The idea here is to support IPIP and BGP concurrently while preferring IPIP. Additionally we also run BGP over other tunnel protocols (GRE, SSTP, etc.) with more specific preferences depending on the agreement between the Ops. AFAICT this setup is the only way which allows both the IPIP-only and the BGP-only sites to reach our networks.
vy 73 de Marc, LX1DUC
I agree, that is the way it works best. We do that here as well, however now we just have a single routing table where routes of different origin are stored at a different metric, so there is no fixed priority between protocols anymore. The first decision is always made on subnet size (smaller subnet has preference), the metric only comes into play when for some reason there are routes over two different protocols for the same subnet, and then the metric decides what path to take (e.g. there is both an IPIP tunnel and a route announced with internal BGP on HAMNET). Normally these are error conditions.
The difference between those methods becomes important when e.g. a /20 subnet is IPIP tunneled and out of that a /28 subnet is routed another way, e.g. over a GRE tunnel. This works without problem for us now.
(on systems that are both on the normal internet and on the IPIP mesh reachable from the entire internet, with source address filtering at the provider, I normally have at least two different routing tables and policy routing, but on a directly routed system this is not required)
Rob
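
The selection order described in the message above (most specific subnet first, metric only as a tie-breaker between origins for the same subnet), sketched as an added example that is not part of either message or of anyone's router configuration. The prefixes, interface names and per-origin metric values are constructed assumptions, including the choice to give IPIP the lowest metric.

```python
import ipaddress
from dataclasses import dataclass

# Assumed per-origin metrics (not from the thread); lower wins on a tie.
METRIC = {"ipip": 10, "gre": 20, "ibgp": 30}

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin: str   # protocol the route was learned from
    via: str      # outgoing interface (constructed names)
    metric: int

def route(prefix, origin, via):
    return Route(ipaddress.ip_network(prefix), origin, via, METRIC[origin])

def lookup(table, dst):
    """Single-table lookup: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))

def conflicts(table):
    """Subnets present with more than one origin, i.e. the cases the
    message calls error conditions and that are worth alerting on."""
    seen = {}
    for r in table:
        seen.setdefault(r.prefix, set()).add(r.origin)
    return {str(p): sorted(o) for p, o in seen.items() if len(o) > 1}

# Constructed sample table: a /20 over IPIP with a /28 carved out over GRE,
# plus one subnet announced twice (IPIP tunnel and internal BGP).
TABLE = [
    route("10.20.0.0/20", "ipip", "tunl0"),
    route("10.20.3.16/28", "gre", "gre1"),
    route("10.30.0.0/24", "ipip", "tunl0"),
    route("10.30.0.0/24", "ibgp", "eth1"),
]

if __name__ == "__main__":
    for dst in ("10.20.3.20", "10.20.3.40", "10.30.0.5", "192.0.2.1"):
        r = lookup(TABLE, dst)
        print(dst, "->", f"{r.prefix} via {r.via} ({r.origin})" if r else "no route")
    print("duplicate origins:", conflicts(TABLE))
```

With a fixed per-protocol priority instead, the IPIP /20 would capture traffic for the /28 as well; the single table with prefix length as the first key is what lets the carve-out work.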