rare-dev - Re: [rare-dev] Socket connection between RARE/freeRtr VMs

Re: [rare-dev] Socket connection between RARE/freeRtr VMs


  • From: mc36 <>
  • To: Edgard da Cunha Pontes <>
  • Cc:
  • Subject: Re: [rare-dev] Socket connection between RARE/freeRtr VMs
  • Date: Tue, 9 Aug 2022 15:59:33 +0200

btw, i also forgot my secret favorite, the l2tp... it has the fancy feature that it goes over udp, that is, a given side could be behind a nat... if you want to configure it as site-to-site, then the knob here is int virtualppp, much like in ciscos... but, if you were fine with the sdwan stuff, then that beast also uses l2tp under the hood, and there is a trick... ppp e(ncryption)cp rfc is a defined thing, and as nobody except freerouter implements it, i decided to speak the raw macsec here too, but within the ppp(oe/ol2tp) encapsulation... that is, you can easily turn on macsec on these sdwan tunnels, and they get exported to the dataplane too.. and afterwards, macsec internally has an inner ethertype to distinguish the upper protocol, that is, you can do the polka within these sdwan tunnels...

for your convenience, this is what i use now within my nodes... as you can see below, even cdp/lldp goes through these easily...

regarding the performance, it bumps about 10% of a single i7-4770 core for 1gbps of l2tp/macsec/mpls to get through on these... (it's hard to measure because the dpdk dataplane uses 40% cpu on such a box when it has no packets at all, because of the poll mode and the nics bound to different cores...)
br,
cs

mchome#show running-config interface dialer26
interface dialer26
description sdwan clients
encapsulation ppp
ppp multilink 6000 long
ppp fragment 1400
vrf forwarding inet
ipv4 address dynamic dynamic
ipv6 address dynamic dynamic
template template9
shutdown
log-link-change
exit
!

mchome#show running-config interface template9
interface template9
description vpn links
lldp enable
cdp enable
macsec core
sgt enable
vrf forwarding inet
ipv4 address dynamic 255.255.255.252
ipv4 srh enable
ipv4 bfd 500 1500 3
ipv4 pim enable
ipv4 pim bier-tunnel 10
ipv4 pim join-source loopback0
ipv6 address dynamic ffff:ffff:ffff:ffff::
ipv6 srh enable
ipv6 bfd 500 1500 3
ipv6 pim enable
ipv6 pim bier-tunnel 10
ipv6 pim join-source loopback0
polka enable 10 70000 256
mpolka enable 10 70000 256
mpls enable
mpls ldp4
mpls ldp6
mpls rsvp4
mpls rsvp6
router lsrp4 1 enable
router lsrp4 1 dynamic-metric inband
no router lsrp4 1 verify-source
router lsrp4 1 metric 11111
router lsrp4 1 dynamic-size 10
router lsrp4 1 dynamic-ignore 3
router lsrp6 1 enable
router lsrp6 1 dynamic-metric inband
no router lsrp6 1 verify-source
router lsrp6 1 metric 11111
router lsrp6 1 dynamic-size 10
router lsrp6 1 dynamic-ignore 3
shutdown
no log-link-change
exit
!

mchome#
mchome#show lldp neighbor | include access
access1329841223 parents access1916482575 10.18.127.116
2001:db8:187f::1138
access1416754329 rare100Glns access205453278 10.18.127.129
2001:db8:187f::1116
access1440008884 www access1224654570 10.18.127.160
2001:db8:187f::117f
access1469396242 rare10Gcpe access1293184708 10.18.127.216
2001:db8:187f::114f
access1530655722 www access2108449690 10.18.127.204
2001:db8:187f::1151
access1582363604 parents access314343028 10.18.127.180
2001:db8:187f::117a
access1688835491 meso access738428782 10.18.127.119
2001:db8:187f::115a
access1774263872 player access795136019 10.18.127.193
2001:db8:187f::1140
access1785199222 p4deb access101646330 10.18.127.198
2001:db8:187f::1135
access325147323 p4deb access2031630200 10.18.127.138
2001:db8:187f::1176
access352833097 vpn access1532029535 10.18.127.212
2001:db8:187f::1165
access567780039 vpn access1688644597 10.18.127.142
2001:db8:187f::116b
access847327014 meso access1048622411 10.18.127.211
2001:db8:187f::1124
access9453062 rare10Gcpe access565091272 10.18.127.134
2001:db8:187f::113e

mchome#show cdp neighbor | include access
access1329841223 parents access1916482575 10.18.127.116
2001:db8:187f::1138
access1416754329 rare100Glns access205453278 10.18.127.129
2001:db8:187f::1116
access1440008884 www access1224654570 10.18.127.160
2001:db8:187f::117f
access1469396242 rare10Gcpe access1293184708 10.18.127.216
2001:db8:187f::114f
access1530655722 www access2108449690 10.18.127.204
2001:db8:187f::1151
access1582363604 parents access314343028 10.18.127.180
2001:db8:187f::117a
access1688835491 meso access738428782 10.18.127.119
2001:db8:187f::115a
access1774263872 player access795136019 10.18.127.193
2001:db8:187f::1140
access1785199222 p4deb access101646330 10.18.127.198
2001:db8:187f::1135
access325147323 p4deb access2031630200 10.18.127.138
2001:db8:187f::1176
access352833097 vpn access1532029535 10.18.127.212
2001:db8:187f::1165
access567780039 vpn access1688644597 10.18.127.142
2001:db8:187f::116b
access847327014 meso access1048622411 10.18.127.211
2001:db8:187f::1124
access9453062 rare10Gcpe access565091272 10.18.127.134
2001:db8:187f::113e

mchome#
mchome#show p4lang p4 status
category value
peer 127.0.0.1
closed 0
reconn 1
since 2022-08-09 11:45:07
for 04:10:34
capability punting copp acl nat vlan bundle bridge pppoe hairpin gre l2tp route mpls vpls evpn eompls gretap pppoetap l2tptap vxlan ipip macsec ipsec pckoudp openvpn wireguard srv6 pbr qos flwspc mroute duplab bier amt nsh polka racl inspect mpolka sgt vrfysrc gtp loconn tcpmss pmtud mlppp
platform p4emu/dpdk
cpuport 3
dynamic ifc 128 65535
dynamic vrf 1 65535
messages sent 59731
messages got 2462769
rounds done 117436
last done 2022-08-09 15:55:42 (00:00:00 ago)
time took 19
rounds skip 0
last skip 1970-01-01 01:00:00 (never ago)

mchome#



On 8/9/22 15:33, mc36 wrote:
hi,

On 8/9/22 15:08, Edgard da Cunha Pontes wrote:

We're still figuring out what kind of overlay we'll use for these connections.
For now, we have tested: VXLan, GRE and Wireguard.
for raw ip tunneling, all of these should work, and could be exported to the dataplanes...

And the idea of using PolKA to enable a "network service at the ends" came up.

so polka requires an ethertype to be distinguished as upper layer protocol, and such, wireguard cannot do the job because that one cannot carry anything but ip... vxlan could work, but when it comes to the dataplane exports, you'll have to xconnect a hairpinX1 with vxlan between the two nodes, and do the polka on the hairpinX2...
on the other hand, gre can carry anything, including polka, even in the dataplanes...

We are not sure which type of tunnel to use. Always making a
performance/safety/practical tradeoff...

for performance and mtu, gre is the best because it has the lowest overhead: no udp layer at all, so the nodes don't have to deal with the outer udp checksum, just the outer ip checksum...

regarding security, you can always put macsec to the tunnel interface if it can carry an ethertype... it's not quite standard but heyy, if the ethertype is there, then nothing can stop freerouter and dataplane to do the encapsulation this way... :)

br,
cs


Thanks again for your help.

On Mon, 8 Aug 2022 at 12:26, mc36 < <>> wrote:

imho i've an idea what happened: so the one-line installer wipes the linux networking completely, from that point the linux's network stack only has a 10.255.255.1/24 ip and is hidden behind freerouter... so imho it failed to bind to the requested ip:port pair from the config... moreover, since the linuxes don't have the public ips anymore, the given setup you're trying to do is a double-nat case, but without anything to punch through the nats, as these interface sockets should have direct visibility....
br,
cs


On 8/8/22 17:18, mc36 wrote:
> hi,
>
> On 8/8/22 17:01, Edgard da Cunha Pontes wrote:
>> hi everyone,
>>
>> Testing a socket connection between RARE/freeRtr VMs (one line install), as in the image shown below.
>>
>> socket-connection.jpg
>>
>> I put the following settings:
>>
>> VM1 /rtr/rtr-hw.txt
>> ....
>> [other configs]
>> int eth2 eth [mac-vm1] [public-ip-vm1] 20004 [public-ip-vm2] 20004
>> ....
>>
>> VM2 /rtr/rtr-hw.txt
>> ....
>> [other configs]
>> int eth2 eth [mac-vm2] [public-ip-vm2] 20004 [public-ip-vm1] 20004
>> ....
>>
>> After restarting the VM I lost SSH access permanently.
>> Is there any way to make this socket connection prevent this from happening?
>>
>> PS: I'm trying to create this eth2 dynamically, ie a new internal interface was not created.
>
> this one should work as long as you don't reuse either eth2 or the port 20004...
> so for now i see nothing to justify why you lost the ssh access...
>
> but on the other hand, is there any reason you want to connect these this way?
>
> i mean, there are plenty of other tunneling modes in freerouter that can make it work:
> http://sources.freertr.org/cfg/conn-gre01.tst -- is a plain old stuff and imho
> it has less overhead than anything else.... and it also can carry layer2 frames,
> you just have to put a bridge-group on the tunnel...
>
> br,
> cs
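The point made in the thread, that MACsec keeps its own inner ethertype and so can carry a non-IP upper protocol such as PolKA across a tunnel, can be seen in the IEEE 802.1AE SecTAG itself. The following is an added example, not freeRtr code: it builds and parses a plain-Ethernet MACsec frame (not the PPP/L2TP carried variant mc36 describes), uses the IEEE local-experimental ethertype 0x88B5 as a stand-in for PolKA because the real value is not given here, and fills the ICV with placeholder bytes rather than computing GCM-AES.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5   # IEEE 802.1AE SecTAG ethertype
ICV_LEN = 16                # GCM-AES integrity check value length
# Assumed stand-in only: IEEE 802 local experimental ethertype 1, not the real PolKA value.
POLKA_ETHERTYPE_PLACEHOLDER = 0x88B5
UPPER = {0x0800: "ipv4", 0x86DD: "ipv6", 0x8847: "mpls",
         POLKA_ETHERTYPE_PLACEHOLDER: "polka(placeholder)"}


def build_sectag_frame(dst, src, inner_etype, payload, pn, sci=None, encrypted=False):
    """Construct an 802.1AE frame: Ethernet header, SecTAG, secure data, dummy ICV."""
    tci_an = 0x00                                 # V=0, AN=0
    if sci is not None:
        tci_an |= 0x20                            # SC bit: explicit 8-byte SCI follows PN
    if encrypted:
        tci_an |= 0x0C                            # E and C bits: payload is confidential
    secure = struct.pack("!H", inner_etype) + payload
    sl = len(secure) if len(secure) < 48 else 0   # short-length rule (802.1AE clause 9.7)
    tag = bytes([tci_an, sl]) + struct.pack("!I", pn) + (sci or b"")
    return dst + src + struct.pack("!H", MACSEC_ETHERTYPE) + tag + secure + b"\x00" * ICV_LEN


def parse_sectag_frame(frame):
    """Walk Ethernet -> SecTAG -> inner ethertype; the ICV is not verified here."""
    if len(frame) < 14 + 6 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG")
    if struct.unpack("!H", frame[12:14])[0] != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    tci_an, sl = frame[14], frame[15] & 0x3F
    if tci_an & 0x80:
        raise ValueError("unknown MACsec version")
    has_sci = bool(tci_an & 0x20)
    confidential = bool(tci_an & 0x08) or bool(tci_an & 0x04)
    pn = struct.unpack("!I", frame[16:20])[0]
    off = 28 if has_sci else 20
    sci = frame[20:28] if has_sci else None
    secure = frame[off:-ICV_LEN]
    if sl and len(secure) != sl:
        raise ValueError("short length does not match secure data")
    if sl == 0 and len(secure) < 48:
        raise ValueError("SL must be set when secure data is shorter than 48 octets")
    # Only an integrity-only SA leaves the inner ethertype readable on the wire.
    inner = None if confidential else struct.unpack("!H", secure[:2])[0]
    upper = "encrypted" if inner is None else UPPER.get(inner, "unknown")
    return {"an": tci_an & 3, "pn": pn, "sci": sci, "confidential": confidential,
            "inner_ethertype": inner, "upper": upper, "secure_len": len(secure)}
```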



