On Tue, Jul 16, 2013 at 6:00 PM, Brian Kantor Brian@ucsd.edu wrote:
> On Tue, Jul 16, 2013 at 04:48:57PM +0300, Heikki Hannikainen wrote:
>> Also, doesn't amprgw at UCSD drop net-44 packets on the floor unless they're in encap.txt? Or is there an exception for BGP announced networks?
> We would drop them since they're not in the encap database, but they don't show up here from the Internet in the first place since the narrower BGP subnets override the larger /8 network and the packets aren't routed here.
Yes, exactly. How about if someone sends an encapsulated 44-to-44 packet to amprgw, and the packet has a destination address in one of the BGP subnets, and the subnet is not in encap database? Would that get routed out from amprgw (unencapsulated), or would it be dropped?
And wouldn't it be preferred to have that go directly encapsulated to an encap gateway box at the BGP-enabled site?
If I understood him right, Bob Tenty is suggesting that BGP-enabled sites should be removed from the encap database altogether, and says that packets from tunnel-only gateways to those networks should always be sent via amprgw. My opinion is in the opposite end of the spectrum.
> A solution would be to have the border router at each of the directly-connected subnets also have a full set of tunnel routes and interfaces installed, as it could then participate in the tunnel mesh and should then be in the encap file. I don't see commercial internet providers doing that.
The border router does not necessarily need a tunnel route + interface set. All that is needed is the traditional Linux box sitting near it, which acts as the encap gateway with rip44d or whatever. The border router can have a 44/8 route towards the local encap box for outgoing packets, so that packets going to the rest of the old 44/8 do not need to go back to amprgw.ucsd.edu.
If I were to create some fancy new bandwidth-heavy service, and host it on a BGP-enabled net-44 address here, I think my main motive would be to (1) make it available to all net-44 users in addition to the Internet, and (2) make it run fast and not go via amprgw all the time. If I only had BGP but no encap mesh routes, I suspect both (1) and (2) would not happen - I'd just be using a net-44 address on the Internet with quite broken net-44 routing.
> So this means that in order for the directly-connected subnets to also participate in the tunnel mesh, there has to be a tunnel-enabled router downstream of the connection to the commercial Internet.
Yup, my thoughts exactly. Downstream, or on its side.
My point is that the BGP sites *should* have a tunnel-enabled gateway router in their setup, and they should be in the encap routing table to keep them well-connected.
- Hessu
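The route-selection behaviour the thread argues about, as an added Python model that is not part of the mailing-list post: a tunnel-only gateway does a longest-prefix match over its encap.txt entries and falls back to amprgw for the rest of 44/8, while amprgw drops an unencapsulated arrival it has no encap entry for. The encap.txt lines, the gateway addresses and the 44.9.0.0/16 "BGP site" are constructed placeholders.

```python
import ipaddress

# Constructed sample in the encap.txt line format; gateway addresses are
# documentation-range placeholders, not real AMPRNet gateways.
ENCAP_TXT = """\
route addprivate 44.1.2.0/24 encap 203.0.113.10
route addprivate 44.3.0.0/16 encap 198.51.100.20
"""
AMPRGW = "amprgw.ucsd.edu"            # catch-all for the rest of 44/8
NET44 = ipaddress.ip_network("44.0.0.0/8")


def parse_encap(text):
    """Return [(network, encap_gateway)] from encap.txt-style lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["route", "addprivate"] and parts[3] == "encap":
            routes.append((ipaddress.ip_network(parts[2]), parts[4]))
    return routes


def lookup(dst, routes):
    """Longest-prefix match over the encap routes, or None if no entry covers dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, gw) for net, gw in routes if addr in net]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)


def tunnel_gateway_route(dst, routes):
    """Decision of a tunnel-only gateway: rip44d-style routes plus a 44/8 default."""
    hit = lookup(dst, routes)
    if hit:
        return ("encap", hit[1])                  # direct tunnel to that site
    if ipaddress.ip_address(dst) in NET44:
        return ("encap", AMPRGW)                  # no entry: detour via amprgw
    return ("internet", None)                     # not net-44, plain routing


def amprgw_inbound(dst, routes):
    """Unencapsulated net-44 packet arriving at amprgw from the Internet."""
    hit = lookup(dst, routes)
    return ("encap", hit[1]) if hit else ("drop", None)


ROUTES = parse_encap(ENCAP_TXT)
# The same table once the constructed BGP site also publishes an encap gateway
WITH_BGP_SITE = ROUTES + [(ipaddress.ip_network("44.9.0.0/16"), "192.0.2.5")]
```

With only the BGP announcement, traffic from a tunnel-only gateway to 44.9.x.x detours through amprgw; once the site has an encap entry it gets a direct tunnel, which is the point made above.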