Hi, could you tell me what is the best practice for sysctl.conf configuration (2 or 3 bgp peers, possible asym routing)? BR, Mike
In the year 2018 Mike Neo wrote:
> Hi,
> could you tell me what is the best practice for sysctl.conf configuration (2 or 3 bgp peers, possible asym routing)?

What exactly are you looking for?

The first things that come to mind would be

* forwarding enabled

Old style: global option:

  net.ipv4.ip_forward = 1

or in the new style (per-interface option):

  net.ipv4.conf.default.forwarding = 1
  net.ipv4.conf.all.forwarding = 1

If you do not want to enable forwarding on all interfaces, you could just add the interfaces you care about to that list (instead of "all" and "default"), but beware that this will only have an effect on interfaces already created before sysctls are applied. Therefore this would be risky when we are talking about some kind of tunnels like OpenVPN / WireGuard / IPsec, etc. which might be recreated while the system is running.

Also beware that for IPv6 there only is the new style config:

  net.ipv6.conf.default.forwarding = 1
  net.ipv6.conf.all.forwarding = 1

When using the new style, you probably want to have both settings to be safe in all scenarios (interfaces which already are present when sysctl is applied + interfaces which (re)emerge later).

* rp_filter disabled

Similar to the forwarding setting there is reverse path filtering

  net.ipv4.conf.default.rp_filter = 0
  net.ipv4.conf.all.rp_filter = 0

which has to be disabled at least on the interfaces which could be involved in asymmetric routing. Please make sure to provide some other means of BCP38 (like netfilter) to make sure your routers prevent people from spoofing source IPs as early as possible.

* Ignore ICMP redirects

When your routers are the only ones in a potentially untrusted network, you probably want to ignore ICMP redirects sent to your boxes, to prevent MITM attacks:

  net.ipv4.conf.default.accept_redirects = 0
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv6.conf.default.accept_redirects = 0
  net.ipv6.conf.all.accept_redirects = 0

Hope that helps

Best
Max
--
Progress means taking a step in such a way that you can still take the next one.
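The settings Max lists above, turned into a small audit script that compares a router's sysctl state (a saved `sysctl -a` dump or a sysctl.conf) against that baseline and reports anything missing or different. This is an added example and not code from the thread; it assumes a POSIX shell with awk, the file names are placeholders, and the sample values in the test data are constructed. The sysctl key names are the real ones from the post, and the `interface_sysctls` helper generalizes the per-interface variant Max mentions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Linux router's sysctl state
# against the settings recommended above (forwarding on, rp_filter off, ICMP
# redirects ignored). Input is "key = value" text, either a saved `sysctl -a`
# dump or a sysctl.conf, so the check also runs offline. File names are
# placeholders; the sysctl names are real.

# The recommended baseline: one "key value" pair per line.
expected_router_sysctls() {
    cat <<'EOF'
net.ipv4.ip_forward 1
net.ipv4.conf.default.forwarding 1
net.ipv4.conf.all.forwarding 1
net.ipv6.conf.default.forwarding 1
net.ipv6.conf.all.forwarding 1
net.ipv4.conf.default.rp_filter 0
net.ipv4.conf.all.rp_filter 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
net.ipv6.conf.all.accept_redirects 0
EOF
}

# Render the baseline as a sysctl.conf fragment (e.g. for /etc/sysctl.d/).
render_sysctl_conf() {
    expected_router_sysctls | while read -r key value; do
        printf '%s = %s\n' "$key" "$value"
    done
}

# Per-interface variants for one interface, for the case where only specific
# interfaces should be touched instead of "all"/"default". Caveat from the
# thread: these entries exist only once the interface does, so they do nothing
# for tunnels created after sysctl ran. Interface names containing dots (VLANs
# such as eth0.100) are written with "/" in the dotted key form.
interface_sysctls() {
    iface=$(printf '%s' "$1" | sed 's#\.#/#g')
    printf 'net.ipv4.conf.%s.forwarding 1\n' "$iface"
    printf 'net.ipv6.conf.%s.forwarding 1\n' "$iface"
    printf 'net.ipv4.conf.%s.rp_filter 0\n' "$iface"
    printf 'net.ipv4.conf.%s.accept_redirects 0\n' "$iface"
    printf 'net.ipv6.conf.%s.accept_redirects 0\n' "$iface"
}

# lookup_sysctl KEY FILE: print the value of KEY in a "key = value" file.
# The last assignment wins, as in sysctl.conf; prints nothing if KEY is absent.
lookup_sysctl() {
    awk -v k="$1" -F'=' '
        { key = $1; gsub(/[ \t]/, "", key)
          if (key == k) { v = $2; gsub(/[ \t]/, "", v) } }
        END { if (v != "") print v }' "$2"
}

# audit_sysctls FILE: print one line per deviation and return 1 if any exist.
# A missing key is reported too, because the kernel or distribution default
# (often rp_filter=1) is not what a BGP router with asymmetric paths wants.
audit_sysctls() {
    deviations=$(expected_router_sysctls | while read -r key want; do
        have=$(lookup_sysctl "$key" "$1")
        if [ -z "$have" ]; then
            printf '%s missing (kernel or distro default applies)\n' "$key"
        elif [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
        fi
    done)
    if [ -n "$deviations" ]; then
        printf '%s\n' "$deviations"
        return 1
    fi
    return 0
}

# Usage: "./router-sysctl-audit.sh --live" checks the running kernel,
# "./router-sysctl-audit.sh --file dump.txt" checks a saved dump.
case "${1:-}" in
    --live)
        tmp=$(mktemp); rc=0
        sysctl -a 2>/dev/null > "$tmp"
        audit_sysctls "$tmp" || rc=$?
        rm -f "$tmp"; exit "$rc" ;;
    --file) audit_sysctls "$2" ;;
esac
```

The audit only covers the kernel side. As the post says, with rp_filter off the router no longer drops spoofed sources itself, so the corresponding BCP38 ingress rules in netfilter are a separate check that this script does not perform.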
Yes, that helps - thx a lot.

2018-01-16 20:08 GMT+01:00 Maximilian Wilhelm <max@rfc2324.org>: