Routing Encapsulation
Like a proxy, a tunnel lets you carry traffic from a filtered IP address to another destination. Tunnels are much like a VPN, except that not every tunnel involves encryption: neither of the two protocols described below encrypts or authenticates anything. A machine that is "tunneled" into another network has a virtual interface configured with an IP address that is not local but belongs to the remote network. Packets are forwarded through that interface by the kernel itself, so there is no userspace proxy process whose failure would interrupt the traffic.
Below is a quick summary of both protocols (the references at the end of this page go into more detail), or move directly to Troubleshooting if you want to get straight into it.
What matters about tunnels is that they carry the whole inner packet unchanged, without the packet rewriting that techniques such as reverse proxying and transparent proxying require; in particular, the connecting client's IP address is preserved. The flip side is that the decapsulating end trusts whatever source address the inner packet carries, so filter tunnel traffic by the peer's outer address and apply your normal ingress rules to the tunnel interface as well.
More often than not, once you have registered an IP address and got the green light from IT, one or both of these protocols (the ipip and ip_gre kernel modules) will already be available on your kernel. You can confirm this by sshing into your server and checking the module configuration. The following steps confirm whether the modules exist for the running kernel and show where to look when configuring them.
Picking up from where your setup left off:

    $ uname -r

This prints the currently running (boot) kernel version; you will need it for the paths below.

    $ modprobe -c | grep ipip
    $ modprobe -c | grep ip_gre

If either of these prints anything, the module is known to modprobe. Next find where the modules live:

    $ ls -l /lib/modules

This directory holds one subdirectory per installed kernel; look for the one matching the output of uname -r. Then check that its modules.dep lists the module together with the modules it depends on:

    $ grep ip_gre /lib/modules/<working kernel>/modules.dep
    kernel/net/ipv4/ip_gre.ko: kernel/net/ipv4/ip_tunnel.ko kernel/net/ipv4/gre.ko

Confirm that this entry is under the directory of the kernel you actually boot, not an older one. If the grep finds nothing, check whether modules.dep for the boot kernel has any entries at all:

    $ wc -l /lib/modules/<working kernel>/modules.dep

An empty or missing file means the module index has not been built for that kernel.
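The same checks as a script, added here as an example and not part of the original page: it reads modules.dep for the running kernel, reports the dependencies of ipip and ip_gre, and tells you whether each is already loaded. The MODDIR override and the module names are the standard Linux ones; the sample modules.dep used in the self-test is constructed.

```shell
#!/bin/sh
# Added example: is the ipip / ip_gre tunnel code available for the running
# kernel, and is it loaded?  Assumes the usual /lib/modules/<kernel> layout;
# set MODDIR to point elsewhere (for example at a chroot).
set -u

KERNEL=$(uname -r)
MODDIR=${MODDIR:-/lib/modules/$KERNEL}

# Strip the "path/to/mod.ko:" prefix from a modules.dep line, leaving only
# the dependency list (possibly empty).
deps_of() {
    printf '%s\n' "$1" | sed 's/^[^:]*: *//'
}

# Look a module up in a modules.dep file.  $1 = module name (ipip, ip_gre),
# $2 = path to modules.dep.  Prints the dependencies and returns 0 if the
# module is indexed, 1 if it is not.  Compressed modules (.ko.xz, .ko.zst)
# are matched as well.
module_deps() {
    line=$(grep "/$1\.ko[^:]*:" "$2" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 1
    deps_of "$line"
}

# 0 if the module is currently loaded according to lsmod, 1 otherwise.
module_loaded() {
    lsmod 2>/dev/null | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Report one module: indexed for this kernel?  loaded?  how to load it?
check_module() {
    if deps=$(module_deps "$1" "$MODDIR/modules.dep"); then
        printf '%s: available for %s (deps: %s)\n' "$1" "$KERNEL" "${deps:-none}"
    else
        printf '%s: NOT indexed under %s (run depmod, or the kernel lacks it)\n' "$1" "$MODDIR"
        return 0
    fi
    if module_loaded "$1"; then
        printf '%s: loaded\n' "$1"
    else
        printf '%s: not loaded; load it with: modprobe %s\n' "$1" "$1"
    fi
}

printf 'running kernel: %s\n' "$KERNEL"
for m in ipip ip_gre; do
    check_module "$m"
done
```

Run it as-is on the server; if a module is indexed but not loaded, `modprobe` pulls in the listed dependencies (ip_tunnel, gre) automatically.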
What is Generic Routing Encapsulation (GRE)?
Generic Routing Encapsulation (GRE) is a simple protocol, defined in RFC 2784, for encapsulating packets of one network-layer protocol so that they can be routed over an IP network. It was developed as a way to carry OSI Layer 3 protocols across an IP network. In essence, GRE defines a point-to-point tunnel that behaves like a VPN link, except that it is stateless (there is no session to set up or lose, which is where its reliability comes from) and, unlike a VPN, provides neither encryption nor authentication.
GRE works by encapsulating a payload, that is, an inner packet to be delivered to a destination network, inside an outer IP packet (IP protocol number 47). A GRE tunnel endpoint sends payloads into the tunnel to route them to another IP network. Routers along the path do not look at the inner packet; they forward on the outer IP header alone until the packet reaches the far end of the tunnel. There the GRE encapsulation is removed and the payload continues on to its final destination.
In contrast to IP-in-IP, GRE tunnels have the following advantages:
- GRE carries multiple payload protocols over a single IP backbone; the Protocol Type field in the GRE header identifies what the inner packet is.
- GRE tunnels provide a workaround for networks with a limited number of hops.
- GRE tunnels can connect discontiguous subnets.
- GRE tunnels allow VPN-style links across wide area networks (WANs).
- Better support on devices and systems that mishandle IP-in-IP packets or are unable to forward them.
- With the optional Key field (RFC 2890), several tunnels can run between the same pair of endpoints (the same IPv4 address pair), distinguished by the 32-bit key value.
- An optional Checksum field (RFC 2784) can be used for integrity checking of the GRE header and the contained packet.
- An optional Sequence Number field (RFC 2890) lets the receiver detect packets that arrive out of order over the tunnel, which may be useful for some UDP applications.
What is IP-in-IP?
IP-in-IP is an even simpler encapsulation protocol: an IP packet is wrapped in nothing more than an additional IP header (outer IP protocol number 4). So, unlike a GRE tunnel, an IP-in-IP tunnel cannot carry multicast traffic, other protocols, or IPv6 between networks.
In contrast to GRE tunnels, IP-in-IP tunnels have the following advantages:
- Lower overhead, since only one extra IP header (20 bytes) is added rather than an IP header plus a GRE header.
- Because the encapsulation is plain IP, devices that do not understand GRE can still forward it.
- Exactly one tunnel between a given pair of endpoints: there is no key field, so the two addresses are all that needs to be agreed on.
Today IP-in-IP has fallen out of favour, since GRE's additional overhead is only 4 bytes per packet. There remain niche applications in which IP-in-IP is still used.
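To put the GRE section and the IP-in-IP section above side by side in practice, here is an added example (not from the original page or from any of the references) that brings up either kind of tunnel with iproute2, sizes the tunnel MTU for the encapsulation overhead each one adds, and restricts the decapsulating endpoint to the expected peer, since neither protocol authenticates the outer packet. The addresses, interface names, the DRY_RUN switch and the apply argument are illustrative assumptions.

```shell
#!/bin/sh
# Added example: GRE vs IP-in-IP tunnel setup on Linux with iproute2.
# Assumptions: addresses 198.51.100.1 (local) and 203.0.113.2 (remote) are
# documentation addresses; DRY_RUN=1 prints the commands instead of running
# them (needed for the self-test, and handy for review before applying).
set -u

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bytes added in front of the inner packet: outer IPv4 header (20) plus, for
# GRE, the 4-byte base header and 4 bytes for each optional field
# (RFC 2784 checksum, RFC 2890 key and sequence number).
# $1 = mode (gre|ipip), remaining args = flags as passed to ip tunnel.
tunnel_overhead() {
    mode=$1; shift
    case $mode in
        ipip) echo 20; return ;;
        gre)  n=24 ;;
        *)    echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    for f in "$@"; do
        case $f in csum|key|seq) n=$((n + 4)) ;; esac
    done
    echo "$n"
}

# MTU the tunnel interface should advertise so that encapsulated packets
# still fit the underlay MTU without fragmentation.
# $1 = mode, $2 = underlay MTU, remaining args = flags.
tunnel_mtu() {
    mode=$1; under=$2; shift 2
    echo $(( under - $(tunnel_overhead "$mode" "$@") ))
}

# $1 = name, $2 = mode (gre|ipip), $3 = local, $4 = remote,
# $5 = address/prefix on the tunnel, $6 = GRE key (omit for none).
tunnel_up() {
    name=$1 mode=$2 local_ip=$3 remote_ip=$4 addr=$5 key=${6:-}
    set --
    if [ "$mode" = gre ] && [ -n "$key" ]; then
        # Key selects this tunnel among several between the same endpoints;
        # csum adds the GRE checksum over header and payload.
        set -- key "$key" csum
    fi
    run ip tunnel add "$name" mode "$mode" local "$local_ip" remote "$remote_ip" ttl 64 "$@"
    run ip link set "$name" mtu "$(tunnel_mtu "$mode" 1500 "$@")"
    run ip addr add "$addr" dev "$name"
    run ip link set "$name" up
    # Neither GRE (IP protocol 47) nor IP-in-IP (IP protocol 4) authenticates
    # the outer packet: accept encapsulated traffic only from the peer.
    proto=4
    [ "$mode" = gre ] && proto=47
    run iptables -A INPUT -p "$proto" -s "$remote_ip" -j ACCEPT
    run iptables -A INPUT -p "$proto" -j DROP
}

# DRY_RUN=1 sh tunnel.sh   prints the commands;  sh tunnel.sh apply   (as root)
# executes them.  Without either, only the functions are defined.
if [ "${1:-}" = apply ] || [ -n "${DRY_RUN:-}" ]; then
    tunnel_up gre1 gre 198.51.100.1 203.0.113.2 10.0.0.1/30 42
fi
```

The MTU arithmetic matches what the kernel picks by default (1476 for a plain GRE tunnel, 1480 for IP-in-IP on a 1500-byte underlay); the point of computing it is that enabling key, csum or seq shrinks it further, and a tunnel left at the default with those options on will fragment. The iptables rules belong at the decapsulating host; for IP-in-IP nothing else distinguishes a legitimate peer from a spoofed source, and for GRE the key is a demultiplexer, not a secret.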
- https://gist.github.com/kalyco/22f528066285497141a40c20292e9d3a#setting-up
- https://etutorials.org/Networking/Integrated cisco and unix network architectures/Chapter 11. V** Technologies Tunnel Interfaces and Architectures/IP-IP Tunnel/
- https://developers.redhat.com/blog/2019/05/17/an-introduction-to-linux-virtual-interfaces-tunnels#ipip_tunnel