From owner-freebsd-questions Thu Jun 27 8:57:32 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from stewart.chicago.il.us (user166.64.47.24.dsli.com [64.47.24.166]) by hub.freebsd.org (Postfix) with ESMTP id 09A1337B405; Thu, 27 Jun 2002 08:56:56 -0700 (PDT)
Received: from stewart.chicago.il.us (stewlap [10.1.1.5]) by stewart.chicago.il.us (8.11.1/8.11.1) with ESMTP id g5RFuWH06017; Thu, 27 Jun 2002 10:56:32 -0500 (CDT) (envelope-from randall@stewart.chicago.il.us)
Message-ID: <3D1B35B0.1945DAAC@stewart.chicago.il.us>
Date: Thu, 27 Jun 2002 10:56:32 -0500
From: Randall Stewart
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.4.2 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Matt Impett
Cc: "'Julian Elischer'", Lars Eggert, "'freebsd-net@freebsd.org'", "'freebsd-questions@freebsd.org'"
Subject: Re: source address based routing
References: <8C92E23A3E87FB479988285F9E22BE46FDE77D@ftmail.lab.flarion.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Matt Impett wrote:
> 
> inline..
> 
> > -----Original Message-----
> > From: Julian Elischer [mailto:julian@elischer.org]
> > Sent: Wednesday, June 26, 2002 9:40 PM
> > To: Lars Eggert
> > Cc: Matt Impett; 'freebsd-net@freebsd.org'; 'freebsd-questions@freebsd.org'
> > Subject: Re: source address based routing
> > 
> > 
> > On Wed, 26 Jun 2002, Lars Eggert wrote:
> > 
> > > Matt Impett wrote:
> > > > gladly.. I am trying to implement reverse tunneling for mobile-IP. The
> > > > basic idea is that packets must be reverse tunneled to different IP
> > > > addresses depending on the source address of the packet. The reason the
> > > > tunnel does not have an IP address associated with it is that I don't want
> > > > to forward traffic down the tunnel for any other reason besides source
> > > > addresses. As soon as I assign the tunnel interface an address, traffic
> > > > sent to that address will be tunneled.
> > 
> > Surely 10.200.x.x is unlikely to be used.. it gives you 64000 possible
> > tunnels. What I am having trouble with is that the tunnel to use depends
> > on the SOURCE? That seems a little unusual.. Obviously I'm missing
> > something in the words "reverse tunnelling".
> 
> The company I work for (Flarion Technologies) is building an IP access box
> for mobile wireless networks that will plug into existing network
> infrastructure. I would be a little scared reserving a large piece of the
> private address space as I cannot be assured that the operator that owns the
> (private) network we will be plugging into is not using the same space.
> Doing so would require agreements with them about the use or reservation of
> the chunks of addressing space. It could be done, but I would rather avoid
> it.
> 
> As for tunneling based on SOURCE, here is a brief explanation. We are
> running mobileIP to handle device mobility in our network. Basically,
> mobile nodes can have IP addresses which are not topologically correct at
> the access router they are connected to, but rather ARE topologically
> correct at some node (the Home Agent) back in the network. Downlink traffic
> (to the mobile node) is tunneled from the Home Agent to the mobile's
> current point of attachment. Similarly, uplink traffic (from the mobile
> node) needs to be reverse tunneled back to the Home Agent, as the IP
> address the mobile will be sourcing traffic with is not topologically
> correct and will be dropped by any routers doing ingress filtering. So, our
> access box has to look for packets from particular source addresses and
> tunnel them back to that address's Home Agent.
> 
> matt

Matt:

Curiosity drives me to ask the question... Where is the Foreign Agent (FA)?

In most mobile IP scenarios I have been familiar with (granted a limited
set.. and I have a tiny idea of how it should work that may be dated) the
mobile has a FA. The FA is either co-located inside the mobile.. which in
that case it would have the tunnel back to the home agent... OR the FA is a
box somewhere in your network that picks up the packets from the wire and
then encapsulates them and stuffs them back up the tunnel to the home
agent... I think this is your "access box" if I read things correctly.

In such a case the "access box" SHOULD have a valid address on the network
and should have its tunnel going from it to the home agent. All the FA
needs to do is grab the packets sourced from these mobiles. I would think
the firewall should be able to redirect these to your code much like the
nat something like ...

add divert natd all from any to any via ...

This will get your user space code all of the packets going by on this box.
From there I would think you could write code that would look at the
sources and put them into the right tunnels... Not sure if you could use
the GIF tunnel itself... or just write the tunneling software yourself...
probably there is a creative way to do this with one of the GIF tunnels...

R
-- 
Randall R. Stewart
randall@stewart.chicago.il.us 815-342-5222 (cell phone)