On 04/10/2014 02:33 PM, Marc, LX1DUC wrote:
> On 10/04/2014 23:23, Bart Kus wrote:
>> At step (c) the packet matched a route that is associated with an IPIP
>> tunnel. The inner headers are from-44.whatever and to-44.24.240.0/20.
>> When that match is made, the packet is IPIP encapsulated, and given new
>> outer src/dst IPs. The dst-IP in this case should be 44.24.221.1, and
>> the src-IP should be whatever local-address was configured for the IPIP
>> tunnel (which should be routable over his public ISP). Then the router
>> has to make a 2nd routing decision about how to deliver to 44.24.221.1.
>> In this case, it should match default route (0.0.0.0/0).
> The default route for traffic with ORIGIN (read: NOT necessarily
> DESTINATION) inside 44/8 will be routed via IPIP to UCSD.
The Internet, in general, does not care about your source IP when making
routing decisions. Routing tables work on destination IP information.
I suspect you're referring to a specific case of policy-based routing
rules that have been deployed at UCSD and are causing breakage. That's
a separate problem I'll deal with later. UCSD is not necessary for the
success of the IPIP tunnel mesh communications.
Any potential traffic for 44.24.240.0/20 should never touch UCSD. It's
either sent directly via the Internet, or via the IPIP tunnel mesh. Traffic
to/from UCSD itself may have a problem due to the aforementioned routing
weirdness @ UCSD, which we'll look at later.
> Routing via ISP without NAT won't work! Read BCP38.
> Before recommending NAT, please note we don't want NAT because we want
> to keep the 44net ORIGIN intact.
I'm not sure why you're bringing up NAT. If you're terminating your
IPIP tunnels on your edge router the de/encapsulation and communication
can take place entirely without engaging NAT. Your edge router would
hold your public IP, and can associate the IPIP tunnels with it. If
you're terminating the tunnels inside your network instead, then yes,
you'll need some forwarding rules and NAT. I would suggest terminating
on your edge router for simplest config.
> Read BCP38.
> Really read BCP38.
> Read BCP38 again.
What is it you think I'm missing here that's in BCP38?
--Bart
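As an added illustration (not code from the thread or from the 44net project), the two-stage forwarding decision Bart describes, modelled in Python: a destination-only longest-prefix lookup, IPIP encapsulation when the matched route is bound to the tunnel, then a second lookup on the outer header that hits the default route. It also models the ISP-side source-address check Marc is pointing at with BCP38, so the reader can see that the encapsulated packet carries the router's public IP as outer source and passes, while a 44-sourced packet sent raw to the ISP does not. The 44.24.240.0/20 prefix and 44.24.221.1 endpoint come from the thread; the 203.0.113.x and 198.51.100.x addresses and the 44.24.1.2 source are assumed placeholders.

```python
import ipaddress

# Constructed routing table for the edge router: longest prefix wins and the
# lookup uses only the destination address. 44.24.240.0/20 and 44.24.221.1 come
# from the thread; the 203.0.113.0/24 addresses are assumed placeholders.
ROUTES = {
    "44.24.240.0/20": ("ipip", "44.24.221.1"),  # route bound to the IPIP tunnel
    "0.0.0.0/0": ("isp", "203.0.113.1"),        # default route to the ISP
}
LOCAL_TUNNEL_ADDR = "203.0.113.50"  # assumed public IP held by the edge router
ISP_ASSIGNED = ["203.0.113.0/24"]   # prefixes the ISP accepts as source (BCP38)

def lookup(dst):
    """Destination-only longest-prefix match; returns (kind, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, target in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def forward(src, dst):
    """Trace the forwarding decisions for one packet from src to dst.

    Step 1: match the inner destination. If that route is bound to the IPIP
    tunnel, encapsulate (outer src = tunnel local address, outer dst = tunnel
    endpoint). Step 2: route the outer header again, here via the default route.
    """
    trace = []
    kind, next_hop = lookup(dst)
    if kind == "ipip":
        trace.append(("encap", src, dst, LOCAL_TUNNEL_ADDR, next_hop))
        src, dst = LOCAL_TUNNEL_ADDR, next_hop   # second routing decision
        kind, next_hop = lookup(dst)
    trace.append((kind, src, dst, next_hop))
    return trace

def bcp38_ingress_ok(outer_src):
    """ISP-side ingress filter: accept only sources from assigned prefixes."""
    addr = ipaddress.ip_address(outer_src)
    return any(addr in ipaddress.ip_network(p) for p in ISP_ASSIGNED)

def leaves_isp(src, dst):
    """True if the packet's final hop goes to the ISP and passes its BCP38 check."""
    kind, outer_src, _, _ = forward(src, dst)[-1]
    return kind == "isp" and bcp38_ingress_ok(outer_src)
```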