The problem is that the route 44.140.0.0/16 via 44.140.0.1 creates a routing
loop.
The moment one sets this route on their machine, all traffic, including the
traffic to the gateway itself, will be encapsulated and sent via the tunnel to
the gateway, which is impossible...
So for such a setup to work there are 3 solutions:
1) classic:
44.140.0.0/16 via 192.16.126.18
2) 2 routes:
44.140.0.1/32 via 192.16.126.18
44.140.0.0/16 via 44.140.0.1
This will break most setups since usually there is no recursive next-hop
lookup on a single-machine GW system.
In a full routed dedicated tunnel host + router combination this would work
(I can give you the details).
3) don't broadcast anything at all
In this case, ham traffic is treated like any regular internet traffic and
NAT-ed to one's public IP on their gateway (if there is no 44/8 route via
UCSD), or if the client is also BGP announced, in which case it will work
flawlessly.
The problem is that in this case you can not differentiate ham traffic from
BGP-unannounced subnets from regular internet traffic on your GW side.
Talking about other solutions, I want to analyse a little the other BGP
announced setup, which is correct:
44.24.240.0/20 via 44.24.221.1
44.24.221.1 is unannounced in RIP.
In this case, a completely correct setup (which doesn't send all unknown
44s to UCSD via tunnel) will do the following:
- encapsulate all traffic to 44.24.240.0/20
- all encapsulated frames will be NAT-ed to the local public GW IP and sent to
44.24.221.1
Of course, 44.24.221.1 has to maintain its own encap target list to be able
to send traffic back to the originator, and accept proto 4 from any public
IP.
So as a conclusion:
Announcing BGP-enabled subnets in the encap breaks some advantages of being
BGP announced.
It allows internet hosts to circumvent the UCSD gateway, and allows direct
access to internet hosts from 44 machines without passing UCSD while
maintaining their original 44 src address.
But it still needs the tunnel system to allow access from 44 hosts behind
tunnels.
If the subnet is unannounced, only NAT-ed traffic is possible from tunneled 44
systems (since UCSD routers don't forward traffic to 44 destinations).
Marius, YO2LOJ
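As an added illustration of the next-hop problem described in the post above (this is constructed example code, not Marius's or AMPRNet's own), the following Python model walks a packet through the three route sets from the post. It reuses the post's addresses (44.140.0.0/16, 44.140.0.1, 192.16.126.18) and assumes, purely for the example, that 192.16.126.0/24 is the gateway's connected LAN and 192.16.126.1 its default gateway. Two forwarding models are compared: a simplified single-machine (kernel-style) model, where the "via" of a tunl0 route is used as the outer IPIP destination and that outer packet is looked up again in the same table, and a router-style model with recursive next-hop resolution, where the next hop is first resolved to an on-link route and encapsulation happens once. Both are simplifications and not a claim about any specific kernel's behaviour.

```python
"""Model of IPIP (proto 4) encap route resolution: loop vs. recursive lookup.

Constructed example for the 44net routing discussion; not code from the post.
Addresses 44.140.0.0/16, 44.140.0.1 and 192.16.126.18 come from the post;
192.16.126.0/24 (connected LAN) and 192.16.126.1 (default GW) are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str          # destination prefix, e.g. "44.140.0.0/16"
    via: Optional[str]   # next hop; None means the prefix is directly connected
    dev: str             # "eth0" = plain interface, "tunl0" = IPIP encap

    @property
    def net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if addr in r.net and (best is None or r.net.prefixlen > best.net.prefixlen):
            best = r
    return best


def on_link(table: List[Route], addr: str) -> bool:
    """True when addr falls into a directly connected network."""
    r = lookup(table, addr)
    return r is not None and r.via is None


def forward(table: List[Route], dst: str, recursive: bool = False,
            max_hops: int = 8) -> Tuple[str, List[str]]:
    """Simulate forwarding one packet to dst.

    Returns (status, encaps): status is "DELIVERED", "LOOP" or "UNRESOLVED";
    encaps lists the outer destinations the packet was wrapped toward, one
    entry per IPIP header added.
    """
    encaps: List[str] = []
    if recursive:
        # Router-style: chase the next hop through the table until it is
        # on-link, then encapsulate (at most once) toward that resolved hop.
        r = lookup(table, dst)
        chain: List[Route] = []
        while r is not None and r.via is not None and not on_link(table, r.via):
            if r in chain:                      # next hop resolves via itself
                return "LOOP", encaps
            chain.append(r)
            r = lookup(table, r.via)
        if r is None:
            return "UNRESOLVED", encaps
        if r.via is not None and r.dev == "tunl0":
            encaps.append(r.via)
        return "DELIVERED", encaps

    # Single-machine style: the via of a tunl0 route becomes the outer IP
    # destination, and the outer packet is looked up again in the same table.
    target = dst
    seen = set()
    for _ in range(max_hops):
        if target in seen:
            return "LOOP", encaps
        seen.add(target)
        r = lookup(table, target)
        if r is None:
            return "UNRESOLVED", encaps
        if r.via is None:                       # connected: deliver directly
            return "DELIVERED", encaps
        if r.dev == "tunl0":                    # wrap and route the outer packet
            encaps.append(r.via)
            target = r.via
            continue
        return ("DELIVERED" if on_link(table, r.via) else "UNRESOLVED"), encaps
    return "LOOP", encaps


# Assumed local topology of the tunnel gateway (constructed for the example).
BASE = [
    Route("192.16.126.0/24", None, "eth0"),          # connected LAN
    Route("0.0.0.0/0", "192.16.126.1", "eth0"),      # default gateway
]
# 1) classic: encap target is the gateway's public IP
TABLE_CLASSIC = BASE + [Route("44.140.0.0/16", "192.16.126.18", "tunl0")]
# the problematic route: encap target lies inside the prefix it serves
TABLE_LOOP = BASE + [Route("44.140.0.0/16", "44.140.0.1", "tunl0")]
# 2) two routes: a /32 for the 44 next hop plus the /16 via that next hop
TABLE_TWO_ROUTES = BASE + [
    Route("44.140.0.1/32", "192.16.126.18", "tunl0"),
    Route("44.140.0.0/16", "44.140.0.1", "tunl0"),
]


def demo(dst: str = "44.140.5.5") -> dict:
    """Run every table in both modes; keyed by (table name, recursive)."""
    out = {}
    for name, table in (("classic", TABLE_CLASSIC), ("loop", TABLE_LOOP),
                        ("two_routes", TABLE_TWO_ROUTES)):
        for recursive in (False, True):
            out[(name, recursive)] = forward(table, dst, recursive=recursive)
    return out


if __name__ == "__main__":
    for key, (status, encaps) in demo().items():
        print(f"{key[0]:10s} recursive={key[1]!s:5s} {status:10s} encaps={encaps}")
```

Running it shows the three outcomes the post argues: the classic route delivers with one encapsulation in both models; the 44.140.0.0/16 via 44.140.0.1 route loops in the single-machine model (the outer packet to 44.140.0.1 matches the same tunnel route again) and is equally unresolvable under recursive lookup; the two-route variant works with one encapsulation only when the next hop is resolved recursively, while a single-machine lookup wraps the packet twice (once toward 44.140.0.1, then again toward 192.16.126.18), which is the breakage the post refers to.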