
List:       quagga-users
Subject:    [quagga-users 15056] Re: Fail-over using OSPF or other routing protocols
From:       Pieter Hulshoff <pieter () towel42 ! nl>
Date:       2021-11-27 16:22:44
Message-ID: 843d931f-8c1a-6ca1-0a01-c0090ae3c0b4 () towel42 ! nl

Hello William,

On 26-11-2021 18:46, William Herrin wrote:
> On Fri, Nov 26, 2021 at 6:35 AM <pieter@towel42.nl> wrote:
>> I design crypto products that, for reasons of security, use static
>> routing to route IP traffic over their secure associations (SAs) to
>> their destination. As such, they do not participate in any routing
>> protocols, though they will pass unicast routing protocols between
>> routers in the customer network. Our customers would like to know if
>> they can use their routers to set up fail-over scenarios over the crypto
>> products (and perhaps the ISPs they're connected to).
> Tunnel mode IPSec is actually a tunnel protocol (IP-IP I think? I
> don't remember) on top of transport mode IPSec where the tunnel is
> sort of implicit and subject to the SA definitions. If you want to use
> dynamic routing, your best bet is to separate the components: use a
> tunnel protocol like GRE explicitly between transport mode IPSec
> endpoints. This will expose GRE virtual interfaces on the two routers
> which are clean for whichever dynamic routing protocol you feel like
> using.


That is correct. Tunnel mode IPsec provides an IP over IP or UDP tunnel. 
I had a quick look into how routers configure GRE tunnels these days, 
and since they connect from source to destination IP, it's certainly an 
option our customers can consider. It's certainly one we prefer from a 
security perspective, but not all of our customers are willing to lose 
the bandwidth necessary for the GRE overhead. Running OSPF over GRE 
should solve some of the issues we're running into though.


Kind regards,


Pieter Hulshoff


_______________________________________________
Quagga-users mailing list
Quagga-users@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-users
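The setup William proposes and Pieter says his customers can consider, worked through on the router side as an added example (this is not code from the thread, from Pieter's products or from Quagga): each customer router builds a GRE tunnel to its peer across the crypto boxes, and OSPF runs on the GRE interfaces so that a dead primary path fails over to the secondary. The crypto boxes keep their static routes; they only need to carry the routers' WAN addresses, since the LAN prefixes now travel inside GRE. Interface names, the RFC 5737 addresses, the LAN prefix, the MD5 key placeholder and the crypto-overhead figure are all constructed assumptions; the overhead helpers are there because the bandwidth cost of GRE raised in the reply is easy to quantify.

```shell
#!/bin/sh
# Added example, not from the list thread or from Quagga: GRE between the
# two customer routers (carried over the crypto boxes' tunnel-mode SAs)
# with OSPF on the GRE interfaces for primary/secondary failover.
# Addresses, interface names and the crypto overhead are assumptions.

# Per-packet overhead in bytes. GRE: 20-byte outer IPv4 + 4-byte GRE header
# (no key/checksum/sequence options). CRYPTO_OVERHEAD assumes the crypto box
# uses tunnel-mode ESP with AES-GCM: 20 outer IPv4 + 8 ESP header + 8 IV
# + 2 trailer + 16 ICV + up to 3 pad bytes = 57 worst case; add 8 if the
# box UDP-encapsulates. Override it to match the real product.
GRE_OVERHEAD=24
CRYPTO_OVERHEAD=${CRYPTO_OVERHEAD:-57}

# Constructed topology (local side; the remote router mirrors it).
TUN1_NET=10.255.0.0/31     # gre1, primary path
TUN2_NET=10.255.0.2/31     # gre2, secondary path
LAN_NET=10.10.0.0/24       # prefix advertised into OSPF from eth0
OSPF_KEY=${OSPF_KEY:-change-me}   # placeholder MD5 key, assumed

# Largest inner packet that still fits a path MTU of $1 after both headers.
gre_mtu() {
    echo $(( $1 - GRE_OVERHEAD - CRYPTO_OVERHEAD ))
}

# Share of on-the-wire bytes that GRE alone costs for an inner packet of
# $1 bytes, as a percentage with one decimal (plain sh integer maths).
gre_overhead_pct() {
    x=$(( GRE_OVERHEAD * 1000 / ($1 + GRE_OVERHEAD + CRYPTO_OVERHEAD) ))
    printf '%d.%d\n' $(( x / 10 )) $(( x % 10 ))
}

# Commands for one point-to-point GRE interface.
# $1 name, $2 local WAN addr, $3 remote WAN addr, $4 tunnel addr/31, $5 MTU
tunnel_cmds() {
    cat <<EOF
ip tunnel add $1 mode gre local $2 remote $3 ttl 64
ip link set $1 mtu $5 up
ip addr add $4 dev $1
EOF
}

# Commands are printed by default; APPLY=1 executes them (needs root).
apply_or_show() {
    if [ "${APPLY:-0}" = 1 ]; then sh -e; else cat; fi
}

# Quagga ospfd.conf fragment. Both GRE links are point-to-point OSPF
# neighbours in area 0; the primary gets the lower cost, and 1 s hellos with
# a 3 s dead interval cut failover to seconds instead of the 40 s default.
# OSPF MD5 authentication stays on even though the crypto boxes protect the
# path: a host on the WAN segment between router and crypto box must not be
# able to inject routes. $1 primary gre, $2 secondary gre, $3 router-id,
# $4 LAN interface, $5 MD5 key
ospfd_conf() {
    for ifc_cost in "$1:10" "$2:20"; do
        cat <<EOF
interface ${ifc_cost%:*}
 ip ospf network point-to-point
 ip ospf cost ${ifc_cost#*:}
 ip ospf hello-interval 1
 ip ospf dead-interval 3
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 $5
!
EOF
    done
    cat <<EOF
router ospf
 ospf router-id $3
 passive-interface $4
 network $TUN1_NET area 0
 network $TUN2_NET area 0
 network $LAN_NET area 0
!
EOF
}

MTU=$(gre_mtu 1500)
echo "# tunnel MTU on a 1500-byte path: $MTU; GRE share of wire bytes:" \
     "$(gre_overhead_pct "$MTU")% at $MTU-byte packets, $(gre_overhead_pct 64)% at 64-byte packets"
tunnel_cmds gre1 192.0.2.1 198.51.100.1 "$TUN1_NET" "$MTU" | apply_or_show
tunnel_cmds gre2 192.0.2.2 203.0.113.1 "$TUN2_NET" "$MTU" | apply_or_show
ospfd_conf gre1 gre2 10.255.0.0 eth0 "$OSPF_KEY"
```

Run it once on each router with the addresses swapped; the `ip` lines go live with `APPLY=1`, and the printed fragment belongs in `/etc/quagga/ospfd.conf` (zebra must also be running so ospfd sees the gre interfaces). The MTU figure is the part to get right: if the tunnel MTU is left at the default the crypto box has to fragment, and the overhead helper shows why small-packet workloads feel the GRE cost far more than bulk transfers do.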