Implement ECMP for unsafe_routes #1332

dioss-Machiel · 2025-02-19T16:58:13Z

This PR implements ECMP support in Nebula. The implementation uses hash-threshold mapping (like in the Linux kernel) which allows you to define weights per gateway.

This can be used for example to aggregate multiple links and provide redundancy to an external location where nebula cannot be installed.

The change is backwards compatible and should not impact normal operation.
ECMP routes can be defined in the config file (example below) and also via the use_system_route_table feature, which means that on Linux you can use a BGP daemon to add / remove multipath routes.

Example config:

tun:
  unsafe_routes:
	# Backwards compatibility
	- route: 192.168.86.0/24
	  via: 192.168.100.10
	
	# Single gateway, weight optional
	- route: 192.168.87.0/24
	  via: 
		- gateway: 10.0.0.1

	# Multipath, weight optional (defaults to 1), will balance equally
	- route: 192.168.87.0/24
	  via: 
		- gateway: 10.0.0.1
		- gateway: 10.0.0.2

	# Multipath, weight defined, will balance according to weights
	- route: 192.168.87.0/24
	  via: 
		- gateway: 10.0.0.1
		  weight: 10
		  
		- gateway: 10.0.0.2
		  weight: 5

Implementation note: if the gateway where the packet should be routed to is not reachable the first available gateway is chosen, so when one of the gateways is down the traffic is no longer properly being balanced, but there is still connectivity.

salesforce-cla · 2025-02-19T16:58:18Z

Thanks for the contribution! Before we can merge this, we need @dioss-Machiel to sign the Salesforce Inc. Contributor License Agreement.

johnmaguire · 2025-03-07T21:10:40Z

~~I think this PR achieves the goals of #353~~ It doesn't look like this PR supports failover.

johnmaguire · 2025-03-10T18:46:53Z

Hi @dioss-Machiel, this looks very interesting. One note:

This can be used for example to aggregate multiple links and provide redundancy to an external location where nebula cannot be installed.

It does look like this PR may offer effective load balancing between gateways, but I'm not sure if it provides redundancy. If a given gateway is down, will this code detect it, and route on the other gateway instead?

dioss-Machiel · 2025-03-10T19:47:56Z

This implementation does indeed provide redundancy in the following network setup:

How this technically works:
For each gateway that serves a route a bucket is calculated, according to the weight.
A packet that needs to be routed is hashed, and the gateway is determined by the bucket it falls in.
If that gateway is not reachable then the entire list of possible gateways for that route is tried until exhausted.
This means when one of the gateways is down the traffic is no longer properly being balanced if you have more than two gateways, but there is still connectivity.

For example: if you have three gateways with weight "1" then each of them handles 1/3 of the traffic.
If a gateway goes down then one will handle 2/3 and another will handle 1/3

If you only have two gateways then each of them handles 1/2 of the traffic, if one goes down the other gateway will handle all the traffic.

This is the link to the relevant code in this PR: (inside.go, line 187)
https://github.com/slackhq/nebula/pull/1332/files#diff-47da64e8ca988394a12810c9ba96e3e170b9be19e0a51049b74ed2a27d4a4addR187

A more advanced implementation could recalculate the buckets when nodes go up or down to keep balancing the traffic on the remaining gateways but that comes with more complexity and maybe a slight penalty to routing speed.

nbrownus · 2025-03-10T22:38:25Z

@dioss-Machiel we merged a pretty large change to support ipv6 on the overlay, mind rebasing to clear up the conflicts?

Still always use the first route found, this should not change any routing behaviour in nebula.

Prefer first route found, if gatway unavailable then keep trying untill all options are exhausted.

WIP Multipath is working but routing table updates are still broken

dioss-Machiel · 2025-03-11T12:39:39Z

@nbrownus Conflicts have been resolved

dioss-Machiel · 2025-03-11T14:07:40Z

I fixed the testify errors

routing/gateway.go

inside.go

…teways are reachable

nbrownus · 2025-03-13T00:57:22Z

Did a quick benchmark, xxh3 has a really nice distribution but it's quite slow compared to some other options.

BenchmarkHashTest/cespare/xxhash/v2-10         	74028885	        15.99 ns/op	       0 B/op	       0 allocs/op
BenchmarkHashTest/maphash-10                   	65325824	        18.25 ns/op	       0 B/op	       0 allocs/op
BenchmarkHashTest/zeebo/xxh3-10                	27690496	        43.31 ns/op	       0 B/op	       0 allocs/op
BenchmarkHashTest/OneOfOne/xxhash-10           	79155019	        15.29 ns/op	       0 B/op	       0 allocs/op

This benchmark includes 2 other xxhash implementations but they have slightly worse distribution while being much faster than xxh3.

I included maphash since its baked into golang, it has inherent randomness though so the result of the balance tests can change between runs.

As a reference point, the firewall takes ~40ns/op on my machine to pass a packet on a group or name match. Worst case performance in the firewall is ~95ns/op to evaluate and fail a full rule evaluation.

If we went with OneOfOne/xxhash or cespare/xxhash/v2 the current tests would fail:

--- FAIL: TestPacketsAreBalancedEqually (0.02s)
    balance_test.go:60: 
        	Error Trace:	routing/balance_test.go:60
        	Error:      	Max difference between 21845 and 21651 allowed is 100, but difference was 194
        	Test:       	TestPacketsAreBalancedEqually
        	Messages:   	Expected 21845 +/- 100, but got 21651
    balance_test.go:61: 
        	Error Trace:	routing/balance_test.go:61
        	Error:      	Max difference between 21845 and 22042 allowed is 100, but difference was -197
        	Test:       	TestPacketsAreBalancedEqually
        	Messages:   	Expected 21845 +/- 100, but got 21651

Which doesn't seem too terrible to me.

We can take this a bit further as well by removing the local and remote addr, cespare/xxhash turns into 7.5ns/op.

If we can drop down to just evaluating the local and remote ports then we can use a much faster hash described here (taken from #768) which has really nice distribution (does not require modifying your tests) and incredible speed, 0.3117 ns/op on my machine.

func hashPacket(p *firewall.Packet) int {
	x := (uint32(p.LocalPort) << 16) | uint32(p.RemotePort)
	x ^= x >> 16
	x *= 0x21f0aaad
	x ^= x >> 15
	x *= 0xd35a2d97
	x ^= x >> 15

	return int(x) & 0x7FFFFFFF
}

overlay/route.go

overlay/tun_linux.go

dioss-Machiel · 2025-03-13T10:49:36Z

I'm not married to the hashing algorithm, I did some quick research and other L4 balancing implementations also only hash by source and destination port. Using the hash-prospector implementation looks good to me.

This algorithm has better performance and we can remove some dependencies

salesforce-cla bot added the cla:missing label Feb 19, 2025

salesforce-cla bot added cla:signed and removed cla:missing labels Feb 20, 2025

johnmaguire linked an issue Mar 7, 2025 that may be closed by this pull request

Add unsafe_route metric / hop count #353

Closed

wadey added this to the v2.0.0 milestone Mar 11, 2025

dioss-Machiel added 4 commits March 11, 2025 11:52

Allow defining multiple vias for a route.

445ef40

Still always use the first route found, this should not change any routing behaviour in nebula.

Implement failover for multipath routes.

ff9fecc

Prefer first route found, if gatway unavailable then keep trying untill all options are exhausted.

Handle linux routing table updates

4d8cb52

WIP Multipath is working but routing table updates are still broken

Implement weighted ECMP with hash-threshold mapping

1eaabb6

dioss-Machiel force-pushed the feature/multipath branch from 8e46695 to d987d75 Compare March 11, 2025 12:37

Update config parser to allow setting a weight per gateway

0cc2f98

dioss-Machiel force-pushed the feature/multipath branch from d987d75 to 0cc2f98 Compare March 11, 2025 14:06