Re: IPIP Tunnelling.

David Woodhouse (D.W.Woodhouse@nortel.co.uk)
Fri, 15 Aug 1997 09:05:06 +0100


> A multiple-encapsulated IP packet could be found if an ISP is using
> a Linux box as a router on a Virtual Private Network (VPN) and one of
> their users is using that ISP to set up their own VPN... Granted, this is
> a small case but could easily come up.

Not really, as at the moment, the ipip code just isn't suitable for use by an
ISP in this fashion, because it's not transparent enough. If it was, I
wouldn't be working on it :)

> How much overhead are we going to add if we have the system look at each
> packet to determine if it is an encapsulated packet, dis-assemble it, and
> recursively go into that packet's data to see where it's going???

Not a lot. Only packets going out through the tunnel device(s) need to be
checked, and almost all packets will fall through the first
    if (iph->protocol == IP_PROTO_IPIP)

IPIP-in-IPIP packets will then have to check whether the address is local,
which I believe is a single route lookup, followed by checking for RTF_LOCAL
unless anyone tells me a quicker way. So it's a single compare, followed by a
route lookup and two compares for each level of IPIP-in-IPIP-in-IPIP-...

-- 
David Woodhouse,	CB3 9AN		http://dwmw2.robinson.cam.ac.uk/
	dwmw2@cam.ac.uk 		 Tel: 0976 658355        
	D.W.Woodhouse@nortel.co.uk	 Tel: 01279 402332
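
The per-level check described in this message, as a user-space C example added here (not the kernel's ipip code and not the poster's patch): one protocol compare, then a locality test for each nesting level, with header bounds checks and a nesting cap. `addr_is_local`, `LOCAL_ADDR`, `MAX_NEST`, `build_sample` and the choice of the destination address for the locality test are assumptions standing in for the route lookup and RTF_LOCAL check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_IPIP 4   /* IANA protocol number for IP-in-IP */
#define MAX_NEST   8   /* assumed cap so deep nesting cannot keep the loop busy */

/* Hypothetical stand-in for "route lookup, then test RTF_LOCAL". */
static const uint8_t LOCAL_ADDR[4] = {192, 0, 2, 1};   /* constructed address */
static int addr_is_local(const uint8_t *a) { return memcmp(a, LOCAL_ADDR, 4) == 0; }

/* Count consecutive IPIP layers addressed to a local address.
 * Returns -1 on a malformed header or when nesting exceeds MAX_NEST. */
int ipip_local_depth(const uint8_t *pkt, size_t len)
{
    int depth = 0;
    for (;;) {
        if (len < 20 || (pkt[0] >> 4) != 4) return -1;    /* need a full IPv4 header */
        size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
        size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
        if (ihl < 20 || tot < ihl || tot > len) return -1; /* lengths must fit buffer */
        if (pkt[9] != PROTO_IPIP) return depth;      /* the single compare */
        if (!addr_is_local(pkt + 16)) return depth;  /* destination is not ours */
        if (++depth > MAX_NEST) return -1;
        pkt += ihl;                                  /* step into the inner packet */
        len = tot - ihl;
    }
}

/* Constructed sample: `levels` IPIP headers to `dst` around one UDP header. */
size_t build_sample(uint8_t *buf, int levels, const uint8_t *dst)
{
    size_t total = (size_t)(levels + 1) * 20;
    memset(buf, 0, total);
    for (int i = 0; i <= levels; i++) {
        uint8_t *h = buf + (size_t)i * 20;
        size_t tot = total - (size_t)i * 20;
        h[0] = 0x45; h[2] = (uint8_t)(tot >> 8); h[3] = (uint8_t)tot;
        h[9] = (i < levels) ? PROTO_IPIP : 17;       /* innermost header is UDP */
        memcpy(h + 16, dst, 4);
    }
    return total;
}

int main(void) {
    uint8_t buf[64];
    size_t n = build_sample(buf, 2, LOCAL_ADDR);
    printf("%d\n", ipip_local_depth(buf, n));
    return 0;
}
```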