Move pinhole to after the mechanism chain elements in both client and server. #265

Merged (1 commit), Jun 14, 2021

Conversation

edwarnicke (Member)

Both client and server chain elements make decisions and set parameters (say for mechanisms)
on the downward path of the call chain, and take action on the return path of the call chain.

For this reason, pinhole should open a 'pinhole' in any ACL on the return chain *before*
the mechanism takes action to create a remote mechanism.

For vxlan this doesn't matter, as it is stateless.

For wireguard, which sends an initiator message on peer creation, it matters a lot.
If pinhole is misplaced (as it was previously), wireguard's initial initiator message
that is sent on peer creation is blocked as there is no pinhole for it. Retries occur
after 5 seconds. If pinhole is properly placed in the chain (as in this PR), then the initial
initiator message goes out, and the wireguard tunnel comes up within milliseconds.

Also update to the latest github.com/edwarnicke/govpp, which contains a wireguard API
enhancement that allows us to 'wait' till peers are up.

Signed-off-by: Ed Warnicke <hagbard@gmail.com>
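The ordering argument above, as an added Go model that is not code from this PR or from networkservicemesh: a tiny chain whose elements act on the return path, an ACL that passes traffic only once a pinhole is open, and a wireguard element whose peer creation sends the initiator message immediately; `chain`, `onReturn`, `acl` and the two order functions are assumed names for the sake of the illustration.

```go
package main

import "errors"

// acl stands in for the ACL in front of the forwarder: traffic passes only once a pinhole is open (constructed model).
type acl struct{ open bool }

// element is one chain element: it calls next on the downward path and may act after next returns (return path).
type element func(next func() error) error

// chain links elements so elements[i] calls elements[i+1] as next; the return path unwinds in reverse.
func chain(elements ...element) func() error {
	var run func(i int) error
	run = func(i int) error {
		if i == len(elements) {
			return nil
		}
		return elements[i](func() error { return run(i + 1) })
	}
	return func() error { return run(0) }
}

// onReturn builds an element whose only work happens after next returns.
func onReturn(act func() error) element {
	return func(next func() error) error {
		if err := next(); err != nil {
			return err
		}
		return act()
	}
}

// pinhole opens the ACL on the return path.
func pinhole(a *acl) element {
	return onReturn(func() error { a.open = true; return nil })
}

// wireguard models the mechanism element: peer creation on the return path sends the initiator at once.
func wireguard(a *acl) element {
	return onReturn(func() error {
		if !a.open {
			return errors.New("wireguard initiator message dropped: no pinhole")
		}
		return nil
	})
}
// PinholeBeforeMechanism is the misplaced order: wireguard sends before pinhole opens.
func PinholeBeforeMechanism() error { a := &acl{}; return chain(pinhole(a), wireguard(a))() }
// PinholeAfterMechanism is the order this PR moves to: pinhole opens first on the return path.
func PinholeAfterMechanism() error { a := &acl{}; return chain(wireguard(a), pinhole(a))() }
```

In the misplaced order the first initiator message is dropped and only a later retry gets through; in the corrected order the pinhole is already open when the peer is created.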

@fkautz fkautz merged commit 33bd41d into networkservicemesh:main Jun 14, 2021