Hi everyone,

I'm using 'bird' to announce some prefixes for the anycast DNS servers for the NTP Pool system. It's working great and I really enjoy how straightforward the configuration is.

We're planning to make the DNS servers (about ~18 currently) all connect to two out of three "master nodes"; probably one in Europe and one in western and one in eastern United States.

For another similar VPN network I use BGP with private ASNs for the routing; but for this project each site is generally just one or two actual servers, so allocating a private ASN and all that seems extra tedious.

Would it make sense to use OSPF for this instead? My only experience with OSPF is setting it up between routers in one site so they know how to get to the 'next hop' of routes coming in and shared via BGP/IBGP.

I've also been considering just running IPv6 on the VPN instead; but I have even less experience with OSPFv3. :-)

Any advice?

- ask

-- 
Ask Bjørn Hansen, http://askask.com/
On Sun, Apr 03, 2011 at 06:09:55PM +0200, Ask Bjørn Hansen wrote:
Hi everyone,
I'm using 'bird' to announce some prefixes for the anycast DNS servers for the NTP Pool system. It's working great and I really enjoy how straightforward the configuration is.
We're planning to make the DNS servers (about ~18 currently) all connect to two out of three "master nodes"; probably one in Europe and one in western and one in eastern United States.
For another similar VPN network I use BGP with private ASN's for the routing; but for this project each site is generally just one or two actual servers, so allocating a private ASN and all that seems extra tedious.
Would it make sense to use OSPF for this instead? My only experience with OSPF is setting it up between routers in one site so they know how to get to the 'next hop' of routes coming in and shared via BGP/IBGP.
I think OSPF should work just right for such a setting.

-- 
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
On Apr 3, 2011, at 18:35, Ondrej Zajicek wrote:
Would it make sense to use OSPF for this instead? My only experience with OSPF is setting it up between routers in one site so they know how to get to the 'next hop' of routes coming in and shared via BGP/IBGP.
I think OSPF should work just right for such setting.
Thank you!

I got it to work in a basic test setup. When I "upgraded" OpenVPN to use certificates and server mode (so the servers can use a relatively simple configuration) I can no longer make it work.

Maybe the hack that OpenVPN uses in this mode is incompatible with bird. I'll explain to have you verify or maybe suggest a work-around.

I have OpenVPN use a 'pool' of addresses (10.221.0.0/24).

What it does is set up tun0 as a PtP link (.1 being itself and .2 being the 'remote') and then add a route for 10.221.0.0/24 going to 10.221.0.2. Then OpenVPN does the routing to the actual remote end-points (.4, .5, ...) internally.

From the manual page I gathered that I need to use 'point to multipoint' mode and specify the neighbors manually. I tried that; but even so the .1 IP keeps sending Hello packets to the .2 IP (the other end of the PtP link that goes to the openvpn process).

The remote bird is configured to use .1 as a neighbor and does so dutifully; but according to tcpdump I only get "hello" packets going back and forth.

I'm including the ospf section of my bird configuration. This is the "server side". The client side is the same except the neighbor is .1. I'm also including 'show interfaces' that shows the mismatched perception of the tunnel IPs.

- ask

protocol ospf ntp {
    debug all;
    rfc1583compat yes;
    import all;
    export filter {
        if (source = RTS_STATIC) then accept;
        else reject;
    };
    area 0 {
        interface "tun0" {
            cost 20;
            type ptmp;
            hello 5;
            retransmit 2;
            wait 10;
            dead 60;
            authentication none;
            neighbors {
                10.221.0.4;
            };
        };
    };
}

[server]# birdc show interfaces
BIRD 1.3.0 ready.
lo up (index=1)
        MultiAccess AdminUp LinkUp Loopback Ignored MTU=16436
        127.0.0.1/8 (Primary, scope host)
eth0 up (index=2)
        MultiAccess Broadcast Multicast AdminUp LinkUp MTU=1500
        207.171.3.3/29 (Primary, scope univ)
        207.171.3.6/29 (Secondary, scope univ)
eth1 up (index=3)
        MultiAccess Broadcast Multicast AdminUp LinkUp MTU=1500
        10.220.0.12/24 (Primary, scope site)
sit0 DOWN (index=4)
        MultiAccess AdminDown LinkDown MTU=1480
tun0 up (index=19)
        PtP Multicast AdminUp LinkUp MTU=1500
        10.221.0.1/32 (Primary, opposite 10.221.0.2, scope site)

[client]# birdc show interfaces
BIRD 1.3.0 ready.
lo up (index=1)
        MultiAccess AdminUp LinkUp Loopback Ignored MTU=16436
        127.0.0.1/8 (Primary, scope host)
eth0 up (index=2)
        MultiAccess Broadcast Multicast AdminUp LinkUp MTU=1500
        64.142.113.2/27 (Primary, scope univ)
sit0 DOWN (index=3)
        MultiAccess AdminDown LinkDown MTU=1480
dummy0 DOWN (index=4)
        MultiAccess Broadcast Multicast AdminDown LinkDown MTU=1500
dummy1 up (index=5)
        MultiAccess Broadcast Multicast AdminUp LinkUp MTU=1500
        10.220.1.1/24 (Primary, scope site)
dummy2 DOWN (index=6)
        MultiAccess Broadcast Multicast AdminDown LinkDown MTU=1500
tun0 up (index=16)
        PtP Multicast AdminUp LinkUp MTU=1500
        10.221.0.4/32 (Primary, opposite 10.221.0.1, scope site)
On Wed, Apr 06, 2011 at 03:15:29AM +0200, Ask Bjørn Hansen wrote:
On Apr 3, 2011, at 18:35, Ondrej Zajicek wrote:
Would it make sense to use OSPF for this instead? My only experience with OSPF is setting it up between routers in one site so they know how to get to the 'next hop' of routes coming in and shared via BGP/IBGP.
I think OSPF should work just right for such setting.
Thank you!
I got it to work in a basic test setup. When I "upgraded" OpenVPN to use certificates and server mode (so the servers can use a relatively simple configuration) I can no longer make it work.
Maybe the hack that OpenVPN uses in this mode is incompatible with bird. I'll explain to have you verify or maybe suggest a work-around.
I have OpenVPN use a 'pool' of addresses (10.221.0.0/24).
What it does is setup tun0 as a PtP link (.1 being itself and .2 being the 'remote') and then add a route for 10.221.0.0/24 going to 10.221.0.2. Then OpenVPN does the routing to the actual remote end-points (.4, .5, ...) internally.
From the manual page I gathered that I need to use 'point to multipoint' mode and specify the neighbors manually. I tried that; but
Yes, this is incompatible. BIRD generally assumes that direct neighbors have IPs from the interfaces' address ranges (like .2 in this case). The OpenVPN setting is definitely strange; it looks like two hops.

The proper and consistent addressing for that case is either to add one peer IP address pair for each PTP link on tun0 (like .1 peer .3, .1 peer .4, .1 peer .5 ...) and appropriate peer addresses on the other ends (and use PTP mode in BIRD), or to use 10.221.0.1/24 on tun0 and 10.221.0.3/24, 10.221.0.4/24 ... on the other ends and use PTMP mode in BIRD (the fact that 10.221.0.4 is not directly reachable from 10.221.0.3 is OK, that is what PTMP means; BIRD would install /32 routes to 10.221.0.1).

So a possible fix/workaround might be to tweak OpenVPN to use the proper addressing; the second way (one /24 prefix) might be easier. Or perhaps just ditch OpenVPN completely and use IPIP or GRE tunnels protected by IPsec (transport mode).

-- 
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
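The second of the two addressing schemes described above (one /24 on tun0 at both ends, PTMP mode in BIRD) maps onto OpenVPN's "topology subnet" mode, which puts the server at 10.221.0.1/24 and each client at its own /24 address on the same tun interface instead of the /32-with-peer pairs shown in the thread. The following configuration is an added example written for this page; it is not code from the thread, from the BIRD project or from the NTP Pool. It assumes OpenVPN 2.1 or newer (the first release with "topology subnet"), and the file paths, the certificate CN "dns-ams1", the hostname master-eu.example.net and the OSPF password are placeholders. It also replaces the "authentication none" of the posted config with cryptographic OSPF authentication, so that a host that can reach the tunnel address cannot inject routes into the anycast routing domain simply by speaking OSPF.

```conf
# --- /etc/openvpn/server.conf on a master node (added example, not from the thread) ---
# Assumptions: OpenVPN >= 2.1; all paths and names below are placeholders.
dev tun0
proto udp
port 1194
topology subnet                    # tun0 becomes 10.221.0.1/24; clients get 10.221.0.x/24
server 10.221.0.0 255.255.255.0    # server mode, addresses handed out from the /24
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/master-eu.crt
key  /etc/openvpn/master-eu.key
dh   /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0     # HMAC on the control channel: unauthenticated packets are dropped early
client-config-dir /etc/openvpn/ccd # one file per client, named after its certificate CN
keepalive 10 60
persist-key
persist-tun

# --- /etc/openvpn/ccd/dns-ams1 (pins this DNS server to a fixed tunnel address) ---
ifconfig-push 10.221.0.4 255.255.255.0

# --- /etc/openvpn/client.conf on a DNS server ---
client
dev tun0
proto udp
remote master-eu.example.net 1194
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/dns-ams1.crt
key  /etc/openvpn/dns-ams1.key
tls-auth /etc/openvpn/ta.key 1
remote-cert-tls server             # refuse a client certificate posing as the server
persist-key
persist-tun

# --- bird.conf, ospf section on the master node ---
protocol ospf ntp {
    rfc1583compat yes;
    import all;
    export filter {
        if (source = RTS_STATIC) then accept;
        else reject;
    };
    area 0 {
        interface "tun0" {         # 10.221.0.1/24, so every listed neighbor is on-link for BIRD
            type ptmp;             # hub sees all clients; clients do not see each other
            cost 20;
            hello 5;
            dead 60;
            authentication cryptographic;   # keyed hellos/LSAs; a rogue peer cannot inject routes
            password "placeholder-ospf-key";
            neighbors {
                10.221.0.4;
                10.221.0.5;
            };
        };
    };
}

# --- bird.conf, ospf section on a DNS server (client) ---
protocol ospf ntp {
    rfc1583compat yes;
    import all;
    export filter {
        if (source = RTS_STATIC) then accept;
        else reject;
    };
    area 0 {
        interface "tun0" {         # 10.221.0.4/24 after ifconfig-push
            type ptmp;
            cost 20;
            hello 5;
            dead 60;
            authentication cryptographic;
            password "placeholder-ospf-key";
            neighbors { 10.221.0.1; };
        };
    };
}
```

With this addressing "birdc show interfaces" on both ends should report tun0 as 10.221.0.x/24 rather than a /32 with an "opposite" address, and "birdc show ospf neighbors" should move the listed neighbors past the Hello/Init states to Full. A DNS server that connects to two master nodes runs one OpenVPN client instance per master (tun0 and tun1) and repeats the interface stanza for the second tunnel. The first scheme Ondrej describes (one peer pair per client and "type ptp") is not shown here.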
participants (2): Ask Bjørn Hansen, Ondrej Zajicek