Page MenuHomePhabricator
Create Task
Maniphest T170518

Non zero rated LVS IPs
Closed, DeclinedPublic
Actions

Description

To limit the abuse of services (such as Phabricator) on zero rated ranges, one option is to move those services on different IP ranges.

I identified the following v4 /29s:

eqiad - 208.80.155.80/29
codfw - 208.80.152.216/29
esams - 91.198.174.184/29
ulsfo - 198.35.26.128/29

Their adjacent /29 is free and can be reserved in case they need to grow to a /28.

IPv6 doesn't have a shortage of IPs:

codfw - 2620:0:860:ed1a::4:0/110
eqiad - 2620:0:861:ed1a::4:0/110
esams - 2620:0:862:ed1a::4:0/110
ulsfo - 2620:0:863:ed1a::4:0/110

Details

SubjectRepoBranchLines +/-
Reserve non zero rated IPs and rangesoperations/dnsmaster+65 -1
Add LVS nonzero ranges in network::subnetsoperations/puppetproduction+12 -0
Add new git-ssh IPsoperations/puppetproduction+9 -3
Add new misc-web-lb IPsoperations/puppetproduction+12 -6
Customize query in gerrit

Event Timeline

ayounsi created this task.Jul 13 2017, 7:24 AM
Restricted Application added a project: SRE. · View Herald TranscriptJul 13 2017, 7:24 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
ema moved this task from Backlog to LoadBalancer on the Traffic board.Jul 13 2017, 11:07 AM
Framawiki subscribed.Jul 13 2017, 11:09 AM
zhuyifei1999 subscribed.Jul 13 2017, 12:21 PM
BethNaught subscribed.Jul 13 2017, 12:34 PM
fgiunchedi triaged this task as Medium priority.Jul 21 2017, 10:18 AM
ayounsi updated the task description. (Show Details)Aug 3 2017, 9:12 PM
gerritbot subscribed.Aug 3 2017, 9:37 PM

Change 370094 had a related patch set uploaded (by Ayounsi; owner: Ayounsi):
[operations/dns@master] Reserve non zero rated IP ranges

https://gerrit.wikimedia.org/r/370094

gerritbot added a project: Patch-For-Review.Aug 3 2017, 9:37 PM
gerritbot added a comment.Aug 4 2017, 1:51 PM

Change 370201 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Add new misc-web-lb IPs

https://gerrit.wikimedia.org/r/370201

gerritbot added a comment.Aug 4 2017, 1:51 PM

Change 370202 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Add new git-ssh IPs

https://gerrit.wikimedia.org/r/370202

Paladox subscribed.Aug 4 2017, 1:52 PM
gerritbot added a comment.Aug 4 2017, 2:38 PM

Change 370210 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Add LVS nonzero ranges in network::subnets

https://gerrit.wikimedia.org/r/370210

BBlack changed the task status from Open to Stalled.Aug 14 2017, 6:13 PM

Re-evaluating alternatives here, hold on actual implementation for now.

gerritbot added a comment.Feb 20 2018, 4:18 PM

Change 370201 abandoned by BBlack:
Add new misc-web-lb IPs

https://gerrit.wikimedia.org/r/370201

gerritbot added a comment.Feb 20 2018, 4:18 PM

Change 370202 abandoned by BBlack:
Add new git-ssh IPs

https://gerrit.wikimedia.org/r/370202

gerritbot added a comment.Feb 20 2018, 4:18 PM

Change 370210 abandoned by BBlack:
Add LVS nonzero ranges in network::subnets

https://gerrit.wikimedia.org/r/370210

gerritbot added a comment.Feb 20 2018, 4:19 PM

Change 370094 abandoned by BBlack:
Reserve non zero rated IPs and ranges

https://gerrit.wikimedia.org/r/370094

BBlack closed this task as Declined.Feb 20 2018, 4:20 PM

In light of: https://blog.wikimedia.org/2018/02/16/partnerships-new-approach/ , we're not going to restructure public subnets around this, as that has long-time-horizon implications. We'll deal with these kinds of issues ad-hoc for the remaining lifetime of Zero.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL