
Re: IPSEC tunnels for LAN-to-LAN interop issue



Dan Harkins wrote:
> 
> On Tue, 31 Aug 1999 23:31:17 -0000 you wrote
> >
> >       If BGP routes to a next hop which is more than one hop away, then BGP
> > requires that the IGP be able to resolve the intermediate next hops and
> > you are back where you started.
> 
> You have this problem anyway because your GRE tunnel needs to
> be established. You have to have some route from SGW1 to SGW2 regardless.
> Given that requirement, is the simplest way to "discover what is out there"
> (which is the desire that started this thread-- quote from Steve Waters)
> to tunnel RIP and/or OSPF-- and all the cruft that goes along with that--
> between them or to just use BGP? BGP is a _much_ simpler protocol than OSPF
> and either is _much_ better than RIP.
> 
>   Dan.


	I still see the next hop as a problem for BGP. Let me be more specific
with a problem description and then see if Dan or some BGP folk can show
how this is workable. I do hope that BGP can be shown to work because it
would very cleanly solve the 'interface' problem by not requiring an
interface construct.



         AS1                        AS2

      1 ---- 2                  3 ----- 4
     --|    |-----(internet)-----|     |----
        ----                      ----- 
           5========tunnel=========6

	Here are two SGWs on the internet protecting endpoints at the subnets
connected to and behind interfaces 1 and 4. An IPSec tunnel connection
exists between interfaces 2 and 3. Routers in the internet are unaware
of how to reach the protected endpoints behind interfaces 1 and 4.
	Let us suppose that each SGW protects many subnets behind interfaces 1
and 4 respectively. And we desire to use a routing protocol to "discover
what is out there". (BTW: I'll attach a little rant about this goal at
the bottom). So the SGWs become BGP peers and advertise iBGP routes to
other routers in their protected spaces / Autonomous Systems. 
	Now here comes the rub (finally). The SGW on the left advertises in BGP
that to reach subnets behind the SGW on the right the next hop is at
interface 4. It should not use interface 3 in its next hop
advertisements because that is a publicly routed internet address
which the other routers in AS1 need to default route to. So we have just
required that interface 4 be reachable in the IGP of all the routers in
AS1. But it ain't.
	If a GRE (or other) tunnel had been used to create interfaces 5 and 6
and carry IGP routing messages this next hop issue would not be a
problem because the IGP itself would discover all the routes on both
sides and we would have only one AS. 


-- 
####################################
#  Ricky Charlet
#	(510) 795-6903
#	rcharlet@redcreek.com
####################################

end Howdy;


PS: Rant about "discover what is out there"

	OK, "discover what is out there" is an insufficient goal. "And do what
with that info", is what I want us to get clear about. From this thread
I believe that I have sensed two possible uses for discovered routing
topology:
	1) auto create SPD entries out of discovered routes.
	2) provide VPN redundancy for sites with multiple paths between them.

	Personally, I strongly dislike option 1 and strongly like option 2. But
I am also interested in what others think.
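The next-hop resolution problem described in the message above, as an added example that is not code from the post or from any product discussed in it. It models an AS1 interior router's IGP RIB and checks how each candidate BGP NEXT_HOP from the diagram resolves; all addresses, the `IF` map and the RIB contents are constructed assumptions, and the final case (next-hop-self) is standard iBGP practice that goes beyond what the post discusses.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the diagram's numbered interfaces (assumed):
# 1 and 4 are the SGWs' inside interfaces, 2 and 3 their public internet
# interfaces, 5 and 6 the endpoints of an optional GRE tunnel.
IF = {
    1: "10.1.0.1",      # SGW1 inside, AS1
    2: "192.0.2.1",     # SGW1 public
    3: "198.51.100.1",  # SGW2 public
    4: "10.2.0.1",      # SGW2 inside, AS2
    5: "172.16.0.1",    # GRE tunnel, SGW1 side
    6: "172.16.0.2",    # GRE tunnel, SGW2 side
}

# IGP RIB of an interior router in AS1 as (prefix, next hop); everything
# unknown is default-routed toward SGW1, which forwards it to the internet.
AS1_RIB = [("10.1.0.0/24", "connected"), ("0.0.0.0/0", IF[1])]

# The internet never carries RFC 1918 space, so a default route cannot reach it.
RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve(rib, addr):
    """Longest-prefix match; returns (network, via) or None if nothing matches."""
    best = None
    for prefix, via in rib:
        net = ip_network(prefix)
        if ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best

def next_hop_status(rib, next_hop):
    """Classify how a BGP NEXT_HOP resolves against this IGP RIB."""
    hit = resolve(rib, next_hop)
    if hit is None or hit[0].prefixlen == 0:
        if any(ip_address(next_hop) in n for n in RFC1918):
            return "unreachable"   # private AS2 address: BGP route stays inactive
        return "via-default"       # public address: packets leave for the internet, not the tunnel
    return "specific"              # resolvable inside AS1: route is usable

# The cases from the post, seen from an AS1 interior router.
def case_interface4():
    return next_hop_status(AS1_RIB, IF[4])           # "unreachable"
def case_interface3():
    return next_hop_status(AS1_RIB, IF[3])           # "via-default"
def case_gre_tunnel():
    # With GRE, the IGP carries the tunnel subnet, so interface 6 resolves.
    return next_hop_status(AS1_RIB + [("172.16.0.0/30", IF[1])], IF[6])  # "specific"
def case_next_hop_self():
    # Beyond the post: SGW1 rewrites NEXT_HOP to its own inside address (next-hop-self).
    return next_hop_status(AS1_RIB, IF[1])           # "specific"
```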