~aasg/haunted-blog

6668731553618a9e7c2f4f60dc0d305f9c357308 — Aluísio Augusto Silva Gonçalves a month ago f2aa140
New post: lri-log-2021w12
1 files changed, 49 insertions(+), 0 deletions(-)

A posts/lri-log-2021w12.md
A posts/lri-log-2021w12.md => posts/lri-log-2021w12.md +49 -0
@@ 0,0 1,49 @@
---
{"title": "LRI operations report, 2021-W12"
,"date": "2021-03-29 04:00"
,"lang": "en"
,"tags": ["lorkep lri", "dn42", "network", "bgp", "ipv6"]
,"toc": false}
...

Starting today I'm going to try to provide a weekly report on the state and activities of the Lorkep Long-Range Interconnect, a virtual network and autonomous system operating on [dn42].
This report concerns the week from 22 to 28 March 2021.

## Software updates
All routers were upgraded to the latest revisions of NixOS' `nixos-20.09` and `nixos-unstable-small` channels to address [OpenSSL's 25 March 2021 security advisory][openssl-20210325].
No services were expected to use the affected features (strict certificate verification with custom purpose, and TLS renegotiation), but an upgrade was effected out of precaution.

As part of these upgrades, packages on [aasg-nixexprs] were also reviewed and updated.
[esbuild]'s release frequency is a cause of concern, and it may be dropped from the repository or changed to adopt a more automated update mechanism.

## New peerings & network expansion
A new peering session was established with AS4242422464 on Behemoth, marking 9 new peers to the network over the past month alone.
To aid in this expansion, a new router is being considered for the Asia-Pacific region.
It will be hosted on Azure, and the location will be decided based on dn42's peering demand.

## BGP graceful shutdown
[RFC 8326], which provides a mechanism to signal session shutdown and enable rerouting of packets to avoid links going down, popped up during a discussion on the dn42 IRC channel about how to handle a ghost route.
It was subsequently implemented with the help of [NLNOG's guide].

## 464XLAT for application containers
Over the past two weeks, work has been done to add IPv4 connectivity to the application containers in the network, eyeing a move of the email and Matrix servers that currently run directly on top of Behemoth.
Implementation of NAT64 and DNS64 was completed last week, but leaked DNS64 responses to client nodes using Charybdis' DNS resolver.

To move that resolver into a container as well and keep a standard DNS64-enabled resolver at the node level, Charybdis was turned into a 464XLAT customer-side translator using [Jool], enabling connection to IPv4 nameservers from within specific containers.

## Task list for 2021-W13
- Grafana needs a new dashboard to survey the status of services throughout the network; ACME certificate generation in particular is known to be fickle.
- Work is underway to make the static websites served by Behemoth part of its NixOS configuration (or at the very least Nix-managed), [inspired by Christine Dodrill].
  This also enables serving sites from multiple nodes once TLS certificate distribution is sorted out.
- Configuring Knot DNS on NixOS is too brittle at the moment, and prevents abstracting some tasks like adding a new dynamically-updated record with its own key.
  [github:NixOS/nixpkgs#81460] is supposed to help with that, but may need some help getting merged.

[aasg-nixexprs]: https://sr.ht/~aasg/nixexprs/
[dn42]: https://dn42.dev
[esbuild]: https://esbuild.github.io
[github:NixOS/nixpkgs#81460]: https://github.com/NixOS/nixpkgs/pull/81460 "WIP: nixos/knot: allow full configuration by nix values"
[inspired by Christine Dodrill]: https://christine.website/blog/backslash-kubernetes-2021-01-03 "</kubernetes>"
[jool]: https://www.jool.mx
[nlnog's guide]: https://bgpfilterguide.nlnog.net/guides/graceful_shutdown/ "BGP Graceful Shutdown – BGP Filter Guide"
[openssl-20210325]: https://www.openssl.org/news/secadv/20210325.txt
[rfc 8326]: https://tools.ietf.org/html/rfc8326 "Graceful BGP Session Shutdown"
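Review bot: the description of RFC 8326 in the "BGP graceful shutdown" paragraph ("enable rerouting of packets to avoid links going down") misstates what the mechanism does; GRACEFUL_SHUTDOWN does not prevent links from going down, it lets an operator announce a planned session shutdown in advance so that neighbours depreference the affected paths and traffic converges onto alternatives before the session is actually torn down, avoiding the transient blackholing that an abrupt shutdown causes. Suggest rewording to something like "which provides a mechanism to signal a planned session shutdown so that traffic is rerouted before the link goes down". It would also help the reader to state how the community is applied on the routers (on export before maintenance, and matched on import to lower LOCAL_PREF), since "implemented with the help of NLNOG's guide" leaves the actual policy unspecified.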