
Published on by Aluísio Augusto Silva Gonçalves. Filed under lorkep lri, dn42, network, bgp, ipv6.

LRI operations report, 2021-W12

Starting today I’m going to try to provide a weekly report on the state and activities of the Lorkep Long-Range Interconnect, a virtual network and autonomous system operating on dn42. This report concerns the week from 22 to 28 March 2021.

Software updates

All routers were upgraded to the latest revisions of NixOS’ nixos-20.09 and nixos-unstable-small channels to address OpenSSL’s 25 March 2021 security advisory. No services were expected to use the affected features (strict certificate verification with custom purpose, and TLS renegotiation), but an upgrade was effected out of precaution.

As part of these upgrades, packages on aasg-nixexprs were also reviewed and updated. esbuild’s release frequency is a cause of concern, and it may be dropped from the repository or changed to adopt a more automated update mechanism.

New peerings & network expansion

A new peering session was established with AS4242422464 on Behemoth, making it 9 new peers added to the network over the past month alone. To aid in this expansion, a new router is being considered for the Asia-Pacific region. It will be hosted on Azure, and the location will be decided based on dn42’s peering demand.

BGP graceful shutdown

RFC 8326, which provides a mechanism to signal session shutdown and enable rerouting of packets to avoid links going down, popped up during a discussion on the dn42 IRC channel about how to handle a ghost route. It was subsequently implemented with the help of NLNOG’s guide.

464XLAT for application containers

Over the past two weeks, work has been done to add IPv4 connectivity to the application containers in the network, with an eye to moving the email and Matrix servers that currently run directly on top of Behemoth. Implementation of NAT64 and DNS64 was completed last week, but it leaked DNS64 responses to client nodes using Charybdis’ DNS resolver.

To move that resolver into a container as well and keep a standard DNS64-enabled resolver at the node level, Charybdis was turned into a 464XLAT customer-side translator using Jool, enabling connection to IPv4 nameservers from within specific containers.
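A check for the DNS64 leak described above, as an added example that is not code from the original post: it flags AAAA answers that fall inside the NAT64 prefix and recovers the embedded IPv4 address, following the RFC 6052 layout for all six allowed prefix lengths rather than only one. The well-known prefix 64:ff9b::/96, the function names and the sample answers are assumptions, since the post does not state which prefix LRI uses.

```python
import ipaddress

# RFC 6052 well-known prefix. Assumption: the post does not name LRI's NAT64 prefix.
WELL_KNOWN_PREFIX = ipaddress.ip_network("64:ff9b::/96")


def embedded_ipv4(addr, prefix=WELL_KNOWN_PREFIX):
    """Return the IPv4 address embedded in addr per RFC 6052, or None."""
    addr = ipaddress.ip_address(addr)
    if addr.version != 6 or addr not in prefix:
        return None
    if prefix.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 allows only /32, /40, /48, /56, /64 and /96")
    raw = addr.packed
    if prefix.prefixlen < 96:
        # Bits 64-71 (the "u" octet) are reserved and must be zero; the IPv4
        # bits are split around it, so drop that octet before slicing.
        if raw[8] != 0:
            return None
        raw = raw[:8] + raw[9:]
    start = prefix.prefixlen // 8
    return ipaddress.IPv4Address(raw[start:start + 4])


def find_leaked_synthesis(answers, prefix=WELL_KNOWN_PREFIX):
    """Flag synthesized AAAA records among (qname, rrtype, rdata) answers
    observed on a node that should only ever see native records."""
    leaks = []
    for qname, rrtype, rdata in answers:
        if rrtype != "AAAA":
            continue
        v4 = embedded_ipv4(rdata, prefix)
        if v4 is not None:
            leaks.append((qname, rdata, str(v4)))
    return leaks


# Constructed sample: answers as a client node might log them.
SAMPLE_ANSWERS = [
    ("mail.example.net", "A", "192.0.2.10"),
    ("mail.example.net", "AAAA", "64:ff9b::c000:20a"),  # synthesized by DNS64
    ("www.example.net", "AAAA", "2001:db8::1"),         # native IPv6
]

if __name__ == "__main__":
    for qname, v6, v4 in find_leaked_synthesis(SAMPLE_ANSWERS):
        print(f"leaked DNS64 answer: {qname} {v6} (embeds {v4})")
```

Running the same check against answers seen inside a NAT64-enabled container should report the synthesized records there, which confirms that synthesis is confined to where it belongs.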

Task list for 2021-W13
