
What are the expected network configurations across a deployment?

Open cjdoucette opened this issue 5 years ago • 2 comments

For example, is the Gatekeeper front interface expected to be in the same subnet as the back interface, a different subnet, or it does not matter?

Similarly, is the back interface expected to be in the same subnet as the Grantor interface, a different subnet, or does it not matter?

I ask because I have run into the following scenarios:

  1. The Gatekeeper front interface is in subnet 1 and the back interface, Grantor interface, and destination are in subnet 2. When adding a prefix to the Gatekeeper FIB for subnet 2 (to forward packets to the destination through Grantor) in this setup, Gatekeeper cannot find a cached Ethernet header here:

https://github.com/AltraMayor/gatekeeper/blob/master/gk/main.c#L1528

  2. Similar issue as above if the Gatekeeper front and back interfaces are in the same subnet.

cjdoucette, May 22 '19 21:05

We have designed front and back interfaces to have physical isolation between them to ensure that, during an overwhelming attack, Gatekeeper servers can still enforce the policy decisions of Grantor servers. Thus, front and back interfaces are expected to be in different subnets.

We have billed Gatekeeper servers to be deployed in vantage points (VPs). Under the current definition of VPs, there must be a number of routers grouping the traffic from Gatekeeper servers to Grantor servers. Moreover, Grantor servers are expected to be physically close to destinations. Thus, Grantor servers and destinations are not expected to be in the same subnet as the back interface of a Gatekeeper server.

The parties that have, so far, demonstrated interest in deploying Gatekeeper meet these design assumptions. Thus, we do not need to weaken these assumptions for now.

As Gatekeeper grows, there is a chance that these assumptions will become hindrances. Because of this, I'm moving this issue to the milestone "Advanced features" to wait for a real demand for this change. The new demands will guide us on how to change these assumptions.

AltraMayor, May 23 '19 13:05

Pull request #419 replaces the requirement that Grantor servers had to be deployed in the same subnet as the protected destination with the requirement that either Grantor servers are deployed in the same subnet, or the last hop on the path from a Gatekeeper server to a Grantor server is a router that can forward the encapsulated packets to their destinations.

It is worth noting that, under the new requirement, multiple routers can send traffic to a Grantor server, but each router must know how to forward to the destinations of the encapsulated packets that the router sends to the Grantor server.

AltraMayor, Jul 27 '20 13:07
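The subnet assumptions stated in this thread (front and back interfaces in different subnets; Grantor and destination not in the back interface's subnet; and, after #419, Grantor either in the destination's subnet or reachable through a router that forwards to the destination) can be checked before a deployment is brought up. The script below is an added example written for this page, not Gatekeeper's own code or configuration: the `Deployment` class, its field names, the `last_hop_routes_to_destination` flag and the sample addresses are all assumptions made for illustration. The two reported scenarios from the opening post are reproduced as inputs.

```python
"""Check a planned Gatekeeper/Grantor deployment against the subnet
assumptions discussed in this issue.  Example code; not part of Gatekeeper."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Deployment:
    """Interface addresses of one Gatekeeper/Grantor pair in CIDR notation.

    Hypothetical structure for this example only; Gatekeeper's real
    configuration is not expressed this way.
    """
    front: str          # Gatekeeper front interface (faces the attackers)
    back: str           # Gatekeeper back interface (faces Grantor)
    grantor: str        # Grantor interface
    destination: str    # protected destination
    # Assumed flag: True when the last hop from Gatekeeper to Grantor is a
    # router that can forward the encapsulated packets on to the destination
    # (the alternative requirement introduced by pull request #419).
    last_hop_routes_to_destination: bool = False


def subnet(cidr: str):
    """Network that an interface address (e.g. '10.2.0.2/24') belongs to."""
    return ipaddress.ip_interface(cidr).network


def share_subnet(a: str, b: str) -> bool:
    """True if the two interfaces sit on overlapping subnets."""
    return subnet(a).overlaps(subnet(b))


def check_deployment(dep: Deployment) -> List[str]:
    """Return one message per violated assumption; empty list means OK."""
    problems: List[str] = []

    # Front and back are designed to be physically isolated so that Gatekeeper
    # can still enforce Grantor's decisions during an overwhelming attack.
    if share_subnet(dep.front, dep.back):
        problems.append("front and back interfaces share a subnet; "
                        "they are expected to be in different subnets")

    # Grantor and destination must not sit in the back interface's subnet;
    # this is the scenario where adding the prefix to the FIB found no
    # cached Ethernet header.
    for name, addr in (("Grantor", dep.grantor),
                       ("destination", dep.destination)):
        if share_subnet(dep.back, addr):
            problems.append(f"{name} is in the back interface's subnet; "
                            "Grantor and destinations are expected behind "
                            "routers, not on the back interface's subnet")

    # Post-#419 requirement: Grantor shares the destination's subnet, or the
    # last hop toward Grantor is a router that forwards to the destination.
    if (not share_subnet(dep.grantor, dep.destination)
            and not dep.last_hop_routes_to_destination):
        problems.append("Grantor is not in the destination's subnet and the "
                        "last hop to Grantor does not route to the destination")
    return problems


# Constructed sample deployments (addresses are illustrative).
SCENARIO_1 = Deployment(front="203.0.113.2/24", back="10.2.0.2/24",
                        grantor="10.2.0.3/24", destination="10.2.0.10/24")
SCENARIO_2 = Deployment(front="10.1.0.2/24", back="10.1.0.3/24",
                        grantor="10.2.0.3/24", destination="10.2.0.10/24")
COMPLIANT = Deployment(front="203.0.113.2/24", back="10.1.0.2/24",
                       grantor="10.2.0.3/24", destination="10.2.0.10/24")
ROUTED_GRANTOR = Deployment(front="203.0.113.2/24", back="10.1.0.2/24",
                            grantor="10.2.0.3/24", destination="10.3.0.10/24",
                            last_hop_routes_to_destination=True)


if __name__ == "__main__":
    for label, dep in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2),
                       ("compliant", COMPLIANT), ("routed Grantor", ROUTED_GRANTOR)):
        print(label, check_deployment(dep) or "OK")
```

Scenario 1 is flagged because both Grantor and the destination share the back interface's subnet; scenario 2 because the front and back interfaces share one. Overlap rather than equality is used so that mismatched prefix lengths on the two sides of a link are still caught.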