I'm investigating what may need to be done to implement virtual
routing on a Linux box, using the kernel forwarder. I am interested
both in virtual routers (VRs) where each virtual router is pretty much
independent from others (each port assigned to a single VR, with no
overlap) and virtual-routing-and-forwarding (VRFs) where there can be
routes between VRFs, typically used as a technology to implement
layer-3 VPNs (as in RFC 4364 -
http://tools.ietf.org/html/rfc4364).
Based on various web searches, it appears that the Linux community is
using network namespaces to support this approach in the standard
kernel. As I understand it, a network namespace must be assigned to a
process at process-creation time, a process can't change its
namespace, and a process can only access one namespace.
If this is true, it creates a problem if you want to have a single
route-table-management process collecting routes from all instances of
protocols, to select the best routes and push them into the kernel's
forwarder. You would require a separate instance of this process for
each VR/VRF, in order to program all the different forwarder instances
through their respective namespaces.
Is this right?
Some third-party protocol stacks, like Wind River's "ANT" stack, use a
different approach. They defined a socket option that assigns a
socket to a VR. When used with the sockets used for ioctl or Netlink
communication with the kernel, it allows a single process to access
all of the different VRs managed by the kernel.
I didn't see any similar functionality in the standard Linux kernel.
Is this correct or did I miss something?
Finally, it appears that the Linux kernel, since version 2.2, has
supported multiple route tables. There can be up to 255 tables, and
all can be managed by a single process using standard Netlink calls.
They are configured using files in the /etc/iproute2 directory. It
appears that these are meant to be used for policy-based routing,
however. A lot of searching has not revealed any attempt to use this
mechanism to implement VRs or VRFs, with all such effort focusing on
namespaces.
Is there a reason why the Linux-2.2 system of multiple route tables is
not used for VRs? Is it simply due to the fact that route tables are
a limited quantity or is there something else that makes them
unusable?
If this is not the best newsgroup to ask this question in, let me know
what might be better and I'll ask over there.
Thanks in advance.
-- David
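
As an added example, not part of David's post and not code from any stack or project named in it: the script below hand-encodes the rtnetlink request a single process would send to add a route to a chosen table, so the "multiple route tables managed over Netlink" path can be seen at the wire level. The constants are copied from <linux/netlink.h> and <linux/rtnetlink.h>; the prefix, gateway and interface index are constructed sample values. One detail relevant to the 255-table question: that limit comes from rtm_table in struct rtmsg being a u8, and table IDs above 255 are carried in the separate u32 RTA_TABLE attribute (added in 2.6.19), which the example always sends.

```python
import os
import socket
import struct

# Constants copied from <linux/netlink.h> and <linux/rtnetlink.h>.
NETLINK_ROUTE = 0
NLMSG_ERROR = 2
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
NLM_F_EXCL = 0x200
NLM_F_CREATE = 0x400
RTM_NEWROUTE = 24
RTM_DELROUTE = 25
RT_TABLE_UNSPEC = 0
RTPROT_STATIC = 4
RT_SCOPE_UNIVERSE = 0
RTN_UNICAST = 1
RTA_DST = 1
RTA_OIF = 4
RTA_GATEWAY = 5
RTA_TABLE = 15

NLMSG_HDRLEN = 16   # sizeof(struct nlmsghdr)
RTMSG_LEN = 12      # sizeof(struct rtmsg)


def nla_align(n):
    """Round a length up to the 4-byte boundary netlink attributes sit on."""
    return (n + 3) & ~3


def rtattr(rta_type, payload):
    """Encode one struct rtattr (u16 len, u16 type) followed by its padded payload."""
    length = 4 + len(payload)
    return struct.pack("=HH", length, rta_type) + payload + b"\0" * (nla_align(length) - length)


def build_route_msg(dst, prefix_len, gateway, oif, table, seq, delete=False):
    """Build an RTM_NEWROUTE (or RTM_DELROUTE) request for an IPv4 route in `table`.

    struct rtmsg holds the table id in a u8 (rtm_table); ids above 255 go in an
    RTA_TABLE u32 attribute with rtm_table left as RT_TABLE_UNSPEC.  RTA_TABLE is
    sent unconditionally, and the kernel takes it over rtm_table when present.
    """
    rtm_table = table if table < 256 else RT_TABLE_UNSPEC
    rtmsg = struct.pack("=BBBBBBBBI",
                        socket.AF_INET, prefix_len, 0, 0,          # family, dst_len, src_len, tos
                        rtm_table, RTPROT_STATIC, RT_SCOPE_UNIVERSE, RTN_UNICAST,
                        0)                                        # rtm_flags
    attrs = (rtattr(RTA_TABLE, struct.pack("=I", table))
             + rtattr(RTA_DST, socket.inet_aton(dst))
             + rtattr(RTA_GATEWAY, socket.inet_aton(gateway))
             + rtattr(RTA_OIF, struct.pack("=I", oif)))
    payload = rtmsg + attrs
    msg_type = RTM_DELROUTE if delete else RTM_NEWROUTE
    flags = NLM_F_REQUEST | NLM_F_ACK
    if not delete:
        flags |= NLM_F_CREATE | NLM_F_EXCL   # get EEXIST instead of silently replacing
    hdr = struct.pack("=IHHII", NLMSG_HDRLEN + len(payload), msg_type, flags, seq, os.getpid())
    return hdr + payload


def parse_route_msg(msg):
    """Decode a route request back into a dict; the effective table is the RTA_TABLE value."""
    nlmsg_len, nlmsg_type, _flags, _seq, _pid = struct.unpack_from("=IHHII", msg, 0)
    family, dst_len, _s, _tos, rtm_table, _p, _sc, _t, _f = struct.unpack_from("=BBBBBBBBI", msg, NLMSG_HDRLEN)
    info = {"type": nlmsg_type, "family": family, "prefix_len": dst_len, "table": rtm_table}
    off = NLMSG_HDRLEN + RTMSG_LEN
    while off + 4 <= nlmsg_len:
        rta_len, rta_type = struct.unpack_from("=HH", msg, off)
        if rta_len < 4:          # malformed attribute; stop rather than loop forever
            break
        data = msg[off + 4:off + rta_len]
        if rta_type == RTA_TABLE:
            info["table"] = struct.unpack("=I", data)[0]
        elif rta_type == RTA_DST:
            info["dst"] = socket.inet_ntoa(data)
        elif rta_type == RTA_GATEWAY:
            info["gateway"] = socket.inet_ntoa(data)
        elif rta_type == RTA_OIF:
            info["oif"] = struct.unpack("=I", data)[0]
        off += nla_align(rta_len)
    return info


def send_route(msg):
    """Send one request on an AF_NETLINK socket and return the kernel's errno (0 on success).

    Needs CAP_NET_ADMIN, so this is left for a root shell and is not run by the demo.
    """
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE)
    try:
        sock.bind((0, 0))
        sock.send(msg)
        reply = sock.recv(65536)
    finally:
        sock.close()
    _len, reply_type, _f, _s, _p = struct.unpack_from("=IHHII", reply, 0)
    if reply_type != NLMSG_ERROR:
        raise RuntimeError("unexpected netlink reply type %d" % reply_type)
    (error,) = struct.unpack_from("=i", reply, NLMSG_HDRLEN)   # struct nlmsgerr.error
    return -error


if __name__ == "__main__":
    # Constructed sample: the same prefix in two tables, one above the u8 limit.
    for table in (100, 1000):
        print(parse_route_msg(build_route_msg("10.1.0.0", 16, "192.0.2.1", 3, table, seq=table)))
```

Running it as root with `send_route` on each message would install both routes from one process; `ip route show table 1000` then shows the second one, and an `ip rule` selecting table 1000 by input interface or fwmark is what turns the table into something VRF-like.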