On Tue, Jun 16, 2015 at 9:40 AM, Brian Kantor <Brian(a)ucsd.edu> wrote:
(Please trim inclusions from previous messages)
On Tue, Jun 16, 2015 at 09:25:01AM -0700, K7VE - John wrote:
Incidentally, we are also creating VPN tunnels to bring 'islands' into routers that have BGP capability and advertising from those routers.
So you're doing exactly what I'm proposing except that you're using
modern VPN technology instead of legacy IPIP.
- Brian
Precisely. One of the problems of using IPIP for this is that there is
no feature in the protocol that tells us when a remote router is
unreachable. There's also no authentication or message integrity.
These are common features of modern VPN protocols. (Depending on the
protocol, they also traverse NAT more easily.)
Knowing reachability allows us to selectively advertise BGP routes for
only reachable routers. If a gateway operator maintains VPN tunnels to
multiple BGP advertisement points, one of those BGP routers can go
down for maintenance for a few hours without bringing down their
linked repeater system, etc. During the downtime, all traffic would
route over the other VPN interface.
Eventually, I'd like to support a multitude of VPN protocols, but for
now we have only implemented IPsec.
Tom KD7LXL
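As an added illustration, not part of Tom's message or of the project's code: a small Python model of the reachability argument above, contrasting a tunnel that reports dead peers (as IPsec dead-peer detection does) with an IPIP tunnel that cannot. The gateway name, router names and the 192.0.2.0/24 prefix are constructed placeholders.

```python
# Added example: reachability-aware BGP advertisement over multiple tunnels.
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    gateway: str      # remote 'island' gateway behind the tunnel
    bgp_router: str   # advertisement point this tunnel terminates on
    prefix: str       # prefix the gateway wants announced from that router
    has_dpd: bool     # True for a VPN with dead-peer detection; False for IPIP
    peer_alive: bool  # real state of the path (an IPIP endpoint cannot see this)


def advertised(tunnels):
    """Map each BGP router to {prefix: gateway} it announces.
    A tunnel with DPD is withdrawn once the peer is dead; an IPIP tunnel
    has no such signal, so its route keeps being announced regardless."""
    table = {}
    for t in tunnels:
        believed_up = t.peer_alive if t.has_dpd else True
        if believed_up:
            table.setdefault(t.bgp_router, {})[t.prefix] = t.gateway
    return table


def blackholes(tunnels):
    """(bgp_router, prefix) pairs still announced although the tunnel is dead."""
    return sorted((t.bgp_router, t.prefix)
                  for t in tunnels if not t.peer_alive and not t.has_dpd)


def live_paths(tunnels, prefix):
    """BGP routers that announce `prefix` and can actually deliver to it."""
    routers = set()
    for r, routes in advertised(tunnels).items():
        if prefix in routes and any(t.bgp_router == r and t.prefix == prefix
                                    and t.peer_alive for t in tunnels):
            routers.add(r)
    return sorted(routers)


def scenario(has_dpd, a_alive):
    """Constructed sample: one gateway multi-homed to two advertisement points;
    the tunnel to bgp-A is down when a_alive is False (e.g. maintenance)."""
    return [Tunnel("gw-island", "bgp-A", "192.0.2.0/24", has_dpd, a_alive),
            Tunnel("gw-island", "bgp-B", "192.0.2.0/24", has_dpd, True)]
```

With DPD the dead tunnel's route is withdrawn and traffic follows bgp-B; with IPIP bgp-A keeps announcing a prefix it can no longer reach.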