On Tue, Jun 16, 2015 at 9:40 AM, Brian Kantor Brian@ucsd.edu wrote:
On Tue, Jun 16, 2015 at 09:25:01AM -0700, K7VE - John wrote:
Incidentally, we are also creating VPN tunnels to bring 'islands' into routers that have BGP capability and advertising from those routers.
So you're doing exactly what I'm proposing except that you're using modern VPN technology instead of legacy IPIP.
- Brian
Precisely. One of the problems of using IPIP for this is that there is no feature in the protocol that tells us when a remote router is unreachable. There's also no authentication or message integrity. These are common features of modern VPN protocols. (Depending on the protocol, they also traverse NAT more easily.)
Knowing reachability allows us to selectively advertise BGP routes for only reachable routers. If a gateway operator maintains VPN tunnels to multiple BGP advertisement points, one of those BGP routers can go down for maintenance for a few hours without bringing down their linked repeater system, etc. During the downtime, all traffic would route over the other VPN interface.
Eventually, I'd like to support a multitude of VPN protocols, but for now we have only implemented IPsec.
Tom KD7LXL
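
The reachability-gated advertisement discussed in this message, sketched as an added example (not part of the original message and not the posters' implementation). The probe results, the up/down thresholds, the router names `bgp-a`/`bgp-b` and the documentation prefix 192.0.2.0/24 are assumptions constructed for illustration; in practice the probe result would come from the VPN's own liveness signal.

```python
from dataclasses import dataclass

DOWN_AFTER = 3  # consecutive missed probes before a tunnel is declared dead (assumed)
UP_AFTER = 2    # consecutive good probes before it is trusted again (assumed)

@dataclass
class Tunnel:
    """One VPN tunnel between a gateway and a BGP advertisement point."""
    bgp_router: str
    prefix: str
    up: bool = False
    streak: int = 0  # consecutive probe results that disagree with `up`

    def observe(self, probe_ok):
        """Feed one liveness result; return 'announce', 'withdraw' or None."""
        if probe_ok == self.up:
            self.streak = 0
            return None
        self.streak += 1
        if self.streak < (UP_AFTER if probe_ok else DOWN_AFTER):
            return None  # not enough evidence yet, avoid route flapping
        self.up, self.streak = probe_ok, 0
        return "announce" if probe_ok else "withdraw"

def replay(tunnels, rounds):
    """Apply probe rounds ({router: ok}) and collect the resulting BGP actions."""
    log = []
    for n, results in enumerate(rounds):
        for t in tunnels:
            action = t.observe(results[t.bgp_router])
            if action:
                log.append((n, t.bgp_router, action, t.prefix))
    return log

def reachable_via(tunnels):
    """Advertisement points that currently carry the gateway's prefix."""
    return sorted(t.bgp_router for t in tunnels if t.up)

PREFIX = "192.0.2.0/24"  # constructed sample prefix (documentation range)

def demo():
    """One gateway, two advertisement points; bgp-a goes away and returns."""
    tunnels = [Tunnel("bgp-a", PREFIX), Tunnel("bgp-b", PREFIX)]
    rounds = ([{"bgp-a": True, "bgp-b": True}] * 2      # both tunnels come up
              + [{"bgp-a": False, "bgp-b": True}] * 3   # bgp-a stops answering
              + [{"bgp-a": True, "bgp-b": True}] * 2)   # bgp-a returns
    return replay(tunnels, rounds), reachable_via(tunnels)

if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

While `bgp-a` is withdrawn the prefix stays announced through `bgp-b`, which is the failover behaviour the message describes; plain IPIP offers no liveness signal to drive `observe()`.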