On 04/10/2014 02:11 PM, Marc, LX1DUC wrote:
> On 10/04/2014 22:51, Bart Kus wrote:
>> OK, let me stop your email right here. Why did your router choose tunl0
>> as the next-hop when we don't announce any special route for
>> 44.24.221.0/24? Your router seems to have made a routing mistake here.
>> It should have chosen the default route (0.0.0.0/0) to send the packet
>> since it has no special information about 44.24.221.0/24.
>> Does that realization clear things up?
> No, your logic made a mistake. RTFM, especially BCP 38.
> Most routers are not authorized to send traffic from 44/8 via their
> commercial Internet upstream. So any traffic from 44net towards the
> Internet has to be routed to UCSD (or somewhere where the ISP doesn't
> care about potentially spoofed source addresses). If no specific full mesh
> route is found, the traffic will obviously follow the default route of
> the routing table handling 44net traffic.
No mistake on my end. Please read KB3VWG's email more carefully, I'm
including the relevant text here for re-examination:
===QUOTE===
- so, as you wish
a.) rip44 would add your tunneled subnet (44.24.240.0/20) to routing
table 44 with an endpoint address as 44.24.221.1
b.) a host in my subnet sends your subnet a packet and is received by my
router
c.) it looks up the endpoint destination on table 44 and finds that it's
44.24.221.1
d.) my router will look in the routing table for 44.24.221.1 finds
===/QUOTE===
At step (c) the packet matched a route that is associated with an IPIP
tunnel. The inner headers are from-44.whatever and to-44.24.240.0/20.
When that match is made, the packet is IPIP encapsulated, and given new
outer src/dst IPs. The dst-IP in this case should be 44.24.221.1, and
the src-IP should be whatever local-address was configured for the IPIP
tunnel (which should be routable over his public ISP). Then the router
has to make a 2nd routing decision about how to deliver to 44.24.221.1.
In this case, it should match default route (0.0.0.0/0).
Does this clear things up?
> Maybe it would be better to recommend to blackhole traffic for networks
> that aren't in the encap file via
> ip route add blackhole 44.0.0.0/8
> That way the "default route" wouldn't catch traffic for 44nets that
> don't exist in the encap file.
No no no! You will be killing all traffic to BGP-only 44nets. Let us
never utter this again. :)
--Bart
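As an added illustration, not code from the thread or from any of its participants: a small Python model of the two routing decisions Bart describes (inner lookup hits the tunnel route, outer packet to the endpoint hits the default route) and of what Marc's blackhole route does to it. It assumes a single routing table, a constructed ISP gateway 203.0.113.1, and a constructed BGP-only 44net address 44.1.2.3; the endpoint 44.24.221.1 and the subnet 44.24.240.0/20 are the thread's own values.

```python
from ipaddress import ip_address, ip_network

def route(prefix, kind, **attrs):
    """One routing-table entry; kind is 'gateway', 'tunnel' or 'blackhole'."""
    return {"prefix": ip_network(prefix), "kind": kind, **attrs}

def lookup(table, dst):
    """Longest-prefix match, as a kernel FIB does: the most specific entry wins."""
    dst = ip_address(dst)
    hits = [r for r in table if dst in r["prefix"]]
    return max(hits, key=lambda r: r["prefix"].prefixlen, default=None)

def forward(table, dst):
    """Return the list of decisions the router takes for a packet to dst.

    A tunnel route IPIP-encapsulates the packet (outer dst = tunnel endpoint)
    and then a second lookup decides how the outer packet leaves the router.
    """
    steps = []
    while True:
        r = lookup(table, dst)
        if r is None:
            return steps + [("unreachable", dst)]
        if r["kind"] == "blackhole":
            return steps + [("blackhole", dst)]
        if r["kind"] == "tunnel":
            steps.append(("encap", r["endpoint"]))
            dst = r["endpoint"]          # second routing decision, on the outer header
            continue
        return steps + [("via", r["gateway"])]

ISP_GW = "203.0.113.1"            # constructed placeholder for the commercial upstream
ENCAP_ENDPOINT = "44.24.221.1"    # tunnel endpoint from the thread

def build_table(with_blackhole):
    """Default via the ISP plus the rip44-learned tunnel route; optionally Marc's blackhole."""
    t = [route("0.0.0.0/0", "gateway", gateway=ISP_GW),
         route("44.24.240.0/20", "tunnel", endpoint=ENCAP_ENDPOINT)]
    if with_blackhole:
        t.append(route("44.0.0.0/8", "blackhole"))   # 'ip route add blackhole 44.0.0.0/8'
    return t

if __name__ == "__main__":
    for bh in (False, True):
        print("blackhole 44/8 present:", bh)
        for dst in ("44.24.240.5", "44.1.2.3"):   # encap subnet host, BGP-only 44net host (constructed)
            print("  ", dst, "->", forward(build_table(bh), dst))
```

With the blackhole present, the BGP-only destination is dropped, which is Bart's objection; the same longest-prefix match also swallows the outer packet to 44.24.221.1, since 44.0.0.0/8 is more specific than 0.0.0.0/0.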