nhrpd.texi 4.3 KB

@cindex NHRP
@node NHRP
@chapter NHRP
@command{nhrpd} is a daemon to support the Next Hop Resolution Protocol (NHRP).
NHRP is described in RFC2332.
NHRP is used to improve the efficiency of routing computer network
traffic over Non-Broadcast, Multiple Access (NBMA) Networks. NHRP provides
an ARP-like solution that allows a system to dynamically learn the NBMA
address of the other systems that are part of that network, allowing
these systems to communicate directly without requiring traffic to use
an intermediate hop.
Cisco Dynamic Multipoint VPN (DMVPN) is based on NHRP, and Quagga nhrpd
implements this scenario.
@menu
* Routing Design::
* Configuring NHRP::
* Hub Functionality::
* Integration with IKE::
* NHRP Events::
* Configuration Example::
@end menu
@node Routing Design
@section Routing Design
nhrpd never handles routing of prefixes itself. You need to run some
real routing protocol (e.g. BGP) to advertise routes over the tunnels.
What nhrpd does is establish 'shortcut routes' that optimize the
routing protocol to avoid going through extra nodes in the NBMA GRE mesh.
nhrpd routes NHRP domain addresses individually using per-host prefixes.
This is similar to Cisco FlexVPN, and in contrast to opennhrp, which uses
a generic subnet route.
To create the NBMA GRE tunnel you might use the following (Linux terminal
commands):
@example
@group
ip tunnel add gre1 mode gre key 42 ttl 64
ip addr add 10.255.255.2/32 dev gre1
ip link set gre1 up
@end group
@end example
Note that the IP address is assigned as a host prefix to gre1. nhrpd will
automatically create additional host routes pointing to gre1 when
a connection with these hosts is established.
The gre1 subnet prefix should be announced by the routing protocol from the
hub nodes (e.g. BGP 'network' announce). This allows the routing protocol
to decide which is the closest hub and determine the relay hub on a per-prefix
basis when a direct tunnel is not established.
nhrpd will redistribute directly connected neighbors to zebra. Within
hub nodes, these routes should be internally redistributed using some
routing protocol (e.g. iBGP) so that every hub is able to relay all traffic.
This can be achieved in hubs with the following bgp configuration (the network
command defines the GRE subnet):
@example
@group
router bgp 65555
 network 172.16.0.0/16
 redistribute nhrp
@end group
@end example
@node Configuring NHRP
@section Configuring NHRP
FIXME
@node Hub Functionality
@section Hub Functionality
In addition to routing the host prefixes redistributed by nhrp, the hub nodes
are also responsible for sending the NHRP Traffic Indication messages that
trigger creation of the shortcut tunnels.
nhrpd sends Traffic Indication messages based on network traffic captured
using NFLOG. Typically you want to send Traffic Indications, in a rate-limited
manner, for network traffic that is routed from gre1 back to gre1.
This can be achieved with the following iptables rule.
@example
@group
iptables -A FORWARD -i gre1 -o gre1 \
  -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \
  --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 \
  --hashlimit-dstmask 24 --hashlimit-name loglimit-0 \
  -j NFLOG --nflog-group 1 --nflog-range 128
@end group
@end example
You can fine-tune the src/dstmask according to the prefix lengths you
announce internally, add additional IP range matches, or adjust the rate
limit if needed. However, the above should be good in most cases.
The nflog-group used by this kernel NFLOG target is configured in the global
nhrp configuration with:
@example
@group
nhrp nflog-group 1
@end group
@end example
To start sending these traffic notices out from the hubs, use the nhrp
per-interface directive:
@example
@group
interface gre1
 ip nhrp redirect
@end group
@end example
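The three pieces above (the /32-addressed GRE tunnel, the rate-limited NFLOG rule, and the nhrpd/bgpd configuration that consumes it) have to agree with each other, and a mismatch between the rule's nflog-group and the 'nhrp nflog-group' setting means the hub silently never sends Traffic Indications. The following shell script is an added example, not part of the Quagga nhrpd documentation or source: it generates all three fragments from a handful of parameters, refuses a tunnel address that is not a /32 host prefix or a hashlimit mask outside 0-32, and checks that the nflog-group in a captured 'iptables -S FORWARD' line matches the configured group. All function names and the placeholder values (gre1, key 42, 10.255.255.2/32, 172.16.0.0/16, AS 65555, group 1) are assumptions chosen for illustration, most of them taken from the examples in this chapter.

```shell
#!/bin/sh
# Added example (not part of the Quagga nhrpd documentation): generate the
# tunnel commands, the NFLOG rule and the nhrpd/bgpd configuration for one
# hub from a few parameters, and sanity-check them before applying anything.
# The interface name, GRE key, addresses and AS number used at the bottom
# are illustrative placeholders, not values mandated by nhrpd.

# The tunnel address is assigned as a /32 host prefix; nhrpd adds the
# per-host routes towards peers itself, so reject anything wider.
is_host_prefix() {
    case "$1" in
        */32) return 0 ;;
        *)    return 1 ;;
    esac
}

# gre_tunnel_cmds DEV KEY ADDR/32 -> prints the ip(8) commands for the tunnel
gre_tunnel_cmds() {
    dev="$1"; key="$2"; addr="$3"
    is_host_prefix "$addr" || { echo "error: $addr is not a /32 host prefix" >&2; return 1; }
    printf 'ip tunnel add %s mode gre key %s ttl 64\n' "$dev" "$key"
    printf 'ip addr add %s dev %s\n' "$addr" "$dev"
    printf 'ip link set %s up\n' "$dev"
}

# nflog_rule DEV GROUP [SRCMASK] [DSTMASK] -> prints the rate-limited NFLOG
# rule for traffic forwarded from DEV back to DEV. Masks default to 24 and
# must be integers in 0-32 (the prefix lengths announced internally).
nflog_rule() {
    dev="$1"; group="$2"; srcmask="${3:-24}"; dstmask="${4:-24}"
    for m in "$srcmask" "$dstmask"; do
        case "$m" in ''|*[!0-9]*) echo "error: bad mask '$m'" >&2; return 1 ;; esac
        [ "$m" -le 32 ] || { echo "error: mask $m exceeds 32" >&2; return 1; }
    done
    printf 'iptables -A FORWARD -i %s -o %s' "$dev" "$dev"
    printf ' -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1'
    printf ' --hashlimit-mode srcip,dstip --hashlimit-srcmask %s --hashlimit-dstmask %s' "$srcmask" "$dstmask"
    printf ' --hashlimit-name loglimit-0 -j NFLOG --nflog-group %s --nflog-range 128\n' "$group"
}

# hub_config DEV GROUP AS SUBNET -> prints the nhrpd and bgpd fragment that
# pairs with the rule above: same nflog-group, redirect enabled on DEV, and
# the GRE subnet announced by BGP with nhrp host routes redistributed.
hub_config() {
    printf 'nhrp nflog-group %s\n' "$2"
    printf 'interface %s\n ip nhrp redirect\n' "$1"
    printf 'router bgp %s\n network %s\n redistribute nhrp\n' "$3" "$4"
}

# nflog_group_matches RULE_LINE GROUP -> returns 0 only if the --nflog-group
# in a captured 'iptables -S FORWARD' line equals GROUP, i.e. the group the
# rule logs to is the one nhrpd was told to read with 'nhrp nflog-group'.
nflog_group_matches() {
    g=$(printf '%s\n' "$1" | sed -n 's/.*--nflog-group \([0-9][0-9]*\).*/\1/p')
    [ -n "$g" ] && [ "$g" = "$2" ]
}

# Dry run with the placeholder values: print everything, apply nothing.
gre_tunnel_cmds gre1 42 10.255.255.2/32
nflog_rule gre1 1
hub_config gre1 1 65555 172.16.0.0/16
```

Running the script prints the commands and configuration for review; nothing is applied. To verify a live hub, capture the FORWARD chain with 'iptables -S FORWARD' and pass the NFLOG line together with the configured group to nflog_group_matches.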
@node Integration with IKE
@section Integration with IKE
nhrpd needs tight integration with the IKE daemon for various reasons.
Currently only strongSwan is supported as the IKE daemon.
nhrpd connects to strongSwan using the VICI protocol over a UNIX socket
(hardcoded for now as /var/run/charon.vici).
strongSwan currently needs a few patches applied. Please check out the
@uref{http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras-release,release}
and
@uref{http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras,working tree}
git repositories for the patches.
@node NHRP Events
@section NHRP Events
FIXME
@node Configuration Example
@section Configuration Example
FIXME