On Thu, Apr 10, 2014 at 6:17 PM, Bart Kus <me(a)bartk.us> wrote:
> 2) Traffic from the Internet (non-44.0.0.0/8) to your AMPR IPs gets
> encapsulated by amprgw and is delivered to your router's IPIP endpoint IP.
> The encapsulated packet has src-IP=169.228.66.251, dst-IP=<your IPIP
> endpoint IP>, and is unencapsulated by your IPIP interface. The
> unencapsulated packets (src-IP=!44.0.0.0/8, dst-IP=<your 44net>) get routed
> according to your main routing table.
The problem here is that amprgw.sysnet.ucsd.edu doesn't route, which would
effectively mean that all traffic not going to BGP destinations would go
through UCSD. I don't think UCSD would enjoy that, as it's increased
utilization of a link, and it would also mean packets destined to, say, a
European 44net subnet would travel to UCSD first before reaching said
European 44net network - adding network traffic both ways as well as
latency, making the trip halfway around the world should the traffic
originate in the same country as the destination.
> 3) Traffic from your 44net to the Internet has src-IP=<your 44net>,
> dst-IP=<any, except valid 44nets>. It hits the ampr routing-mark mangle
> rule which in turn forces routing to look up the ampr table. After missing
> all the valid 44nets, it hits the default route in the ampr table and is
> encapsulated with src-IP=<your IPIP endpoint IP>, dst-IP=169.228.66.251.
> This packet then hits your main routing table and uses your ISP default
> gateway.
Same reasons as above but in the opposite direction.
> 4) Traffic from another AMPR GW to your AMPR GW gets IPIP encapsulated by
> the remote gateway and arrives as src-IP=<any, including 44.0.0.0/8>,
> dst-IP=<your IPIP endpoint IP>. After your IPIP interface unencapsulates
> the packet, the src-IP=44.0.0.0/8, dst-IP=<your 44net>, and it follows your
> main routing table for delivery.
Would never reach my network, as it would technically be routed to part 2
above and dropped on the floor, as you didn't specify amprgw would be
unencapsulating traffic. Same issues from above apply as well.
> 5) Traffic from your 44net to another AMPR GW has src-IP=<your 44net>,
> dst-IP=<one of the valid 44.0.0.0/8 nets>. It matches the mangle rule which
> forces it to use the ampr table. It then finds a 44net route in the ampr
> table and gets encapsulated before hitting the default route. The
> encapsulated packet has src-IP=<your IPIP endpoint IP> and dst-IP=<any,
> including 44.0.0.0/8>. It hits your main routing table and uses your ISP
> default gateway.
That's fine... but I would never receive your ACK to my SYN due to parts 4
and 2 above.
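The four cases quoted above can be traced mechanically. What follows is an added example, not code from the original message or from anything AMPR ships: a small Python model of a router with a main table and an ampr table that is selected by a mangle mark on packets sourced from the local 44net. Only amprgw's address, 169.228.66.251, is taken from the message; the endpoint 203.0.113.10, the 44.44.44.0/24 network, the ISP gateway 203.0.113.1 and the two 44net entries in the ampr table are constructed stand-ins.

```python
"""Model of the two-table policy routing (main + ampr) that the quoted
message walks through in cases 2-5.

Added example, not from the original message or from AMPR's own software.
Only amprgw's address (169.228.66.251) comes from the message; our endpoint,
our 44net, the ISP gateway and the entries in the ampr table are constructed.
"""
from ipaddress import IPv4Address, ip_address, ip_network

AMPRGW = ip_address("169.228.66.251")        # amprgw.sysnet.ucsd.edu, from the message
MY_ENDPOINT = ip_address("203.0.113.10")     # constructed: our public IPIP endpoint
MY_44NET = ip_network("44.44.44.0/24")       # constructed: our own 44net
ISP_GW = ip_address("203.0.113.1")           # constructed: main-table default gateway

# Constructed ampr table: specific 44nets via the other gateways' IPIP
# endpoints, then a default route that sends everything else to amprgw.
AMPR_TABLE = [
    (ip_network("44.10.0.0/16"), ip_address("198.51.100.7")),
    (ip_network("44.130.5.0/24"), ip_address("192.0.2.200")),
    (ip_network("0.0.0.0/0"), AMPRGW),
]


def lookup(table, dst: IPv4Address):
    """Longest-prefix match. The 0.0.0.0/0 default only wins when no 44net matches."""
    best = None
    for net, gw in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def route_egress(src: str, dst: str):
    """A packet leaving through our router (cases 3 and 5).

    Returns (verdict, outer_src, outer_dst) as strings. The mangle rule marks
    only packets sourced from our own 44net; everything else takes the main
    table and leaves the ISP link unencapsulated.
    """
    s, d = ip_address(src), ip_address(dst)
    if s not in MY_44NET:
        return ("main-via-isp", str(s), str(ISP_GW))
    gw = lookup(AMPR_TABLE, d)
    if gw is None:
        return ("drop", None, None)
    # The outer header is sourced from our ISP address, not from 44net, so it
    # does not re-match the mangle rule: it follows the main table to the ISP.
    return ("ipip-via-isp", str(MY_ENDPOINT), str(gw))


def route_ingress(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str):
    """An IPIP packet arriving on our ISP link (cases 2 and 4).

    Returns (verdict, inner_src, inner_dst). The inner source may be anything,
    44net or not; after decapsulation the inner packet is routed in the main
    table, which delivers it locally only if it is addressed to our 44net.
    """
    if ip_address(outer_dst) != MY_ENDPOINT:
        return ("not-for-us", None, None)
    i_src, i_dst = ip_address(inner_src), ip_address(inner_dst)
    if i_dst in MY_44NET:
        return ("deliver", str(i_src), str(i_dst))
    # Not ours: the main table would forward it out again, unencapsulated.
    return ("forward-main", str(i_src), str(i_dst))


def which_gateway_carries(dst: str) -> str:
    """Which IPIP endpoint our ampr table tunnels a given destination to."""
    gw = lookup(AMPR_TABLE, ip_address(dst))
    return str(gw) if gw is not None else "none"


if __name__ == "__main__":
    for src, dst in [("44.44.44.5", "8.8.8.8"),      # case 3: Internet dst -> amprgw
                     ("44.44.44.5", "44.10.1.1"),    # case 5: known 44net -> that GW
                     ("44.44.44.5", "44.99.0.1")]:   # 44net missing from the table -> amprgw
        print(src, "->", dst, route_egress(src, dst))
```

Running the egress cases makes the point raised in the replies concrete: any 44net destination that is absent from the ampr table, like 44.99.0.1 here, falls through to the 0.0.0.0/0 entry and is tunnelled to amprgw exactly like Internet traffic, so the completeness of that table is what decides how much traffic crosses the UCSD link.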