Hi Carl,

I think both options are viable. Perhaps 1) is preferable when IKE is a 
responder and 2) when an initiator. 

1) doesn't exist, but there are many other cases where VPP sends notification 
events to the agent when it has discovered something - search for APIs named 
want_*
For 2) it's important, IMO, for the entities managing the tunnel to have 
separate roles. I'd suggest that the agent/API/CLI manages the existence of the 
tunnel and IKE manages its state. That way the agent can add the tunnel and 
routes through it, but leave it admin down so clear text packets won't pass. 
Then when IKE negotiation completes IKE can bring it admin up. The agent is 
then responsible for disabling IKE first and this makes IKE set the tunnel 
state to admin down, and then the agent can delete the tunnel.
I'd say this IKE behaviour should be controlled by a config knob, rather than 
assumed based on the pre-existence of a tunnel IKE would otherwise create. But 
I've no strong preference.

regards
neale


On 26/11/2019 21:10, "vpp-dev@lists.fd.io on behalf of Carl Smith" 
<vpp-dev@lists.fd.io on behalf of carl.sm...@alliedtelesis.co.nz> wrote:

    What is the current thinking on how IPIP tunnels should be configured 
    (admin state, routes etc) if they are created by IKE?
    
    In the Linux kernel we statically create the tunnel, bring it admin up, 
    route packets over it. But it drops the packets (triggering an IKE 
    acquire) until a valid SA exists. This has advantages and disadvantages. 
    It is great for static point-to-point tunnels in smaller VPN deployments, 
    but requires a lot of duplicated config in VPN concentrator deployments 
    where some form of tunnel template would be better.
    
    This change (https://gerrit.fd.io/r/c/vpp/+/23634) allows a mechanism 
    similar to the Linux kernel, but as was pointed out in the review 
    comments, is not complete and possibly not in line with the approach we 
    might want to take to solve the above problem.
    
    I think there are 2 options:
    
    1. Provide some form of templating/script trigger for tunnels being 
    established so that configuration can be applied when a tunnel appears 
    [Does a mechanism for this already exist?].
    
    2. Allow the tunnel to be preconfigured, but ensure traffic does not pass 
    until the SA is ready.
    
    Thanks,
    Carl
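The role split Neale proposes for option 2, modelled as an added Python example (constructed for this page, not VPP code or anything from the thread): the agent owns the tunnel's existence and routes, IKE owns its admin state, and the data plane drops everything while the tunnel is admin down, so no clear text leaves before the SA exists and deletion is refused until IKE has been disabled first. The tunnel name, sample route and method names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class IpipTunnel:
    name: str
    admin_up: bool = False      # owned by IKE: up only once an SA exists
    ike_enabled: bool = True    # toggled by the agent; IKE reacts
    routes: list = field(default_factory=list)  # owned by the agent

    def forward(self, pkt: bytes) -> str:
        # Data plane: an admin-down tunnel drops, so clear text never leaves.
        return "encrypt+send" if self.admin_up else "drop"

class Ike:
    """Owns the tunnel's admin state, nothing else."""
    def on_negotiation_complete(self, t: IpipTunnel) -> None:
        if not t.ike_enabled:
            raise RuntimeError("IKE is disabled on this tunnel")
        t.admin_up = True       # SA is in place: let traffic flow

    def on_disabled(self, t: IpipTunnel) -> None:
        t.admin_up = False      # agent disabled IKE: back to dropping

class Agent:
    """Owns the tunnel's existence and the routes through it."""
    def create_tunnel(self, name: str) -> IpipTunnel:
        t = IpipTunnel(name)    # admin-down by construction
        t.routes.append(f"10.0.0.0/24 via {name}")  # constructed sample route
        return t

    def disable_ike(self, t: IpipTunnel, ike: Ike) -> None:
        t.ike_enabled = False
        ike.on_disabled(t)

    def delete_tunnel(self, t: IpipTunnel) -> None:
        if t.ike_enabled or t.admin_up:
            raise RuntimeError("disable IKE before deleting the tunnel")
        t.routes.clear()

def lifecycle() -> list:
    """Replay the sequence from the mail; return what the data plane did."""
    agent, ike, log = Agent(), Ike(), []
    t = agent.create_tunnel("ipip0")
    log.append(t.forward(b"routed before SA"))     # "drop"
    ike.on_negotiation_complete(t)
    log.append(t.forward(b"routed after SA"))      # "encrypt+send"
    agent.disable_ike(t, ike)
    log.append(t.forward(b"routed after disable")) # "drop"
    agent.delete_tunnel(t)
    return log
```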

View/Reply Online (#14724): https://lists.fd.io/g/vpp-dev/message/14724