Protected routes problem:


VPN - FULL MESHED


All 6 sites are linked together in a BM37/BM38 full-meshed network
using VPN S2S circuits.

Despite what is commonly practiced, there are some cases where it makes sense not to
push the protected networks systematically to all the remote sites:

1/ For some network architecture reasons it can be useful to use
indirect routes between 2 sites, even if the full-meshed network gives
them peer-to-peer connectivity. For example, SiteA (protected by BM-A)
to SiteC (protected by BM-C) must go through BM-E (=SiteE) because we
know that there is a routing issue on the internet between the 2 ISPs
serving SiteA and SiteC, while the traffic goes well through SiteE.

2/ Now let's imagine that SiteA (=BM-A) and SiteB (=BM-B) have their
private interface on the same LAN but are using a different ISP.
Theoretically this gives us the possibility to tune very efficiently
the way the traffic flows, with accurate routing tables. In this case we
do not want the protected networks/hosts to be pushed to the remote site;
we want to keep control of the /etc/Gateways files ourselves.

-> If we keep the protected network list empty, the algorithm thinks that
"it becomes empty" and cleans the remote gateways files of every route
concerning the private LAN protected by BM-A and BM-B (easy to reproduce).
-> If we try to dispatch the protected hosts between BM-A and BM-B and
let the system push the routes, then for some machines on the private
network it will be necessary to go out of BM-A, use the tunnel, and come
back in through BM-B to communicate with the machines declared protected
by BM-B. Not very efficient and the opposite of what we want, protecting
the bandwidth for example!
-> WORSE, if we continue in the same process and, for some reason,
decide to delete the protected hosts from the list of BM-B, again the
system will think that the table "becomes empty" and it will clean the
table of BM-A of EVERY instance of routes concerning the private LAN!!!!
EVEN THE "Direct" CONNECTION through the private interface!! AND BM-A IN THIS
reproduce also). The only way is to reboot the server.


1/ Add a flag for when the list of protected networks is empty, to tell the
system whether we want to push an empty table to the remote sites or
whether we just want "no action".
2/ Add a multivalue attribute for each protected network/host to let us
decide to which member(s) we want to push the route.
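To make the two proposals concrete, here is an added model of the route-distribution step, written for this post and not taken from the BM37/BM38 product or its /etc/Gateways format. It assumes a hypothetical gateways table per member in which every entry records who installed it ("local" for a hand-set route such as the direct connection over the private interface, otherwise the name of the member that pushed it), a hypothetical multivalue attribute `push_to` naming the members that should receive a route, and an `empty_policy` flag that distinguishes "push an empty table" from "no action". With those two additions the "becomes empty" behaviour can never delete a local route, and a member that is not named in `push_to` never gets the route.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# One gateways-table entry: (next_hop, owner). owner is "local" for routes
# configured by hand on that member, or the name of the member that pushed it.
# (Hypothetical representation; the real /etc/Gateways format is not modelled.)
Entry = Tuple[str, str]
Table = Dict[str, Entry]          # network -> entry


@dataclass(frozen=True)
class ProtectedRoute:
    network: str                  # protected network/host behind the publisher
    push_to: FrozenSet[str]       # proposal 2: members that should receive it


def sync_gateways(publisher: str,
                  protected: List[ProtectedRoute],
                  tables: Dict[str, Table],
                  empty_policy: str = "no_action") -> Dict[str, Table]:
    """Return the updated gateways table of every member after `publisher`
    distributes its protected-route list.

    empty_policy (proposal 1) only matters when `protected` is empty:
      "no_action"  - leave every remote table exactly as it is
      "push_empty" - withdraw the routes this publisher installed earlier
    In both cases, routes owned by someone else ("local" or another
    publisher) are never touched.
    """
    if empty_policy not in ("no_action", "push_empty"):
        raise ValueError(f"unknown empty_policy {empty_policy!r}")

    new = {member: dict(table) for member, table in tables.items()}

    if not protected and empty_policy == "no_action":
        return new                # the "we just want no action" case

    # Which networks the publisher wants on which member.
    wanted: Dict[str, set] = {}
    for route in protected:
        for member in route.push_to:
            if member != publisher:
                wanted.setdefault(member, set()).add(route.network)

    for member, table in new.items():
        if member == publisher:
            continue
        wanted_here = wanted.get(member, set())
        # Withdraw only what this publisher installed and no longer wants.
        for network, (_next_hop, owner) in list(table.items()):
            if owner == publisher and network not in wanted_here:
                del table[network]
        # Install wanted routes, but never override a hand-set local route
        # (e.g. the direct connection over the shared private interface).
        for network in wanted_here:
            if network in table and table[network][1] == "local":
                continue
            table[network] = (publisher, publisher)
    return new


def demo() -> Dict[str, Table]:
    """Constructed scenario from the post: BM-A and BM-B share a private LAN,
    BM-A reaches it directly over eth1 (local route), BM-B publishes one
    protected host to BM-C only, then empties its list."""
    tables: Dict[str, Table] = {
        "BM-A": {"10.1.0.0/16": ("eth1", "local")},   # constructed values
        "BM-B": {},
        "BM-C": {},
    }
    host = ProtectedRoute("10.1.0.50/32", frozenset({"BM-C"}))
    after_push = sync_gateways("BM-B", [host], tables)
    after_empty = sync_gateways("BM-B", [], after_push, "push_empty")
    return after_empty


if __name__ == "__main__":
    for member, table in demo().items():
        print(member, table)
```

Running `demo()` shows the difference from the behaviour described above: after BM-B pushes and then withdraws its list with "push_empty", BM-C loses the 10.1.0.50/32 entry that BM-B had installed, while BM-A still has its local 10.1.0.0/16 route over eth1; with "no_action" nothing changes at all.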