On Thu, 30 Jan 2014, Marius Petrescu wrote:
> What I meant (and what seems logical to me) was that if you try to reach an
> ampr host in the mesh network (let's call a host here M) from a bgp routed
> subnet, then you have this scenario:
> - On the router of the upstream provider there should be 2 routes. One to the
> BGP'd subnet (let's assume it is called A, 44.1.1.0/24) and one to 44.0.0.0/8
> which is amprgw, which is the gw for any 44 traffic.
> - If you try a connection from A to M, packets from A will go out "in the
> wild" and will be routed to amprgw, encapsulated, and sent to M, like any
> internet to ampr access. The responses will flow back the correct route
> because of conntrack.
conntrack? I don't think the gateways out there are running any sort of
routing that would magically route back return packets "the same way". If
connection tracking is used, it might be applied to firewall rules, but
not routing. Besides, that "back the same way" would point to amprgw, and
again, amprgw is not able to route those return packets back to A.
M will use the routing table it has, which might be one of:
1) default route to the Internet (will get dropped at upstream ISP due
to the 44/8 source address)
2) some folks have a 44/8 route pointing to amprgw (won't work since
amprgw currently cannot send packets to the 44/8 BGP sites)
3) if the BGP site has a Gateways database entry and an IPIP receiving
endpoint, that will be used, and things work.
> - Any two bgp enabled subnets will talk to each other like any subnet on
> the internet.
Correct.
> - Outgoing connections from M will not work since amprgw does not allow
> outgoing connections to 44 addresses. IMHO this rule should be refined to be
> "drop outgoing connections to hosts present in the encap file" which will
> solve the problem. But that's another thing.
amprgw itself does allow them, but its local upstream routers will give
all packets destined to 44/8 back to amprgw.
The reality is that all outgoing *packets* from amprgw to 44/8, _unless_
_encapsulated_, will not go anywhere, since UCSD routers route 44/8 to
amprgw and do not know about the more specific BGP routes.
That is not affected by the direction of a TCP connection, conntrack, or
anything else.
- Hessu
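The disagreement above comes down to plain longest-prefix routing, not connection tracking. The following simulation is an added example, not code from either poster or from the AMPRnet project: it models the routing tables named in the thread (A's upstream router with both the /24 and the /8; the UCSD routers with only 44/8 pointing at amprgw) and traces the forward packet from A to M and M's reply under Hessu's three cases. All addresses except 44.1.1.0/24 are constructed, and the tunnel endpoints, the encap list contents and the ISP source filter are assumptions made for the illustration.

```python
import ipaddress

# Constructed scenario (only 44.1.1.0/24 comes from the mail):
# A is the BGP-announced subnet, M is a mesh host reachable only via IPIP.
A_NET = "44.1.1.0/24"
A_HOST = "44.1.1.10"           # a host inside A
M_HOST = "44.2.2.2"            # a mesh host, not BGP-announced anywhere
M_ENDPOINT = "203.0.113.5"     # assumed public IPIP endpoint of M
A_ENDPOINT = "198.51.100.1"    # assumed IPIP endpoint A would register (case 3)

# Routing tables as (prefix, next-hop label). Labels are not real routers.
ROUTERS = {
    # A's upstream provider: knows the /24 via BGP and the /8 via amprgw.
    "upstream_of_A": [(A_NET, "A"), ("44.0.0.0/8", "amprgw"), ("0.0.0.0/0", "internet")],
    # UCSD routers in front of amprgw: only the /8, no more-specific BGP routes.
    "ucsd": [("44.0.0.0/8", "amprgw"), ("0.0.0.0/0", "internet")],
}

# Encap list (Gateways database): mesh subnet -> tunnel endpoint. A is absent
# unless it registers an entry, which is Hessu's case 3.
ENCAP = {"44.2.2.0/24": M_ENDPOINT}


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next-hop); most specific wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def forward_A_to_M():
    """Packet from A to M: plain routing to amprgw, then IPIP to M's endpoint."""
    hops = ["A"]
    nh = lookup(ROUTERS["upstream_of_A"], M_HOST)        # /24 does not match -> amprgw
    hops.append(f"upstream_of_A->{nh}")
    nh = lookup(ROUTERS["ucsd"], M_HOST)                 # 44/8 -> amprgw
    hops.append(f"ucsd->{nh}")
    endpoint = lookup(list(ENCAP.items()), M_HOST)       # amprgw encapsulates
    hops.append(f"amprgw ipip->{endpoint}")
    hops.append("M")
    return hops


def reply_M_to_A(case, encap=None):
    """M's reply to A under the three routing tables Hessu lists.

    Returns (hops, delivered). Nothing here depends on TCP direction or
    conntrack; only on which prefixes each router knows.
    """
    encap = dict(ENCAP if encap is None else encap)
    if case == 3:
        encap[A_NET] = A_ENDPOINT   # A has a Gateways entry and an IPIP endpoint
    hops = ["M"]

    if case == 1:
        # Default route: a plain packet with a 44/8 source leaves via M's ISP,
        # which (assumed) filters source addresses it does not announce.
        hops.append("isp_of_M: drop (44/8 source not announced here)")
        return hops, False

    # Cases 2 and 3: M consults the encap list first, like amprgw does.
    endpoint = lookup(list(encap.items()), A_HOST)
    if endpoint is not None:
        hops.append(f"M ipip->{endpoint}")
        hops.append("A")
        return hops, True

    # Case 2: 44/8 route to amprgw over the tunnel; amprgw decapsulates and must
    # forward a plain packet to 44.1.1.10, but UCSD routes 44/8 back to amprgw.
    hops.append("M ipip->amprgw")
    nh = lookup(ROUTERS["ucsd"], A_HOST)
    hops.append(f"ucsd->{nh} (handed straight back, never reaches A)")
    return hops, nh != "amprgw"
```

Running `forward_A_to_M()` shows the forward path succeeding through amprgw, while `reply_M_to_A(1)` and `reply_M_to_A(2)` both return `delivered=False` and only `reply_M_to_A(3)`, where A is present in the encap list, is delivered. The one line that decides the outcome is the `ucsd` table: it has no `44.1.1.0/24` entry, so a de-encapsulated packet for A can only be routed back to amprgw.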