On Thu, Apr 10, 2014 at 6:17 PM, Bart Kus me@bartk.us wrote:
> - Traffic from the Internet (non-44.0.0.0/8) to your AMPR IPs gets
> encapsulated by amprgw and is delivered to your router's IPIP endpoint IP.
> src-IP=169.228.66.251, dst-IP=<your IPIP endpoint IP>, and is unencapsulated
> by your IPIP interface. The unencapsulated packets src-IP=!44.0.0.0/8
> dst-IP=<your 44net> get routed according to your main routing table.
The problem here is that amprgw.sysnet.ucsd.edu doesn't route, and this would effectively mean that all traffic not going to BGP destinations would go through UCSD, which I don't think UCSD would enjoy, as it increases utilization of a link. It would also mean packets destined to, say, a European 44net subnet would travel to UCSD first before reaching said European 44net network, increasing network traffic both ways as well as increasing latency by making the trip halfway around the world should the traffic originate in the same country as the destination.
> - Traffic from your 44net to the Internet has src-IP=<your 44net>
> dst-IP=<any, except valid 44nets>. It hits the ampr routing-mark mangle rule
> which in turn forces routing to look up the ampr table. After missing all the
> valid 44nets, it hits the default route in the ampr table and is encapsulated
> with src-IP=<your IPIP endpoint IP>, dst-IP=169.228.66.251. This packet then
> hits your main routing table and uses your ISP default gateway.
Same reasons as above, but in the opposite direction.
> - Traffic from another AMPR GW to your AMPR GW gets IPIP encapsulated by
> the remote gateway and arrives as src-IP=<any, including 44.0.0.0/8>
> dst-IP=<your IPIP endpoint IP>. After your IPIP interface unencapsulates the
> packet, the src-IP=44.0.0.0/8 dst-IP=<your 44net>, and it follows your main
> routing table for delivery.
This would never reach my network, as it would technically be routed as in part 2 above and dropped on the floor, since you didn't specify that amprgw would be unencapsulating traffic. The same issues from above apply as well.
> - Traffic from your 44net to another AMPR GW has src-IP=<your 44net>
> dst-IP=<one of the valid 44.0.0.0/8 nets>, matches the mangle rule which
> forces it to use the ampr table. It then finds a 44net route in the ampr table
> and gets encapsulated before hitting the default route. The encapsulated
> packet has src-IP=<your IPIP endpoint IP> and dst-IP=<any, including
> 44.0.0.0/8>. It hits your main routing table and uses your ISP default gateway.
That's fine... but I would never receive your ACK to my SYN due to parts 4 and 2 above.
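The four traffic classes quoted above, as an added example that is not part of the original thread: a small Python simulation of the policy-routing setup Bart describes (a mangle rule marking packets sourced from the local 44net so they are looked up in an "ampr" table, per-subnet IPIP routes in that table plus a default route to amprgw, and IPIP decapsulation followed by a main-table lookup on the way in). Only the 44.0.0.0/8 prefix and amprgw's address 169.228.66.251 come from the post; the local 44net, tunnel endpoint, ISP gateway and remote gateway addresses are constructed for illustration.

```python
"""Policy-routing simulation of the IPIP setup discussed in the thread.

Added example, not code from the original mailing-list post. Two routing
tables (main and ampr), a source-based mangle mark, and an IPIP wrap/unwrap
step are modelled so that each of the four traffic classes in the thread can
be traced. All addresses except 44.0.0.0/8 and amprgw are assumptions.
"""
from ipaddress import ip_address, ip_network

# From the post: the AMPR address space and the UCSD gateway that
# encapsulates Internet-sourced traffic toward 44net hosts.
AMPR_NET = ip_network("44.0.0.0/8")
AMPRGW = ip_address("169.228.66.251")

# Constructed local configuration (assumptions, not from the post).
MY_44NET = ip_network("44.10.20.0/24")      # our AMPR allocation
MY_ENDPOINT = ip_address("203.0.113.7")     # public IP terminating our IPIP tunnel
ISP_GW = ip_address("203.0.113.1")          # ISP default gateway

# Routes are (prefix, action, next_hop). Actions: "lan" deliver locally,
# "via" plain forward to a gateway, "ipip" encapsulate toward an endpoint.
MAIN_TABLE = [
    (MY_44NET, "lan", None),
    (ip_network("0.0.0.0/0"), "via", ISP_GW),
]
# Constructed "ampr" table: one known remote AMPR gateway, plus the default
# route that the post says sends everything else to amprgw.
AMPR_TABLE = [
    (ip_network("44.20.30.0/24"), "ipip", ip_address("198.51.100.9")),  # assumed remote GW
    (ip_network("0.0.0.0/0"), "ipip", AMPRGW),
]


def lookup(table, dst):
    """Longest-prefix match, as the kernel does; None if no route covers dst."""
    matches = [r for r in table if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def mangle_mark(src):
    """The mangle rule: packets sourced from our 44net get the 'ampr' mark."""
    return "ampr" if src in MY_44NET else None


def route_egress(src, dst):
    """Route a packet leaving our router toward the Internet or a tunnel.

    Returns (path, outer_src, outer_dst). For "ipip" the addresses are those of
    the outer header; the outer packet itself is then routed by the main table.
    """
    src, dst = ip_address(src), ip_address(dst)
    table = AMPR_TABLE if mangle_mark(src) == "ampr" else MAIN_TABLE
    route = lookup(table, dst)
    if route is None:
        return ("drop", None, None)
    _, action, next_hop = route
    if action == "lan":
        return ("lan", src, dst)
    if action == "via":
        return ("isp", src, dst)
    # IPIP: wrap the packet and route the outer header through the main table,
    # which in this configuration always means the ISP default gateway.
    outer = lookup(MAIN_TABLE, next_hop)
    assert outer is not None and outer[1] == "via"
    return ("ipip", MY_ENDPOINT, next_hop)


def route_ingress(outer_src, outer_dst, inner_src, inner_dst):
    """Handle an IPIP packet arriving on the Internet-facing side.

    Only packets addressed to our tunnel endpoint are decapsulated; the inner
    packet is then delivered by the main table and is not re-marked.
    """
    if ip_address(outer_dst) != MY_ENDPOINT:
        return ("not-for-us", None, None)
    route = lookup(MAIN_TABLE, ip_address(inner_dst))
    if route is None:
        return ("drop", None, None)
    return (route[1], ip_address(inner_src), ip_address(inner_dst))


if __name__ == "__main__":
    # The four classes from the thread, with constructed endpoint addresses.
    print("1 Internet -> my 44net :", route_ingress(AMPRGW, MY_ENDPOINT, "192.0.2.50", "44.10.20.5"))
    print("2 my 44net -> Internet :", route_egress("44.10.20.5", "192.0.2.50"))
    print("3 other GW -> my 44net :", route_ingress("198.51.100.9", MY_ENDPOINT, "44.20.30.1", "44.10.20.5"))
    print("4 my 44net -> other GW :", route_egress("44.10.20.5", "44.20.30.1"))
```

Tracing class 2 shows the point the reply is making: a packet from the local 44net to any non-44 destination is wrapped with dst-IP=169.228.66.251 and leaves via the ISP gateway, so it hairpins through amprgw rather than going out directly.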