[mirror_frr.git] / doc / user / nhrpd.rst

.. _nhrp:

****
NHRP
****

*nhrpd* is an implementation of the :abbr:NHRP `(Next Hop Routing Protocol)`.
NHRP is described in :rfc`2332`.

NHRP is used to improve the efficiency of routing computer network traffic over
:abbr:`NBMA (Non-Broadcast, Multiple Access)` networks. NHRP provides an
ARP-like solution that allows a system to dynamically learn the NBMA address of
the other systems that are part of that network, allowing these systems to
directly communicate without requiring traffic to use an intermediate hop.

Cisco Dynamic Multipoint VPN (DMVPN) is based on NHRP, and |PACKAGE_NAME| nhrpd
implements this scenario.

.. _routing-design:

Routing Design
==============

nhrpd never handles routing of prefixes itself. You need to run some
real routing protocol (e.g. BGP) to advertise routes over the tunnels.
What nhrpd does it establishes 'shortcut routes' that optimizes the
routing protocol to avoid going through extra nodes in NBMA GRE mesh.

nhrpd does route NHRP domain addresses individually using per-host prefixes.
This is similar to Cisco FlexVPN; but in contrast to opennhrp which uses
a generic subnet route.

To create NBMA GRE tunnel you might use the following (Linux terminal
commands):::

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.255.255.2/32 dev gre1
   ip link set gre1 up


Note that the IP-address is assigned as host prefix to gre1. nhrpd will
automatically create additional host routes pointing to gre1 when
a connection with these hosts is established.

The gre1 subnet prefix should be announced by routing protocol from the
hub nodes (e.g. BGP 'network' announce). This allows the routing protocol
to decide which is the closest hub and determine the relay hub on prefix
basis when direct tunnel is not established.

nhrpd will redistribute directly connected neighbors to zebra. Within
hub nodes, these routes should be internally redistributed using some
routing protocol (e.g. iBGP) to allow hubs to be able to relay all traffic.

This can be achieved in hubs with the following bgp configuration (network
command defines the GRE subnet):

.. code-block:: frr

  router bgp 65555
   address-family ipv4 unicast
     network 172.16.0.0/16
     redistribute nhrp
   exit-address-family


.. _configuring-nhrp:

Configuring NHRP
================

FIXME

.. _hub-functionality:

Hub Functionality
=================

In addition to routing nhrp redistributed host prefixes, the hub nodes
are also responsible to send NHRP Traffic Indication messages that
trigger creation of the shortcut tunnels.

nhrpd sends Traffic Indication messages based on network traffic captured
using NFLOG. Typically you want to send Traffic Indications for network
traffic that is routed from gre1 back to gre1 in rate limited manner.
This can be achieved with the following iptables rule.

.. code-block:: shell

   iptables -A FORWARD -i gre1 -o gre1 \\
       -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \\
       --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \\
       --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128


You can fine tune the src/dstmask according to the prefix lengths you
announce internal, add additional IP range matches, or rate limitation
if needed. However, the above should be good in most cases.

This kernel NFLOG target's nflog-group is configured in global nhrp config
with:

.. code-block:: frr

   nhrp nflog-group 1

To start sending these traffic notices out from hubs, use the nhrp
per-interface directive:

.. code-block:: frr

   interface gre1
    ip nhrp redirect


.. _integration-with-ike:

Integration with IKE
====================

nhrpd needs tight integration with IKE daemon for various reasons.
Currently only strongSwan is supported as IKE daemon.

nhrpd connects to strongSwan using VICI protocol based on UNIX socket
(hardcoded now as /var/run/charon.vici).

strongSwan currently needs few patches applied. Please check out the
`http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras-release,release <http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras-release,release>`_
and
`http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras,working tree <http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras,working tree>`_
git repositories for the patches.

.. _nhrp-events:

NHRP Events
===========

FIXME

Configuration Example
=====================

FIXME
Commit	Line	Data
0efdf0fe	1	.. _nhrp:
caba6093	2
42fc5d26 QY	3	****
	4	NHRP
	5	****
	6
c1a54c05 QY	7	nhrpd is an implementation of the :abbr:NHRP `(Next Hop Routing Protocol)`.
c1a54c05 QY	8	NHRP is described in :rfc`2332`.
caba6093	9
c1a54c05 QY	10	NHRP is used to improve the efficiency of routing computer network traffic over
	11	:abbr:`NBMA (Non-Broadcast, Multiple Access)` networks. NHRP provides an
	12	ARP-like solution that allows a system to dynamically learn the NBMA address of
	13	the other systems that are part of that network, allowing these systems to
	14	directly communicate without requiring traffic to use an intermediate hop.
caba6093	15
c1a54c05 QY	16	Cisco Dynamic Multipoint VPN (DMVPN) is based on NHRP, and \|PACKAGE_NAME\| nhrpd
c1a54c05 QY	17	implements this scenario.
caba6093	18
0efdf0fe	19	.. _routing-design:
caba6093	20
42fc5d26 QY	21	Routing Design
42fc5d26 QY	22	==============
caba6093 TT	23
	24	nhrpd never handles routing of prefixes itself. You need to run some
	25	real routing protocol (e.g. BGP) to advertise routes over the tunnels.
	26	What nhrpd does it establishes 'shortcut routes' that optimizes the
	27	routing protocol to avoid going through extra nodes in NBMA GRE mesh.
	28
	29	nhrpd does route NHRP domain addresses individually using per-host prefixes.
	30	This is similar to Cisco FlexVPN; but in contrast to opennhrp which uses
	31	a generic subnet route.
	32
c1a54c05 QY	33	To create NBMA GRE tunnel you might use the following (Linux terminal
c1a54c05 QY	34	commands):::
42fc5d26	35
42fc5d26 QY	36	ip tunnel add gre1 mode gre key 42 ttl 64
	37	ip addr add 10.255.255.2/32 dev gre1
	38	ip link set gre1 up
a8c90e15	39
caba6093 TT	40
	41	Note that the IP-address is assigned as host prefix to gre1. nhrpd will
	42	automatically create additional host routes pointing to gre1 when
	43	a connection with these hosts is established.
	44
	45	The gre1 subnet prefix should be announced by routing protocol from the
	46	hub nodes (e.g. BGP 'network' announce). This allows the routing protocol
	47	to decide which is the closest hub and determine the relay hub on prefix
	48	basis when direct tunnel is not established.
	49
	50	nhrpd will redistribute directly connected neighbors to zebra. Within
	51	hub nodes, these routes should be internally redistributed using some
	52	routing protocol (e.g. iBGP) to allow hubs to be able to relay all traffic.
	53
	54	This can be achieved in hubs with the following bgp configuration (network
9eb95b3b QY	55	command defines the GRE subnet):
	56
	57	.. code-block:: frr
42fc5d26	58
42fc5d26 QY	59	router bgp 65555
	60	address-family ipv4 unicast
	61	network 172.16.0.0/16
	62	redistribute nhrp
	63	exit-address-family
a8c90e15	64
caba6093	65
0efdf0fe	66	.. _configuring-nhrp:
caba6093	67
42fc5d26 QY	68	Configuring NHRP
42fc5d26 QY	69	================
caba6093 TT	70
	71	FIXME
	72
0efdf0fe	73	.. _hub-functionality:
42fc5d26 QY	74
	75	Hub Functionality
	76	=================
caba6093 TT	77
	78	In addition to routing nhrp redistributed host prefixes, the hub nodes
	79	are also responsible to send NHRP Traffic Indication messages that
	80	trigger creation of the shortcut tunnels.
	81
	82	nhrpd sends Traffic Indication messages based on network traffic captured
	83	using NFLOG. Typically you want to send Traffic Indications for network
	84	traffic that is routed from gre1 back to gre1 in rate limited manner.
	85	This can be achieved with the following iptables rule.
	86
9eb95b3b	87	.. code-block:: shell
42fc5d26	88
9eb95b3b QY	89	iptables -A FORWARD -i gre1 -o gre1 \\
	90	-m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \\
	91	--hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \\
	92	--hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128
a8c90e15	93
caba6093 TT	94
	95	You can fine tune the src/dstmask according to the prefix lengths you
	96	announce internal, add additional IP range matches, or rate limitation
	97	if needed. However, the above should be good in most cases.
	98
	99	This kernel NFLOG target's nflog-group is configured in global nhrp config
9eb95b3b QY	100	with:
	101
	102	.. code-block:: frr
42fc5d26	103
9eb95b3b	104	nhrp nflog-group 1
a8c90e15	105
caba6093	106	To start sending these traffic notices out from hubs, use the nhrp
9eb95b3b QY	107	per-interface directive:
	108
	109	.. code-block:: frr
	110
	111	interface gre1
	112	ip nhrp redirect
42fc5d26	113
a8c90e15	114
0efdf0fe	115	.. _integration-with-ike:
caba6093	116
42fc5d26 QY	117	Integration with IKE
42fc5d26 QY	118	====================
caba6093 TT	119
	120	nhrpd needs tight integration with IKE daemon for various reasons.
	121	Currently only strongSwan is supported as IKE daemon.
	122
	123	nhrpd connects to strongSwan using VICI protocol based on UNIX socket
	124	(hardcoded now as /var/run/charon.vici).
	125
	126	strongSwan currently needs few patches applied. Please check out the
42fc5d26	127	`http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras-release,release <http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras-release,release>`_
caba6093	128	and
42fc5d26	129	`http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras,working tree <http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras,working tree>`_
caba6093 TT	130	git repositories for the patches.
caba6093 TT	131
0efdf0fe	132	.. _nhrp-events:
42fc5d26 QY	133
	134	NHRP Events
	135	===========
caba6093 TT	136
	137	FIXME
	138
42fc5d26 QY	139	Configuration Example
42fc5d26 QY	140	=====================
caba6093 TT	141
caba6093 TT	142	FIXME
42fc5d26	143