Merge pull request #7306 from donaldsharp/bgp_dest_print
.. _nhrp:

****
NHRP
****

*nhrpd* is an implementation of the :abbr:`NHRP (Next Hop Routing Protocol)`.
NHRP is described in :rfc:`2332`.

NHRP is used to improve the efficiency of routing computer network traffic over
:abbr:`NBMA (Non-Broadcast, Multiple Access)` networks. NHRP provides an
ARP-like solution that allows a system to dynamically learn the NBMA address of
the other systems that are part of that network, allowing these systems to
communicate directly without requiring traffic to use an intermediate hop.

NHRP is a client-server protocol. The server side is called the :abbr:`NHS
(Next Hop Server)` or the hub, while a client is referred to as the :abbr:`NHC
(Next Hop Client)` or the spoke. When a node is configured as an NHC, it
registers its address with the NHS, which keeps track of all registered spokes.
An NHC can then query the addresses of other clients from the NHS, allowing
all spokes to communicate directly with each other.

Cisco Dynamic Multipoint VPN (DMVPN) is based on NHRP, and |PACKAGE_NAME| nhrpd
implements this scenario.

.. _routing-design:

Routing Design
==============

nhrpd never handles routing of prefixes itself. You need to run some real
routing protocol (e.g. BGP) to advertise routes over the tunnels. What nhrpd
does is establish 'shortcut routes' that let the routing protocol avoid going
through extra nodes in the NBMA GRE mesh.

nhrpd routes NHRP domain addresses individually using per-host prefixes. This
is similar to Cisco FlexVPN, but in contrast to opennhrp, which uses a generic
subnet route.

To create the NBMA GRE tunnel you might use the following (Linux terminal
commands):

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.255.255.2/32 dev gre1
   ip link set gre1 up


Note that the IP address is assigned as a host prefix to gre1. nhrpd will
automatically create additional host routes pointing to gre1 when a
connection with these hosts is established.

The gre1 subnet prefix should be announced by the routing protocol from the
hub nodes (e.g. a BGP 'network' announcement). This allows the routing protocol
to decide which hub is the closest and to determine the relay hub on a
per-prefix basis when a direct tunnel is not established.

nhrpd will redistribute directly connected neighbors to zebra. Within hub
nodes, these routes should be internally redistributed using some routing
protocol (e.g. iBGP) so that the hubs are able to relay all traffic.

This can be achieved in hubs with the following bgp configuration (the network
command defines the GRE subnet):

.. code-block:: frr

   router bgp 65555
    address-family ipv4 unicast
     network 172.16.0.0/16
     redistribute nhrp
    exit-address-family


.. _configuring-nhrp:

Configuring NHRP
================

.. index:: ip nhrp holdtime (1-65000)
.. clicmd:: ip nhrp holdtime (1-65000)

   Holdtime is the number of seconds that have to pass before nhrpd stops
   advertising an NHRP NBMA address as valid. It also controls how often NHRP
   registration requests are sent. By default registrations are sent every one
   third of the holdtime.

.. index:: ip nhrp map A.B.C.D|X:X::X:X A.B.C.D|local
.. clicmd:: ip nhrp map A.B.C.D|X:X::X:X A.B.C.D|local

   Map an IP address of a station to the station's NBMA address.

.. index:: ip nhrp network-id (1-4294967295)
.. clicmd:: ip nhrp network-id (1-4294967295)

   Enable NHRP on this interface and set the interface's network ID. The
   network ID allows multiple nhrp domains to be created on a router when
   multiple interfaces are configured on the router. Interfaces configured
   with the same ID are part of the same logical NBMA network. The ID is a
   local-only parameter and is not sent to other NHRP nodes, so IDs on
   different nodes do not need to match. When NHRP packets are received on an
   interface they are assigned to the local NHRP domain for that interface.

.. index:: ip nhrp nhs A.B.C.D nbma A.B.C.D|FQDN
.. clicmd:: ip nhrp nhs A.B.C.D nbma A.B.C.D|FQDN

   Configure the Next Hop Server address and its NBMA address.

.. index:: ip nhrp nhs dynamic nbma A.B.C.D
.. clicmd:: ip nhrp nhs dynamic nbma A.B.C.D

   Configure the Next Hop Server to have a dynamic address and set its NBMA
   address.

.. index:: ip nhrp registration no-unique
.. clicmd:: ip nhrp registration no-unique

   Allow the client to not set the unique flag in the NHRP packets. This is
   useful when a station has a dynamic IP address that could change over time.

.. index:: ip nhrp shortcut
.. clicmd:: ip nhrp shortcut

   Enable shortcut (spoke-to-spoke) tunnels to allow NHCs to talk to each
   other directly after establishing a connection, without going through the
   hub.

.. index:: ip nhrp mtu
.. clicmd:: ip nhrp mtu

   Configure the NHRP advertised MTU.


.. _hub-functionality:

Hub Functionality
=================

In addition to routing nhrp redistributed host prefixes, the hub nodes are
also responsible for sending the NHRP Traffic Indication messages that trigger
creation of the shortcut tunnels.

nhrpd sends Traffic Indication messages based on network traffic captured
using NFLOG. Typically you want to send Traffic Indications, in a rate limited
manner, for network traffic that is routed from gre1 back to gre1. This can be
achieved with the following iptables rule.

.. code-block:: shell

   iptables -A FORWARD -i gre1 -o gre1 \
        -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \
        --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \
        --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128


You can fine tune the src/dstmask according to the prefix lengths you announce
internally, add additional IP range matches, or adjust the rate limit if
needed. However, the above should be good in most cases.

The nflog-group used by this kernel NFLOG target is configured in the global
nhrp config with:

.. index:: nhrp nflog-group (1-65535)
.. clicmd:: nhrp nflog-group (1-65535)

To start sending these traffic notices out from hubs, use the nhrp
per-interface directive:

.. index:: ip nhrp redirect
.. clicmd:: ip nhrp redirect

   This enables redirect replies on the NHS, similar to ICMP redirects except
   that they are managed by the nhrp protocol. This setting allows spokes to
   communicate with each other directly.

.. _integration-with-ike:

Integration with IKE
====================

nhrpd needs tight integration with the IKE daemon for various reasons.
Currently only strongSwan is supported as the IKE daemon.

nhrpd connects to strongSwan using the VICI protocol over a UNIX socket
(currently hardcoded as /var/run/charon.vici).

strongSwan currently needs a few patches applied. Please check out the
https://git.alpinelinux.org/user/tteras/strongswan/log/?h=tteras-release
and
https://git.alpinelinux.org/user/tteras/strongswan/log/?h=tteras
git repositories for the patches.

.. _nhrp-events:

NHRP Events
===========

.. index:: nhrp event socket SOCKET
.. clicmd:: nhrp event socket SOCKET

   Configure the Unix path for the event socket.

.. _show-nhrp:

Show NHRP
=========

.. index:: show [ip|ipv6] nhrp cache [json]
.. clicmd:: show [ip|ipv6] nhrp cache [json]

   Dump the cache entries.

.. index:: show [ip|ipv6] nhrp opennhrp [json]
.. clicmd:: show [ip|ipv6] nhrp opennhrp [json]

   Dump the cache entries in opennhrp format.

.. index:: show [ip|ipv6] nhrp nhs [json]
.. clicmd:: show [ip|ipv6] nhrp nhs [json]

   Dump the hub context.

.. index:: show dmvpn [json]
.. clicmd:: show dmvpn [json]

   Dump the security contexts.

Configuration Example
=====================

.. figure:: ../figures/fig_dmvpn_topologies.png
   :alt: image

   image

IPSec configuration example
---------------------------

These changes are required on all nodes, both the hub and the spokes.

ipsec.conf file

.. code-block:: shell

   config setup
   conn dmvpn
       authby=secret
       auto=add
       keyexchange=ikev2
       ike=aes256-aes256-sha256-modp2048
       esp=aes256-aes256-sha256-modp2048
       dpdaction=clear
       dpddelay=300s
       left=%any
       leftid=%any
       right=%any
       rightid=%any
       leftprotoport=gre
       rightprotoport=gre
       type=transport
       keyingtries=%forever

ipsec.secrets file

.. code-block:: shell

   %any : PSK "some_s3cret!"


HUB configuration example
-------------------------

Creating the gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.254/32 dev gre1
   ip link set gre1 up

Adding the iptables rule that enables shortcut tunnels, so that spokes can
connect to each other directly

.. code-block:: shell

   iptables -A FORWARD -i gre1 -o gre1 \
        -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \
        --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \
        --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128

FRR config on the HUB

.. code-block:: frr

   nhrp nflog-group 1
   !
   interface gre1
    description DMVPN Tunnel Interface
    ip address 10.0.0.254/32
    ip nhrp network-id 1
    ip nhrp redirect
    ip nhrp registration no-unique
    ip nhrp shortcut
    tunnel protection vici profile dmvpn
    tunnel source eth0
   !
   router bgp 65000
    bgp router-id 10.0.0.254
    no bgp ebgp-requires-policy
    neighbor SPOKES peer-group
    neighbor SPOKES disable-connected-check
    neighbor 10.0.0.1 remote-as 65001
    neighbor 10.0.0.1 peer-group SPOKES
    neighbor 10.0.0.2 remote-as 65002
    neighbor 10.0.0.2 peer-group SPOKES
    neighbor 10.0.0.3 remote-as 65003
    neighbor 10.0.0.3 peer-group SPOKES
    !
    address-family ipv4 unicast
     network 172.16.0.0/24
     redistribute nhrp
    exit-address-family

Spoke1 configuration
--------------------

Creating the gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.1/32 dev gre1
   ip link set gre1 up


FRR config on Spoke1

.. code-block:: frr

   interface gre1
    description DMVPN Tunnel Interface
    ip address 10.0.0.1/32
    ip nhrp network-id 1
    ip nhrp nhs dynamic nbma 198.51.100.1
    ip nhrp redirect
    ip nhrp registration no-unique
    ip nhrp shortcut
    no link-detect
    tunnel protection vici profile dmvpn
    tunnel source eth0
   !
   router bgp 65001
    no bgp ebgp-requires-policy
    neighbor 10.0.0.254 remote-as 65000
    neighbor 10.0.0.254 disable-connected-check
    !
    address-family ipv4 unicast
     network 172.16.1.0/24
    exit-address-family


Spoke2 configuration
--------------------

Creating the gre interface (the tunnel address must be Spoke2's own
10.0.0.2/32, matching the FRR config below)

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.2/32 dev gre1
   ip link set gre1 up

FRR config on Spoke2

.. code-block:: frr

   interface gre1
    description DMVPN Tunnel Interface
    ip address 10.0.0.2/32
    ip nhrp network-id 1
    ip nhrp nhs dynamic nbma 198.51.100.1
    ip nhrp redirect
    ip nhrp registration no-unique
    ip nhrp shortcut
    no link-detect
    tunnel protection vici profile dmvpn
    tunnel source eth0
   !
   router bgp 65002
    no bgp ebgp-requires-policy
    neighbor 10.0.0.254 remote-as 65000
    neighbor 10.0.0.254 disable-connected-check
    !
    address-family ipv4 unicast
     network 172.16.2.0/24
    exit-address-family


Spoke3 configuration
--------------------

Creating the gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.3/32 dev gre1
   ip link set gre1 up

FRR config on Spoke3

.. code-block:: frr

   interface gre1
    description DMVPN Tunnel Interface
    ip address 10.0.0.3/32
    ip nhrp network-id 1
    ip nhrp nhs dynamic nbma 198.51.100.1
    ip nhrp redirect
    ip nhrp registration no-unique
    ip nhrp shortcut
    no link-detect
    tunnel protection vici profile dmvpn
    tunnel source eth0
   !
   router bgp 65003
    no bgp ebgp-requires-policy
    neighbor 10.0.0.254 remote-as 65000
    neighbor 10.0.0.254 disable-connected-check
    !
    address-family ipv4 unicast
     network 172.16.3.0/24
    exit-address-family

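As an added example (not part of the FRR documentation or of nhrpd itself), the
following Python script cross-checks a hub and spoke set of the kind shown above:
the kernel tunnel address from ``ip addr add`` must equal the FRR ``ip address``,
the GRE key, TTL and ``ip nhrp network-id`` must match the hub's, and the hub and
each spoke must list each other as BGP neighbors with the right AS. The sample
input is constructed from the configurations above, with one spoke whose kernel
tunnel address was left at another spoke's value, the copy-paste slip these
per-node blocks invite; the parser, the field names and ``check_dmvpn`` are
assumptions of this example.

```python
import re

# Constructed sample input: tunnel commands and FRR config of the hub, and of a
# Spoke2 whose "ip addr add" line was copied from Spoke1 by mistake.
HUB_SH = "ip tunnel add gre1 mode gre key 42 ttl 64\nip addr add 10.0.0.254/32 dev gre1\n"
HUB_FRR = ("interface gre1\n ip address 10.0.0.254/32\n ip nhrp network-id 1\n"
           "router bgp 65000\n neighbor 10.0.0.1 remote-as 65001\n"
           " neighbor 10.0.0.2 remote-as 65002\n")
SPOKE2_SH = "ip tunnel add gre1 mode gre key 42 ttl 64\nip addr add 10.0.0.1/32 dev gre1\n"
SPOKE2_FRR = ("interface gre1\n ip address 10.0.0.2/32\n ip nhrp network-id 1\n"
              " ip nhrp nhs dynamic nbma 198.51.100.1\n"
              "router bgp 65002\n neighbor 10.0.0.254 remote-as 65000\n")

def parse_node(sh, frr):
    """Pull out the fields that must agree between the kernel tunnel and FRR."""
    ifname, key, ttl = re.search(r"ip tunnel add (\S+) mode gre key (\d+) ttl (\d+)", sh).groups()
    nhs = re.search(r"ip nhrp nhs \S+ nbma (\S+)", frr)  # absent on the hub
    return {
        "ifname": ifname, "key": int(key), "ttl": int(ttl),
        "kernel_addr": re.search(r"ip addr add (\S+) dev " + ifname, sh).group(1),
        "frr_addr": re.search(r"^\s*ip address (\S+)", frr, re.M).group(1),
        "network_id": int(re.search(r"ip nhrp network-id (\d+)", frr).group(1)),
        "nhs_nbma": nhs.group(1) if nhs else None,
        "asn": int(re.search(r"router bgp (\d+)", frr).group(1)),
        "neighbors": {ip: int(a) for ip, a in
                      re.findall(r"neighbor (\d+\.\d+\.\d+\.\d+) remote-as (\d+)", frr)},
    }

def check_dmvpn(hub, spokes):
    """Return a list of inconsistencies; an empty list means the configs agree."""
    problems = []
    hub_ip = hub["frr_addr"].split("/")[0]
    for n in [hub] + spokes:
        if n["kernel_addr"] != n["frr_addr"]:  # tunnel host prefix must be the same in both places
            problems.append(f"AS{n['asn']}: {n['ifname']} has {n['kernel_addr']} in the kernel "
                            f"but {n['frr_addr']} in FRR")
        if (n["key"], n["ttl"], n["network_id"]) != (hub["key"], hub["ttl"], hub["network_id"]):
            problems.append(f"AS{n['asn']}: GRE key/ttl or nhrp network-id differs from the hub")
    for s in spokes:  # BGP peering over the tunnel must be declared on both ends
        spoke_ip = s["frr_addr"].split("/")[0]
        if hub["neighbors"].get(spoke_ip) != s["asn"]:
            problems.append(f"hub lacks 'neighbor {spoke_ip} remote-as {s['asn']}'")
        if s["neighbors"].get(hub_ip) != hub["asn"]:
            problems.append(f"AS{s['asn']} lacks 'neighbor {hub_ip} remote-as {hub['asn']}'")
    return problems

if __name__ == "__main__":
    for p in check_dmvpn(parse_node(HUB_SH, HUB_FRR), [parse_node(SPOKE2_SH, SPOKE2_FRR)]):
        print("PROBLEM:", p)
```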