Connecting eBGP and iBGP routers in Quagga - loopback

I am trying to announce a prefix from AS7 and I would like AS6 to receive it and send it to AS2 (as shown in the attached topology). I have OSPF running on all routers of AS6. I have assigned 10.x.x.x to each loopback interface of my routers in AS6, for example 10.6.6.6 for r6, 10.4.4.4 for r4, etc. I have established a peer connection between all of the routers of AS6; for example, r3 has a connection with r6, r4, r9 and r5 even though we do not have a physical connection between them.
My question is whether the IP address I should use for r6 should be a public IP, because if I use 10.6.6.6 for r6, then r7 from AS7 will not be able to communicate with it. The same reason applies to r5 and r9, which should be run with their public addresses. If I use r6's public IP and then connect r6 to r5 and r9, then I do not need OSPF, and without OSPF r6 will also be able to talk to r9 and r5.
I am confused about how I can involve r6 in my full mesh topology using its public IP address. Should I assign r6's public IP address to its loopback?

1) Within AS6 you need a full mesh of IBGP sessions: R3-R4, R3-R5, R3-R6, R3-R9, R4-R5, R4-R6, R4-R9, R5-R6, R6-R9. You need the full mesh for two reasons. One: each router needs the IBGP routes in its forwarding table, so each router needs to speak IBGP. Two: IBGP routes are normally not propagated from one IBGP session to another IBGP session, so the IBGP sessions must form a full mesh.
Note: Or, as an alternative to a full mesh of IBGP sessions you can use one or more route reflectors: RR-R3, RR-R4, RR-R5, RR-R6, RR-R9.
Note: A common design is the so-called BGP-free core. In this design you only run IBGP on the edge routers of your AS (in your example R5, R9, and R6). The other routers in the core (R3 and R4 in your example) only run the IGP (which is OSPF in your example). This means that the BGP routes are not in the core routers R3 and R4. To make forwarding work, some sort of (automated) tunneling is used from edge router to edge router (typically MPLS but sometimes GRE or VXLAN).
2) It is recommended to use the loopback addresses as the source and destination address of the IBGP session. This is to avoid tying the multi-hop IBGP session to a physical interface. For example, imagine you also had an R5-R9 link and consider the R6-R9 IBGP session. The physical path of the R6-R9 IBGP session would normally be R6-R4-R9. But if the R6-R4 interface goes down, we want the IBGP session to stay up and move over to the R6-R3-R5-R9 path.
3) Because the IBGP sessions are normally loopback to loopback and sometimes multi-hop, you need some mechanism for each BGP speaker (R3, R4, R5, R6, R9) to discover the route to the loopback. This is why every router in the AS must also run OSPF (R3, R4, R5, R6, R9).
4) The loopback addresses are typically public IP addresses, but they could theoretically also be private IP addresses. What really matters is that each router in AS6 has OSPF reachability to the loopback of the other routers in the same domain.
5) The EBGP sessions R2-R5, R2-R9, and R6-R7 should be bound to the interfaces. In other words, the source and destination IP addresses of those BGP sessions should be the IP addresses of the inter-AS interfaces.
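As an added example (not code from the question or the answer), here is a script that writes the Quagga ospfd.conf and bgpd.conf a router in R6's position would need to implement points 1 to 5. The loopbacks other than 10.6.6.6 and 10.4.4.4, the 203.0.113.0/30 R6-R7 link, and the interface names are assumed. It also adds next-hop-self on the IBGP sessions, which the answer does not mention but which is what lets the other AS6 routers resolve the next hop of the prefix learned from R7.

```shell
#!/bin/sh
# Added example, not from the question or answer: writes the Quagga ospfd.conf
# and bgpd.conf for R6, the AS6 edge router that peers EBGP with R7.
# Assumptions (constructed for this example; only 10.6.6.6 and 10.4.4.4 come
# from the question): loopbacks 10.3.3.3 (R3), 10.5.5.5 (R5), 10.9.9.9 (R9);
# all AS6-internal links are numbered from 10.0.0.0/8; the R6-R7 link is
# 203.0.113.0/30 with R6 = .1 and R7 = .2 on R6's interface eth0.
set -eu

write_r6_quagga_config() {
    dir=$1
    mkdir -p "$dir"

    # OSPF advertises every 10/8 interface, including the loopback /32, so the
    # other AS6 routers learn a route to 10.6.6.6 that survives link failures.
    # The inter-AS link (eth0) is deliberately left out of OSPF.
    cat > "$dir/ospfd.conf" <<'EOF'
hostname r6
router ospf
 ospf router-id 10.6.6.6
 passive-interface lo
 network 10.0.0.0/8 area 0.0.0.0
EOF

    # IBGP: full mesh over loopbacks (update-source), so sessions are not tied
    # to a physical interface. next-hop-self rewrites the next hop of the AS7
    # prefix to 10.6.6.6, which the other routers reach via OSPF; without it
    # they would need a route to R7's 203.0.113.2.
    # EBGP: bound to the inter-AS interface addresses, no multihop.
    cat > "$dir/bgpd.conf" <<'EOF'
hostname r6
router bgp 6
 bgp router-id 10.6.6.6
 neighbor AS6-MESH peer-group
 neighbor AS6-MESH remote-as 6
 neighbor AS6-MESH update-source 10.6.6.6
 neighbor AS6-MESH next-hop-self
 neighbor 10.3.3.3 peer-group AS6-MESH
 neighbor 10.4.4.4 peer-group AS6-MESH
 neighbor 10.5.5.5 peer-group AS6-MESH
 neighbor 10.9.9.9 peer-group AS6-MESH
 neighbor 203.0.113.2 remote-as 7
 neighbor 203.0.113.2 description R7 in AS7 over eth0
EOF
}

# Usage: write_r6_quagga_config /etc/quagga
```

The core routers R3 and R4 get the same IBGP peer-group (with their own router-id and loopback as update-source) and no EBGP neighbor.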

Related

How to intercept IP packets going to the kernel Linux

I need to create a TCP session "manually", without using the connect() function. I have tried to use RAW sockets. But in this case, I only get copies of the incoming IP packets. The original incoming packets slip through to the kernel and it generates an ACK response packet that damages my protocol.
Next, variant 2, I can write a virtual eth interface driver (kernel module) and route incoming traffic to it using iptables. But there is a patched non-original (non-vanilla) kernel on the machine. Normal linking of the module with the kernel is not possible.
Variant 3. I also tried not to assign an IP address to the NIC interface. In this case, the network TCP/IP layer module in the kernel is not activated and it is possible to generate and receive arbitrary IP packets on the link (ethernet) layer using the PF_PACKET socket domain type in the socket() function. But at this time, any other applications using the TCP/IP protocol can’t work.
How can this problem be solved in other ways?
It would be nice if it were possible to intercept packets going from the network interface to the kernel, that is, intercept the SKBuf buffer. But I don't know how to realize it.
Apparently you are trying to create a tunnel. Instead of trying to hijack an existing interface, the proper way to create a tunnel is to create a new interface, using a kernel module or TUN/TAP. However, tunnels are normally intended to receive traffic generated on the machine which runs the tunnel software, or at least routed through it. That means you will also have to set up the kernel to route the traffic to your tunnel.
You can create a new interface as a TUN/TAP interface. It is like a virtual ethernet driver except you don't need to write a new kernel module. It is designed for tunnels (hence the name).
The difference between TUN and TAP is that a TUN interface is an IP interface that receives IP packets from the kernel's IP routing system, and a TAP interface receives Ethernet packets (which may contain IP packets) so it can alternatively be part of a bridge (a virtual Ethernet switch - which only looks at the Ethernet header, not the IP header).
I think for your scenario, you will find it easiest to create a TAP interface, then create a bridge (virtual Ethernet switch) between the TAP interface, and the interface which the other host is connected to. Neither one needs an IP address - the kernel will happily pass Ethernet-layer traffic without attempting to process the IP information in the packet. Your tunnel software can then emulate a host - or tunnel to an actual host - or whatever you want it to do.
Or in visual form:
If you want the host to also be able to talk to the machine running the tunnel software - without going through the tunnel software - then you may choose to put an IP address on the bridge.
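The TAP-plus-bridge layout the answer recommends, as an added example that is not part of the original answer. The names tap0, eth1, br0 and the unprivileged account "tunnel" are assumed; setting IP=echo previews the iproute2 commands without running them.

```shell
#!/bin/sh
# Added example, not from the answer: builds the TAP-plus-bridge layout the
# answer recommends. Assumed names: tap0 (the TAP device the tunnel software
# will open), eth1 (the NIC the other host is plugged into), br0, and the
# unprivileged account "tunnel" that runs the tunnel software. IP names the
# iproute2 binary; set IP=echo to preview the commands without running them.
set -eu
IP=${IP:-ip}

# Create the TAP device owned by the tunnel user, create the bridge, and
# enslave both the TAP and the physical NIC to it. No address is assigned to
# tap0 or eth1: the bridge forwards Ethernet frames between them and the
# kernel never looks at the IP header, which is the point of the design.
setup_tap_bridge() {
    tap=$1 nic=$2 br=$3 owner=$4
    $IP tuntap add dev "$tap" mode tap user "$owner"
    $IP link add name "$br" type bridge
    $IP link set dev "$nic" master "$br"
    $IP link set dev "$tap" master "$br"
    $IP link set dev "$nic" up
    $IP link set dev "$tap" up
    $IP link set dev "$br" up
}

# Optional: give the bridge itself an address so this machine can talk to the
# remote host directly, bypassing the tunnel software (the answer's last note).
address_bridge() {
    br=$1 cidr=$2
    $IP addr add "$cidr" dev "$br"
}

# Tear everything down in reverse order.
teardown_tap_bridge() {
    tap=$1 br=$2
    $IP link set dev "$br" down
    $IP link del dev "$br"
    $IP tuntap del dev "$tap" mode tap
}

# Example invocation (needs root unless IP=echo):
#   setup_tap_bridge tap0 eth1 br0 tunnel
#   address_bridge br0 192.0.2.1/24
```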

Socket communication between two devices under a sub-LAN

For two devices that both have public IP addresses, we can use socket IP and port to set up socket communication.
If both devices do not have public IPs but connect to a sub-LAN and then access the public network through a router (no port mapping in the router), how can these two devices set up a socket connection?
For example in above diagram, how can machine A communicate with machine C?
Assuming that you have not set up a VPN tunnel between the two routers that connects both branches of the 192.168.1.0/24 network then the answer is: you can't.
If you set up a VPN tunnel then each side of the 192.168.1.0/24 network will be able to see the other side. Please note that the routers will need to be able to do ARP spoofing, i.e. the router for A & B will need to be able to spoof the MAC for C, i.e. intercept IP packets for C on their LAN and forward them through the VPN to the other network half where they are delivered to C.
If you set up at least one port forwarding on one router, then you'll have other options, e.g. an SSH tunnel on C that connects to the port forward on either A & B. You can then use the -L option on C to set up port forwarding through the SSH tunnel to the other half of the network.

In UPnP IGD, what's the difference between a firewall pinhole and port mapping?

In UPnP IGD there are two services, "WANPPPConnection" (or WanIPConnection) and WANIPv6FirewallControl, that have methods that look similar:
AddPinhole
Add(Any)PortMapping
Both taking similar arguments (remote/internal host/port, protocol, lease time).
I was wondering, what is the difference between them? FW control is apparently exclusive to IPv6 while PortMapping seems to allow both v4 and v6, so what is the real difference? Is there a different behavior?
A (typical) IPv4 firewall, embedded in an Internet router, has a single IPv4 address on the Internet, on its WAN interface. Devices on the LAN behind it typically use private range addresses. This means that they are not reachable from the Internet.
If a service on a device must be reachable from the Internet, the router must be instructed to forward incoming traffic from one of its ports on its WAN interface, to a port on the LAN device. This is called a "port forwarding," using the NAPT (Network Address and Port Translation) feature of the router.
On IPv6, routers are not provided with a single address on the WAN interface, but a whole prefix. Devices on the LAN all have publicly routable addresses. There is no need for address and port translation on the router.
The firewall in the router, however, may be configured to block all incoming connections. In this case, the router's firewall must be instructed to pass through traffic to certain ports on certain protocols to certain LAN addresses. This is called a "pinhole" in the UPnP-IGD standard.

Windows 7 temporarily routes UDP packets for local network to default gateway

I have a Windows service running on a multi-homed Windows 7 machine communicating via UDP to a machine on the local network. This works fine, except sometimes during Windows startup the network traffic is temporarily (30 seconds) being routed to the default gateway, resulting in UDP packet loss. This packet loss is not necessarily a problem, but leads to an unnecessarily long startup time of the application.
The service binds to the socket using INADDR_ANY. Now when I change this to bind to the IP address of the control network NIC (192.168.32.1) I don't observe the problem. However I don't understand why the binding matters in this situation, and also I don't understand why the problem is there only temporarily. Do any of you have an explanation for this?
Besides my curiosity to find the root cause of this issue, I would also like to get an answer to this question so I can remove the bind to the specific IP address from my code. This decouples my application code from the network layout.
Network details:
Machine A, Windows 7, two NICs:
NIC #1 (ext network): 192.168.116.x/23 (DHCP), gateway 192.168.117.1
NIC #2 (int network): 192.168.32.1/26 (fixed)
Machine B, VxWorks, one NIC:
NIC #1 (int network): 192.168.32.16/26 (DHCP, assigned by Machine A)
When using INADDR_ANY, you bind your socket to the default IP address - the one with the lowest interface address. From the symptoms you are describing, it seems like this interface is not yet configured during startup, which makes sense.
The question is, why do you bind the sending socket to any address at all. Implicit binding during send should be OK for you, I imagine?

How to connect to another machine behind multiple gateways using IP?

I did not know where to ask this so here it is. This is more of a networking technology question, but any pointers will help.
Suppose I want to connect to a machine behind multiple gateways. Say I want to connect to my home computer from my office computer. My home computer is behind my ISP's gateway and then behind my wireless router at home. Let's say I know the IPs for all of them (global IP for my ISP's gateway, local IP for my wireless router within my ISP's network and my home machine's local IP within my home). How do I initiate a TCP connection with my home computer? The standard Berkeley socket program only takes one IP and so I can only connect to machines that have global IPs.
Is there a solution? Am I correct about the Berkeley sockets?
Thanks.
It is entirely possible, with the cooperation of the ISP. The fact that the ISP is giving private addresses should urge you to move to another.
The concept you're after is called DNAT or Port Forwarding.
Let's say you decide on accessing port 1234 on a PC. The address of the PC is Local2. The address of the wireless router (in the network with the ISP) is Local1.
The wireless router must do the translation Local1:X -> Local2:1234
The ISP router must do the translation Public:1234 -> Local1:X
The X means any port can be used.
You only need to know the destination IP address to connect from an application, the gateway address is for the forwarding (routing) of packets which is handled by the OS network stack. However, if the destination is behind NAT, you'll only know the public IP address of the destination's NAT device. Even in this scenario, all you have would be an IP address and you don't really know if there is NAT going on.
If your destination is fixed, you could set up port forwarding on the NAT device (if you control it). Otherwise, you just realized that NAT is pure evil.
In your situation, it appears you want to connect to your home computer. If your wireless device has a public IP address, you can set up port forwarding on that to forward all incoming traffic on a port to a port on your home computer.