How to - VyOS CoPP

Dear Community,

Can anybody tell me if there is a way to configure CoPP (Control Plane Policy) on VyOS? Like a firewall that is blocking/policing all the packets that are sent from the dataplane to the control plane (CPU/RE)?
I believe it should be, because this is available on almost all the platforms, but I am unable to find it on VyOS…

I think the concept only makes sense on a system with hardware forwarding, which VyOS is not.

On VyOS it’s just the “INPUT” firewall.

Ok, did I get it right that on VyOS we have to create a firewall and apply it on all interfaces on INPUT?

That’s correct. If you are concerned about traffic whose destination is the router itself, then you should create firewall rules and attach them to interfaces on input.

I imagine there are three possible concerns when talking about CoPP.

1- Protect the control-plane from situations where the data-plane and forwarding can exhaust computational resources and cause control-plane processes to die due to lack of resources (Ex.: timeout of a BGP session due to a busted CPU).

2- Create a “filtering point” for the packets that come and go from the control-plane to the data-plane. Similar to what happens in the Loopback 0 filter-police of a Junos.

3- Specify, Force, Handle Source and Destination addressing for packets originating from or sent to VyOS’ own processes. For example the source IP that will be used for a Radius query, or for NTP.

Well, I’m new to VyOS.
Not that young, but I haven’t interacted with it for several years…

As far as I know, VyOS support for container technology is increasingly consolidated.
Therefore, it makes sense to think that if the VyOS control-plane processes were all linked to one (or more) container(s), it would facilitate the definition of where to apply the filter-police suggested in item 2, and would also facilitate handling the resource reservation from item 1 through cgroups.

As for item 3, I believe that it needs to make the sources explicit in the configuration of each service, also contemplating definitions by @VRF or by %interface.

And to do policing, add rate-limiting on the allow firewall rules.
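Putting the two answers above together (attach a firewall to every interface in the direction that hits the router itself, and rate-limit the accept rules), here is an added example of what such a ruleset looks like. It is not from the thread or from the VyOS project; it assumes VyOS 1.3 syntax (1.4 moved this to `set firewall ipv4 input filter ...`), and the interface names, prefixes and rate values are constructed placeholders.

```vyos
# Added example, not from the thread: a control-plane style "local" firewall
# for VyOS 1.3 (syntax assumed; 1.4 moved this to 'set firewall ipv4 input filter').
# Interface names, addresses and rate values are constructed placeholders.

# Default: drop anything addressed to the router itself that is not explicitly allowed
set firewall name CPP default-action 'drop'
set firewall name CPP enable-default-log

# 10: return traffic for sessions the router opened itself (NTP, RADIUS, BGP replies)
set firewall name CPP rule 10 action 'accept'
set firewall name CPP rule 10 state established 'enable'
set firewall name CPP rule 10 state related 'enable'

# 20: ICMP, policed so a ping flood cannot monopolise the CPU
set firewall name CPP rule 20 action 'accept'
set firewall name CPP rule 20 protocol 'icmp'
set firewall name CPP rule 20 limit rate '10/second'
set firewall name CPP rule 20 limit burst '20'

# 30: SSH only from the management prefix, new connections rate-limited
set firewall name CPP rule 30 action 'accept'
set firewall name CPP rule 30 protocol 'tcp'
set firewall name CPP rule 30 destination port '22'
set firewall name CPP rule 30 source address '192.0.2.0/24'
set firewall name CPP rule 30 state new 'enable'
set firewall name CPP rule 30 limit rate '5/minute'
set firewall name CPP rule 30 limit burst '10'

# 40: BGP only from the configured neighbour
set firewall name CPP rule 40 action 'accept'
set firewall name CPP rule 40 protocol 'tcp'
set firewall name CPP rule 40 destination port '179'
set firewall name CPP rule 40 source address '203.0.113.2'

# Attach in the 'local' direction (the INPUT hook) on every data-plane interface
set interfaces ethernet eth0 firewall local name 'CPP'
set interfaces ethernet eth1 firewall local name 'CPP'

commit
save
```

After committing, `show firewall name CPP statistics` shows the per-rule hit and drop counters, which is the quickest way to confirm that the policer rules are actually matching. Note that `limit` is a per-rule budget shared by all sources; if you want a per-source throttle (for example on SSH), the `recent count` / `recent time` options on the rule do that instead. As pointed out further down the thread, every packet still crosses the same x86 CPU before this filter sees it, so this bounds the load on the services behind the rules, not the cost of receiving the packets in the first place.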

This is done on the data-plane.
I don’t believe CoPP will address that kind of matter.
If yes, it’s in item 3.

I’m not aware if VyOS can utilize a whitebox, that is one where a Broadcom ASIC (or similar) does the heavy lifting of being a dataplane.

The CoPP rules’ main purpose is to protect the mgmt-cpu, where there is often a great difference between what the dataplane can push in number of packets (and bandwidth) and what the controlplane aka mgmtplane aka mgmt-cpu can deal with.

It’s not uncommon that in whiteboxes you have a Broadcom ASIC or similar to do the heavy lifting in the dataplane while the mgmt-cpu is just an ARM-based CPU (the bigger boys often use a multicore x86 CPU, but by that the price of the box itself will also increase). Also the interconnection between the dataplane and the mgmtplane is often limited to something like 2x10G or smaller.

As far as I know (but I haven’t read up on this 100% yet) VyOS is “just” an x86-based routing solution.

This means that there is nothing to offload the heavy lifting of moving packets to, since all packets being forwarded by a VyOS instance will pass through the main x86 CPU VyOS is being run on. That is, even if configuration-wise you have a dataplane and a mgmtplane, the packets are still being handled by the same physical CPU, compared to how it’s being done in an Arista/Juniper/Cisco box.

With that being said, something similar to a CoPP ruleset would still limit the effects of someone or something trying to abuse mgmt features, no matter if it’s pings, TTL exceeded in transit or services such as SSH, BGP etc.

Having a CoPP syntax would also make it easier for newer users to adopt VyOS, by being able to recognise the syntax and how to do things, because learning iptables/nftables will be a challenge for most new users.