On Mon, Jun 17, 2013 at 7:28 AM, Bryan Fields Bryan@bryanfields.net wrote:
> I've been doing some work to get the IPIP tunnel information into a router on a daily basis, has anyone else automated this?
For "real" routers, I think a few people have tried this, with some difficulties.
If I remember right, IOS/Cisco would like you to configure a separate tunnel subinterface for each destination gateway, and with a large number of gateways (huge mesh network) at least the lower-end routers didn't quite appreciate the large amount of virtual interfaces.
On Linux we just use a single tunnel interface and a larger routing table which defines the tunnel endpoints using the next-hop attribute.
IOS or JunOS won't be able to decode the RIP updates sent by amprgw, since (1) the RIP packets simply contain destination prefixes (amprnet subnets) and the respective next-hop gateways on the other side of the internet and the routers would have to figure out somehow that those should be translated to tunnel configurations instead of simple routes in the main routing table, and (2) the RIP packets come in IPIP encapsulated and the routers are unlikely to parse them at all.
So, in any case, if tunnel configs would work, you'd need a separate unix/linux box to decode/download the amprnet tunnel routing table, convert it to your router's configuration, and push it in the router.
> I was wondering how the reachability of this from the global routing table of the public internet works, if at all. Everything I've been reading says this is all separate, but we do interconnect at a couple locations. I must admit I'm new to this, but is 44/8 intended to be totally separate a la the GRX network?
It's intended to be totally separate, but there's a single gateway in the US announcing all of 44/8 and relaying packets from the Internet to amprnet hosts which have an ampr.org DNS entry in place. Also, a few local subnets are announced locally by the gateways using BGP, after signing the TOS (http://www.ampr.org/tos.txt) and obtaining permission documents from ARDC.
Upstream amprnet->internet packets should be routed, if possible, from the local gateway directly to the Internet, but ISP anti-spoofing filters / uRPF typically prohibit it these days (which is a very good thing in the botnet/DDOS respect). Unless, of course, you've arranged a BGP peering and announcing the subnet yourself, in which case you can send packets out from that subnet.
- Hessu, OH7LZB
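The decode-and-convert step described in the reply above (take the RIP updates from amprgw, pull out the amprnet prefixes and their next-hop gateways, and turn them into per-route tunnel entries on a single Linux IPIP interface) as an added example; this is not code from the thread, from amprgw or from any existing tool. It assumes the Linux IPIP tunnel has already decapsulated the update so that the function receives the plain RIPv2 UDP payload, that the tunnel interface is named tunl0, and that only prefixes inside 44/8 should ever be installed from this feed. The sample packet, including its authentication entry and all gateway addresses, is constructed for the example.

```python
import struct
import ipaddress

# RIPv2 wire format (RFC 2453): 4-byte header followed by 20-byte entries.
RIP_HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, address, netmask, next hop, metric
RIP_RESPONSE = 2
AFI_INET = 2
AFI_AUTH = 0xFFFF                          # authentication entry, carries no route
RIP_INFINITY = 16                          # metric 16 means "unreachable"

AMPRNET = ipaddress.ip_network("44.0.0.0/8")  # the only prefixes we accept from this feed


def mask_to_prefixlen(mask_bytes):
    """Convert a dotted netmask to a prefix length, rejecting non-contiguous masks."""
    mask = int.from_bytes(mask_bytes, "big")
    plen = 32 - (mask ^ 0xFFFFFFFF).bit_length()
    if mask != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {mask:#010x}")
    return plen


def parse_rip_update(payload):
    """Return [(IPv4Network, IPv4Address next-hop), ...] from a RIPv2 response payload."""
    if len(payload) < RIP_HEADER.size:
        raise ValueError("truncated RIP header")
    command, version, _ = RIP_HEADER.unpack_from(payload, 0)
    if command != RIP_RESPONSE or version != 2:
        raise ValueError(f"not a RIPv2 response (command={command}, version={version})")
    body = payload[RIP_HEADER.size:]
    if len(body) % RIP_ENTRY.size:
        raise ValueError("RIP body is not a whole number of 20-byte entries")
    routes = []
    for off in range(0, len(body), RIP_ENTRY.size):
        afi, _tag, addr, mask, nexthop, metric = RIP_ENTRY.unpack_from(body, off)
        if afi != AFI_INET:          # skips AFI_AUTH and anything unknown
            continue
        if metric >= RIP_INFINITY:   # withdrawn route: nothing to install
            continue
        prefix = ipaddress.ip_network((addr, mask_to_prefixlen(mask)), strict=False)
        routes.append((prefix, ipaddress.IPv4Address(nexthop)))
    return routes


def routes_to_commands(routes, dev="tunl0", allowed=AMPRNET):
    """Render one 'ip route' command per route; 'onlink' is needed because the
    next hop (the remote gateway's public address) is not on the tunnel's own subnet.
    Routes outside `allowed` are dropped so a bad feed cannot steer other traffic."""
    cmds = []
    for prefix, nexthop in routes:
        if not prefix.subnet_of(allowed):
            continue
        cmds.append(f"ip route replace {prefix} via {nexthop} dev {dev} onlink")
    return cmds


def _entry(afi, tag, addr, mask, nexthop, metric):
    p = lambda s: ipaddress.IPv4Address(s).packed
    return RIP_ENTRY.pack(afi, tag, p(addr), p(mask), p(nexthop), metric)


# Constructed sample update (not a capture): one authentication entry, two usable
# routes, one withdrawn route, and one prefix outside 44/8 that must be rejected.
SAMPLE_UPDATE = (
    RIP_HEADER.pack(RIP_RESPONSE, 2, 0)
    + struct.pack("!HH16s", AFI_AUTH, 2, b"placeholder-pw")
    + _entry(AFI_INET, 0, "44.1.2.0", "255.255.255.0", "203.0.113.5", 1)
    + _entry(AFI_INET, 0, "44.3.0.0", "255.255.0.0", "198.51.100.9", 1)
    + _entry(AFI_INET, 0, "44.9.9.0", "255.255.255.0", "192.0.2.77", RIP_INFINITY)
    + _entry(AFI_INET, 0, "10.0.0.0", "255.0.0.0", "192.0.2.1", 1)
)

if __name__ == "__main__":
    for cmd in routes_to_commands(parse_rip_update(SAMPLE_UPDATE)):
        print(cmd)
```

In a real deployment the payload would come from a UDP socket bound to port 520 on the tunnel side, and the generated commands would be diffed against the current routing table rather than re-applied wholesale; the parse and conversion logic stays the same.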