Theoretical Explanation of the EIGRP Protocol

Source: Internet
Author: User
Tags: eigrp router

EIGRP (Enhanced Interior Gateway Routing Protocol) is an enhanced version of IGRP (Interior Gateway Routing Protocol). It is a Cisco proprietary protocol, so it cannot be used between a Cisco device and a device from another manufacturer. It combines features of link-state and distance-vector routing protocols, converges quickly and uses little bandwidth. The detailed theory of EIGRP is set out below.

About EIGRP

EIGRP combines distance-vector and link-state characteristics. Like a distance-vector protocol, it obtains update information from its adjacent routers; in addition it keeps a topology table and uses its own DUAL algorithm to select an optimal loop-free path.

Unlike a traditional distance-vector protocol, EIGRP converges quickly and does not send periodic route updates. Unlike a link-state protocol, it does not know the topology of the entire network and relies only on the information published by its neighbors. EIGRP uses the same routing algorithm as IGRP, DUAL (Diffusing Update Algorithm); the DUAL mechanism is the core of EIGRP. The administrative distance of internal EIGRP routes is 90 and that of external EIGRP routes is 170. Both equal-cost and unequal-cost load balancing are supported. In the IP header, the protocol field value of EIGRP is 88.


100% loop-free: if the whole network is within one autonomous system, DUAL guarantees a 100% loop-free forwarding table;

Fast convergence: using the backup route computed by DUAL, an EIGRP router can switch to the feasible successor (FS) quickly when the successor (S) becomes unavailable;

Multicast or unicast: route updates are sent by multicast or unicast to save link bandwidth;

Larger network scale: RIP allows at most 15 hops, whereas EIGRP allows up to 255 hops and IGRP up to 224 hops; both default to 100 hops;

Three network-layer protocols supported: EIGRP supports IP, IPX and AppleTalk, which widens the range of networks in which it can be used;

Support for VLSM and discontiguous networks: RIP and IGRP do not support these;

Reduced bandwidth consumption and better use of bandwidth: unlike RIP and IGRP, EIGRP does not exchange routing information at fixed intervals. It uses triggered and incremental updates: a route update is sent to the neighbors only when the state of a route to a destination network changes or the metric of the route changes, so the bandwidth required for route updates is far lower than with RIP and IGRP. EIGRP packets take the bandwidth parameter from the interface they are sent on, and the value is configured per interface. For example, all serial interfaces have a default bandwidth of 1544 kb/s, and this value can be configured. EIGRP uses at most 50% of the interface bandwidth for its own packets (the percentage can be changed with ip bandwidth-percent), which ensures that EIGRP packets are not starved during a major network convergence.

RIP and IGRP do not have this feature, so a large number of RIP and IGRP update packets may block the forwarding of ordinary traffic.


Metric: bandwidth, delay, reliability, load and maximum transmission unit (MTU) can be used in the metric calculation; by default only bandwidth and delay are used. The formula is: [(10^7 / lowest bandwidth on the path) + (sum of all delays)] × 256.
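The formula above, worked through in code as an added example (not part of the original article and not Cisco's implementation). It assumes the classic Cisco K-value form of the metric, with bandwidth in kbit/s and delay in microseconds (the delay term counts tens of microseconds); the default K values 1, 0, 1, 0, 0 reduce it to the bandwidth-plus-delay formula the article gives. The T1 and Ethernet figures are the usual interface defaults and are assumptions here.

```python
# EIGRP composite metric (classic 32-bit form). Added example; assumptions noted inline.

DEFAULT_K = (1, 0, 1, 0, 0)        # Cisco defaults: only bandwidth (K1) and delay (K3) count


def composite_metric(min_bandwidth_kbps, total_delay_us, reliability=255, load=1, k=DEFAULT_K):
    """Metric for a path whose lowest bandwidth and summed delay are given.

    reliability and load are 1..255 scales (255 = fully reliable, 1 = idle link); they only
    influence the result when K2 / K5 are non-zero.
    """
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bandwidth_kbps          # bandwidth term: 10^7 / lowest bandwidth (kbit/s)
    delay = total_delay_us // 10              # delay term is counted in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                               # reliability factor applies only when K5 is set
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def path_metric(links, k=DEFAULT_K):
    """links: list of (bandwidth_kbps, delay_us) per hop. Uses the lowest bandwidth on the
    path and the sum of all hop delays, as the article's formula states."""
    min_bw = min(bw for bw, _ in links)
    total_delay = sum(d for _, d in links)
    return composite_metric(min_bw, total_delay, k=k)


# Assumed interface defaults (constructed for the example).
T1 = (1544, 20000)         # serial: 1544 kbit/s, 20000 us delay
ETHERNET = (10000, 1000)   # 10 Mbit/s Ethernet, 1000 us delay

if __name__ == "__main__":
    print("single T1 hop:", path_metric([T1]))            # 2169856
    print("Ethernet hop:", path_metric([ETHERNET]))       # 281600
    print("T1 then Ethernet:", path_metric([T1, ETHERNET]))
```

The two-hop case shows why the lowest bandwidth, not the sum, drives the metric: adding a fast Ethernet hop behind the T1 only contributes its delay.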

Feasible Distance (FD): the lowest metric to reach a destination.

Advertised Distance (AD): the lowest metric to a destination as advertised by an adjacent router.

Feasible Condition (FC): the advertised distance must be smaller than the feasible distance, that is, AD < FD.

Successor (S): a directly connected neighbor router that meets the FC and has the lowest metric to the destination. The successor is used as the next hop for forwarding packets to the destination.

Feasible Successor (FS): a neighbor router that meets the FC and has the second-lowest metric to the destination. When the primary route through S becomes unavailable, FS replaces it; FS is kept in the topology table as a backup route.

Active state: the state in which the router is searching for an FS. When the router loses S and has no FS available, the route enters the active state and is unusable. While a route is active, the router sends queries to all neighbors to find another route to the destination.

Passive state: the state in which a correct route to the destination exists. When the router loses S but has an FS, or when another successor is found, the route enters the passive state and is usable.

Neighbor relationship: EIGRP uses Hello packets to establish neighbor relationships. On low-speed links the Hello interval is 60 seconds; on high-speed links it is 5 seconds. If no Hello is received within a certain period, the neighbor relationship is reset. This period is the hold time, and the default hold time is three times the Hello interval. Both timers can be changed manually. To form a neighbor relationship, the K values and the autonomous system number must match. Use show ip eigrp neighbors to view the neighbor relationships.

Conditions for forming an EIGRP neighbor relationship:

1. The same AS number;

2. The same K values for the metric calculation;

3. The same authentication (EIGRP supports only encrypted authentication);

4. The neighbor address advertised by the peer must belong to a directly connected network of the local router.

Note: EIGRP sends its traffic from the primary IP address of the interface, and that address serves as the neighbor identifier (it represents an interface). After receiving a Hello, the EIGRP router applies the subnet mask of its own primary IP address to the neighbor address carried in the Hello, obtains the network address and matches it against the directly connected networks in its routing table. If it matches, the peer is treated as a neighbor and placed in the neighbor table; if the peer is not in the same subnet, it is rejected.
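The four neighbor conditions and the subnet check in the note, as an added example (not from the article and not Cisco code). The local configuration, the key and the addresses are constructed; the comparison of keys is a stand-in for the real authentication exchange and only illustrates the "must match" rule.

```python
import hmac
import ipaddress

# Constructed local configuration for the example (assumption, not from the article).
LOCAL_CONFIG = {
    "as": 100,                    # autonomous system number
    "k": (1, 0, 1, 0, 0),         # K1..K5 used in the metric calculation
    "auth_key": "example-key",    # None when authentication is not configured
    "primary_ip": "10.1.1.1/24",  # primary address and mask of the receiving interface
}


def same_auth(local_key, peer_key):
    """Both sides unconfigured, or both configured with the same key (constant-time compare)."""
    if local_key is None or peer_key is None:
        return local_key is None and peer_key is None
    return hmac.compare_digest(local_key.encode(), peer_key.encode())


def accept_neighbor(local, hello):
    """Check a received Hello against the four conditions; return (accepted, reason).

    hello: {"as": int, "k": tuple, "auth_key": str | None, "src": "a.b.c.d"} where src is the
    primary address the Hello was sent from (the neighbor identifier).
    """
    if hello["as"] != local["as"]:
        return False, "AS number mismatch"
    if tuple(hello["k"]) != tuple(local["k"]):
        return False, "K value mismatch"
    if not same_auth(local["auth_key"], hello.get("auth_key")):
        return False, "authentication mismatch"
    iface = ipaddress.ip_interface(local["primary_ip"])
    # Apply the local primary-IP mask to the peer's address and compare the resulting
    # network with the directly connected network of the local interface.
    peer_net = ipaddress.ip_network(f"{hello['src']}/{iface.network.prefixlen}", strict=False)
    if peer_net != iface.network:
        return False, f"{hello['src']} is not on the directly connected subnet {iface.network}"
    return True, "accepted"


class NeighborTable:
    """Accepted neighbors keyed by address, with the local interface they were heard on."""

    def __init__(self, local):
        self.local = local
        self.entries = {}

    def process_hello(self, hello, interface):
        accepted, reason = accept_neighbor(self.local, hello)
        if accepted:
            self.entries[hello["src"]] = interface
        return accepted, reason


if __name__ == "__main__":
    table = NeighborTable(LOCAL_CONFIG)
    hello = {"as": 100, "k": (1, 0, 1, 0, 0), "auth_key": "example-key", "src": "10.1.1.2"}
    print(table.process_hello(hello, "Serial0/0"))                 # accepted
    print(table.process_hello(dict(hello, src="10.1.2.2"), "Serial0/0"))  # wrong subnet
```

The subnet test uses the local mask, not a mask carried by the peer, which is exactly why a peer on a different subnet of the same link is refused even when its AS number and K values match.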

Note: within the same autonomous system, IGRP and EIGRP automatically redistribute route information to each other; automatic redistribution can also be disabled.

Four important technologies in EIGRP:

1. Neighbor discovery: uses Hello packets to discover neighbors, maintain them and check their status.

2. Reliable Transport Protocol (RTP): ensures that EIGRP packets are delivered to all neighbors in order.

3. DUAL algorithm: a finite state machine that selects a loop-free path to the destination based on the distance information advertised by all neighbors.

4. Protocol-dependent modules: handle the requirements of the different network-layer protocols; for example, IP-EIGRP handles IP networks.

Detailed explanation of the concept

EIGRP maintains three tables: the neighbor table, the topology table and the routing table.

A router that starts running EIGRP must discover its neighbors, learn the network and select routes. During this process it builds three independent tables: the neighbor table, the topology table and the routing table. The neighbor table stores the directly connected routers that have established a neighbor relationship with this router. The topology table contains all route entries the router has learned to each destination. The routing table holds the optimal routes.

The neighbor table, topology table and routing table are introduced below using R4 as an example.


1. Each neighbor in R4's neighbor table sends R4 a copy of its IP routing table;

2. R4 stores the routing tables received from its neighbors in its own topology table. R4 receives advertisements for the destination network from R2 and R3 with advertised distances of 110 and 160 respectively; R4 adds its own metric to R2 and to R3 and obtains computed distances of 210 and 260;

3. R4 examines its topology table, selects the optimal route to the destination, takes R2 as the successor and places the route in the routing table.
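R4's topology-table entry for the destination above, modelled as an added example (not from the article and not Cisco code) using the article's numbers: R2 advertises 110, R3 advertises 160, and the metric of each local link is 100. The destination prefix and the "unreachable" constant are constructed. The example also shows what the definitions of FD, FC and FS imply when the successor is lost: with R3 satisfying FC (160 < 210) the route stays passive and FD is unchanged, and only when no feasible successor remains does the route go active.

```python
INFINITY = 0xFFFFFFFF   # assumed "unreachable" metric value for the example


class TopologyEntry:
    """One destination in the EIGRP topology table (added example)."""

    def __init__(self, network):
        self.network = network
        self.state = "P"            # P = passive, A = active (the table's status codes)
        self.fd = INFINITY          # feasible distance: lowest metric seen while passive
        self.adverts = {}           # neighbor -> (advertised distance, local link metric)

    def receive_update(self, neighbor, advertised, link_metric):
        self.adverts[neighbor] = (advertised, link_metric)
        computed = advertised + link_metric
        if self.state == "P" and computed < self.fd:
            self.fd = computed      # FD only decreases while the route is passive

    def computed(self, neighbor):
        ad, link = self.adverts[neighbor]
        return ad + link

    def successors(self):
        """Neighbors with the lowest computed distance among those satisfying FC (AD < FD)."""
        feasible = [n for n, (ad, _) in self.adverts.items() if ad < self.fd]
        if not feasible:
            return []
        best = min(self.computed(n) for n in feasible)
        return [n for n in feasible if self.computed(n) == best]

    def feasible_successors(self):
        """Neighbors that satisfy FC but are not successors: the backup routes."""
        chosen = set(self.successors())
        return [n for n, (ad, _) in self.adverts.items() if ad < self.fd and n not in chosen]

    def lose_neighbor(self, neighbor):
        """Successor loss: fall back to an FS and stay passive, or go active (a query is needed)."""
        self.adverts.pop(neighbor, None)
        if not self.successors():
            self.state = "A"
        return self.state

    def show(self):
        """One line in the style of a topology-table listing."""
        return (f"{self.state} {self.network}, {len(self.successors())} successors, "
                f"FD is {self.fd}, FS {self.feasible_successors()}")


def r4_example():
    """R4's entry with the article's numbers (destination prefix constructed)."""
    entry = TopologyEntry("10.0.0.0/24")
    entry.receive_update("R2", 110, 100)   # computed distance 210 -> FD
    entry.receive_update("R3", 160, 100)   # computed distance 260; FC holds since 160 < 210
    return entry


if __name__ == "__main__":
    e = r4_example()
    print(e.show())                 # P ..., 1 successors, FD is 210, FS ['R3']
    print("lose R2 ->", e.lose_neighbor("R2"), e.show())   # stays P, successor R3, FD still 210
    print("lose R3 ->", e.lose_neighbor("R3"))             # A: no feasible successor left
```

Note that FD is not raised to 260 when R3 takes over: while the route is passive, FD records the lowest distance seen, and it is only reset after a route has gone active and returned to passive, which is what makes the FC test loop-free.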

Route codes in the EIGRP routing table:

D: a route learned within this autonomous system.

D EX: a route entry redistributed from outside.

Fields of the EIGRP neighbor table:

Address: the address of the neighbor router.

Interface: the local interface to the neighbor.

Hold time: the maximum time the router waits to receive any packet from the neighbor. The hold time is reset whenever a new packet is received.

SRTT (smooth round-trip time): the time taken to send an EIGRP packet to a neighbor and receive the acknowledgement from that neighbor, in ms.

RTO (retransmission timeout): the time the router waits before retransmitting a packet, in ms.

Q Cnt (queue count): the number of EIGRP packets waiting to be sent. If this value stays above 0, the network is congested.

Status codes in the EIGRP topology table:

P: passive, the network is stable.

A: active, the network is currently unavailable and queries are being sent.

U: update, the network is waiting for acknowledgement of an update packet.

Q: query, the network is waiting for acknowledgement of a query packet.

SIA: stuck-in-active, the network has remained active too long, which indicates a convergence problem.

EIGRP traffic table (packets sent and received):


EIGRP message types:

EIGRP uses the Reliable Transport Protocol (RTP). RTP requires every EIGRP packet that carries a sequence number to be acknowledged, and the next packet is sent only after the previous one has been acknowledged. RTP's retransmission mechanism makes reliable delivery to neighbors possible: if a packet is still unacknowledged when the RTO (retransmission timeout) expires, RTP retransmits it, and the retransmission is unicast so as not to disturb neighbors that have already acknowledged it. At most 16 retransmissions are performed; if no acknowledgement arrives after 16 retransmissions, the neighbor relationship is reset, and when the neighbor's hold time expires the neighbor is declared unreachable. The receiver must acknowledge packets that carry sequence numbers (update, reply and query); packets sent unreliably (Hello and ACK) need no acknowledgement.
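The RTP behaviour described above (one outstanding reliable packet per neighbor, unicast retransmission after RTO, at most 16 retransmissions, and the hold timer reset by any packet from the neighbor), as an added example that is not part of the article and not Cisco's implementation. The RTO value, the 15-second hold time (three times a 5-second Hello) and the packet log are constructed for the example.

```python
from collections import deque

MAX_RETRANSMISSIONS = 16                      # limit stated in the article
RELIABLE = {"update", "query", "reply"}       # carry sequence numbers and must be ACKed
UNRELIABLE = {"hello", "ack"}                 # never acknowledged


class Neighbor:
    """RTP state kept per neighbor (constructed model for the example)."""

    def __init__(self, name, rto_ms=200, hold_ms=15000):
        self.name = name
        self.rto_ms = rto_ms                  # retransmission timeout (assumed value)
        self.hold_ms = hold_ms                # hold time: 3 x a 5 s Hello interval
        self.hold_remaining = hold_ms
        self.up = True
        self.next_seq = 1
        self.queue = deque()                  # unacknowledged reliable packets (the Q Cnt)
        self.retransmissions = 0
        self.sent_log = []                    # (type, seq, delivery) for every transmission

    def queue_count(self):
        return len(self.queue)

    def send(self, ptype, delivery="multicast"):
        """Queue a packet for this neighbor; returns its sequence number (None if unreliable)."""
        if ptype in UNRELIABLE:
            self.sent_log.append((ptype, None, "multicast" if ptype == "hello" else "unicast"))
            return None
        if ptype not in RELIABLE:
            raise ValueError(f"unknown packet type {ptype!r}")
        seq = self.next_seq
        self.next_seq += 1
        self.queue.append((seq, ptype, delivery))
        if len(self.queue) == 1:              # nothing outstanding: transmit right away
            self._transmit()
        return seq

    def _transmit(self, delivery=None):
        seq, ptype, first_delivery = self.queue[0]
        self.sent_log.append((ptype, seq, delivery or first_delivery))

    def receive_ack(self, seq):
        """Only the head-of-queue packet can be ACKed; the next packet goes out after it."""
        self.receive_packet()
        if not self.queue or self.queue[0][0] != seq:
            return False
        self.queue.popleft()
        self.retransmissions = 0
        if self.queue:
            self._transmit()
        return True

    def receive_packet(self):
        """Any packet from the neighbor (Hello included) resets the hold timer."""
        self.hold_remaining = self.hold_ms

    def rto_expired(self):
        """RTO elapsed without an ACK for the outstanding packet; returns whether the neighbor is up."""
        if self.queue:
            self.retransmissions += 1
            if self.retransmissions > MAX_RETRANSMISSIONS:
                self._reset()                 # 16 retransmissions unanswered: reset the neighbor
            else:
                self._transmit("unicast")     # retransmissions go to this neighbor only
        return self.up

    def tick(self, elapsed_ms):
        """Advance the hold timer; returns False once the neighbor is declared unreachable."""
        self.hold_remaining -= elapsed_ms
        if self.hold_remaining <= 0:
            self._reset()
        return self.up

    def _reset(self):
        self.up = False
        self.queue.clear()
        self.retransmissions = 0


if __name__ == "__main__":
    n = Neighbor("R2")
    n.send("update")                 # transmitted immediately, seq 1
    n.send("query")                  # waits in the queue until seq 1 is ACKed
    print("Q Cnt:", n.queue_count(), n.sent_log)
    n.receive_ack(1)
    print("after ACK 1:", n.sent_log[-1])
    for _ in range(17):
        n.rto_expired()
    print("neighbor up after 17 timeouts:", n.up)
```

A queue count that never returns to zero is the congestion symptom the neighbor-table section mentions: the next reliable packet cannot leave until the outstanding one is acknowledged.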

Hello: sent by multicast; used to discover neighbor routers and maintain the neighbor relationship.

Update: when a router receives the first Hello from a neighbor, it sends back by unicast an update packet containing all the routing information it knows. When routing information changes, an update packet containing only the changed information is sent by multicast. Note that the contents of these two kinds of update packet differ.

Query: when a link fails, the router recomputes its routes. If there is no feasible successor in the topology table, the router sends a query packet by multicast to its neighbors to ask whether they have a feasible successor to the destination.

Reply: sent by unicast back to the querying router in response to a query.

ACK: sent by unicast to acknowledge update, query and reply packets, which ensures reliable transmission.

Note: OSPF requires neighbors to agree on the Hello and dead intervals before they can communicate. This restriction does not apply to EIGRP neighbors. In practice, the EIGRP hold time is set to three times the Hello interval, and the OSPF dead interval is set to four times the Hello interval.

The route maintenance process in EIGRP is as follows:

1. Establishing the adjacency: a router that starts running EIGRP continuously sends Hello packets to the multicast address from the interfaces participating in EIGRP. Once both routers have received each other's Hello packets, they establish a neighbor relationship.

2. Discovering the topology and selecting the best route: when a router dynamically discovers a new neighbor through Hello packets, it also receives the routing information advertised in the new neighbor's update. The router first compares the received route update with the information recorded in its topology table. The route with the lowest FD becomes S. If several routes have the same FD, the routing table may hold several successors; by default up to four. Routes that satisfy the FC are placed in the topology table as FS alternatives. If S becomes invalid for any reason and a valid FS exists, FS replaces S without any recomputation. Several valid FS entries can exist at the same time in the EIGRP topology table.

3. Route query and update: while routing information does not change, EIGRP neighbors send only Hello packets to maintain the neighbor relationship, which keeps bandwidth usage low. When a neighbor is lost or a link becomes unavailable, the router immediately looks for an FS in the topology table and switches to the alternative route. If the topology table has no FS, the route is set to active and query packets are sent to all neighbors except the failed one. If a neighbor has a route to the destination, it replies to the query and does not forward it; otherwise the neighbor router in turn queries each of its own neighbors. Only after all queries have been answered do the routers recompute the route, reset FD and select a new successor. If a queried router has neither an alternative route nor further neighbors, it sends a reply with an infinite metric to the requesting router.
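The query and reply process in steps 2 and 3, simulated across five routers as an added example that is not part of the article and not Cisco code. R1 owns the destination, R4 reaches it through R2 (computed distance 210) and has no FS because R3's advertised distance of 300 fails the FC; when the R4-R2 link fails R4 goes active, queries R3 and R5, receives a usable reply from R3 and an infinite reply from R5, resets FD and converges on R3, after which its update brings R5 back. Router names, link costs, the "unreachable" constant and the shortcut of replying infinity to a query received while already active are constructed assumptions of this model.

```python
INFINITY = 0xFFFFFFFF          # assumed "unreachable" metric for the example


class Router:
    def __init__(self, name, connected=False):
        self.name, self.connected = name, connected   # connected: the destination is local
        self.links = {}            # neighbor -> link metric (constructed costs)
        self.adverts = {}          # neighbor -> AD it advertised for the destination
        self.fd = 0 if connected else INFINITY
        self.successor, self.state = None, "PASSIVE"


ROUTERS = {}


def add_link(a, b, cost):
    ROUTERS[a].links[b] = cost
    ROUTERS[b].links[a] = cost


def distance(r):
    if r.connected:
        return 0
    return INFINITY if r.successor is None else r.adverts[r.successor] + r.links[r.successor]


def local_computation(r):
    """Choose the best neighbor that satisfies FC (AD < FD); False if there is none."""
    if r.connected:
        return True
    feasible = {n: ad + r.links[n] for n, ad in r.adverts.items() if ad < r.fd}
    r.successor = min(feasible, key=feasible.get) if feasible else None
    return r.successor is not None


def send_updates(r, exclude=None):
    for n in r.links:
        if n not in (exclude, r.successor):          # split horizon toward the successor
            receive_update(ROUTERS[n], r.name, distance(r))


def receive_update(r, from_nbr, ad):
    before = distance(r)
    if ad == INFINITY:
        r.adverts.pop(from_nbr, None)
    else:
        r.adverts[from_nbr] = ad
        if r.state == "PASSIVE":
            r.fd = min(r.fd, ad + r.links[from_nbr])   # FD only decreases while passive
    if not local_computation(r) and r.state == "PASSIVE":
        go_active(r)
    elif distance(r) != before:
        send_updates(r, exclude=from_nbr)              # only changes are propagated


def handle_query(r, querier):
    """Reply with the metric this router can offer the querier (INFINITY if none)."""
    r.adverts.pop(querier, None)          # the querier's path is gone
    if r.state == "ACTIVE":
        return INFINITY                   # model shortcut: already diffusing its own query
    if not local_computation(r):
        go_active(r, exclude=querier)     # no FS: pass the query on to the other neighbors
    return distance(r)


def go_active(r, exclude=None):
    r.state = "ACTIVE"
    replies = {n: handle_query(ROUTERS[n], r.name) for n in r.links if n != exclude}
    # All replies are in: reset FD, recompute from the replies, return to passive.
    r.adverts = {n: ad for n, ad in replies.items() if ad != INFINITY}
    r.fd = min((ad + r.links[n] for n, ad in r.adverts.items()), default=INFINITY)
    r.state = "PASSIVE"
    local_computation(r)
    send_updates(r)


def fail_link(a, b):
    for x, y in ((a, b), (b, a)):
        r = ROUTERS[x]
        r.links.pop(y, None)
        r.adverts.pop(y, None)
        if not local_computation(r):
            go_active(r)


def snapshot():
    return {n: (r.fd, r.successor, r.state) for n, r in ROUTERS.items()}


def run_scenario():
    """Constructed topology: R1 owns the destination; R4 has S = R2 and no FS."""
    ROUTERS.clear()
    for name in ("R1", "R2", "R3", "R4", "R5"):
        ROUTERS[name] = Router(name, connected=(name == "R1"))
    add_link("R1", "R2", 110)
    add_link("R1", "R3", 300)
    add_link("R2", "R4", 100)
    add_link("R3", "R4", 100)
    add_link("R4", "R5", 50)
    send_updates(ROUTERS["R1"])        # R1 originates the route; updates flood outward
    before = snapshot()
    fail_link("R4", "R2")              # R4 loses its successor: 300 >= 210, so no FS
    return before, snapshot()


if __name__ == "__main__":
    before, after = run_scenario()
    print("before:", before["R4"], before["R5"])
    print("after: ", after["R4"], after["R5"])
```

R5 is the case the article's last sentence describes: its only path ran through the querier, so it has nothing to offer and replies with infinity; it regains the destination only from R4's update after R4 has returned to passive with its FD reset to 400.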

