Maint Log 20251203

Routing Policy

Enforced RPKI validation on DN42 eBGP sessions.

To enhance the overall security posture of the network and mitigate the risk of route hijacking, we have enforced RPKI validation on all DN42 eBGP sessions. A hybrid validator architecture was implemented, combining self-hosted instances with trusted external data sources to ensure high availability and data consistency; currently, the policy is strictly set to reject any routes validated as INVALID. Complementing this, a new local RPKI validator service was deployed on node sol3.kr, which now acts as a primary data source for the global BIRD configuration.
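The following BIRD 2 configuration fragment is an added illustration of the policy described above, not the operator's actual configuration. It assumes a local RTR validator on 127.0.0.1:8323, a second external RTR source at a placeholder hostname, and a constructed peer address and ASN; the table, function and protocol names are likewise chosen here. Routes whose origin AS contradicts a ROA are rejected, while ROA_UNKNOWN routes (no covering ROA) are still accepted, which matches an "INVALID only" policy.

```bird
# Added example, not the operator's live config. Assumed: local validator
# (RTR) on 127.0.0.1:8323, external fallback at a placeholder hostname.
roa4 table dn42_roa_v4;
roa6 table dn42_roa_v6;

# Primary ROA source: the validator running on this node.
protocol rpki rpki_local {
    roa4 { table dn42_roa_v4; };
    roa6 { table dn42_roa_v6; };
    remote "127.0.0.1" port 8323;
    retry keep 90;
    refresh keep 900;
    expire keep 172800;
}

# Secondary ROA source feeding the same tables (hostname is a placeholder).
protocol rpki rpki_external {
    roa4 { table dn42_roa_v4; };
    roa6 { table dn42_roa_v6; };
    remote "rtr.example.invalid" port 8323;
    retry keep 90;
    refresh keep 900;
    expire keep 172800;
}

# True when the route's origin AS is INVALID against the ROA table.
# ROA_UNKNOWN (no covering ROA) deliberately passes.
function dn42_rpki_invalid() {
    if (net.type = NET_IP4) &&
       (roa_check(dn42_roa_v4, net, bgp_path.last) = ROA_INVALID) then return true;
    if (net.type = NET_IP6) &&
       (roa_check(dn42_roa_v6, net, bgp_path.last) = ROA_INVALID) then return true;
    return false;
}

filter dn42_import {
    if dn42_rpki_invalid() then {
        # Log the drop so hijack attempts are visible in the BIRD log.
        print "RPKI INVALID rejected: ", net, " origin AS", bgp_path.last;
        reject;
    }
    accept;
}

# Constructed peer: address and ASN are placeholders.
protocol bgp dn42_peer_example {
    local as 4242421331;
    neighbor fd00::1 as 4242420001;
    ipv4 { import filter dn42_import; export none; extended next hop on; };
    ipv6 { import filter dn42_import; export none; };
}
```

Two operational checks are worth running after such a change: `birdc show protocols all rpki_local` should report a connected RTR session with non-zero ROA counts, and `birdc show route where dn42_rpki_invalid()` (against a table with the filter function in scope) should come back empty once the policy is active. The `bgp_path.last` lookup takes the last AS in the path; paths that end in an AS_SET are an edge case where `bgp_path.last_nonaggregated` is the safer origin to validate.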

Traffic Engineering

We have introduced a fine-grained traffic engineering strategy to optimize path selection. By implementing logic based on origin and import Region Communities, the routing daemon now dynamically adjusts local_pref values to prioritize traffic flow based on geographical proximity rather than simple AS path length. Additionally, specific policy adjustments were applied to the China Network (AS4242420803); nodes in this segment are now configured to slightly prefer transit provided by our Global Network (AS4242421331), ensuring more stable international connectivity through our managed backbone.

Configuration Standards

To reduce administrative overhead and configuration drift, we have centralized the definition of BGP static route announcements, replacing the previous disparate per-node settings with a unified global template. Simultaneously, the logic governing BGP AS Path prepending via communities was refactored. This simplification eliminates redundant code blocks, making traffic manipulation via community tags more predictable and easier to debug during troubleshooting.
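As an added example serving both the traffic-engineering and the prepending refactor above (not the operator's configuration), the fragment below shows how a BIRD import filter can raise `bgp_local_pref` from region communities and how a single export function can read a prepend count from a large community. The ASN constants are the ones named on this page; the region community value, the large-community prepend scheme `(MY_ASN, count, peer_as)` and the peer details are all constructed assumptions, and DN42 region communities are assumed to be in the `(64511, region)` form.

```bird
# Added example, not the operator's live config. Region value, peer ASN and
# the large-community prepend scheme are constructed for illustration.
define MY_ASN = 4242421331;
define GLOBAL_NET_ASN = 4242421331;   # Global Network (from the log)
define MY_REGION = 52;                # assumed: this node's DN42 region

# Import side: prefer geographic proximity over AS path length.
# peer_region is the region community value of the session this filter runs on.
function te_import_local_pref(int peer_region) {
    bgp_local_pref = 100;
    # Import region: learned from a peer in our own region.
    if peer_region = MY_REGION then bgp_local_pref = bgp_local_pref + 30;
    # Origin region: the originator tagged the route with our region.
    if (64511, MY_REGION) ~ bgp_community then bgp_local_pref = bgp_local_pref + 20;
    # On China Network nodes only: slightly prefer transit via the Global Network.
    if bgp_path.first = GLOBAL_NET_ASN then bgp_local_pref = bgp_local_pref + 10;
}

# Export side: one function replaces per-peer prepend blocks. A large
# community (MY_ASN, n, peer_as) requests n prepends towards peer_as;
# peer_as = 0 applies to every peer. Assumed scheme.
function te_export_prepend(int peer_as) {
    int n;
    n = 0;
    if ((MY_ASN, 1, peer_as) ~ bgp_large_community) ||
       ((MY_ASN, 1, 0) ~ bgp_large_community) then n = 1;
    if ((MY_ASN, 2, peer_as) ~ bgp_large_community) ||
       ((MY_ASN, 2, 0) ~ bgp_large_community) then n = 2;
    if ((MY_ASN, 3, peer_as) ~ bgp_large_community) ||
       ((MY_ASN, 3, 0) ~ bgp_large_community) then n = 3;
    if n >= 1 then bgp_path.prepend(MY_ASN);
    if n >= 2 then bgp_path.prepend(MY_ASN);
    if n >= 3 then bgp_path.prepend(MY_ASN);
    # Strip internal TE signalling so it never leaks to neighbours.
    bgp_large_community.delete([(MY_ASN, 1..3, *)]);
}

# Constructed peer: address, ASN and region are placeholders.
protocol bgp dn42_peer_region52 {
    local as MY_ASN;
    neighbor fd00::2 as 4242420001;
    ipv6 {
        import filter { te_import_local_pref(52); accept; };
        export filter { te_export_prepend(4242420001); accept; };
    };
}
```

With the prepend logic in one function, a session's behaviour is verified by tagging a test route with `(MY_ASN, 2, 4242420001)` and confirming with `birdc show route export dn42_peer_region52 all` that the exported path carries the ASN twice and that the large community is no longer attached.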

Internal Network & Routing

IPv6 Transition and SADR

A major architectural shift towards an IPv6-only underlay has been completed across the Global Network (AS207268 + AS4242421331). We have removed IPv4 addresses from all internal mesh tunnel interfaces and disabled the Babel IPv4 channel, shifting all IPv4 traffic to translation layers. To support this environment and handle complex multi-homing scenarios effectively, Source Address Dependent Routing (SADR) has been fully deployed. This involved adding igp.sadr table policies to all nodes and updating route filters to properly classify and propagate IPv6 SADR routes.

464XLAT Deployment

To align with the new network naming conventions, the 464xlat interfaces on apr1.hk and vul1.sg were renamed to st-xlat. Traffic routing for these translation interfaces is now explicitly handled via the newly deployed SADR policies, ensuring that translated IPv4 traffic is correctly associated with the appropriate source prefixes.

IGP Policy

To maximize network convergence and prevent disjoint routing islands, IGP (Babel) propagation policies have been relaxed, allowing all nodes to default to fully exporting and importing internal routes. On a more granular level, specific optimizations were applied to the peering relationship between China nodes wh1.cn and deepin1.cn. By fine-tuning the routing metrics, the network now forcefully prefers direct, hole-punched tunnel interfaces over indirect relay paths, significantly reducing latency and jitter between these endpoints.
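The fragment below is an added BIRD 2 example (not the operator's configuration) that covers both the SADR deployment described under IPv6 Transition and the direct-versus-relay metric tuning above. It assumes a SADR table named `igp_sadr`, interface name patterns `wgi-direct-*` and `wgi-relay-*` to distinguish hole-punched tunnels from relay tunnels, and the cost values shown; all of these are constructed for illustration.

```bird
# Added example, not the operator's live config. Table name, interface
# patterns and rxcost values are assumed.

# Source-address-dependent IPv6 table for the internal mesh.
ipv6 sadr table igp_sadr;

# Push SADR routes into the Linux kernel as source-specific routes.
protocol kernel kernel_sadr {
    ipv6 sadr {
        table igp_sadr;
        export all;
    };
    learn off;
}

# Babel over the mesh, IPv6-only: no ipv4 channel is configured.
protocol babel igp {
    ipv6 sadr {
        table igp_sadr;
        # Relaxed policy: every node imports and exports all internal routes,
        # with a type check so only SADR nets enter this table.
        import filter {
            if net.type = NET_IP6_SADR then accept;
            reject;
        };
        export all;
    };
    # Direct hole-punched tunnels: low cost so they always win.
    interface "wgi-direct-*" {
        type tunnel;
        rxcost 96;
    };
    # Relay tunnels: cost high enough that a direct path is preferred
    # even if the relay path would have fewer hops.
    interface "wgi-relay-*" {
        type tunnel;
        rxcost 512;
    };
    # Catch-all for the remaining wildcard-matched tunnel interfaces.
    interface "wgi-*" {
        type tunnel;
    };
}
```

Interface patterns are matched in order, so the specific `wgi-direct-*` and `wgi-relay-*` stanzas must precede the `wgi-*` catch-all. After reloading, `birdc show babel interfaces` shows the cost in effect per interface and `birdc show route table igp_sadr` lists routes with their source prefix, which is the quickest way to confirm that a pair such as wh1.cn and deepin1.cn actually converged on the direct tunnel.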

System Admin

Operating System

To standardise the configuration workflow, the operating system baseline for all routing nodes is now uniformly set to Debian 13 Trixie. All update tasks have been completed. The remaining nodes that are not yet running Debian will be replaced gradually in subsequent phases.

systemd-networkd

The node initialization workflow has been streamlined through several systemd-networkd improvements. We adopted wildcard matching (e.g., wgi-*) for tunnel interfaces and extracted common routing policies into dedicated modular files, which significantly reduces configuration boilerplate.

sysctl

A unified sysctl kernel parameter template has been deployed to all nodes to speed up provisioning and mitigate potential kernel-level networking issues by ensuring consistent stack tuning.

Cleanup

Routine housekeeping was performed to decommission legacy infrastructure: old Anycast interfaces that were no longer carrying active services were removed, and residual mesh tunnel interfaces pointing to previously decommissioned nodes were scrubbed from the active configuration to maintain hygiene.