Let's say you want the traffic to fc42::/64 to receive an SRH with segments fc00::12 and fc00::89. This encapsulation must be performed on the network node with loopback address fc01::1.
# ip -6 route add fc42::/64 via NH encap seg6 mode encap segs fc00::12,fc00::89
Let's decompose the command:
fc42::/64
: the matching prefix for encapsulation
via NH
: the "default" next-hop for the route. It can be the next-hop that would normally be used to forward the traffic for the matching prefix, but it does not really matter, as the kernel will restart its routing decision process to route the SR-enabled packet to the first segment. Also, the Linux IPv6 stack requires a route to have a valid IPv6 next-hop in order to support features such as ECMP and to avoid issues with routes such as ff00::/8 and fe80::/64 that are automatically assigned to each IPv6-enabled interface.
encap seg6
: this tells the kernel to give the packet to the SR-IPv6 subsystem.
mode encap
: this specifies the encapsulation mode. Two values are possible: encap creates an outer IPv6 header with the SRH attached, followed by the original, unmodified inner packet. The other value, inline, directly attaches the SRH to the original IPv6 packet. The encap mode should be used, unless you know what you are doing.
segs fc00::12,fc00::89
: a list of comma-separated segments
Other parameters can be added after the segments list:
hmac KEYID
: define an HMAC key ID for the SRH. See the page ConfigureSecurityFeatures for more information.
cleanup
: this keyword requires the penultimate segment to strip the SRH from the packet before forwarding it to the last segment. This option should only be used in inline mode.
If you wish to add a route for locally generated packets, you have to specify the MTU for the route by adding mtu NUMBER at the end of the iproute command. Indeed, there is currently no practical way to automatically set a route MTU on insertion (it is of course possible but not in a proper manner). Basically, you need to take the MTU of the outgoing interface and subtract the length of the encapsulation. The formula is the following:
encap_size = (1 - isinline)*40 + 8 + nsegs*16 + ishmac*32
Where isinline = 1 if the encap mode is inline, 0 otherwise; and ishmac = 1 if an HMAC is set, 0 otherwise.
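The MTU calculation above as a small shell helper (an added example, not part of the original page or of iproute2): the function names are hypothetical, and the 1280-byte floor is the IPv6 minimum link MTU from RFC 8200, a check the page itself does not mention. It only prints the ip command, with NH left as the page's placeholder, and runs nothing against the kernel.

```shell
#!/bin/sh
# seg6_encap_size MODE SEGS HMAC -> bytes added by the encapsulation
#   MODE: encap | inline   SEGS: comma-separated segments   HMAC: 1 if a key is set, else 0
seg6_encap_size() {
    mode=$1 segs=$2 hmac=${3:-0}
    case $mode in
        encap)  isinline=0 ;;
        inline) isinline=1 ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    case $hmac in 0|1) ;; *) echo "hmac must be 0 or 1" >&2; return 1 ;; esac
    # Count the comma-separated segments (nsegs in the page's formula).
    nsegs=0
    old_ifs=$IFS; IFS=,
    for s in $segs; do
        if [ -n "$s" ]; then nsegs=$((nsegs + 1)); fi
    done
    IFS=$old_ifs
    if [ "$nsegs" -eq 0 ]; then echo "no segments given" >&2; return 1; fi
    # encap_size = (1 - isinline)*40 + 8 + nsegs*16 + ishmac*32
    echo $(( (1 - isinline) * 40 + 8 + nsegs * 16 + hmac * 32 ))
}

# seg6_route_mtu IFMTU MODE SEGS HMAC -> value for "mtu NUMBER" on the route
seg6_route_mtu() {
    size=$(seg6_encap_size "$2" "$3" "$4") || return 1
    mtu=$(( $1 - size ))
    # Assumption added here: refuse a result below the IPv6 minimum MTU of 1280.
    if [ "$mtu" -lt 1280 ]; then
        echo "route MTU $mtu is below the IPv6 minimum of 1280" >&2
        return 1
    fi
    echo "$mtu"
}

# seg6_route_cmd PREFIX NH IFMTU MODE SEGS [KEYID] -> the ip command line, as text
seg6_route_cmd() {
    keyid=${6:-}; ishmac=0; extra=
    if [ -n "$keyid" ]; then ishmac=1; extra=" hmac $keyid"; fi
    mtu=$(seg6_route_mtu "$3" "$4" "$5" "$ishmac") || return 1
    echo "ip -6 route add $1 via $2 encap seg6 mode $4 segs $5$extra mtu $mtu"
}

# Constructed sample: outgoing interface MTU of 1500, two segments, no HMAC.
seg6_route_cmd fc42::/64 NH 1500 encap fc00::12,fc00::89
```
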
When the encap mode is used, an outer IPv6 header is created. The destination address of this header is the first segment, and a source address must be selected. By default, the kernel looks for a usable IPv6 address attached to the outgoing interface. However, this process is expensive, and for performance reasons it may be useful to define a static source address for encapsulated packets. This can be performed with the following command:
# ip sr tunsrc set fc01::1
You can display the current source address with:
# ip sr tunsrc show