\documentstyle[12pt,twoside]{article}
\def\TITLE{Tunnels over IP}
\input preamble
\begin{center}
\Large\bf Tunnels over IP in Linux-2.2
\end{center}


\begin{center}
{ \large Alexey~N.~Kuznetsov } \\
\em Institute for Nuclear Research, Moscow \\
\verb|kuznet@ms2.inr.ac.ru| \\
\rm March 17, 1999
\end{center}

\vspace{5mm}

\tableofcontents


\section{Instead of introduction: micro-FAQ.}

\begin{itemize}

\item
Q: In linux-2.0.36 I used:
\begin{verbatim}
  ifconfig tunl1 10.0.0.1 pointopoint 193.233.7.65
\end{verbatim}
to create a tunnel. It does not work in 2.2.0!

A: You are right, it does not work. The command written above is split
into two commands.
\begin{verbatim}
  ip tunnel add MY-TUNNEL mode ipip remote 193.233.7.65
\end{verbatim}
will create a tunnel device with name \verb|MY-TUNNEL|. Now you may configure
it with:
\begin{verbatim}
  ifconfig MY-TUNNEL 10.0.0.1
\end{verbatim}
Certainly, if you prefer the name \verb|tunl1| to \verb|MY-TUNNEL|,
you may still use it.

\item
Q: In linux-2.0.36 I used:
\begin{verbatim}
  ifconfig tunl0 10.0.0.1
  route add -net 10.0.0.0 gw 193.233.7.65 dev tunl0
\end{verbatim}
to tunnel net 10.0.0.0 via router 193.233.7.65. It does not
work in 2.2.0! Moreover, \verb|route| prints a funny error of the sort
``network unreachable'' and after this I found a strange direct route
to 10.0.0.0 via \verb|tunl0| in the routing table.

A: Yes, in 2.2 the rule that a {\em normal} gateway must reside on a directly
connected network has no exceptions. You may tell the kernel that
this particular route is {\em abnormal}:
\begin{verbatim}
  ifconfig tunl0 10.0.0.1 netmask 255.255.255.255
  ip route add 10.0.0.0/8 via 193.233.7.65 dev tunl0 onlink
\end{verbatim}
Note the keyword \verb|onlink|: it is the magic key that orders the kernel
not to check the gateway address for consistency.
Probably, after this explanation you have already guessed another method
to cheat the kernel:
\begin{verbatim}
  ifconfig tunl0 10.0.0.1 netmask 255.255.255.255
  route add -host 193.233.7.65 dev tunl0
  route add -net 10.0.0.0 netmask 255.0.0.0 gw 193.233.7.65
  route del -host 193.233.7.65 dev tunl0
\end{verbatim}
Well, if you like such tricks, nobody may prohibit you from using them.
Only do not forget
that between \verb|route add| and \verb|route del| host 193.233.7.65 is
unreachable.

\item
Q: In 2.0.36 I used to load the \verb|tunnel| device module and the \verb|ipip| module.
I cannot find any \verb|tunnel| in 2.2!

A: Linux-2.2 has a single module \verb|ipip| for both directions of tunneling
and for all IPIP tunnel devices.

\item
Q: \verb|traceroute| does not work over the tunnel! Well, stop... It works,
only it skips some number of hops.

A: Yes. By default the tunnel driver copies the \verb|ttl| value from the
inner packet to the outer one. It means that the path traversed by tunneled
packets to the other endpoint is not hidden. If you dislike this, or if you
are going to use some routing protocol expecting that packets
with ttl 1 will reach the peering host (f.e.\ RIP, OSPF or EBGP)
and you are not afraid of
tunnel loops, you may append the option \verb|ttl 64| when creating the tunnel
with \verb|ip tunnel add|.

\item
Q: ... Well, the list of things which 2.0 was able to do finishes here.

\end{itemize}

\paragraph{Summary of differences between 2.2 and 2.0.}

\begin{itemize}

\item {\bf In 2.0} you could compile the tunnel device into the kernel
  and get a set of 4 devices \verb|tunl0| ... \verb|tunl3| or,
  alternatively, compile it as a module and load a new module
  for each new tunnel. Also, the module \verb|ipip| was necessary
  to receive tunneled packets.

  {\bf 2.2} has {\em one\/} module \verb|ipip|. Loading it you get the base
  tunnel device \verb|tunl0|, and other tunnels may be created with the command
  \verb|ip tunnel add|. These new devices may have arbitrary names.


\item {\bf In 2.0} you set the remote tunnel endpoint address with
  the command \verb|ifconfig| ... \verb|pointopoint A|.

  {\bf In 2.2} this command has the same semantics on all
  the interfaces, namely it sets not the tunnel endpoint,
  but the address of the peering host, which is directly reachable
  via this tunnel,
  rather than via the Internet. The actual tunnel endpoint address \verb|A|
  should be set with \verb|ip tunnel add ... remote A|.

\item {\bf In 2.0} you create tunnel routes with the command:
\begin{verbatim}
  route add -net 10.0.0.0 gw A dev tunl0
\end{verbatim}

  {\bf 2.2} interprets this command equally for all device
  kinds and the gateway is required to be directly reachable via this tunnel,
  rather than via the Internet. You still may use \verb|ip route add ... onlink|
  to override this behaviour.

\end{itemize}


\section{Tunnel setup: basics}

The standard Linux-2.2 kernel supports three flavors of tunnels,
listed in the following table:
\vspace{2mm}

\begin{tabular}{lll}
\vrule depth 0.8ex width 0pt\relax
Mode & Description & Base device \\
ipip & IP over IP & tunl0 \\
sit & IPv6 over IP & sit0 \\
gre & ANY over GRE over IP & gre0
\end{tabular}

\vspace{2mm}

\noindent All the kinds of tunnels are created with one command:
\begin{verbatim}
  ip tunnel add <NAME> mode <MODE> [ local <S> ] [ remote <D> ]
\end{verbatim}

This command creates a new tunnel device with name \verb|<NAME>|.
The \verb|<NAME>| is an arbitrary string. In particular,
it may even be \verb|eth0|. The rest of the parameters set
different tunnel characteristics.

\begin{itemize}

\item
\verb|mode <MODE>| sets the tunnel mode. Three modes are available now:
  \verb|ipip|, \verb|sit| and \verb|gre|.

\item
\verb|remote <D>| sets the remote endpoint of the tunnel to IP
  address \verb|<D>|.
\item
\verb|local <S>| sets a fixed local address for tunneled
  packets. It must be an address on another interface of this host.

\end{itemize}

\let\thefootnote\oldthefootnote

Both \verb|remote| and \verb|local| may be omitted. In this case we
say that they are zero or wildcard. Two tunnels of one mode cannot
have the same \verb|remote| and \verb|local|. In particular it means
that the base device or fallback tunnel cannot be replicated.\footnote{
This restriction is relaxed for keyed GRE tunnels.}

Tunnels are divided into two classes: {\bf pointopoint} tunnels, which
have some non-wildcard \verb|remote| address and deliver all the packets
to this destination, and {\bf NBMA} (i.e.\ Non-Broadcast Multi-Access) tunnels,
which have no \verb|remote|. In particular, base devices (f.e.\ \verb|tunl0|)
are NBMA, because they have neither \verb|remote| nor
\verb|local| addresses.


After the tunnel device is created you should configure it as you
do other devices. Certainly, the configuration of tunnels has
some features related to the fact that they work over the existing Internet
routing infrastructure and simultaneously create new virtual links,
which change this infrastructure. The danger that a not careful enough
tunnel setup will result in the formation of tunnel loops,
collapse of routing or flooding the network with an exponentially
growing number of tunneled fragments is very real.


Protocol setup on pointopoint tunnels does not differ from the configuration
of other devices. You should set a protocol address with \verb|ifconfig|
and add routes with the \verb|route| utility.

NBMA tunnels are different. To route something via an NBMA tunnel
you have to explain to the driver where it should deliver packets to.
The only way to do it is to create special routes with the gateway
address pointing to the desired endpoint. F.e.\
\begin{verbatim}
  ip route add 10.0.0.0/24 via <A> dev tunl0 onlink
\end{verbatim}
It is important to use the option \verb|onlink|, otherwise the
kernel will refuse the request to create a route via a gateway not directly
reachable over device \verb|tunl0|.
With IPv6 the situation is much simpler: 221a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamathwhen you start device \verb|sit0|, it automatically configures itself 222a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamathwith all IPv4 addresses mapped to IPv6 space, so that all IPv4 223a8b46a3d3b6ed1488df10740653829283572903bNarayan KamathInternet is {\em really reachable} via \verb|sit0|! Excellent, the command 224a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\begin{verbatim} 225a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath ip route add 3FFE::/16 via ::193.233.7.65 dev sit0 226a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\end{verbatim} 227a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamathwill route \verb|3FFE::/16| via \verb|sit0|, sending all the packets 228a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamathdestined to this prefix to 193.233.7.65. 229a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 230a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\section{Tunnel setup: options} 231a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 232a8b46a3d3b6ed1488df10740653829283572903bNarayan KamathCommand \verb|ip tunnel add| has several additional options. 233a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\begin{itemize} 234a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 235a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\item \verb|ttl N| --- set fixed TTL \verb|N| on tunneled packets. 236a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath \verb|N| is number in the range 1--255. 0 is special value, 237a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath meaning that packets inherit TTL value. 238a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath Default value is: \verb|inherit|. 239a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 240a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\item \verb|tos T| --- set fixed tos \verb|T| on tunneled packets. 
241a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath Default value is: \verb|inherit|. 242a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 243a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\item \verb|dev DEV| --- bind tunnel to device \verb|DEV|, so that 244a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath tunneled packets will be routed only via this device and will 245a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath not be able to escape to another device, when route to endpoint changes. 246a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 247a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\item \verb|nopmtudisc| --- disable Path MTU Discovery on this tunnel. 248a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath It is enabled by default. Note that fixed ttl is incompatible 249a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath with this option: tunnels with fixed ttl always make pmtu discovery. 250a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 251a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\end{itemize} 252a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 253a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\verb|ipip| and \verb|sit| tunnels have no more options. \verb|gre| 254a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamathtunnels are more complicated: 255a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 256a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\begin{itemize} 257a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 258a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\item \verb|key K| --- use keyed GRE with key \verb|K|. \verb|K| is 259a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath either number or IP address-like dotted quad. 260a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 261a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\item \verb|csum| --- checksum tunneled packets. 
262a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 263a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\item \verb|seq| --- serialize packets. 264a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\begin{NB} 265a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath I think this option does not 266a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath work. At least, I did not test it, did not debug it and 267a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath even do not understand, how it is supposed to work and for what 268a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath purpose Cisco planned to use it. 269a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\end{NB} 270a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 271a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\end{itemize} 272a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 273a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 274a8b46a3d3b6ed1488df10740653829283572903bNarayan KamathActually, these GRE options can be set separately for input and 275a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamathoutput directions by prefixing corresponding keywords with letter 276a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\verb|i| or \verb|o|. F.e.\ \verb|icsum| orders to accept only 277a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamathpackets with correct checksum and \verb|ocsum| means, that 278a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamathour host will calculate and send checksum. 279a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 280a8b46a3d3b6ed1488df10740653829283572903bNarayan KamathCommand \verb|ip tunnel add| is not the only operation, 281a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamathwhich can be made with tunnels. 
Certainly, you may get short help page 282a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamathwith: 283a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\begin{verbatim} 284a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath ip tunnel help 285a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\end{verbatim} 286a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath 287a8b46a3d3b6ed1488df10740653829283572903bNarayan KamathBesides that, you may view list of installed tunnels with the help of command: 288a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\begin{verbatim} 289a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath ip tunnel ls 290a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\end{verbatim} 291a8b46a3d3b6ed1488df10740653829283572903bNarayan KamathAlso you may look at statistics: 292a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\begin{verbatim} 293a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath ip -s tunnel ls Cisco 294a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\end{verbatim} 295a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamathwhere \verb|Cisco| is name of tunnel device. Command 296a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\begin{verbatim} 297a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath ip tunnel del Cisco 298a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\end{verbatim} 299a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamathdestroys tunnel \verb|Cisco|. And, finally, 300a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\begin{verbatim} 301a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath ip tunnel change Cisco mode sit local ME remote HE ttl 32 302a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamath\end{verbatim} 303a8b46a3d3b6ed1488df10740653829283572903bNarayan Kamathchanges its parameters. 
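The transmit side of what the two preceding sections describe, as an added
example; it is neither kernel code nor part of the original document. It models
the 2.2 rule that a route's gateway must be on-link unless \verb|onlink| is
given (the FAQ's ``network unreachable''), the choice of outer destination for
pointopoint versus NBMA tunnels (the NBMA endpoint comes from the route's
gateway), \verb|ttl| inherit versus fixed (the \verb|traceroute| question above),
the DF bit that Path MTU Discovery implies and that \verb|nopmtudisc| clears,
the ttl/nopmtudisc incompatibility, and the GRE header layout produced by
\verb|key| and \verb|ocsum| (RFC 2784/2890: flag bits, optional checksum and key
words). The \verb|Tunnel| and \verb|Route| types, all addresses and the inner
packet are constructed assumptions, not anything the kernel exports.

```python
import ipaddress
import struct
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

IPPROTO_IPIP, IPPROTO_GRE, ETH_P_IP = 4, 47, 0x0800
GRE_CSUM, GRE_KEY = 0x8000, 0x2000                  # GRE header flag bits
Route = namedtuple("Route", "prefix dev gateway")   # gateway None: directly connected

def csum16(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 when recomputed over checksummed data."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, ttl, tos, payload_len, df=True):
    """20-byte IPv4 header; DF is set while path MTU discovery is on."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0x4000 if df else 0,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", csum16(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"tos": f[1], "df": bool(f[4] & 0x4000), "ttl": f[5], "proto": f[6],
            "src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9]))}

@dataclass
class Tunnel:
    """Hypothetical model of 'ip tunnel add' parameters, not the kernel's own struct."""
    name: str
    mode: str                       # "ipip" or "gre"
    local: str
    remote: Optional[str] = None    # None: wildcard remote, i.e. an NBMA tunnel
    ttl: int = 0                    # 0: inherit the inner TTL
    key: Optional[int] = None       # GRE only: keyed GRE
    ocsum: bool = False             # GRE only: send a checksum
    nopmtudisc: bool = False

    def __post_init__(self):
        if not 0 <= self.ttl <= 255:
            raise ValueError("ttl must be 0 (inherit) or 1..255")
        if self.nopmtudisc and self.ttl:
            raise ValueError("fixed ttl is incompatible with nopmtudisc")

def add_route(table, prefix, dev, gateway=None, onlink=False):
    """2.2 rule: the gateway must lie in a prefix directly connected to dev,
    unless the route is flagged onlink (the FAQ's 'abnormal' route)."""
    if gateway is not None and not onlink:
        gw = ipaddress.IPv4Address(gateway)
        if not any(r.dev == dev and r.gateway is None and gw in r.prefix for r in table):
            raise ValueError("Network is unreachable")
    table.append(Route(ipaddress.IPv4Network(prefix), dev, gateway))

def lookup(table, dst):
    """Longest-prefix match; None when no route covers dst."""
    hits = [r for r in table if ipaddress.IPv4Address(dst) in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

def encapsulate(tun, inner, route):
    """Outer packet the driver would transmit for inner via tun."""
    ih = parse_ipv4(inner)
    outer_dst = tun.remote or route.gateway      # NBMA: endpoint is the route's gateway
    if outer_dst is None:
        raise ValueError("NBMA tunnel needs a route with a gateway")
    ttl = tun.ttl or ih["ttl"]                   # 'ttl 0' means inherit
    df = not tun.nopmtudisc
    if tun.mode == "ipip":
        return ipv4_header(tun.local, outer_dst, IPPROTO_IPIP, ttl, ih["tos"], len(inner), df) + inner
    flags = (GRE_CSUM if tun.ocsum else 0) | (GRE_KEY if tun.key is not None else 0)
    gre = struct.pack("!HH", flags, ETH_P_IP)
    if tun.ocsum:
        gre += b"\0\0\0\0"                       # checksum + reserved1, filled in below
    if tun.key is not None:
        gre += struct.pack("!I", tun.key)
    if tun.ocsum:                                # checksum covers GRE header and payload
        gre = gre[:4] + struct.pack("!H", csum16(gre + inner)) + gre[6:]
    return ipv4_header(tun.local, outer_dst, IPPROTO_GRE, ttl, ih["tos"],
                       len(gre) + len(inner), df) + gre + inner

def demo():
    """Constructed scenario: eth0 on 193.233.7.0/24, tunnel endpoint 193.233.7.65,
    an inner packet with TTL 1 such as a RIP/OSPF peer would send."""
    table = []
    add_route(table, "193.233.7.0/24", "eth0")
    add_route(table, "10.0.0.0/8", "tunl0", gateway="193.233.7.65", onlink=True)
    route = lookup(table, "10.1.2.3")
    inner = ipv4_header("10.0.0.1", "10.1.2.3", 1, 1, 0x10, 0)
    nbma = Tunnel("tunl0", "ipip", "193.233.7.1")
    fixed = Tunnel("tunl1", "ipip", "193.233.7.1", "193.233.7.65", ttl=64)
    gre = Tunnel("Cisco", "gre", "193.233.7.1", "193.233.7.65", key=1234, ocsum=True)
    return {"route": route, "inner": inner, "nbma": encapsulate(nbma, inner, route),
            "fixed": encapsulate(fixed, inner, route), "gre": encapsulate(gre, inner, route)}
```

Running \verb|demo()| shows the inherited TTL of 1 surviving into the outer
header of the NBMA tunnel (so \verb|traceroute| sees every hop) while the
fixed-ttl tunnel emits 64; dropping \verb|onlink| from the second
\verb|add_route| call reproduces the refusal the FAQ describes.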

\section{Differences 2.2 and 2.0 tunnels revisited.}

Now we can discuss more subtle differences between tunneling in 2.0
and 2.2.

\begin{itemize}

\item In 2.0 all tunneled packets were received promiscuously
as soon as you loaded the module \verb|ipip|. 2.2 tries to select the best
tunnel device, and the packet looks as if received on it. F.e.\ if the host
received an \verb|ipip| packet from host \verb|D| destined to our
local address \verb|S|, the kernel searches for matching tunnels
in order:

\begin{tabular}{ll}
1 & \verb|remote| is \verb|D| and \verb|local| is \verb|S| \\
2 & \verb|remote| is \verb|D| and \verb|local| is wildcard \\
3 & \verb|remote| is wildcard and \verb|local| is \verb|S| \\
4 & \verb|tunl0|
\end{tabular}

If a tunnel exists, but it is not in \verb|UP| state, the tunnel is ignored.
Note that if \verb|tunl0| is \verb|UP| it receives all the IPIP packets
not acknowledged by more specific tunnels.
Be careful: it means that without carefully installed firewall rules
anyone on the Internet may inject into your network any packets with
source addresses indistinguishable from local ones. It is not so bad an idea
to design tunnels in a way enforcing maximal route symmetry
and to enable the reverse path filter (\verb|rp_filter| sysctl option) on
tunnel devices.

\item In 2.2 you can monitor and debug tunnels with \verb|tcpdump|.
F.e.\ \verb|tcpdump| \verb|-i Cisco| \verb|-nvv| will dump the packets
which the kernel outputs via tunnel \verb|Cisco| and the packets received on it,
from the kernel's viewpoint.

\end{itemize}


\section{Linux and Cisco IOS tunnels.}

Among other tunnels Cisco IOS supports IPIP and GRE.
Essentially, the Cisco setup is a subset of the options available for Linux.
Let us consider the simplest example:

\begin{verbatim}
interface Tunnel0
 tunnel mode gre ip
 tunnel source 10.10.14.1
 tunnel destination 10.10.13.2
\end{verbatim}


This command set translates to:

\begin{verbatim}
  ip tunnel add Tunnel0 \
        mode gre \
        local 10.10.14.1 \
        remote 10.10.13.2
\end{verbatim}
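Returning to the previous section: the receive-side tunnel selection it
tabulates and the \verb|rp_filter| check it recommends, as an added example
that is neither kernel code nor part of the original document. The four-step
search is implemented literally (DOWN tunnels skipped, the base device
\verb|tunl0| as the catch-all), and a strict reverse path filter then asks
whether the best route back to the decapsulated source leaves via the tunnel
the packet arrived on. The \verb|Tunnel| type, the routing table, the host
addresses and the outside host 198.51.100.9 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Tunnel:
    """IPIP tunnel as the receive path sees it; None means wildcard."""
    name: str
    local: Optional[str] = None
    remote: Optional[str] = None
    up: bool = True

def select_tunnel(tunnels, outer_src, outer_dst):
    """2.2 search order for an IPIP packet from D (outer_src) to S (outer_dst):
    (remote D, local S), (D, *), (*, S), then the base device tunl0 (*, *).
    Tunnels that are not UP are ignored."""
    up = [t for t in tunnels if t.up]
    for remote, local in ((outer_src, outer_dst), (outer_src, None),
                          (None, outer_dst), (None, None)):
        for t in up:
            if t.remote == remote and t.local == local:
                return t
    return None                      # nothing matched: not accepted as a tunneled packet

def reverse_path_ok(routes, inner_src, in_dev):
    """Strict rp_filter: the longest-prefix route back to the inner source
    must leave via the device the packet arrived on."""
    src = ipaddress.IPv4Address(inner_src)
    hits = [(p, d) for p, d in routes if src in p]
    best = max(hits, key=lambda r: r[0].prefixlen, default=None)
    return best is not None and best[1] == in_dev

def receive(tunnels, routes, outer_src, outer_dst, inner_src):
    """(tunnel name or None, accepted by rp_filter) for one decapsulated packet."""
    t = select_tunnel(tunnels, outer_src, outer_dst)
    if t is None:
        return None, False
    return t.name, reverse_path_ok(routes, inner_src, t.name)

def demo(tunl0_up=True):
    """Constructed host with addresses 193.233.7.1 and 193.233.7.2: Cisco is a
    pointopoint tunnel to 193.233.7.65, Nbma an NBMA tunnel bound to the second
    address, tunl0 the base device. 198.51.100.9 is an unrelated Internet host."""
    tunnels = [Tunnel("tunl0", up=tunl0_up),
               Tunnel("Cisco", local="193.233.7.1", remote="193.233.7.65"),
               Tunnel("Nbma", local="193.233.7.2")]
    routes = [(ipaddress.IPv4Network("0.0.0.0/0"), "eth0"),
              (ipaddress.IPv4Network("10.0.0.0/8"), "Cisco"),
              (ipaddress.IPv4Network("172.16.0.0/12"), "Nbma")]
    return {
        # legitimate peer: matched at step 1, its source is routed back via Cisco
        "peer": receive(tunnels, routes, "193.233.7.65", "193.233.7.1", "10.0.0.5"),
        # stranger claiming an internal source: lands on tunl0 if UP, rp_filter rejects
        "stranger": receive(tunnels, routes, "198.51.100.9", "193.233.7.1", "10.0.0.5"),
        # stranger hitting the NBMA local address: matched at step 3, still rejected
        "stranger_nbma": receive(tunnels, routes, "198.51.100.9", "193.233.7.2", "10.0.0.5"),
        # NBMA peer whose source is routed via Nbma: accepted
        "nbma_peer": receive(tunnels, routes, "198.51.100.9", "193.233.7.2", "172.16.1.1"),
    }
```

With \verb|tunl0| UP the stranger's packet is delivered to \verb|tunl0| and
only the reverse path filter stops it; with \verb|demo(tunl0_up=False)| no
tunnel matches and the packet is not accepted at all, which is why keeping the
base device down unless it is needed is the simpler defence.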

Any questions? No questions.

\section{Interaction of IPIP tunnels and DVMRP.}

DVMRP uses IPIP tunnels to route multicasts via the Internet.
\verb|mrouted| automatically creates the
IPIP tunnels listed in its configuration file.
From the kernel and user viewpoints there is no difference between
tunnels created in this way and tunnels created with \verb|ip tunnel|.
I.e.\ if \verb|mrouted| created some tunnel, it may be used to
route unicast packets, provided appropriate routes are added.
And vice versa: if the administrator has already created a tunnel,
it will be reused by \verb|mrouted| if it requests a DVMRP
tunnel with the same local and remote addresses.

Do not be surprised if your manually configured tunnel is
destroyed when \verb|mrouted| exits.


\section{Broadcast GRE ``tunnels''.}

It is possible to set \verb|remote| of a GRE tunnel to a multicast
address. Such a tunnel becomes a {\bf broadcast} tunnel (though the word
tunnel is not quite appropriate in this case; it is rather a virtual network).
\begin{verbatim}
 ip tunnel add Universe mode gre local 193.233.7.65 \
 remote 224.66.66.66 ttl 16
 ip addr add 10.0.0.1/16 dev Universe
 ip link set Universe up
\end{verbatim}
This tunnel is a true broadcast network, and broadcast packets are
sent to the multicast group 224.66.66.66. By default such a tunnel starts
to resolve both IP and IPv6 addresses via ARP/NDISC, so that
if multicast routing is supported in the surrounding network, all GRE nodes
will find one another automatically and will form a virtual Ethernet-like
broadcast network. If multicast routing does not work, it is an unpleasant
but not fatal flaw.
The tunnel becomes an NBMA network rather than a broadcast one.
You may disable dynamic ARPing with:
\begin{verbatim}
 echo 0 > /proc/sys/net/ipv4/neigh/Universe/mcast_solicit
\end{verbatim}
and add the required information to the ARP tables manually:
\begin{verbatim}
 ip neigh add 10.0.0.2 lladdr 128.6.190.2 dev Universe nud permanent
\end{verbatim}
In this case packets sent to 10.0.0.2 will be encapsulated in GRE
and sent to 128.6.190.2. It is possible to facilitate address resolution
using methods typical for other NBMA networks, e.g.\ by starting a user-level
\verb|arpd| daemon, which maintains a database of the hosts attached
to the GRE virtual network, or by asking a dedicated ARP or NHRP server
for the information.
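To make the two modes concrete, here is an added Python model of next-hop resolution on the \verb|Universe| device; it is example code, not kernel code and not part of the original document. With \verb|mcast_solicit| above zero an unknown inner address queues the packet and sends an ARP request encapsulated to the multicast group, and the data follows once a reply is learned; with \verb|mcast_solicit| set to 0 the device is NBMA and only entries added by hand (\verb|nud permanent|) deliver. The GRE framing is the minimal 4-byte header, the ARP frame is a constructed stand-in, and the outer IP header is kept as a (local, destination, ttl) tuple rather than built as bytes.

```python
"""Next-hop resolution on a broadcast GRE device (added example, not kernel code).
Inner addresses are mapped to outer endpoints by a neighbour table.  With
mcast_solicit > 0 a missing entry triggers an ARP request encapsulated to the
multicast group; with mcast_solicit = 0 the device is NBMA and only entries
added by hand deliver.  Names/addresses follow the page's Universe example; the
ARP frame is a constructed stand-in and the outer IP header is kept as a tuple."""
import ipaddress
import struct
from collections import deque

GRE_PROTO_IPV4 = 0x0800   # Ethertype values carried in the GRE protocol field
GRE_PROTO_ARP = 0x0806


class GreBroadcastDevice:
    def __init__(self, name, local, group, inner_addr, ttl=16, mcast_solicit=3):
        self.name = name
        self.local = local                  # tunnel 'local': outer source address
        self.group = group                  # tunnel 'remote': the multicast group
        self.ttl = ttl
        self.broadcast = str(ipaddress.ip_interface(inner_addr).network.broadcast_address)
        self.mcast_solicit = mcast_solicit  # /proc/sys/net/ipv4/neigh/<dev>/mcast_solicit
        self.neigh = {}                     # inner addr -> (lladdr = outer addr, nud state)
        self.pending = {}                   # inner addr -> deque of packets awaiting resolution
        self.dropped = 0

    def set_mcast_solicit(self, n):
        """Equivalent of: echo N > /proc/sys/net/ipv4/neigh/<dev>/mcast_solicit"""
        self.mcast_solicit = n

    def neigh_add(self, inner, lladdr):
        """Equivalent of: ip neigh add INNER lladdr LLADDR dev <dev> nud permanent"""
        self.neigh[inner] = (lladdr, "permanent")

    def _frame(self, kind, outer_dst, proto, inner_bytes):
        # Minimal GRE header: no checksum/key/sequence flags, then the protocol
        # of the encapsulated frame.  The outer IPv4 header is the (local, dst, ttl) tuple.
        gre = struct.pack("!HH", 0, proto) + inner_bytes
        return (kind, self.local, outer_dst, self.ttl, gre)

    def send(self, inner_dst, inner_bytes):
        """Return the encapsulated frames leaving the device for one inner packet."""
        if inner_dst == self.broadcast:               # broadcast -> the multicast group
            return [self._frame("data", self.group, GRE_PROTO_IPV4, inner_bytes)]
        entry = self.neigh.get(inner_dst)
        if entry is not None:
            return [self._frame("data", entry[0], GRE_PROTO_IPV4, inner_bytes)]
        if self.mcast_solicit <= 0:
            self.dropped += 1                         # NBMA: no way to find the endpoint
            return []
        # Dynamic ARP: queue the packet, solicit the whole group
        self.pending.setdefault(inner_dst, deque()).append(inner_bytes)
        request = b"ARP-REQUEST " + inner_dst.encode()   # constructed stand-in for an ARP frame
        return [self._frame("arp-request", self.group, GRE_PROTO_ARP, request)]

    def arp_reply(self, inner, lladdr):
        """Learn the outer address from an ARP reply and flush the queued packets."""
        self.neigh[inner] = (lladdr, "reachable")
        return [self._frame("data", lladdr, GRE_PROTO_IPV4, pkt)
                for pkt in self.pending.pop(inner, deque())]


if __name__ == "__main__":
    dev = GreBroadcastDevice("Universe", "193.233.7.65", "224.66.66.66", "10.0.0.1/16")
    print(dev.send("10.0.0.2", b"hello"))            # ARP request to 224.66.66.66
    print(dev.arp_reply("10.0.0.2", "128.6.190.2"))  # data now goes to 128.6.190.2
```

The same object with \verb|mcast_solicit=0| drops unresolved destinations until \verb|neigh_add| is called, which is exactly the difference between the broadcast and the NBMA configuration above.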


Actually, such a setup is the most natural one for tunneling:
it is really flexible, scalable and easily manageable, so
it is strongly recommended for GRE tunnels instead of the ugly
hack with NBMA mode and the \verb|onlink| modifier. Unfortunately,
for historical reasons broadcast mode is not supported by IPIP tunnels,
but this will probably change in the future.



\section{Traffic control issues.}

Tunnels are devices, hence all the power of Linux traffic control
applies to them. The simplest (and the most useful in practice)
example is limiting tunnel bandwidth.
The following command:
\begin{verbatim}
 tc qdisc add dev tunl0 root tbf \
 rate 128Kbit burst 4K limit 10K
\end{verbatim}
will limit tunneled traffic to 128Kbit with a maximal burst size of 4K
and a queue of not more than 10K.

However, you should remember that tunnels are {\em virtual} devices
implemented in software, and true queue management is impossible for them
simply because they have no queues. Instead, it is better to create classes
on real physical interfaces and to map tunneled packets to them.
In the general case of dynamic routing you should create such classes
on all outgoing interfaces, or, alternatively,
use the option \verb|dev DEV| to bind the tunnel to a fixed physical device.
In the latter case packets will be routed only via the specified device,
and you need to set up the corresponding classes only on it.
You have to pay for this convenience, though:
if routing changes, your tunnel will fail.
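As an added illustration of what the three \verb|tbf| parameters mean (example code, not part of the original document and not \verb|tc|'s own implementation), the following Python simulation applies the rate, burst and limit above to a burst of packets. It assumes 1024-based units for the page's values (128Kbit = 16384 bytes/s, 4K = 4096 bytes, 10K = 10240 bytes of queued packets; adjust if your \verb|tc| reads rates as 1000-based) and lets a packet leave as soon as enough tokens have accrued, without modelling link serialization.

```python
"""Token-bucket simulation of 'tc qdisc add dev tunl0 root tbf rate 128Kbit
burst 4K limit 10K' (added example, not tc's own code).  Units assumed as
1024-based: rate = 16384 B/s, burst = 4096 B, limit = 10240 B queued."""
from collections import deque


class TokenBucket:
    def __init__(self, rate, burst, limit):
        self.rate, self.burst, self.limit = rate, burst, limit
        self.tokens = float(burst)   # bucket starts full: the initial burst passes
        self.last = 0.0              # time at which self.tokens is valid
        self.queue = deque()         # (pkt_id, size) waiting for tokens
        self.backlog = 0             # bytes queued, compared against 'limit'
        self.sent = []               # (pkt_id, departure_time)
        self.dropped = []            # pkt_ids refused because the queue was full

    def _refill(self, now):
        self.tokens = min(self.burst, self.tokens + self.rate * (now - self.last))
        self.last = now

    def _drain(self, now):
        """Dequeue every packet whose tokens become available by time `now`."""
        while self.queue:
            pkt_id, size = self.queue[0]
            if size <= self.tokens:
                ready = self.last
            else:
                ready = self.last + (size - self.tokens) / self.rate
            if ready > now:
                break
            self._refill(ready)                       # tokens now >= size
            self.tokens = max(self.tokens - size, 0.0)
            self.queue.popleft()
            self.backlog -= size
            self.sent.append((pkt_id, ready))

    def arrive(self, now, pkt_id, size):
        """A packet of `size` bytes reaches the qdisc at time `now` (non-decreasing)."""
        self._drain(now)
        self._refill(now)
        if size > self.burst or self.backlog + size > self.limit:
            self.dropped.append(pkt_id)               # 'limit' exceeded (or never sendable)
        else:
            self.queue.append((pkt_id, size))
            self.backlog += size
            self._drain(now)

    def finish(self):
        """Let the remaining backlog drain; return (sent, dropped)."""
        self._drain(float("inf"))
        return self.sent, self.dropped


def run_burst(count=15, size=1024, rate=16384, burst=4096, limit=10240):
    """15 packets of 1 KiB arriving at once: 4 pass on the initial burst,
    10 are queued (10240 bytes, exactly the limit) and drain at 16 KiB/s,
    the 15th finds the queue full and is dropped."""
    tb = TokenBucket(rate, burst, limit)
    for i in range(1, count + 1):
        tb.arrive(0.0, i, size)
    return tb.finish()


if __name__ == "__main__":
    sent, dropped = run_burst()
    for pkt_id, t in sent:
        print(f"packet {pkt_id:2d} leaves at t={t:.4f}s")
    print("dropped:", dropped)
```

The point to take from the run is that \verb|limit| caps delay rather than rate: at 16 KiB/s a full 10 KiB queue means a newly arriving packet waits up to 0.625 s, and anything beyond that is dropped instead of queued.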

Suppose that CBQ class \verb|1:ABC| has been created on device \verb|eth0|
specifically for tunnel \verb|Cisco| with endpoints \verb|S| and \verb|D|.
Now you can select IPIP packets with addresses \verb|S| and \verb|D|
with some classifier and map them to class \verb|1:ABC|. E.g.\
this is easy to do with the \verb|rsvp| classifier:
\begin{verbatim}
 tc filter add dev eth0 pref 100 proto ip rsvp \
 session D ipproto ipip filter S \
 classid 1:ABC
\end{verbatim}

If you want a more detailed classification of the sub-flows
transmitted via the tunnel, you can build a CBQ subtree
rooted at \verb|1:ABC| and attach to the subroot a set of rules parsing
IPIP packets more deeply.

\end{document}