Linux Tunnels
Updated 2021-02-19
Click here for the English original
Linux supports many kinds of tunnels; this is a brief introduction to several commonly used ones.
Commonly used tunnels include
- IPIP Tunnel
- SIT Tunnel
- ip6tnl Tunnel
- VTI and VTI6
- GRE and GRETAP
- IP6GRE and IP6GRETAP
- FOU
- GUE
- GENEVE
- ERSPAN and IP6ERSPAN
IPIP Tunnel
The tunnel header is shown in the figure:
Use
Connects two IPv4 subnets over an IPv4 public link.
Advantages
Low overhead, but it only supports unicast packets, not multicast.
Creation
After the IPIP module is loaded, or after an IPIP device is created,
the Linux kernel creates a default device named tunl0 with the attributes local=any, remote=any.
```bash
On Server A:
# ip link add name ipip0 type ipip local LOCAL_IPv4_ADDR remote REMOTE_IPv4_ADDR
# ip link set ipip0 up
# ip addr add INTERNAL_IPV4_ADDR/24 dev ipip0
Add a remote internal subnet route if the endpoints don't belong to the same subnet
# ip route add REMOTE_INTERNAL_SUBNET/24 dev ipip0
On Server B:
# ip link add name ipip0 type ipip local LOCAL_IPv4_ADDR remote REMOTE_IPv4_ADDR
# ip link set ipip0 up
# ip addr add INTERNAL_IPV4_ADDR/24 dev ipip0
# ip route add REMOTE_INTERNAL_SUBNET/24 dev ipip0
```
Replace the four parameters in the configuration with the addresses of your real environment: LOCAL_IPv4_ADDR, REMOTE_IPv4_ADDR, INTERNAL_IPV4_ADDR and REMOTE_INTERNAL_SUBNET.
SIT Tunnel
SIT stands for Simple Internet Transition.

Use
Connects isolated IPv6 networks over IPv4.
Originally it only supported IPv6 encapsulated in IPv4; it now supports the modes ipip (the same as the IPIP tunnel), ip6ip, mplsip and any.
Creation
When the sit module is loaded, the kernel creates a device named sit0.
```bash
On Server A:
# ip link add name sit1 type sit local LOCAL_IPv4_ADDR remote REMOTE_IPv4_ADDR mode any
# ip link set sit1 up
# ip addr add INTERNAL_IPV4_ADDR/24 dev sit1
```
After configuring the local end, apply the same configuration on the remote device.
ip6tnl Tunnel
ip6tnl encapsulates IPv4/IPv6 in IPv6.
Supported modes: ip6ip6, ipip6, any.
When the ip6tnl module is loaded, the kernel creates a device named ip6tnl0.
```bash
# ip link add name ipip6 type ip6tnl local LOCAL_IPv6_ADDR remote REMOTE_IPv6_ADDR mode any
```
VTI and VTI6
The Virtual Tunnel Interface (VTI) on Linux is an IPsec tunnel.
It encrypts and encapsulates the inner IP packets through the kernel xfrm module.
```bash
# ip link add name vti1 type vti key VTI_KEY local LOCAL_IPv4_ADDR remote REMOTE_IPv4_ADDR
# ip link set vti1 up
# ip addr add LOCAL_VIRTUAL_ADDR/24 dev vti1
# ip xfrm state add src LOCAL_IPv4_ADDR dst REMOTE_IPv4_ADDR spi SPI PROTO ALGR mode tunnel
# ip xfrm state add src REMOTE_IPv4_ADDR dst LOCAL_IPv4_ADDR spi SPI PROTO ALGR mode tunnel
# ip xfrm policy add dir in tmpl src REMOTE_IPv4_ADDR dst LOCAL_IPv4_ADDR PROTO mode tunnel mark VTI_KEY
# ip xfrm policy add dir out tmpl src LOCAL_IPv4_ADDR dst REMOTE_IPv4_ADDR PROTO mode tunnel mark VTI_KEY
```
GRE and GRETAP
Generic Routing Encapsulation
A GRE tunnel adds a GRE header between the inner and outer IP headers.
GRE can encapsulate any Layer 3 protocol header inside a valid Ethernet frame.
Multicast and IPv6 packets can be carried inside a GRE tunnel.
```bash
# ip link add name gre1 type gre local LOCAL_IPv4_ADDR remote REMOTE_IPv4_ADDR [seq] key KEY
```
GRE tunnels operate at Layer 3 of the OSI model; GRETAP tunnels operate at Layer 2.
```bash
# ip link add name gretap1 type gretap local LOCAL_IPv4_ADDR remote REMOTE_IPv4_ADDR
```
IP6GRE and IP6GRETAP
```bash
# ip link add name gre1 type ip6gre local LOCAL_IPv6_ADDR remote REMOTE_IPv6_ADDR
# ip link add name gretap1 type ip6gretap local LOCAL_IPv6_ADDR remote REMOTE_IPv6_ADDR
```
FOU
FOU (foo over UDP) is a tunnel at the UDP layer.
UDP tunnels are usually used together with hardware features (NIC RSS, switch ECMP, checksum offload).
Currently, FOU supports IPIP, SIT and GRE as the encapsulated protocols.
```bash
# ip fou add port 5555 ipproto 4
# ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2 ttl 225 encap fou encap-sport auto encap-dport 5555
```
GUE
Generic UDP Encapsulation (GUE) is another kind of UDP tunnel.
The difference from FOU is that it has its own protocol header.
GUE supports IPIP, SIT and GRE encapsulation inside it.
```bash
# ip fou add port 5555 gue
# ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2 ttl 225 encap gue encap-sport auto encap-dport 5555
```
GENEVE
Generic Network Virtualization Encapsulation (GENEVE) provides all the capabilities of VXLAN, NVGRE and STT.
This figure looks very similar to VXLAN.
The main difference is that the GENEVE header is extensible (by adding TLVs).
```bash
# ip link add name geneve0 type geneve id VNI remote REMOTE_IPv4_ADDR
```
ERSPAN and IP6ERSPAN
Encapsulated Remote Switched Port Analyzer (ERSPAN) uses GRE encapsulation to implement Layer 2 or Layer 3 port mirroring.
For Layer 3 traffic mirroring, the packet format is as follows:
A Linux host sends the mirrored traffic to a remote host through an ERSPAN tunnel.
```bash
# ip link add dev erspan1 type erspan local LOCAL_IPv4_ADDR remote REMOTE_IPv4_ADDR seq key KEY erspan_ver 1 erspan IDX
or
# ip link add dev erspan1 type erspan local LOCAL_IPv4_ADDR remote REMOTE_IPv4_ADDR seq key KEY erspan_ver 2 erspan_dir DIRECTION erspan_hwid HWID
Add tc filter to monitor traffic
# tc qdisc add dev MONITOR_DEV handle ffff: ingress
# tc filter add dev MONITOR_DEV parent ffff: matchall skip_hw action mirred egress mirror dev erspan1
```
Summary
| Tunnel/Link Type | Outer Header | Encapsulation Header | Inner Header |
|---|---|---|---|
| ipip | IPv4 | None | IPv4 |
| sit | IPv4 | None | IPv4/IPv6 |
| ip6tnl | IPv6 | None | IPv4/IPv6 |
| vti | IPv4 | IPsec | IPv4 |
| vti6 | IPv6 | IPsec | IPv6 |
| gre | IPv4 | GRE | IPv4/IPv6 |
| gretap | IPv4 | GRE | Ether + IPv4/IPv6 |
| ip6gre | IPv6 | GRE | IPv4/IPv6 |
| ip6gretap | IPv6 | GRE | Ether + IPv4/IPv6 |
| fou | IPv4/IPv6 | UDP | IPv4/IPv6/GRE |
| gue | IPv4/IPv6 | UDP + GUE | IPv4/IPv6/GRE |
| geneve | IPv4/IPv6 | UDP + Geneve | Ether + IPv4/IPv6 |
| erspan | IPv4 | GRE + ERSPAN | IPv4/IPv6 |
| ip6erspan | IPv6 | GRE + ERSPAN | IPv4/IPv6 |
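The summary table says, for each tunnel type, which outer and encapsulation headers wrap the inner packet, which is exactly what a monitoring or forensics tool has to look at to tell tunnelled traffic apart. As an added example that is not part of the original article, the Python below builds constructed sample packets for the ipip, gre and erspan cases and classifies a raw IPv4 packet by those headers. It assumes the outer addresses 192.168.1.1/192.168.1.2 from the FOU example, constructed inner addresses 10.0.0.1/10.0.1.1, and the IANA GRE protocol-type values (0x6558 for gretap, 0x88BE/0x22EB for ERSPAN version 1/2).

```python
import socket
import struct

# GRE protocol-type values carried by the GRE-based tunnel types on this page (IANA ethertypes).
GRE_PROTO = {0x0800: "IPv4", 0x86DD: "IPv6", 0x6558: "Ether (gretap)",
             0x88BE: "ERSPAN v1", 0x22EB: "ERSPAN v2"}

def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left 0) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def build_gre(proto_type, key=None, seq=None):
    """GRE header (RFC 2784/2890): flags word (K=0x2000, S=0x1000), protocol type, key, seq."""
    flags = (0x2000 if key is not None else 0) | (0x1000 if seq is not None else 0)
    hdr = struct.pack("!HH", flags, proto_type)
    for field in (key, seq):
        if field is not None:
            hdr += struct.pack("!I", field)
    return hdr

def classify(pkt):
    """Name the tunnel type from the outer IPv4 protocol number and, for GRE, the GRE header."""
    proto, inner = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    info = {"outer_src": socket.inet_ntoa(pkt[12:16]), "outer_dst": socket.inet_ntoa(pkt[16:20]),
            "tunnel": "none", "ip_proto": proto}
    if proto == 4:       # IPv4-in-IPv4: ipip
        info.update(tunnel="ipip", inner="IPv4")
    elif proto == 41:    # IPv6-in-IPv4: sit
        info.update(tunnel="sit", inner="IPv6")
    elif proto == 47:    # GRE family: gre, gretap and erspan all use IP protocol 47
        flags, ptype = struct.unpack("!HH", inner[:4])
        off = 4 + (4 if flags & 0x8000 else 0)   # C bit set: skip checksum + reserved1
        for bit, name in ((0x2000, "key"), (0x1000, "seq")):
            if flags & bit:
                info[name] = struct.unpack("!I", inner[off:off + 4])[0]
                off += 4
        info.update(tunnel="gre", inner=GRE_PROTO.get(ptype, hex(ptype)))
    elif proto == 17:    # UDP: geneve uses port 6081; fou/gue use the port given to 'ip fou add'
        dport = struct.unpack("!H", inner[2:4])[0]
        info.update(tunnel="geneve" if dport == 6081 else "udp (fou/gue?)", udp_dport=dport)
    return info

def sample_packets():
    """Constructed sample packets (not real captures) for three tunnel types from the table."""
    inner = build_ipv4("10.0.0.1", "10.0.1.1", 1, b"\x08\x00" + b"\x00" * 6)   # inner ICMP echo
    outer = lambda proto, body: build_ipv4("192.168.1.2", "192.168.1.1", proto, body)
    return {"ipip": outer(4, inner),
            "gre": outer(47, build_gre(0x0800, key=42, seq=1) + inner),
            "erspan": outer(47, build_gre(0x88BE, seq=7) + inner)}
```

FOU and GUE cannot be recognised from the outer header alone because they use whatever UDP port was given to `ip fou add`, so a classifier needs that port from the host configuration.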