Configuration safety guidelines
MicroOVN is a very opinionated way to deploy OVN. It enforces TLS encryption and authentication on its network endpoints, and it tries to use sane defaults wherever possible. In general, it does not provide many ways to deviate from the standard configuration, but this section will highlight those places where it does and where the security can be improved by the user manually.
BGP integration
MicroOVN provides a way to integrate OVN natively with BGP routers on the external networks. See the Configure OVN BGP integration page for more information. When the integration is enabled with the --asn option specified, MicroOVN auto-configures a BIRD 3 BGP service to listen for connections from the physical external network. This auto-configured BGP daemon has very lax security settings; most importantly, it:

- doesn't perform peer authentication (see RFC 2385)
- doesn't employ RPKI to validate route advertisements (see RFC 6480)
- doesn't apply any route filtering on learned routes
- does connect to the first peer it finds on the external link
BGP security is a very broad topic that is out of scope for this document, but the points above cover the basics to address when deploying BGP daemons in an environment where the peers can't necessarily be trusted.
If the user desires any of the above security features, they are advised to omit the --asn option when enabling the BGP integration. This allows them to bind any external BGP daemon to the interface inside the VRF created by MicroOVN, and then to tailor the daemon configuration to their specific security needs.
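The following is an added example of what such a tailored configuration can look like; it is not MicroOVN's auto-generated configuration and not part of the MicroOVN documentation. It is a BIRD 3 configuration for one external peer that addresses each of the four points listed above: TCP MD5 peer authentication, RPKI validation of learned routes through an RTR cache, a route filter on imports, and an explicitly named neighbor instead of whichever peer shows up first. The router ID, addresses, AS numbers, the RTR cache host, the VRF name and the password are all placeholders chosen for the example, not values MicroOVN creates.

```bird
# Added example of a hardened BIRD 3 peer configuration for use when the
# --asn option is omitted. Every address, AS number, host name and the
# VRF name below is an assumed placeholder, not a MicroOVN default.

router id 192.0.2.10;

# ROA table fed by an RPKI-to-Router (RTR) cache, used to validate the
# origin AS of every learned prefix (RFC 6480).
roa4 table rpki4;

protocol rpki rtr_cache {
    roa4 { table rpki4; };
    remote "rtr.example.net" port 323;   # assumed RTR cache, plain TCP transport
    retry keep 90;
    refresh keep 900;
    expire keep 172800;
}

# Route filtering on learned routes: drop a default route, drop overly
# specific prefixes, and drop anything not covered by a valid ROA.
filter from_external {
    if net = 0.0.0.0/0 then reject;
    if net.len > 24 then reject;
    if roa_check(rpki4, net, bgp_path.last) != ROA_VALID then reject;
    accept;
}

protocol bgp external_peer {
    vrf "ovn-bgp-vrf";                   # assumed name of the VRF created by MicroOVN
    local 192.0.2.10 as 65001;           # assumed local address and AS
    neighbor 192.0.2.1 as 65002;         # one explicit peer, not the first one found
    password "replace-with-shared-secret";  # TCP MD5 session authentication (RFC 2385)
    ipv4 {
        import filter from_external;     # learned routes must pass the filter above
        export none;                     # advertise nothing until an export policy exists
    };
}
```

The export policy is deliberately empty: which OVN prefixes should be advertised depends on the deployment, so the safe starting point is to announce nothing and add an explicit export filter afterwards. The peer's address and the shared secret must match what the operator of the external router has configured, and the RTR cache is assumed to be reachable from inside the VRF.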