Timo Teräs | b1887c8 | 2017-01-24 16:42:19 +0200 | [diff] [blame] | 1 | @cindex NHRP |
| 2 | @node NHRP |
| 3 | @chapter NHRP |
| 4 | |
| 5 | @command{nhrpd} is a daemon to support Next Hop Routing Protocol (NHRP). |
| 6 | NHRP is described in RFC2332. |
| 7 | |
| 8 | NHRP is used to improve the efficiency of routing computer network |
| 9 | traffic over Non-Broadcast, Multiple Access (NBMA) Networks. NHRP provides |
| 10 | an ARP-like solution that allows a system to dynamically learn the NBMA |
| 11 | address of the other systems that are part of that network, allowing |
| 12 | these systems to directly communicate without requiring traffic to use |
| 13 | an intermediate hop. |
| 14 | |
| 15 | Cisco Dynamic Multipoint VPN (DMVPN) is based on NHRP, and Quagga nrhpd |
| 16 | implements this scenario. |
| 17 | |
| 18 | @menu |
| 19 | * Routing Design:: |
| 20 | * Configuring NHRP:: |
| 21 | * Hub Functionality:: |
| 22 | * Integration with IKE:: |
| 23 | * NHRP Events:: |
| 24 | * Configuration Example:: |
| 25 | @end menu |
| 26 | |
| 27 | @node Routing Design |
| 28 | @section Routing Design |
| 29 | |
| 30 | nhrpd never handles routing of prefixes itself. You need to run some |
| 31 | real routing protocol (e.g. BGP) to advertise routes over the tunnels. |
| 32 | What nhrpd does it establishes 'shortcut routes' that optimizes the |
| 33 | routing protocol to avoid going through extra nodes in NBMA GRE mesh. |
| 34 | |
| 35 | nhrpd does route NHRP domain addresses individually using per-host prefixes. |
| 36 | This is similar to Cisco FlexVPN; but in contrast to opennhrp which uses |
| 37 | a generic subnet route. |
| 38 | |
| 39 | To create NBMA GRE tunnel you might use the following (linux terminal |
| 40 | commands): |
| 41 | @example |
| 42 | @group |
| 43 | ip tunnel add gre1 mode gre key 42 ttl 64 |
| 44 | ip addr add 10.255.255.2/32 dev gre1 |
| 45 | ip link set gre1 up |
| 46 | @end group |
| 47 | @end example |
| 48 | |
| 49 | Note that the IP-address is assigned as host prefix to gre1. nhrpd will |
| 50 | automatically create additional host routes pointing to gre1 when |
| 51 | a connection with these hosts is established. |
| 52 | |
| 53 | The gre1 subnet prefix should be announced by routing protocol from the |
| 54 | hub nodes (e.g. BGP 'network' announce). This allows the routing protocol |
| 55 | to decide which is the closest hub and determine the relay hub on prefix |
| 56 | basis when direct tunnel is not established. |
| 57 | |
| 58 | nhrpd will redistribute directly connected neighbors to zebra. Within |
| 59 | hub nodes, these routes should be internally redistributed using some |
| 60 | routing protocol (e.g. iBGP) to allow hubs to be able to relay all traffic. |
| 61 | |
| 62 | This can be achieved in hubs with the following bgp configuration (network |
| 63 | command defines the GRE subnet): |
| 64 | @example |
| 65 | @group |
| 66 | router bgp 65555 |
| 67 | network 172.16.0.0/16 |
| 68 | redistribute nhrp |
| 69 | @end group |
| 70 | @end example |
| 71 | |
| 72 | |
| 73 | @node Configuring NHRP |
| 74 | @section Configuring NHRP |
| 75 | |
| 76 | FIXME |
| 77 | |
| 78 | @node Hub Functionality |
| 79 | @section Hub Functionality |
| 80 | |
| 81 | In addition to routing nhrp redistributed host prefixes, the hub nodes |
| 82 | are also responsible to send NHRP Traffic Indication messages that |
| 83 | trigger creation of the shortcut tunnels. |
| 84 | |
| 85 | nhrpd sends Traffic Indication messages based on network traffic captured |
| 86 | using NFLOG. Typically you want to send Traffic Indications for network |
| 87 | traffic that is routed from gre1 back to gre1 in rate limited manner. |
| 88 | This can be achieved with the following iptables rule. |
| 89 | |
| 90 | @example |
| 91 | @group |
| 92 | iptables -A FORWARD -i gre1 -o gre1 \ |
| 93 | -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \ |
Paul Jakma | 1bfd655 | 2017-03-08 23:31:47 +0000 | [diff] [blame^] | 94 | --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 \ |
| 95 | --hashlimit-dstmask 24 --hashlimit-name loglimit-0 \ |
| 96 | -j NFLOG --nflog-group 1 --nflog-range 128 |
Timo Teräs | b1887c8 | 2017-01-24 16:42:19 +0200 | [diff] [blame] | 97 | @end group |
| 98 | @end example |
| 99 | |
| 100 | You can fine tune the src/dstmask according to the prefix lengths you |
| 101 | announce internal, add additional IP range matches, or rate limitation |
| 102 | if needed. However, the above should be good in most cases. |
| 103 | |
| 104 | This kernel NFLOG target's nflog-group is configured in global nhrp config |
| 105 | with: |
| 106 | @example |
| 107 | @group |
| 108 | nhrp nflog-group 1 |
| 109 | @end group |
| 110 | @end example |
| 111 | |
| 112 | To start sending these traffic notices out from hubs, use the nhrp |
| 113 | per-interface directive: |
| 114 | @example |
| 115 | @group |
| 116 | interface gre1 |
| 117 | ip nhrp redirect |
| 118 | @end group |
| 119 | @end example |
| 120 | |
| 121 | @node Integration with IKE |
| 122 | @section Integration with IKE |
| 123 | |
| 124 | nhrpd needs tight integration with IKE daemon for various reasons. |
| 125 | Currently only strongSwan is supported as IKE daemon. |
| 126 | |
| 127 | nhrpd connects to strongSwan using VICI protocol based on UNIX socket |
| 128 | (hardcoded now as /var/run/charon.vici). |
| 129 | |
| 130 | strongSwan currently needs few patches applied. Please check out the |
| 131 | @uref{http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras-release,release} |
| 132 | and |
| 133 | @uref{http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras,working tree} |
| 134 | git repositories for the patches. |
| 135 | |
| 136 | @node NHRP Events |
| 137 | @section NHRP Events |
| 138 | |
| 139 | FIXME |
| 140 | |
| 141 | @node Configuration Example |
| 142 | @section Configuration Example |
| 143 | |
| 144 | FIXME |