Linux Networking HOWTO | ||
---|---|---|
Prev | Chapter 7. IP Related Information | Next |
Why would you want to encapsulate IP datagrams within IP datagrams? It must seem odd if you've never seen a working application. Two common places where it is used are in Mobile-IP and IP-Multicast. Amateur Radio is perhaps the most widely spread (and least known) useage.
Kernel Compile Options:
Networking options ---> [*] TCP/IP networking [*] IP: forwarding/gatewaying .... <*> IP: tunneling |
IP tunnel devices are called `tunl0', `tunl1' etc.
"But why ?". Ok, ok. Conventional IP routing rules mandate that an IP network comprises a network address and a network mask. This produces a series of contiguous addresses that may all be routed via a single routing entry. This is very convenient. It means that you may use any particular IP address while you are connected to its piece of the network. In most instances this is ok. If you are a mobile netizen, however, then you may not be able to stay connected to the one place all the time. IP/IP encapsulation (IP tunneling) allows you to overcome this restriction by allowing datagrams destined for your IP address to be wrapped up and redirected to another IP address. If you know that you're going to be operating from another IP network, you can set up a machine on your home network to accept datagrams to your IP address. You can then redirect these datagrams to the address that you will be temporarily using.
192.168.1/24 192.168.2/24 - - | ppp0 = ppp0 = | | aaa.bbb.ccc.ddd fff.ggg.hhh.iii | | | | /-----\ /-----\ | | | | // | | | |---| A |------//---------| B |---| | | | // | | | | \-----/ \-----/ | | | - - |
The diagram illustrates another possible reason to use IPIP encapsulation; virtual private networking. This example presupposes that you have two machines, each with a simple dial up Internet connection. Each host is allocated just a single IP address. Behind each of these machines are some private local area networks. These LANs are configured with reserved IP network addresses. Suppose that you want to allow any host on network A to connect to any host on network B (just as if they were properly connected to the Internet with a network route). IPIP encapsulation will allow you to do this configuration. Note: encapsulation does not solve the problem of how you get the hosts on networks A and B to talk to any other on the Internet. You will still need to use tricks like IP Masquerade. Encapsulation is normally performed by machines functioning as routers.
Linux router `A' would be configured with a script like the following:
#!/bin/sh PATH=/sbin:/usr/sbin mask=255.255.255.0 remotegw=fff.ggg.hhh.iii # # Ethernet configuration ifconfig eth0 192.168.1.1 netmask $mask up route add -net 192.168.1.0 netmask $mask eth0 # # ppp0 configuration (start ppp link, set default route) pppd route add default ppp0 # # Tunnel device configuration ifconfig tunl0 192.168.1.1 up route add -net 192.168.2.0 netmask $mask gw $remotegw tunl0 |
Linux router `B' would be configured with a similar script:
#!/bin/sh PATH=/sbin:/usr/sbin mask=255.255.255.0 remotegw=aaa.bbb.ccc.ddd # # Ethernet configuration ifconfig eth0 192.168.2.1 netmask $mask up route add -net 192.168.2.0 netmask $mask eth0 # # ppp0 configuration (start ppp link, set default route) pppd route add default ppp0 # # Tunnel device configuration ifconfig tunl0 192.168.2.1 up route add -net 192.168.1.0 netmask $mask gw $remotegw tunl0 |
The command:
route add -net 192.168.1.0 netmask $mask gw $remotegw tunl0 |
reads: `Send any datagrams destined for 192.168.1.0/24 inside an IPIP encap datagram with a destination address of aaa.bbb.ccc.ddd'.
Note that the configurations are reciprocated at either end. The tunnel device uses the `gw' in the route as the destination of the IP datagram (where it will place the datagram it has received to route). That machine must know how to decapsulate IPIP datagrams. In other words, it must also be configured with a tunnel device.
You do not have to be routing a whole network. You could, for example, route just a single IP address. In that instance you might configure the tunl device on the `remote' machine with its home IP address. At the A end would have a host route (and Proxy Arp) rather than a network route via the tunnel device. Let's redraw and modify our configuration appropriately. Now we have just host `B' which you want to act and behave as if it is both fully connected to the Internet, and also part of the remote network supported by host `A':
192.168.1/24 - | ppp0 = ppp0 = | aaa.bbb.ccc.ddd fff.ggg.hhh.iii | | /-----\ /-----\ | | | // | | |---| A |------//---------| B | | | | // | | | \-----/ \-----/ | also: 192.168.1.12 - |
Linux router `A' would be configured with:
#!/bin/sh PATH=/sbin:/usr/sbin mask=255.255.255.0 remotegw=fff.ggg.hhh.iii # # Ethernet configuration ifconfig eth0 192.168.1.1 netmask $mask up route add -net 192.168.1.0 netmask $mask eth0 # # ppp0 configuration (start ppp link, set default route) pppd route add default ppp0 # # Tunnel device configuration ifconfig tunl0 192.168.1.1 up route add -host 192.168.1.12 gw $remotegw tunl0 # # Proxy ARP for the remote host arp -s 192.168.1.12 xx:xx:xx:xx:xx:xx pub |
Linux host `B' would be configured with:
#!/bin/sh PATH=/sbin:/usr/sbin mask=255.255.255.0 remotegw=aaa.bbb.ccc.ddd # # ppp0 configuration (start ppp link, set default route) pppd route add default ppp0 # # Tunnel device configuration ifconfig tunl0 192.168.1.12 up route add -net 192.168.1.0 netmask $mask gw $remotegwtunl0 |
This sort of configuration is more typical of a Mobile-IP application: a single host wants to roam around the Internet and maintain a single usable IP address the whole time. You should refer to the Mobile-IP section for more information on how this is handled in practice.