.. _NHRP:

****
NHRP
****

*nhrpd* is a daemon to support the Next Hop Resolution Protocol (NHRP).
NHRP is described in RFC 2332.

NHRP is used to improve the efficiency of routing computer network
traffic over Non-Broadcast, Multiple Access (NBMA) networks. NHRP provides
an ARP-like solution that allows a system to dynamically learn the NBMA
address of the other systems that are part of that network, allowing
these systems to communicate directly without requiring traffic to pass
through an intermediate hop.

Cisco Dynamic Multipoint VPN (DMVPN) is based on NHRP, and
|PACKAGE_NAME| nhrpd implements this scenario.

.. _Routing_Design:

Routing Design
==============

nhrpd never handles routing of prefixes itself. You need to run some
real routing protocol (e.g. BGP) to advertise routes over the tunnels.
What nhrpd does is establish 'shortcut routes' that let the routing
protocol avoid going through extra nodes in the NBMA GRE mesh.

nhrpd routes NHRP domain addresses individually using per-host prefixes.
This is similar to Cisco FlexVPN, but in contrast to opennhrp, which uses
a generic subnet route.

To create the NBMA GRE tunnel you might use the following (Linux terminal
commands):
::

    ip tunnel add gre1 mode gre key 42 ttl 64
    ip addr add 10.255.255.2/32 dev gre1
    ip link set gre1 up


Note that the IP address is assigned as a host prefix to gre1. nhrpd will
automatically create additional host routes pointing to gre1 when
a connection with these hosts is established. The GRE key only
demultiplexes tunnels; it is not a secret and provides no authentication
or confidentiality, so the GRE traffic has to be protected by IPsec (see
Integration with IKE below).

The gre1 subnet prefix should be announced by the routing protocol from the
hub nodes (e.g. with a BGP 'network' statement). This allows the routing
protocol to decide which hub is closest and to determine the relay hub on a
per-prefix basis when a direct tunnel is not established.

nhrpd will redistribute directly connected neighbors to zebra. Within the
hub nodes, these routes should be internally redistributed using some
routing protocol (e.g. iBGP) so that every hub is able to relay all traffic.

This can be achieved in hubs with the following bgp configuration (the
network command defines the GRE subnet):
::

    router bgp 65555
     address-family ipv4 unicast
      network 172.16.0.0/16
      redistribute nhrp
     exit-address-family


.. _Configuring_NHRP:

Configuring NHRP
================

FIXME

.. _Hub_Functionality:

Hub Functionality
=================

In addition to routing the nhrp redistributed host prefixes, the hub nodes
are also responsible for sending the NHRP Traffic Indication messages that
trigger creation of the shortcut tunnels.

nhrpd sends Traffic Indication messages based on network traffic captured
using NFLOG. Typically you want to send Traffic Indications for network
traffic that is routed from gre1 back to gre1 (i.e. spoke-to-spoke traffic
relayed through the hub), in a rate limited manner so that a burst of such
traffic does not turn into a flood of Traffic Indications. This can be
achieved with the following iptables rule.

::

    iptables -A FORWARD -i gre1 -o gre1 \
        -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \
        --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \
        --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128


You can fine tune the src/dstmask according to the prefix lengths you
announce internally, add additional IP range matches, or change the rate
limit if needed. The nflog-range of 128 bytes copies only the start of each
sampled packet, which covers the IP header nhrpd needs to see. However, the
above should be good in most cases.
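
To see what the hashlimit parameters mean for the number of Traffic
Indications a hub actually sends, the following is an added example (not
FRR or nhrpd code) that models the rule's token bucket in Python and runs
it over a constructed sample of gre1-to-gre1 packets. The addresses and
timestamps are made up, and the credit arithmetic is a floating-point
approximation of the kernel's xt_hashlimit, not its code.

```python
"""Model the hashlimit gate in front of NFLOG: which forwarded packets reach
nhrpd (and so become Traffic Indications) under
--hashlimit-upto 4/minute --hashlimit-burst 1 keyed on srcip/24,dstip/24.
"""
import ipaddress


class HashLimit:
    """Per-key token bucket approximating iptables -m hashlimit."""

    def __init__(self, upto_per_minute, burst, srcmask, dstmask):
        self.interval = 60.0 / upto_per_minute   # seconds to earn one token
        self.burst = burst                       # bucket capacity (--hashlimit-burst)
        self.srcmask = srcmask
        self.dstmask = dstmask
        self.buckets = {}                        # key -> (tokens, last_seen)

    def key(self, src, dst):
        # --hashlimit-mode srcip,dstip with --hashlimit-srcmask/--hashlimit-dstmask:
        # all hosts in the same source/destination prefix pair share one bucket.
        s = ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)
        d = ipaddress.ip_network(f"{dst}/{self.dstmask}", strict=False)
        return (s, d)

    def match(self, ts, src, dst):
        """True if the packet is within the limit (rule matches, NFLOG fires)."""
        k = self.key(src, dst)
        tokens, last = self.buckets.get(k, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) / self.interval)
        if tokens >= 1.0:
            self.buckets[k] = (tokens - 1.0, ts)
            return True
        self.buckets[k] = (tokens, ts)
        return False


def nflog_hits(packets, upto_per_minute=4, burst=1, srcmask=24, dstmask=24):
    """Indices of the packets the rule matches, i.e. the ones NFLOG delivers
    to nhrpd; each of them results in one Traffic Indication."""
    gate = HashLimit(upto_per_minute, burst, srcmask, dstmask)
    return [i for i, (ts, src, dst) in enumerate(packets)
            if gate.match(ts, src, dst)]


# Constructed sample of packets forwarded gre1 -> gre1: (seconds, src, dst).
SAMPLE = [
    (0.0, "10.1.1.5", "10.2.2.7"),    # first packet for this /24 pair: logged
    (1.0, "10.1.1.9", "10.2.2.3"),    # same /24 pair, within 15 s: suppressed
    (2.0, "10.1.1.5", "10.3.3.1"),    # different destination /24: logged
    (16.0, "10.1.1.5", "10.2.2.7"),   # 60/4 = 15 s elapsed, token refilled: logged
]

if __name__ == "__main__":
    print("NFLOG hits with /24 masks:", nflog_hits(SAMPLE))
    print("NFLOG hits with /32 masks:", nflog_hits(SAMPLE, srcmask=32, dstmask=32))
```

With the rule as given, each /24-to-/24 pair yields at most one Traffic
Indication every 15 seconds regardless of how many hosts in those prefixes
are talking; widening the masks to 32 makes the gate per host pair, which
matches the per-host prefixes nhrpd installs but costs proportionally more
NFLOG messages on a busy hub.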

The nflog-group of this kernel NFLOG target is configured in the global nhrp
config with:
::

    nhrp nflog-group 1


To start sending these traffic notices out from hubs, use the nhrp
per-interface directive:
::

    interface gre1
     ip nhrp redirect
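
Since the hub's Traffic Indications travel as NHRP packets, it helps to
know what a receiver must validate before acting on one. The following is
an added example, not nhrpd's code: it encodes and checks the 20-byte NHRP
fixed header from RFC 2332 section 5.1 (shared by every message type,
including Traffic Indication), verifies the one's-complement checksum
over the whole packet, and performs the hop-count decrement a relaying
NHS does. Assumptions: the mandatory part is carried as an opaque
constructed placeholder rather than a real RFC 2332 5.2.7 encoding, the
address family values assume an IPv4 GRE underlay, and the relay function
simply drops a packet whose hop count is exhausted instead of sending the
Error Indication the RFC calls for.

```python
"""NHRP fixed header (RFC 2332 section 5.1): build, validate, relay.

Added example, not nhrpd code. The mandatory part (RFC 2332 5.2.7 for a
Traffic Indication) is carried as an opaque payload; only the fixed header
and the packet checksum are handled here.
"""
import struct

# ar$op.type values, RFC 2332 section 5.2.
NHRP_OPCODES = {
    1: "Resolution Request",
    2: "Resolution Reply",
    3: "Registration Request",
    4: "Registration Reply",
    5: "Purge Request",
    6: "Purge Reply",
    7: "Error Indication",
    8: "Traffic Indication",
}
NHRP_VERSION = 1         # ar$op.version for NHRP
AFN_IPV4 = 1             # ar$afn: NBMA (underlay) address family, IPv4 here
PROTYPE_IPV4 = 0x0800    # ar$pro.type: protocol (overlay) address family
SNAP_NONE = b"\x00" * 5  # ar$pro.snap: only meaningful when ar$pro.type is 0x0080

# afn, pro.type, pro.snap, hopcnt, pktsz, chksum, extoff, version, op.type, shtl, sstl
FIXED_HDR = struct.Struct("!HH5sBHHHBBBB")   # 20 bytes
HOPCNT_OFF, CHKSUM_OFF = 9, 12               # byte offsets used when relaying


def ip_checksum(data: bytes) -> int:
    """Standard IP one's-complement checksum; NHRP computes it over the whole
    packet starting at the fixed header, with ar$chksum zeroed."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_nhrp_packet(op_type, payload, hop_count=255, shtl=4, sstl=0, extoff=0):
    """Prepend a fixed header (with correct ar$pktsz and ar$chksum) to payload."""
    if op_type not in NHRP_OPCODES:
        raise ValueError("unknown ar$op.type %d" % op_type)
    fields = [AFN_IPV4, PROTYPE_IPV4, SNAP_NONE, hop_count,
              FIXED_HDR.size + len(payload), 0, extoff,
              NHRP_VERSION, op_type, shtl, sstl]
    fields[5] = ip_checksum(FIXED_HDR.pack(*fields) + payload)
    return FIXED_HDR.pack(*fields) + payload


def parse_nhrp_packet(pkt):
    """Reject anything that is not a well-formed NHRP v1 packet, then return
    the fixed-header fields plus the untouched payload."""
    if len(pkt) < FIXED_HDR.size:
        raise ValueError("truncated fixed header")
    (afn, protype, _snap, hopcnt, pktsz, _chksum, extoff,
     version, op_type, shtl, sstl) = FIXED_HDR.unpack_from(pkt)
    if version != NHRP_VERSION:
        raise ValueError("ar$op.version %d is not NHRP" % version)
    if pktsz != len(pkt):
        raise ValueError("ar$pktsz %d != %d bytes received" % (pktsz, len(pkt)))
    if ip_checksum(pkt) != 0:          # a valid packet sums to all ones
        raise ValueError("bad ar$chksum")
    if op_type not in NHRP_OPCODES:
        raise ValueError("unknown ar$op.type %d" % op_type)
    return {"afn": afn, "protype": protype, "hop_count": hopcnt,
            "pktsz": pktsz, "extoff": extoff, "op_type": op_type,
            "op_name": NHRP_OPCODES[op_type], "shtl": shtl, "sstl": sstl,
            "payload": pkt[FIXED_HDR.size:]}


def accepts(pkt):
    """True if parse_nhrp_packet() would accept pkt."""
    try:
        parse_nhrp_packet(pkt)
        return True
    except ValueError:
        return False


def relay_nhrp_packet(pkt):
    """What a transit NHS (a relaying hub) does before forwarding: decrement
    ar$hopcnt and refresh ar$chksum. Simplification: a packet whose hop count
    is used up is dropped (returns None) rather than answered with an Error
    Indication as RFC 2332 specifies."""
    if parse_nhrp_packet(pkt)["hop_count"] <= 1:
        return None
    buf = bytearray(pkt)
    buf[HOPCNT_OFF] -= 1
    buf[CHKSUM_OFF:CHKSUM_OFF + 2] = b"\x00\x00"
    struct.pack_into("!H", buf, CHKSUM_OFF, ip_checksum(bytes(buf)))
    return bytes(buf)


# Constructed stand-in for a Traffic Indication mandatory part (addresses and
# the head of the triggering packet); not a real RFC 2332 5.2.7 encoding.
SAMPLE_MANDATORY_PART = bytes(range(24))

if __name__ == "__main__":
    ti = build_nhrp_packet(8, SAMPLE_MANDATORY_PART)
    print(parse_nhrp_packet(ti)["op_name"], len(ti), "bytes")
    print("hop count after one relay:", parse_nhrp_packet(relay_nhrp_packet(ti))["hop_count"])
```

The length and checksum checks come before any look at the opcode on
purpose: a receiver that dispatches on ar$op.type before confirming that
ar$pktsz matches what was actually received will read past the end of a
truncated packet when it parses the variable-length mandatory part.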


.. _Integration_with_IKE:

Integration with IKE
====================

nhrpd needs tight integration with the IKE daemon for various reasons.
Currently only strongSwan is supported as IKE daemon.

nhrpd connects to strongSwan using the VICI protocol over a UNIX socket
(currently hardcoded as /var/run/charon.vici). VICI is a full control
interface to charon, so whoever can open that socket can manage the IPsec
SAs; keep its permissions restricted to the users that need it.

strongSwan currently needs a few patches applied. Please check out the
`tteras-release <http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras-release>`_
(release) and
`tteras <http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras>`_
(working tree) git repositories for the patches.

.. _NHRP_Events:

NHRP Events
===========

FIXME

Configuration Example
=====================

FIXME
