From: John Huttley <john@mib-infotech.co.nz>
To: wireguard@lists.zx2c4.com
Subject: DMVPM appreciation
Date: Sun, 4 Dec 2016 07:07:21 +1300 [thread overview]
Message-ID: <e1085a46-e38f-c13c-86f5-de312b3a5c05@mib-infotech.co.nz> (raw)
In-Reply-To: <20161203115342.20950-1-list@eworm.de>
When Wireguard was first announced, there were several comments like
"Can you do DMVPM?"
So
What is DMVPN?
Do we care?
Can we do it better?
DMVPN
http://www.cisco.com/c/en/us/products/security/dynamic-multipoint-vpn-dmvpn/index.html
Is a Cisco product to lets spokes create spoke-to-spoke links in an
otherwise spoke-hub VPN architecture.
If we have A<-> HUB <-> B then we can get A <-> B directly. This
unloads the hub.
So how do they do it?
They document 3 things
1) mGRE tunnels.
The tunnel is good old GRE on proto 47.
For every endpoint you create an interface. So hub with 1000 spokes has
int gre0 -> int gre999.
Nope, not that dumb. They have a multipoint GRE, mGRE with one interface
that can terminate all the tunnels.
--Just like Wireguard.
2)Ipsec. But GRE is encapsulation only, so they protect it with ipsec.
Presumably ESP transport mode.
Wireguard doesn't need that.
3)NHRP. https://en.wikipedia.org/wiki/Next_Hop_Resolution_Protocol
This is a repurposed bit of the ATM suite. Sort of DB of remote internet
addresses (endpoints) that spokes look up to set up tunnels.
Wireguard. So much easier.
There is a 4th part. The actually doing it and the policy for
controlling it.
When you look at it, a spoke-hub network that can overlay itself is a
mesh network.
So, do we care about DMVPN? No, it's vendor specific.
Can we do it better? Sure, Jason has already done all the hard work.
The key thought going forward is that that security doesn't matter. It's
outside the scope.
If A,B,C are /already/ in the VPN, they are /already/ authorised.
A tunnel overlay does not impact /security/, it impacts /routing/.
I suggest looking up
Homenet https://www.irif.fr/~jch/software/homenet/howto.html
So lets consider a simplified case
A <-> B <-> C
A is sending a lot of data to C.
Policy triggers starting a direct A <-> C tunnel.
We need public key and endpoint to set up a tunnel.
First. A can talk to C just fine on the VPN. Thats all the
authentication required.
A and C swap public keys
Endpoints? you could look up myip.com, but there is one perfect way.
A asks B, because if two nodes are peered, they always know the
endpoint of their peer.
In this case B knows how to contact A.
B passes that back to A
A then passes that to C along with A's public key
Ok, UDP Rendevous and we have a A <-> C tunnel, no NHRP required.
The routing daemon engages and a new route becomes active.
--Dad
next prev parent reply other threads:[~2016-12-03 18:04 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-03 11:53 [PATCH 1/1] include tests/debug.mk only if exists Christian Hesse
2016-12-03 18:07 ` John Huttley [this message]
2016-12-03 18:48 ` DMVPM appreciation Dave Taht
2016-12-04 3:01 ` Kalin KOZHUHAROV
2016-12-04 5:57 ` John Huttley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e1085a46-e38f-c13c-86f5-de312b3a5c05@mib-infotech.co.nz \
--to=john@mib-infotech.co.nz \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).