it is a sin, in that case routing table would be too
overcomplicated.
If I understand correctly, such fpRPF approach works only if you both learn
all possible pathes and use all of them in a multi-nexthop route. But for
example in the Internet with its advanced BGP announcement policies it is
not true at all.
So from my point of view it is good to split the topology definition
(ingress decapsulation) and the chosen pathes (egress routing). Because it
is related, but still different processes. So the system can be more
flexible. Although we need to repeat common things and keep ingress and
egress consistent/synced.
At the same time we can use single protocol/configuration as a source of
information to setup both of those processes in cases when it is ok to
sacrifice flexibility for simplicity. Or for example the ingress part can
be configured to use routing table as a source of topology information.
Actually, when we turn on the RPF, we do something like that. But my point
is that RPF (with its variations too) has its bounds and cannot be a
universal solution, there is no silver bullet here.


> It's also noteworthy that once we have this support for via-wgpeer it'd be
> possible to apply ip-rule policy to the filtering decision. Perhaps that
> gives some additional power for more fun use-cases :)
>
> On Sat, Nov 18, 2023 at 01:22:03PM +0100, Juliusz Chroboczek wrote:
> > Issues are caused by the kernel performing filtering that the routing
> > protocol is not aware of: it causes the routing daemon's routing table to
> > no longer match the effective forwarding table (the kernel's routing
> > table).  That's the reason why uRPF breaks most routing protocols, that's
> > the reason why we have trouble making Wireguard work with Babel, and also
> > the reason behind https://github.com/jech/babeld/issues/111.
>
> Right on the money as always. This idea has been on my mind too.
>
> > Contrariwise, we can teach Babel to explicitly take into account the
> > kernel features that we're interested in using.  Thus, Babel could be
> > aware of the restrictions placed on a wireguard interface, and
> collaborate
> > with Wireguard so that the routing table and the forwarding table remain
> > congruent.  I haven't looked at the issue in detail, but I believe that
> > would be an interesting (short-term) research project, one that I would
> be
> > glad to collaborate with (but not necessarily lead, at least not right
> now).
>
> Sounds interesting do you have a funding source in mind?
>
> > For the specific case of source address filtering, Babel already has an
> > (implemented) extension to deal with source addresses, and I encourage
> you
> > to consider whether it can be used to deal with the issue at hand.
> Please
> > see https://arxiv.org/pdf/1403.0445.pdf and RFC 9079.
>
> I don't think I mentioned this to you yet, but I have another one of my
> crazy ideas of doing something vaguely similar to BGP flowspec with
> babel. Restricted to IP source/destination address, so no L4 stuff. I just
> want to represent firewall policy using ipv6 subtrees and distribute it in
> realtime using babel :)
>
> Unfortunately this is currently stalled due to an apparent nft rt match
> kernel bug preventing me from representing multiple possible outcomes since
> I want to support dropping, accepting but also stateful firewalling of
> matching flows.
>
> --Daniel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20231122/71c7dd41/attachment.htm>


More information about the Bird-users mailing list