On Fri, 19 Jul 2019, Ruben ON3RVH wrote:
> The ease of the IPIP tunnels using a modified RIP daemon that can
> easily be downloaded makes the current setup so easy to deploy and get
> online. Also seeing that a lot of questions coming in are from users
> complaining that they are not reachable to/from the internet (when
> they haven't set up reverse DNS) shows that even reading the wiki is
> too hard for some of them.
The difficulty is that one has to remind firewall vendors and
open-source developers that protocols like IPIP even exist and just how
large a community of potential users they are eliminating from using
their software by simply not making an option available on a drop-down
box (e.g. pfSense). Another way our options are limited is by not
loading a kernel module in certain environments or not distributing a
kernel module that supports the technology.
There is no way to "port forward" GRE or IPIP. It terminates on the
edge, or it doesn't. That can be complex in today's provider networks
thanks to the use of PPPoE, 802.1x, or Customer Premises Equipment (CPE)
which heavily favors TCP and UDP communications into or out of a
designated "DMZ" and throws away everything else. On the other hand,
it's still possible to set up a VPN to a remote host and interface with
the IPIP mesh there. It's not ideal, but it's a solution. As long as all
the nearby sites have a route over VPN, it can work. By tuning the VPN
parameters, latency can be kept down.
This may not be the time to re-engineer everything, but start the ideas
now and something should be possible to start in six months.
--
Kris Kirby, KE4AHR
Disinformation Architect, Systems Mangler, & Network Mismanager
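The point that IPIP and GRE cannot be "port forwarded" comes down to what a consumer NAT/CPE can see in the outer IPv4 header. The following is an added illustration, not code from the mailing-list thread or from any 44net tooling: it builds a UDP datagram, wraps the same datagram in an IP-in-IP outer header (protocol 4, RFC 2003), builds a GRE packet (protocol 47), and then runs each through a small classifier that mimics what a port-forwarding edge device can match on. The addresses and the `classify_at_edge` logic are constructed for the example; only the protocol numbers and header layouts are standard.

```python
"""Constructed example: why IPIP (proto 4) and GRE (proto 47) cannot be port forwarded.

A port-forward rule on a CPE matches a TCP/UDP destination port in the outer
header.  IPIP and GRE carry no ports there, so the edge can only pass the whole
protocol to one inside host (terminate/route it) or drop it.
"""
import socket
import struct

IPPROTO_IPIP = 4    # IP-in-IP encapsulation (RFC 2003)
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47    # Generic Routing Encapsulation (RFC 2784)
PROTO_NAMES = {IPPROTO_IPIP: "IPIP", IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP", IPPROTO_GRE: "GRE"}


def ip_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); returns 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build an IPv4 packet with a 20-byte option-less header around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in checksum
    return hdr + payload


def udp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal UDP header; checksum 0 means 'not computed', which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ipip_encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """IP-in-IP: the entire inner IPv4 packet is the payload of an outer header with proto 4."""
    return ipv4_packet(outer_src, outer_dst, IPPROTO_IPIP, inner)


def parse_ipv4(pkt: bytes) -> dict:
    """Parse one IPv4 header, checking version and header checksum; returns fields + payload."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def classify_at_edge(pkt: bytes) -> dict:
    """Model of what a port-forwarding NAT can do with a packet arriving from the WAN.

    TCP/UDP: ports are in the outer header, so a port-forward rule can match them.
    IPIP/GRE: no ports exist; the device either forwards the whole protocol to a
    single inside host or discards it.  For IPIP the tunneled inner header is
    returned too, to show what the NAT never looks at.
    """
    hdr = parse_ipv4(pkt)
    proto = hdr["proto"]
    result = {"proto": PROTO_NAMES.get(proto, str(proto)), "ports": None,
              "port_forwardable": False, "inner": None}
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", hdr["payload"][:4])   # same offsets for TCP and UDP
        result["ports"] = (sport, dport)
        result["port_forwardable"] = True
    elif proto == IPPROTO_IPIP:
        inner = parse_ipv4(hdr["payload"])
        result["inner"] = (inner["src"], inner["dst"], PROTO_NAMES.get(inner["proto"], str(inner["proto"])))
    return result


# Constructed sample traffic using documentation addresses (RFC 5737); not real hosts.
INNER_UDP = ipv4_packet("192.0.2.10", "198.51.100.20", IPPROTO_UDP, udp_segment(1234, 4545, b"hello"))
TUNNELED = ipip_encapsulate("203.0.113.1", "203.0.113.2", INNER_UDP)            # same datagram inside IPIP
GRE_PKT = ipv4_packet("203.0.113.1", "203.0.113.2", IPPROTO_GRE, b"\x00\x00\x08\x00")  # GRE hdr, ptype IPv4

if __name__ == "__main__":
    for name, p in (("native UDP", INNER_UDP), ("IPIP", TUNNELED), ("GRE", GRE_PKT)):
        print(name, classify_at_edge(p))
```

Run stand-alone it prints three classifications: the native UDP datagram exposes ports (1234, 4545) and is port-forwardable, while the IPIP and GRE packets expose no ports at all, which is exactly the "it terminates on the edge, or it doesn't" situation described in the message. The same classifier is a useful sanity check when reading firewall logs: a drop entry whose protocol column says 4 or 47 and whose port columns are empty is the CPE discarding tunnel traffic it has no rule for, not a mis-set port forward.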