\documentstyle[12pt,twoside]{article}
\def\TITLE{Tunnels over IP}
\input preamble
\begin{center}
\Large\bf Tunnels over IP in Linux-2.2
\end{center}


\begin{center}
{ \large Alexey~N.~Kuznetsov } \\
\em Institute for Nuclear Research, Moscow \\
\verb|kuznet@ms2.inr.ac.ru| \\
\rm March 17, 1999
\end{center}

\vspace{5mm}

\tableofcontents


\section{Instead of introduction: micro-FAQ.}

\begin{itemize}

\item
Q: In
linux-2.0.36 I used:
\begin{verbatim}
  ifconfig tunl1 10.0.0.1 pointopoint 193.233.7.65
\end{verbatim}
to create a tunnel. It does not work in 2.2.0!

A: You are right, it does not work. The command written above is split into two commands.
\begin{verbatim}
  ip tunnel add MY-TUNNEL mode ipip remote 193.233.7.65
\end{verbatim}
will create a tunnel device with the name \verb|MY-TUNNEL|. Now you may configure
it with:
\begin{verbatim}
  ifconfig MY-TUNNEL 10.0.0.1
\end{verbatim}
Certainly, if you prefer the name \verb|tunl1| to \verb|MY-TUNNEL|,
you may still use it.

\item
Q: In linux-2.0.36 I used:
\begin{verbatim}
  ifconfig tunl0 10.0.0.1
  route add -net 10.0.0.0 gw 193.233.7.65 dev tunl0
\end{verbatim}
to tunnel net 10.0.0.0 via router 193.233.7.65. It does not
work in 2.2.0! Moreover, \verb|route| prints a funny error of the sort
``network unreachable'', and after this I found a strange direct route
to 10.0.0.0 via \verb|tunl0| in the routing table.

A: Yes, in 2.2 the rule that a {\em normal} gateway must reside on a directly
connected network has no exceptions.
You may tell the kernel that
this particular route is {\em abnormal}:
\begin{verbatim}
  ifconfig tunl0 10.0.0.1 netmask 255.255.255.255
  ip route add 10.0.0.0/8 via 193.233.7.65 dev tunl0 onlink
\end{verbatim}
Note the keyword \verb|onlink|: it is the magic key that orders the kernel
not to check the gateway address for consistency.
Probably, after this explanation you have already guessed another method
to cheat the kernel:
\begin{verbatim}
  ifconfig tunl0 10.0.0.1 netmask 255.255.255.255
  route add -host 193.233.7.65 dev tunl0
  route add -net 10.0.0.0 netmask 255.0.0.0 gw 193.233.7.65
  route del -host 193.233.7.65 dev tunl0
\end{verbatim}
Well, if you like such tricks, nobody may prohibit you from using them.
Only do not forget
that between \verb|route add| and \verb|route del| host 193.233.7.65 is
unreachable: the temporary host route sends packets for it into the tunnel itself.

\item
Q: In 2.0.36 I used to load the \verb|tunnel| device module and the \verb|ipip| module.
I cannot find any \verb|tunnel| in 2.2!

A: Linux-2.2 has a single module \verb|ipip| for both directions of tunneling
and for all IPIP tunnel devices.

\item
Q: \verb|traceroute| does not work over the tunnel! Well, stop... It works,
 only it skips some number of hops.

A: Yes. By default the tunnel driver copies the \verb|ttl| value from the
inner packet to the outer one. It means that the path traversed by tunneled
packets to the other endpoint is not hidden.
If you dislike this, or if you
are going to use some routing protocol expecting that packets
with ttl 1 will reach the peering host (f.e.\ RIP, OSPF or EBGP)
and you are not afraid of
tunnel loops, you may append the option \verb|ttl 64| when creating the tunnel
with \verb|ip tunnel add|. With the inherited ttl, every re-encapsulation copies
an already decremented value, so a packet caught in a tunnel loop eventually dies;
a fixed ttl gives it a fresh lifetime at each encapsulation.

\item
Q: ... Well, the list of things which 2.0 was able to do finishes here.

\end{itemize}

\paragraph{Summary of differences between 2.2 and 2.0.}

\begin{itemize}

\item {\bf In 2.0} you could compile the tunnel device into the kernel
  and get a set of 4 devices \verb|tunl0| ... \verb|tunl3| or,
  alternatively, compile it as a module and load a new module
  for each new tunnel. Also, the module \verb|ipip| was necessary
  to receive tunneled packets.

  {\bf 2.2} has {\em one\/} module \verb|ipip|. Loading it you get the base
  tunnel device \verb|tunl0|, and further tunnels may be created with the command
  \verb|ip tunnel add|. These new devices may have arbitrary names.


\item {\bf In 2.0} you set the remote tunnel endpoint address with
  the command \verb|ifconfig| ... \verb|pointopoint A|.

  {\bf In 2.2} this command has the same semantics on all
  interfaces, namely it sets not the tunnel endpoint,
  but the address of the peering host, which is directly reachable
  via this tunnel,
  rather than via the Internet. The actual tunnel endpoint address \verb|A|
  should be set with \verb|ip tunnel add ... remote A|.

\item {\bf In 2.0} you create tunnel routes with the command:
\begin{verbatim}
  route add -net 10.0.0.0 gw A dev tunl0
\end{verbatim}

  {\bf 2.2} interprets this command equally for all device
  kinds, and the gateway is required to be directly reachable via this tunnel,
  rather than via the Internet. You may still use \verb|ip route add ... onlink|
  to override this behaviour.

\end{itemize}


\section{Tunnel setup: basics}

The standard Linux-2.2 kernel supports three flavors of tunnels,
listed in the following table:
\vspace{2mm}

\begin{tabular}{lll}
\vrule depth 0.8ex width 0pt\relax
Mode & Description & Base device \\
ipip & IP over IP & tunl0 \\
sit & IPv6 over IP & sit0 \\
gre & ANY over GRE over IP & gre0
\end{tabular}

\vspace{2mm}

\noindent All kinds of tunnels are created with one command:
\begin{verbatim}
  ip tunnel add <NAME> mode <MODE> [ local <S> ] [ remote <D> ]
\end{verbatim}

This command creates a new tunnel device with the name \verb|<NAME>|.
The \verb|<NAME>| is an arbitrary string. In particular,
it may even be \verb|eth0|. The rest of the parameters set
different tunnel characteristics.

\begin{itemize}

\item
\verb|mode <MODE>| sets the tunnel mode.
Three modes are available now:
  \verb|ipip|, \verb|sit| and \verb|gre|.

\item
\verb|remote <D>| sets the remote endpoint of the tunnel to IP
  address \verb|<D>|.
\item
\verb|local <S>| sets a fixed local address for tunneled
  packets. It must be an address on another interface of this host.

\end{itemize}

\let\thefootnote\oldthefootnote

Both \verb|remote| and \verb|local| may be omitted. In this case we
say that they are zero or wildcard. Two tunnels of one mode cannot
have the same \verb|remote| and \verb|local|.
In particular, it means
that the base device, or fallback tunnel, cannot be replicated.\footnote{
This restriction is relaxed for keyed GRE tunnels.}

Tunnels are divided into two classes: {\bf pointopoint} tunnels, which
have some non-wildcard \verb|remote| address and deliver all packets
to this destination, and {\bf NBMA} (i.e.\ Non-Broadcast Multi-Access) tunnels,
which have no \verb|remote|. In particular, base devices (f.e.\ \verb|tunl0|)
are NBMA, because they have neither \verb|remote| nor
\verb|local| addresses.


After the tunnel device is created, you should configure it as you would
any other device. Certainly, the configuration of tunnels has
some features related to the fact that they work over the existing Internet
routing infrastructure and simultaneously create new virtual links,
which change this infrastructure.
The danger that a not careful enough
tunnel setup will result in the formation of tunnel loops,
collapse of routing, or flooding of the network with an exponentially
growing number of tunneled fragments is very real.


Protocol setup on pointopoint tunnels does not differ from the configuration
of other devices. You should set a protocol address with \verb|ifconfig|
and add routes with the \verb|route| utility.

NBMA tunnels are different. To route something via an NBMA tunnel
you have to explain to the driver where it should deliver packets to.
The only way to do it is to create special routes with the gateway
address pointing to the desired endpoint.
F.e.\
\begin{verbatim}
  ip route add 10.0.0.0/24 via <A> dev tunl0 onlink
\end{verbatim}
It is important to use the option \verb|onlink|, otherwise the
kernel will refuse the request to create a route via a gateway not directly
reachable over device \verb|tunl0|. With IPv6 the situation is much simpler:
when you start device \verb|sit0|, it automatically configures itself
with all IPv4 addresses mapped to IPv6 space, so that the whole IPv4
Internet is {\em really reachable} via \verb|sit0|! Excellent, the command
\begin{verbatim}
  ip route add 3FFE::/16 via ::193.233.7.65 dev sit0
\end{verbatim}
will route \verb|3FFE::/16| via \verb|sit0|, sending all packets
destined to this prefix to 193.233.7.65. Keep in mind that an \verb|UP|
\verb|sit0| is the catch-all for IPv6-over-IPv4 packets from any source,
just as \verb|tunl0| is for IPIP, so it deserves the same firewall and
reverse path precautions.

\section{Tunnel setup: options}

The command \verb|ip tunnel add| has several additional options.
\begin{itemize}

\item \verb|ttl N| --- set a fixed TTL \verb|N| on tunneled packets.
  \verb|N| is a number in the range 1--255. 0 is a special value,
  meaning that packets inherit the TTL value.
  The default value is: \verb|inherit|.

\item \verb|tos T| --- set a fixed tos \verb|T| on tunneled packets.
  The default value is: \verb|inherit|.

\item \verb|dev DEV| --- bind the tunnel to device \verb|DEV|, so that
  tunneled packets will be routed only via this device and will
  not be able to escape to another device when the route to the endpoint changes.

\item \verb|nopmtudisc| --- disable Path MTU Discovery on this tunnel.
  It is enabled by default. Note that a fixed ttl is incompatible
  with this option: tunnels with a fixed ttl always make pmtu discovery.

\end{itemize}

\verb|ipip| and \verb|sit| tunnels have no more options. \verb|gre|
tunnels are more complicated:

\begin{itemize}

\item \verb|key K| --- use keyed GRE with key \verb|K|. \verb|K| is
  either a number or an IP address-like dotted quad. The key travels in
  clear text in the GRE header and only selects the tunnel on the receiving
  side; it is not an authentication secret.

\item \verb|csum| --- checksum tunneled packets.

\item \verb|seq| --- serialize packets.
\begin{NB}
  I think this option does not
  work. At least, I did not test it, did not debug it and
  do not even understand how it is supposed to work and for what
  purpose Cisco planned to use it.
\end{NB}

\end{itemize}


Actually, these GRE options can be set separately for the input and
output directions by prefixing the corresponding keywords with the letter
\verb|i| or \verb|o|. F.e.\ \verb|icsum| orders to accept only
packets with a correct checksum, and \verb|ocsum| means that
our host will calculate and send the checksum.

The command \verb|ip tunnel add| is not the only operation
which can be performed on tunnels.
Certainly, you may get a short help page
with:
\begin{verbatim}
  ip tunnel help
\end{verbatim}

Besides that, you may view the list of installed tunnels with the command:
\begin{verbatim}
  ip tunnel ls
\end{verbatim}
Also you may look at statistics:
\begin{verbatim}
  ip -s tunnel ls Cisco
\end{verbatim}
where \verb|Cisco| is the name of a tunnel device. The command
\begin{verbatim}
  ip tunnel del Cisco
\end{verbatim}
destroys tunnel \verb|Cisco|. And, finally,
\begin{verbatim}
  ip tunnel change Cisco mode sit local ME remote HE ttl 32
\end{verbatim}
changes its parameters.
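The GRE options of the previous section (\verb|key|, \verb|csum|, \verb|seq| and their
\verb|i|/\verb|o| variants) are easiest to understand from the header fields they
control. The following Python model is an added example, not code from the original
document or from the kernel: it builds GRE headers the way a tunnel configured with
\verb|okey|/\verb|ocsum|/\verb|oseq| would, and applies the receive-side checks of
\verb|ikey|/\verb|icsum|/\verb|iseq| (a packet carrying a checksum is verified,
a missing checksum or key is rejected when required, and a sequence number older
than the last accepted one is dropped). The key value, the inner packet and the
tunnel name are constructed for the demonstration.

```python
"""GRE header construction and receive-side validation.

Added example, not code from the original document or the kernel: a pure
Python model of what a Linux GRE tunnel does with okey/ocsum/oseq when
sending and with ikey/icsum/iseq when receiving.  The payload, key and
tunnel below are constructed for the demonstration.
"""
import struct
from typing import Optional

GRE_CSUM = 0x8000  # C bit: 16-bit checksum + 16-bit reserved field follow
GRE_KEY = 0x2000   # K bit: 32-bit key follows
GRE_SEQ = 0x1000   # S bit: 32-bit sequence number follows
ETH_P_IP = 0x0800  # protocol type of an IPv4 payload


class GreError(ValueError):
    """Raised where the kernel would drop the packet and count an rx error."""


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; GRE takes it over header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encap(payload: bytes, proto: int = ETH_P_IP, key: Optional[int] = None,
              seq: Optional[int] = None, csum: bool = False) -> bytes:
    """Prepend a GRE header (RFC 2784/2890 layout): key is okey, seq is oseq,
    csum is ocsum.  The checksum is computed with its own field set to zero."""
    flags = ((GRE_CSUM if csum else 0) | (GRE_KEY if key is not None else 0)
             | (GRE_SEQ if seq is not None else 0))
    opt = b"".join(struct.pack("!I", v & 0xFFFFFFFF) for v in (key, seq) if v is not None)
    base = struct.pack("!HH", flags, proto)
    if not csum:
        return base + opt + payload
    c = inet_checksum(base + struct.pack("!HH", 0, 0) + opt + payload)
    return base + struct.pack("!HH", c, 0) + opt + payload


def gre_parse(packet: bytes):
    """Return (flags, proto, key, seq, payload).  A packet carrying a checksum
    is verified whether or not the receiving tunnel asked for icsum."""
    if len(packet) < 4:
        raise GreError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise GreError("unsupported GRE version")
    if len(packet) < 4 + sum(4 for bit in (GRE_CSUM, GRE_KEY, GRE_SEQ) if flags & bit):
        raise GreError("truncated GRE options")
    if flags & GRE_CSUM and inet_checksum(packet) != 0:  # an intact packet folds to zero
        raise GreError("bad GRE checksum")
    off, key, seq = 4 + (4 if flags & GRE_CSUM else 0), None, None
    if flags & GRE_KEY:
        key, off = struct.unpack("!I", packet[off:off + 4])[0], off + 4
    if flags & GRE_SEQ:
        seq, off = struct.unpack("!I", packet[off:off + 4])[0], off + 4
    return flags, proto, key, seq, packet[off:]


class GreTunnel:
    """Receive-side policy of one tunnel: ikey K, icsum, iseq."""

    def __init__(self, ikey: Optional[int] = None, icsum: bool = False, iseq: bool = False):
        self.ikey, self.icsum, self.iseq = ikey, icsum, iseq
        self.i_seqno: Optional[int] = None  # next sequence number we expect

    def receive(self, packet: bytes):
        flags, proto, key, seq, payload = gre_parse(packet)
        if key != self.ikey:  # the key only demultiplexes tunnels; it is not a secret
            raise GreError("key mismatch")
        if self.icsum and not (flags & GRE_CSUM):
            raise GreError("icsum: checksum required but absent")
        if self.iseq:
            if seq is None:
                raise GreError("iseq: sequence number required but absent")
            if self.i_seqno is not None and ((seq - self.i_seqno) & 0xFFFFFFFF) >= 0x80000000:
                raise GreError("iseq: older than the last accepted packet")  # reorder/replay
            self.i_seqno = (seq + 1) & 0xFFFFFFFF
        return proto, payload


def dropped(tunnel: GreTunnel, packet: bytes) -> bool:
    """True if the tunnel would discard the packet."""
    try:
        tunnel.receive(packet)
        return False
    except GreError:
        return True


def demo() -> dict:
    """Tunnel as if created by `ip tunnel add t1 mode gre ... ikey 10.10.10.1 icsum iseq`."""
    key = 0x0A0A0A01  # the dotted quad 10.10.10.1 as a 32-bit key
    inner = bytes([0x45, 0x00, 0x00, 0x28]) + bytes(36)  # constructed 40-byte inner packet
    t = GreTunnel(ikey=key, icsum=True, iseq=True)
    good = gre_encap(inner, key=key, seq=1, csum=True)
    corrupt = bytearray(good)
    corrupt[-1] ^= 0x01  # one flipped payload bit
    return {
        "accepted": t.receive(good) == (ETH_P_IP, inner),
        "bad_csum_dropped": dropped(t, bytes(corrupt)),
        "replay_dropped": dropped(t, good),  # seq 1 presented again
        "wrong_key_dropped": dropped(t, gre_encap(inner, key=7, seq=2, csum=True)),
        "no_csum_dropped": dropped(t, gre_encap(inner, key=key, seq=2)),
        "next_accepted": t.receive(gre_encap(inner, key=key, seq=2, csum=True))[1] == inner,
    }
```

Calling \verb|demo()| returns \verb|True| for every case. Two points of the model matter for a
deployment: the key and checksum are plain-text integrity aids against misdelivery and
corruption, not protection against a deliberate sender, and the sequence check only rejects
packets older than the last accepted one, so it is an ordering rule, not a cryptographic
anti-replay mechanism.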

\section{Differences 2.2 and 2.0 tunnels revisited.}

Now we can discuss more subtle differences between tunneling in 2.0
and 2.2.

\begin{itemize}

\item In 2.0 all tunneled packets were received promiscuously
as soon as you loaded the module \verb|ipip|. 2.2 tries to select the best
tunnel device, and the packet looks as if received on this device.
F.e.\ if the host
received an \verb|ipip| packet from host \verb|D| destined to our
local address \verb|S|, the kernel searches for matching tunnels
in this order:

\begin{tabular}{ll}
1 & \verb|remote| is \verb|D| and \verb|local| is \verb|S| \\
2 & \verb|remote| is \verb|D| and \verb|local| is wildcard \\
3 & \verb|remote| is wildcard and \verb|local| is \verb|S| \\
4 & \verb|tunl0|
\end{tabular}

If a tunnel exists but is not in the \verb|UP| state, the tunnel is ignored.
Note that if \verb|tunl0| is \verb|UP|, it receives all IPIP packets
not acknowledged by more specific tunnels.
Be careful: it means that, without carefully installed firewall rules,
anyone on the Internet may inject into your network any packets with
source addresses indistinguishable from local ones, simply by wrapping them
in IPIP (IP protocol 4) addressed to one of your host's addresses.
It is not such a bad idea
to design tunnels in a way that enforces maximal route symmetry
and to enable the reverse path filter (\verb|rp_filter| sysctl option) on
tunnel devices. The reverse path check is applied to the decapsulated packet,
so it helps only when the route back to the inner source really points into
the tunnel, and it says nothing about the outer source: IPIP packets from
unexpected endpoints still have to be filtered on the underlying interface.
If you need no NBMA tunnel at all, leave \verb|tunl0| \verb|DOWN| and the
catch-all disappears.

\item In 2.2 you can monitor and debug tunnels with \verb|tcpdump|.
F.e.\ \verb|tcpdump| \verb|-i Cisco| \verb|-nvv| will dump the packets
which the kernel sends via tunnel \verb|Cisco| and the packets received on it,
from the kernel viewpoint.

\end{itemize}


\section{Linux and Cisco IOS tunnels.}

Among other tunnels, Cisco IOS supports IPIP and GRE.
Essentially, the Cisco setup is a subset of the options available for Linux.
Let us consider the simplest example:

\begin{verbatim}
interface Tunnel0
 tunnel mode gre ip
 tunnel source 10.10.14.1
 tunnel destination 10.10.13.2
\end{verbatim}


This command set translates to:

\begin{verbatim}
 ip tunnel add Tunnel0 \
    mode gre \
    local 10.10.14.1 \
    remote 10.10.13.2
\end{verbatim}

Any questions? No questions.

\section{Interaction IPIP tunnels and DVMRP.}

DVMRP exploits IPIP tunnels to route multicasts via the Internet.
\verb|mrouted| creates the
IPIP tunnels listed in its configuration file automatically.
From the kernel and user viewpoints there are no differences between
tunnels created in this way and tunnels created by \verb|ip tunnel|.
I.e.\ if \verb|mrouted| created some tunnel, it may be used to
route unicast packets, provided appropriate routes are added.
And vice versa, if the administrator has already created a tunnel,
it will be reused by \verb|mrouted| if it requests a DVMRP
tunnel with the same local and remote addresses.

Do not be surprised if your manually configured tunnel is
destroyed when \verb|mrouted| exits.


\section{Broadcast GRE ``tunnels''.}

It is possible to set \verb|remote| for a GRE tunnel to a multicast
address.
Such a tunnel becomes a {\bf broadcast} tunnel (though the word
tunnel is not quite appropriate in this case; it is rather a virtual network).
\begin{verbatim}
 ip tunnel add Universe local 193.233.7.65 \
    remote 224.66.66.66 ttl 16
 ip addr add 10.0.0.1/16 dev Universe
 ip link set Universe up
\end{verbatim}
This tunnel is a true broadcast network and broadcast packets are
sent to multicast group 224.66.66.66. By default such a tunnel starts
to resolve both IP and IPv6 addresses via ARP/NDISC, so that
if multicast routing is supported in the surrounding network, all GRE nodes
will find one another automatically and will form a virtual Ethernet-like
broadcast network. If multicast routing does not work, it is an unpleasant
but not fatal flaw. The tunnel becomes an NBMA rather than a broadcast network.
You may disable dynamic ARPing by:
\begin{verbatim}
 echo 0 > /proc/sys/net/ipv4/neigh/Universe/mcast_solicit
\end{verbatim}
and add the required information to the ARP tables manually:
\begin{verbatim}
 ip neigh add 10.0.0.2 lladdr 128.6.190.2 dev Universe nud permanent
\end{verbatim}
In this case packets sent to 10.0.0.2 will be encapsulated in GRE
and sent to 128.6.190.2. It is possible to facilitate address resolution
using methods typical for other NBMA networks, f.e.\ to start a user
level \verb|arpd| daemon, which will maintain a database of hosts attached
to the GRE virtual network, or to ask a
dedicated ARP or NHRP server for the information.


Actually, such a setup is the most natural for tunneling;
it is really flexible, scalable and easily manageable, so that
it is strongly recommended to be used with GRE tunnels instead of the ugly
hack with NBMA mode and the \verb|onlink| modifier. Unfortunately,
for historical reasons broadcast mode is not supported by IPIP tunnels,
but this will probably change in the future.



\section{Traffic control issues.}

Tunnels are devices, hence all the power of Linux traffic control
applies to them. The simplest (and the most useful in practice)
example is limiting tunnel bandwidth.
The following command:
\begin{verbatim}
 tc qdisc add dev tunl0 root tbf \
    rate 128Kbit burst 4K limit 10K
\end{verbatim}
will limit tunneled traffic to 128Kbit with a maximal burst size of 4K
and queuing of not more than 10K.

However, you should remember that tunnels are {\em virtual} devices
implemented in software, and true queue management is impossible for them
just because they have no queues. Instead, it is better to create classes
on real physical interfaces and to map tunneled packets to them.
In the general case of dynamic routing you should create such classes
on all outgoing interfaces, or, alternatively,
use the option \verb|dev DEV| to bind the tunnel to a fixed physical device.
In the latter case packets will be routed only via the specified device
and you need to set up the corresponding classes only on it.
Though you have to pay for this convenience:
if routing changes, your tunnel will fail.

Suppose that CBQ class \verb|1:ABC| has been created on device \verb|eth0|
specially for tunnel \verb|Cisco| with endpoints \verb|S| and \verb|D|.
Now you can select IPIP packets with addresses \verb|S| and \verb|D|
with some classifier and map them to class \verb|1:ABC|. F.e.\
it is easy to do with the \verb|rsvp| classifier:
\begin{verbatim}
 tc filter add dev eth0 pref 100 proto ip rsvp \
    session D ipproto ipip filter S \
    classid 1:ABC
\end{verbatim}

If you want to make a more detailed classification of sub-flows
transmitted via the tunnel, you can build a CBQ subtree
rooted at \verb|1:ABC| and attach to the subroot a set of rules parsing
IPIP packets more deeply.
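Both the receive-side tunnel lookup from the micro-FAQ (exact \verb|remote|/\verb|local| first, then the wildcard forms, then \verb|tunl0|, with \verb|DOWN| tunnels skipped) and the transmit-side \verb|rsvp| match above (\verb|session D ipproto ipip filter S|) are decisions taken on the outer IPv4 header alone. The following Python is an added illustration, not kernel code and not part of the original document: it simulates both decisions over constructed IPIP packets, using the page's addresses 193.233.7.65 (\verb|S|) and 128.6.190.2 (\verb|D|) and a constructed stranger address 198.51.100.77 to show that an \verb|UP| \verb|tunl0| delivers the stranger's packet while a \verb|DOWN| one does not.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_IPIP = 4        # outer protocol number of an IPIP packet
WILDCARD = "0.0.0.0"    # tunnel endpoint left unset in "ip tunnel add"


def parse_outer_ipv4(pkt: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (src, dst, proto) of the outer IPv4 header, None if not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(pkt[12:16]), dotted(pkt[16:20]), pkt[9]


@dataclass
class Tunnel:               # simulated "ip tunnel" entry, not a kernel struct
    name: str
    remote: str = WILDCARD
    local: str = WILDCARD
    up: bool = True


def receive_lookup(tunnels: List[Tunnel], pkt: bytes) -> Optional[str]:
    """Receive side: steps 1-4 of the table (remote=D, local=S); DOWN tunnels are skipped."""
    hdr = parse_outer_ipv4(pkt)
    if hdr is None or hdr[2] != IPPROTO_IPIP:
        return None                          # not an IPIP packet at all
    d, s, _ = hdr                            # outer src is the remote D, outer dst our local S
    for remote, local in ((d, s), (d, WILDCARD), (WILDCARD, s), (WILDCARD, WILDCARD)):
        for t in tunnels:
            if t.up and t.remote == remote and t.local == local:
                return t.name                # step 4 is tunl0: it takes anything left over
    return None                              # no UP tunnel matched: packet is not delivered


def classify_outgoing(pkt: bytes, s: str, d: str, classid: str = "1:ABC") -> Optional[str]:
    """Transmit side: what "rsvp session D ipproto ipip filter S" maps to classid on eth0."""
    return classid if parse_outer_ipv4(pkt) == (s, d, IPPROTO_IPIP) else None


def make_ipip(src: str, dst: str, inner: bytes = b"") -> bytes:
    """Constructed outer IPv4 header (proto 4) for the examples; header checksum left 0."""
    a = lambda ip: bytes(int(x) for x in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner),
                       0, 0, 64, IPPROTO_IPIP, 0, a(src), a(dst)) + inner
```

A quick audit of a host is then: if \verb|receive_lookup| over its tunnel list returns \verb|tunl0| for an arbitrary source, IPIP from anyone is being decapsulated, and the firewall and \verb|rp_filter| advice from the micro-FAQ applies.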

\end{document}