On Mon, 15 Jul 2013, Heikki Hannikainen wrote:
> But but... I think they absolutely must stay in encap.txt even if a
> BGP announcement is in place!
> If they're removed, most other traditional amprnet sites, which are
> not announcing their own network using BGP, cannot send packets to the
> BGP sites due to source address filtering (spoof protection). Most
> gateways these days must send out all 44-to-44 traffic encapsulated
> because they're only allowed to transmit out packets with their
> gateway's public address as the source address of the outer IP packet.
Existence of a route in the encap file implies there is a tunnel
established at the other end willing to accept the encapsulated traffic.
The sites doing BGP may or may not be doing that. If the latter, then
you're just sending traffic to a black hole.
Most gateways don't have visibility into the core routing tables. As you
already mentioned, due to upstream service providers doing uRPF filtering,
44-to-any traffic must be tunneled through a gateway. For the non-encap
net-44 destinations that means tunnelling through the UCSD gateway. You
will need to set up a default (not just net-44) encap route pointing to
UCSD but apply it only to traffic sourced from net-44 hosts, i.e. policy
routing for net-44.
Antonio Querubin
e-mail: tony(a)lavanauts.org
xmpp: antonioquerubin(a)gmail.com
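The policy-routing setup Antonio describes (a separate routing table holding the per-site encap routes plus a catch-all default toward the UCSD gateway, consulted only for packets sourced from net-44), as an added example that is not part of the thread and not code from any AMPRnet project. It assumes a Linux gateway using the multipoint `tunl0` ipip device, where the `via` address of a route is used as the outer tunnel endpoint, and it emits `ip` commands rather than running them so it can be reviewed first. The table number 44, the `UCSD_GW` and `LOCAL_NET` addresses, and the two encap.txt entries are placeholders/constructed values; the encap.txt line layout (`route addprivate NET/LEN encap GW`) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): generate iproute2 commands for
# net-44 policy routing on a Linux AMPRnet gateway.
#
# Assumptions/placeholders (not from the original message):
ENCAP_TABLE="${ENCAP_TABLE:-44}"          # routing table used only for net-44 sourced traffic
UCSD_GW="${UCSD_GW:-192.0.2.1}"           # placeholder for the UCSD gateway's public address
TUNNEL_DEV="${TUNNEL_DEV:-tunl0}"         # multipoint ipip device: route "via" = outer endpoint
LOCAL_NET="${LOCAL_NET:-44.99.99.0/24}"   # placeholder for this site's own net-44 subnet

# Constructed sample encap.txt entries (placeholder subnets and endpoints).
SAMPLE_ENCAP='# comment lines are ignored
route addprivate 44.10.20.0/24 encap 198.51.100.7
route addprivate 44.30.0.0/16 encap 203.0.113.9'

# Read encap.txt-style lines on stdin and print the commands that:
#   1. keep traffic to the local subnet on the main table (so it is not tunnelled),
#   2. send everything sourced from 44/8 to the encap table,
#   3. install one tunnel route per encap.txt entry in that table,
#   4. add a default route in that table toward UCSD for non-encap destinations.
# Non-44 sourced traffic never consults the encap table, which is the point of
# policy routing here: a plain default route would drag all traffic into the tunnel.
policy_routes() {
    printf 'ip rule add to %s lookup main pref 100\n' "$LOCAL_NET"
    printf 'ip rule add from 44.0.0.0/8 lookup %s pref 200\n' "$ENCAP_TABLE"
    while read -r cmd kind net encap gw; do
        [ "$cmd" = "route" ] || continue          # skip comments and blank lines
        [ "$encap" = "encap" ] || continue        # only encap entries are tunnel routes
        printf 'ip route add %s via %s dev %s onlink table %s\n' \
            "$net" "$gw" "$TUNNEL_DEV" "$ENCAP_TABLE"
    done
    # Catch-all for net-44 destinations with no encap route (e.g. BGP-announced sites).
    printf 'ip route add default via %s dev %s onlink table %s\n' \
        "$UCSD_GW" "$TUNNEL_DEV" "$ENCAP_TABLE"
}

# Stand-alone run: show the commands for the constructed sample file.
printf '%s\n' "$SAMPLE_ENCAP" | policy_routes
```

To apply on a real gateway, feed the actual file (`policy_routes < encap.txt | sh` as root) after setting `UCSD_GW` and `LOCAL_NET` for the site. The `to LOCAL_NET lookup main` rule is evaluated first so that packets between local net-44 hosts are delivered on the LAN rather than pushed into the tunnel by the catch-all default.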