Adding reachability check for IPsec tunnels #3931
Conversation
|
This change is |
Codecov Report
@@ Coverage Diff @@
## master #3931 +/- ##
============================================
+ Coverage 74.86% 74.86% +<.01%
- Complexity 24089 24106 +17
============================================
Files 2027 2027
Lines 96668 96755 +87
Branches 11509 11526 +17
============================================
+ Hits 72367 72438 +71
- Misses 19044 19053 +9
- Partials 5257 5264 +7
|
There was a problem hiding this comment.
Reviewed 3 of 4 files at r1.
Reviewable status: 3 of 4 files reviewed, 7 unresolved discussions (waiting on @haverma and @progwriter)
projects/batfish/src/main/java/org/batfish/dataplane/ibdp/IncrementalBdpEngine.java, line 140 at r1 (raw file):
initialTopologyContext.getIpsecTopology(), configurations, new TracerouteEngineImpl(
time to factor out the engine into a variable? why are we re-creating it three times here?
projects/batfish/src/test/java/org/batfish/dataplane/ibdp/FixedPointTopologyTest.java, line 407 at r1 (raw file):
.build(); IncrementalBdpEngine engine = new IncrementalBdpEngine(
Using org.batfish.main.BatfishTestUtils#getBatfish and do batfish.computeDataplane() seems much easier and in line with other tests. (applies elsewhere in the file)
projects/batfish-common-protocol/src/main/java/org/batfish/common/util/IpsecUtil.java, line 546 at r1 (raw file):
} Optional<IpsecSession> ipsecSession = ipsecTopology.getGraph().edgeValue(peerIdU, peerIdV);
I personally like to do the .orElse(null) at the end, that way your var type is not optional, you don't get to get() a bunch of times below, and you can still do if equal to null, continue.
projects/batfish-common-protocol/src/main/java/org/batfish/common/util/IpsecUtil.java, line 555 at r1 (raw file):
} if (ipsecSession.get().isCloud()
Comment why we're doing this -- it's a workaround until we're confident ISP modeling will let us do traceroutes properly.
projects/batfish-common-protocol/src/main/java/org/batfish/common/util/IpsecUtil.java, line 576 at r1 (raw file):
* IPsec encrypted data */ private static boolean reachableIpsecEdge(
We should think for a better name. edges aren't reachable by themselves. nor does this return an edge (as the name would imply). perhaps isIpsecPeerReachable?
projects/batfish-common-protocol/src/main/java/org/batfish/common/util/IpsecUtil.java, line 644 at r1 (raw file):
List<Trace> traces = tracerouteEngine .computeTraces(ImmutableSet.of(flowForIpsecNegotiation), false)
should we use bidir traceroute here?
projects/batfish-common-protocol/src/main/java/org/batfish/common/util/IpsecUtil.java, line 649 at r1 (raw file):
.noneMatch( trace -> { List<Hop> hops = trace.getHops();
factor into a small static function: boolean isSuccessfulTraceroute(trace, hostname)
There was a problem hiding this comment.
Reviewed 1 of 4 files at r1.
Reviewable status: all files reviewed, 7 unresolved discussions (waiting on @haverma)
There was a problem hiding this comment.
Reviewable status: 2 of 4 files reviewed, 2 unresolved discussions (waiting on @progwriter)
projects/batfish/src/main/java/org/batfish/dataplane/ibdp/IncrementalBdpEngine.java, line 140 at r1 (raw file):
Previously, progwriter (Victor Heorhiadi) wrote…
time to factor out the engine into a variable? why are we re-creating it three times here?
makes sense, done. newBgpTopology is using the newLayer3Topology so done only for VXLAN and IPsec.
projects/batfish/src/test/java/org/batfish/dataplane/ibdp/FixedPointTopologyTest.java, line 407 at r1 (raw file):
Previously, progwriter (Victor Heorhiadi) wrote…
Using
org.batfish.main.BatfishTestUtils#getBatfishand dobatfish.computeDataplane()seems much easier and in line with other tests. (applies elsewhere in the file)
If I use batfish.computeDataplane() then I would need to instantiate every required property of IPsec in the two configurations, so that the IPsec topology can be inferred. But if I call IncrementalBdpEngine.computeDataplane(), I can directly pass the (bare minimum) IPsec topology in the TopologyContext, thus making the setup network a little less verbose.
I copied the pattern used in FixedPointTopologyTest.testFixedPointVxlanTopology()
projects/batfish-common-protocol/src/main/java/org/batfish/common/util/IpsecUtil.java, line 546 at r1 (raw file):
Previously, progwriter (Victor Heorhiadi) wrote…
I personally like to do the
.orElse(null)at the end, that way your var type is not optional, you don't get toget()a bunch of times below, and you can still do if equal to null, continue.
done
projects/batfish-common-protocol/src/main/java/org/batfish/common/util/IpsecUtil.java, line 555 at r1 (raw file):
Previously, progwriter (Victor Heorhiadi) wrote…
Comment why we're doing this -- it's a workaround until we're confident ISP modeling will let us do traceroutes properly.
done
projects/batfish-common-protocol/src/main/java/org/batfish/common/util/IpsecUtil.java, line 576 at r1 (raw file):
Previously, progwriter (Victor Heorhiadi) wrote…
We should think for a better name. edges aren't reachable by themselves. nor does this return an edge (as the name would imply). perhaps
isIpsecPeerReachable?
makes sense, changed as suggested
projects/batfish-common-protocol/src/main/java/org/batfish/common/util/IpsecUtil.java, line 644 at r1 (raw file):
Previously, progwriter (Victor Heorhiadi) wrote…
should we use bidir traceroute here?
From my understanding I thought that bidirectional traceroute cannot be done for UDP (or non TCP) flow. I got this idea from VxlanTopologyUtils.reachableEdge() (and also by looking at its PR)
If it is incorrect, I can surely change it to bidirectional traceroute.
projects/batfish-common-protocol/src/main/java/org/batfish/common/util/IpsecUtil.java, line 649 at r1 (raw file):
Previously, progwriter (Victor Heorhiadi) wrote…
factor into a small static function:
boolean isSuccessfulTraceroute(trace, hostname)
done, using a static function isSuccessfulTraceroute( Flow flow, String destinationNode, TracerouteEngine tracerouteEngine)
There was a problem hiding this comment.
Reviewed 2 of 2 files at r2.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @progwriter)
There was a problem hiding this comment.
Reviewable status: 3 of 4 files reviewed, all discussions resolved (waiting on @progwriter)
projects/batfish-common-protocol/src/main/java/org/batfish/common/util/IpsecUtil.java, line 644 at r1 (raw file):
Previously, haverma (Harsh Verma) wrote…
From my understanding I thought that bidirectional traceroute cannot be done for UDP (or non TCP) flow. I got this idea from
VxlanTopologyUtils.reachableEdge()(and also by looking at its PR)
If it is incorrect, I can surely change it to bidirectional traceroute.
Using bi-directional traceroute now
There was a problem hiding this comment.
Reviewed 1 of 1 files at r3.
Reviewable status:complete! all files reviewed, all discussions resolved
projects/batfish/src/test/java/org/batfish/dataplane/ibdp/FixedPointTopologyTest.java, line 407 at r1 (raw file):
Previously, haverma (Harsh Verma) wrote…
If I use
batfish.computeDataplane()then I would need to instantiate every required property of IPsec in the two configurations, so that the IPsec topology can be inferred. But if I callIncrementalBdpEngine.computeDataplane(), I can directly pass the (bare minimum) IPsec topology in theTopologyContext, thus making the setup network a little less verbose.
I copied the pattern used inFixedPointTopologyTest.testFixedPointVxlanTopology()
I see. We need better test utils API for dataplane tests then. But that, of course, is not a blocker.
* adding and setting cloud flag in IPsec session * using bidirectional traceroute
Now checking connectivity in the underlay network to properly verify the establishment of the IPsec based tunnels. This check is employed while we compute the fixed point IPsec topology in BDP engine.
More detailed intuition behind this change can be found here.