
Overview

Cody Doucette edited this page Apr 4, 2019 · 17 revisions

This page presents an overview of the Gatekeeper architecture and system.

Architecture Overview

Gatekeeper has two main components: one or more Gatekeeper servers deployed at vantage points, and one or more Grantor servers in a data center close to the protected destination. The basic flow of data-plane packets in a Gatekeeper-protected system is:

  • Instead of being forwarded directly to the destination specified by the destination IP address, packets are forwarded to their nearest Gatekeeper server. Gatekeeper servers announce the protected prefixes using BGP to create this anycast network.
  • The Gatekeeper server forwards or drops the packets based on a policy running on the Grantor server(s). If Gatekeeper does not have a policy decision for a flow, it makes a request to Grantor. Gatekeeper servers then cache the policy decisions given by Grantor and enforce them over all packets of the affected flow. Both requests and granted packets are sent to Grantor by encapsulating them in an extra IP header.
  • Grantor receives requests and granted packets from Gatekeeper and decapsulates the extra IP header. If it's a request packet, Grantor runs the request through its policy and sends back a policy decision to Gatekeeper. If it's a granted packet, Grantor forwards the packet to the ultimate destination.
Gatekeeper combines several earlier approaches from the DoS-defense literature. It is a redirection-based architecture in the sense that packets bound for a protected destination are redirected through the Gatekeeper system. It is a capability-based architecture in the sense that a flow must obtain permission from Grantor, according to the policy, before it is allowed to send. It is also a filter-based architecture in the sense that, for packets that are to be dropped, filters are installed upstream (at the Gatekeeper server) so that downstream resources are not wasted on them.
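The following Python model is an added example, not code from the Gatekeeper project (which is a DPDK application written in C with policies written in Lua). It walks through the data-plane flow listed above and the role of the Grantor policy described in the Grantor servers section: anycast delivery to the nearest Gatekeeper server, a per-flow cache of Grantor's decisions at each Gatekeeper, encapsulation of request and granted packets in an extra IP header, Grantor's decapsulation and policy decision, and upstream filtering of declined flows. The addresses, the vantage-point routing and the policy are constructed for illustration; the byte "budget" is a simplified stand-in for rate limiting, and Grantor delivering a granted request packet is a modeling assumption rather than something this page states.

```python
"""Toy model of the Gatekeeper / Grantor data path described on this page.
Added example, not code from the Gatekeeper project (a DPDK application in C with
policies written in Lua). Addresses, routing table and policy are constructed;
"budget" is a simplified stand-in for rate limiting."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

class Action(Enum):
    GRANT = "grant"      # forward the flow's packets while its budget lasts
    DECLINE = "decline"  # filter: drop the flow's packets at the vantage point

@dataclass
class Packet:
    src: str
    dst: str
    size: int
    outer_dst: Optional[str] = None  # extra IP header, set when sent to Grantor
    kind: Optional[str] = None       # "request" or "granted" once encapsulated

@dataclass
class Decision:
    action: Action
    budget: int = 0  # bytes a granted flow may still send (simplified rate limit)

class Grantor:
    """Server near the destination: runs the policy, forwards granted packets."""
    def __init__(self, address: str, policy) -> None:
        self.address = address
        self.policy = policy
        self.delivered: List[Packet] = []  # stands in for the protected destination

    def receive(self, pkt: Packet) -> Optional[Decision]:
        assert pkt.outer_dst == self.address, "not encapsulated toward this Grantor"
        inner = Packet(pkt.src, pkt.dst, pkt.size)  # decapsulate: strip outer header
        if pkt.kind == "granted":
            self.delivered.append(inner)  # forward to the ultimate destination
            return None
        decision = self.policy(inner)  # request: run the policy, answer Gatekeeper
        # Modeling assumption: a granted request packet is delivered too, so the
        # flow's first packet is not lost while the decision travels back.
        if decision.action is Action.GRANT and decision.budget >= inner.size:
            decision.budget -= inner.size
            self.delivered.append(inner)
        return decision

class Gatekeeper:
    """Vantage-point server: caches Grantor's decisions and enforces them per flow."""
    def __init__(self, grantor: Grantor) -> None:
        self.grantor = grantor
        self.flows: Dict[Tuple[str, str], Decision] = {}  # (src, dst) -> decision
        self.dropped = 0

    def _encap(self, pkt: Packet, kind: str) -> Packet:
        return Packet(pkt.src, pkt.dst, pkt.size, outer_dst=self.grantor.address, kind=kind)

    def receive(self, pkt: Packet) -> None:
        key = (pkt.src, pkt.dst)
        decision = self.flows.get(key)
        if decision is None:
            # Unknown flow: send this packet to Grantor as a request, cache the answer.
            self.flows[key] = self.grantor.receive(self._encap(pkt, "request"))
            return
        if decision.action is Action.DECLINE or decision.budget < pkt.size:
            self.dropped += 1  # filtered at the vantage point; downstream never sees it
            return
        decision.budget -= pkt.size
        self.grantor.receive(self._encap(pkt, "granted"))

def example_policy(pkt: Packet) -> Decision:
    """Constructed policy standing in for the operator's Lua policy on Grantor."""
    if pkt.src.startswith("203.0.113."):  # known attack range (constructed)
        return Decision(Action.DECLINE)
    if pkt.src == "198.51.100.10":        # trusted partner: larger budget
        return Decision(Action.GRANT, budget=10_000)
    return Decision(Action.GRANT, budget=1_500)  # everyone else: small budget

def nearest_gatekeeper(src: str, vps: Dict[str, Gatekeeper]) -> Gatekeeper:
    """Anycast stand-in: BGP would steer the packet to the closest vantage point;
    here a constructed prefix check picks one."""
    return vps["ixp-east" if src.startswith("198.51.100.") else "ixp-west"]

def run_scenario() -> Dict[str, int]:
    grantor = Grantor("192.0.2.1", example_policy)
    vps = {name: Gatekeeper(grantor) for name in ("ixp-east", "ixp-west")}
    traffic = ([Packet("198.51.100.10", "192.0.2.80", 500)] * 4   # partner: fits budget
               + [Packet("203.0.113.7", "192.0.2.80", 1000)] * 3  # attacker: declined
               + [Packet("192.0.2.200", "192.0.2.80", 1000)] * 3)  # default: budget runs out
    for pkt in traffic:
        nearest_gatekeeper(pkt.src, vps).receive(pkt)
    return {"delivered": len(grantor.delivered),
            "dropped_upstream": sum(gk.dropped for gk in vps.values()),
            "cached_flows": sum(len(gk.flows) for gk in vps.values())}
```

Running `run_scenario()` shows the three mechanisms at once: the partner flow is granted and all four packets reach the destination; the attacker's first packet reaches Grantor as a request, is declined, and the remaining packets are dropped at the vantage point without ever crossing the network toward the destination; the default flow is granted a small budget and is rate limited once it is exhausted. Note that each flow costs Grantor exactly one request, which is the point of caching decisions at the Gatekeeper server.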

Gatekeeper servers

Gatekeeper servers are the servers deployed at vantage points. They announce routes to the protected destination prefixes and enforce, on each flow, the policy decisions made by Grantor servers. A decision may, for example, drop a flow's packets or rate limit the flow.

Grantor servers

Grantor servers are the servers deployed close to the protected destinations. They make policy decisions according to the Lua policy written by the operator, and forward granted packets to their ultimate destinations.

Vantage Points

Points at which Gatekeeper servers are deployed, such as Internet exchange points (IXPs), some cloud providers, and peering links. Vantage points give a network operator control over what happens to packets close to the source of an attack, which was previously hard to achieve: a destination network normally has no say over the policies of the network an attack originates from. Vantage points make Gatekeeper effective because they allow packets to be inspected (and dropped) early on the path to the target destination without the cooperation of other operators.

Request Channel

System Overview

Gatekeeper is an open source application built on the DPDK framework. It is intended for network operators of institutions, service and content providers, enterprise networks, and so on. It is not intended for individual Internet users, since using it requires the resources to deploy servers at vantage points and the privilege to announce the protected prefixes via BGP so that their traffic is routed through Gatekeeper.

Gatekeeper servers and Grantor servers both run the same gatekeeper executable, differing only in their configuration options, as described below.

Deploying

If you are a student, researcher, or potential user of Gatekeeper and want to test it, see the page Experimenting with Gatekeeper.

To set up a full-scale Gatekeeper deployment, you need access to, and resources at, one or more vantage points in which to deploy Gatekeeper servers. You also need the ability to announce the prefixes of your protected services or hosts from those vantage points via BGP, using a control-plane tool such as BIRD.

Some other useful information when choosing how to deploy Gatekeeper and set up the system:

Configuring

Main article: Configuration