From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by dpdk.org (Postfix) with ESMTP id 9A5CF37AF for ; Fri, 6 May 2016 18:31:52 +0200 (CEST) Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga101.fm.intel.com with ESMTP; 06 May 2016 09:31:53 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.24,587,1455004800"; d="scan'208";a="800515800" Received: from sie-lab-212-209.ir.intel.com (HELO silpixa00377983.ir.intel.com) ([10.237.212.209]) by orsmga003.jf.intel.com with ESMTP; 06 May 2016 09:31:51 -0700 From: Sergio Gonzalez Monroy To: dev@dpdk.org Date: Fri, 6 May 2016 17:31:42 +0100 Message-Id: <1462552302-5852-10-git-send-email-sergio.gonzalez.monroy@intel.com> X-Mailer: git-send-email 2.4.11 In-Reply-To: <1462552302-5852-1-git-send-email-sergio.gonzalez.monroy@intel.com> References: <1462552302-5852-1-git-send-email-sergio.gonzalez.monroy@intel.com> Subject: [dpdk-dev] [PATCH 9/9] doc: update ipsec sample guide X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 May 2016 16:31:53 -0000 Signed-off-by: Sergio Gonzalez Monroy --- doc/guides/sample_app_ug/ipsec_secgw.rst | 583 ++++++++++++++++++++----------- 1 file changed, 381 insertions(+), 202 deletions(-) diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index c11c7e7..5dbee2e 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -76,10 +76,10 @@ Path for IPsec Outbound traffic: Constraints ----------- -* IPv4 traffic -* ESP tunnel mode -* EAS-CBC, HMAC-SHA1 and NULL -* Each SA must be handle by a unique lcore (1 RX queue per port) +* No IPv6 options headers +* No AH mode +* Currently only EAS-CBC, HMAC-SHA1 and NULL +* Each SA must be handle by a unique lcore (*1 RX queue per port*) * No chained mbufs Compiling the Application @@ -108,6 +108,14 @@ To compile the application: make +#. [Optional] Build the application for debugging: + This option adds some extra flags, disables compiler optimizations and + is verbose. + + .. code-block:: console + + make DEBUG=1 + Running the Application ----------------------- @@ -141,8 +149,9 @@ where, * --ep1: configure the app as Endpoint 1. Either one of --ep0 or --ep1 *must* be specified. -The main purpose of these options is two easily configure two systems -back-to-back that would forward traffic through an IPsec tunnel. +The main purpose of these options is to easily configure two systems +back-to-back that would forward traffic through an IPsec tunnel (see +:ref:`figure_ipsec_endpoints`). The mapping of lcores to port/queues is similar to other l3fwd applications. @@ -196,7 +205,8 @@ Refer to the *DPDK Getting Started Guide* for general information on running applications and the Environment Abstraction Layer (EAL) options. The application would do a best effort to "map" crypto devices to cores, with -hardware devices having priority. +hardware devices having priority. Basically, hardware devices if present would +be assign to a core before software ones. This means that if the application is using a single core and both hardware and software crypto devices are detected, hardware devices will be used. @@ -221,6 +231,20 @@ The following sections provide some details on the default values used to initialize the SP, SA and Routing tables. Currently all the configuration is hard coded into the application. +The following image illustrate a few of the concepts regarding IPSec, such +as protected/unprotected and inbound/outbound traffic, from the point of +view of two back-to-back endpoints: + +.. _figure_ipsec_endpoints: + +.. figure:: img/ipsec_endpoints.svg + + IPSec Inbound/Outbound traffic + +Note that the above image only displays uniderectional traffic per port +for illustration purposes. +The application supports bidirectional traffic on all ports, + Security Policy Initialization ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -228,107 +252,122 @@ As mention in the overview, the Security Policies are ACL rules. The application defines two ACLs, one each of Inbound and Outbound, and it replicates them per socket in use. -Following are the default rules: +Following are the default rules which show only the relevant information, +assuming ANY value is valid for the fields not mentioned (src ip, proto, +src/dst ports). Endpoint 0 Outbound Security Policies: -+---------+------------------+-----------+------------+ -| **Src** | **Dst** | **proto** | **SA idx** | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.105.0/24 | Any | 5 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.106.0/24 | Any | 6 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.107.0/24 | Any | 7 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.108.0/24 | Any | 8 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.200.0/24 | Any | 9 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.250.0/24 | Any | BYPASS | -| | | | | -+---------+------------------+-----------+------------+ ++-----------------------------------+------------+ +| **Dst** | **SA idx** | +| | | ++-----------------------------------+------------+ +| 192.168.105.0/24 | 5 | +| | | ++-----------------------------------+------------+ +| 192.168.106.0/24 | 6 | +| | | ++-----------------------------------+------------+ +| 192.168.175.0/24 | 10 | +| | | ++-----------------------------------+------------+ +| 192.168.176.0/24 | 11 | +| | | ++-----------------------------------+------------+ +| 192.168.200.0/24 | 15 | +| | | ++-----------------------------------+------------+ +| 192.168.201.0/24 | 16 | +| | | ++-----------------------------------+------------+ +| 192.168.55.0/24 | 25 | +| | | ++-----------------------------------+------------+ +| 192.168.56.0/24 | 26 | +| | | ++-----------------------------------+------------+ +| 192.168.240.0/24 | BYPASS | +| | | ++-----------------------------------+------------+ +| 192.168.241.0/24 | BYPASS | +| | | ++-----------------------------------+------------+ +| 0:0:0:0:5555:5555:0:0/96 | 5 | +| | | ++-----------------------------------+------------+ +| 0:0:0:0:6666:6666:0:0/96 | 6 | +| | | ++-----------------------------------+------------+ +| 0:0:1111:1111:0:0:0:0/96 | 10 | +| | | ++-----------------------------------+------------+ +| 0:0:1111:1111:1111:1111:0:0/96 | 11 | +| | | ++-----------------------------------+------------+ +| 0:0:0:0:aaaa:aaaa:0:0/96 | 25 | +| | | ++-----------------------------------+------------+ +| 0:0:0:0:bbbb:bbbb:0:0/96 | 26 | +| | | ++-----------------------------------+------------+ Endpoint 0 Inbound Security Policies: -+---------+------------------+-----------+------------+ -| **Src** | **Dst** | **proto** | **SA idx** | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.115.0/24 | Any | 5 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.116.0/24 | Any | 6 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.117.0/24 | Any | 7 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.118.0/24 | Any | 8 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.210.0/24 | Any | 9 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.240.0/24 | Any | BYPASS | -| | | | | -+---------+------------------+-----------+------------+ - -Endpoint 1 Outbound Security Policies: - -+---------+------------------+-----------+------------+ -| **Src** | **Dst** | **proto** | **SA idx** | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.115.0/24 | Any | 5 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.116.0/24 | Any | 6 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.117.0/24 | Any | 7 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.118.0/24 | Any | 8 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.210.0/24 | Any | 9 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.240.0/24 | Any | BYPASS | -| | | | | -+---------+------------------+-----------+------------+ - -Endpoint 1 Inbound Security Policies: - -+---------+------------------+-----------+------------+ -| **Src** | **Dst** | **proto** | **SA idx** | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.105.0/24 | Any | 5 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.106.0/24 | Any | 6 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.107.0/24 | Any | 7 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.108.0/24 | Any | 8 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.200.0/24 | Any | 9 | -| | | | | -+---------+------------------+-----------+------------+ -| Any | 192.168.250.0/24 | Any | BYPASS | -| | | | | -+---------+------------------+-----------+------------+ ++-----------------------------------+------------+ +| **Dst** | **SA idx** | +| | | ++-----------------------------------+------------+ +| 192.168.115.0/24 | 105 | +| | | ++-----------------------------------+------------+ +| 192.168.116.0/24 | 106 | +| | | ++-----------------------------------+------------+ +| 192.168.185.0/24 | 110 | +| | | ++-----------------------------------+------------+ +| 192.168.186.0/24 | 111 | +| | | ++-----------------------------------+------------+ +| 192.168.210.0/24 | 115 | +| | | ++-----------------------------------+------------+ +| 192.168.211.0/24 | 116 | +| | | ++-----------------------------------+------------+ +| 192.168.65.0/24 | 125 | +| | | ++-----------------------------------+------------+ +| 192.168.66.0/24 | 126 | +| | | ++-----------------------------------+------------+ +| 192.168.245.0/24 | BYPASS | +| | | ++-----------------------------------+------------+ +| 192.168.246.0/24 | BYPASS | +| | | ++-----------------------------------+------------+ +| ffff:0:0:0:5555:5555:0:0/96 | 105 | +| | | ++-----------------------------------+------------+ +| ffff:0:0:0:6666:6666:0:0/96 | 106 | +| | | ++-----------------------------------+------------+ +| ffff:0:1111:1111:0:0:0:0/96 | 110 | +| | | ++-----------------------------------+------------+ +| ffff:0:1111:1111:1111:1111:0:0/96 | 111 | +| | | ++-----------------------------------+------------+ +| ffff:0:0:0:aaaa:aaaa:0:0/96 | 125 | +| | | ++-----------------------------------+------------+ +| ffff:0:0:0:bbbb:bbbb:0:0/96 | 126 | +| | | ++-----------------------------------+------------+ + +For Endpoint 1, we use the same policies in reverse, meaning the Inbound SP +entries are set as Outbound and vice versa. Security Association Initialization @@ -350,91 +389,81 @@ Following are the default values: Endpoint 0 Outbound Security Associations: -+---------+------------+-----------+----------------+------------------+ -| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 5 | AES-CBC | HMAC-SHA1 | 172.16.1.5 | 172.16.2.5 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 6 | AES-CBC | HMAC-SHA1 | 172.16.1.6 | 172.16.2.6 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 7 | AES-CBC | HMAC-SHA1 | 172.16.1.7 | 172.16.2.7 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 8 | AES-CBC | HMAC-SHA1 | 172.16.1.8 | 172.16.2.8 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 9 | NULL | NULL | 172.16.1.5 | 172.16.2.5 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ ++---------+----------+------------+-----------+----------------+----------------+ +| **SPI** | **Mode** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 5 | Tunnel | AES-CBC | HMAC-SHA1 | 172.16.1.5 | 172.16.2.5 | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 6 | Tunnel | AES-CBC | HMAC-SHA1 | 172.16.1.6 | 172.16.2.6 | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 10 | Trans | AES-CBC | HMAC-SHA1 | N/A | N/A | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 11 | Trans | AES-CBC | HMAC-SHA1 | N/A | N/A | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 15 | Tunnel | NULL | NULL | 172.16.1.5 | 172.16.2.5 | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 16 | Tunnel | NULL | NULL | 172.16.1.6 | 172.16.2.6 | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 25 | Tunnel | AES-CBC | HMAC-SHA1 | 1111:1111: | 2222:2222: | +| | | | | 1111:1111: | 2222:2222: | +| | | | | 1111:1111: | 2222:2222: | +| | | | | 1111:5555 | 2222:5555 | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 26 | Tunnel | AES-CBC | HMAC-SHA1 | 1111:1111: | 2222:2222: | +| | | | | 1111:1111: | 2222:2222: | +| | | | | 1111:1111: | 2222:2222: | +| | | | | 1111:6666 | 2222:6666 | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ Endpoint 0 Inbound Security Associations: -+---------+------------+-----------+----------------+------------------+ -| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 5 | AES-CBC | HMAC-SHA1 | 172.16.2.5 | 172.16.1.5 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 6 | AES-CBC | HMAC-SHA1 | 172.16.2.6 | 172.16.1.6 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 7 | AES-CBC | HMAC-SHA1 | 172.16.2.7 | 172.16.1.7 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 8 | AES-CBC | HMAC-SHA1 | 172.16.2.8 | 172.16.1.8 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 9 | NULL | NULL | 172.16.2.5 | 172.16.1.5 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ - -Endpoint 1 Outbound Security Associations: - -+---------+------------+-----------+----------------+------------------+ -| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 5 | AES-CBC | HMAC-SHA1 | 172.16.2.5 | 172.16.1.5 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 6 | AES-CBC | HMAC-SHA1 | 172.16.2.6 | 172.16.1.6 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 7 | AES-CBC | HMAC-SHA1 | 172.16.2.7 | 172.16.1.7 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 8 | AES-CBC | HMAC-SHA1 | 172.16.2.8 | 172.16.1.8 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 9 | NULL | NULL | 172.16.2.5 | 172.16.1.5 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ - -Endpoint 1 Inbound Security Associations: - -+---------+------------+-----------+----------------+------------------+ -| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 5 | AES-CBC | HMAC-SHA1 | 172.16.1.5 | 172.16.2.5 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 6 | AES-CBC | HMAC-SHA1 | 172.16.1.6 | 172.16.2.6 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 7 | AES-CBC | HMAC-SHA1 | 172.16.1.7 | 172.16.2.7 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 8 | AES-CBC | HMAC-SHA1 | 172.16.1.8 | 172.16.2.8 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ -| 9 | NULL | NULL | 172.16.1.5 | 172.16.2.5 | -| | | | | | -+---------+------------+-----------+----------------+------------------+ ++---------+----------+------------+-----------+----------------+----------------+ +| **SPI** | **Mode** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 105 | Tunnel | AES-CBC | HMAC-SHA1 | 172.16.2.5 | 172.16.1.5 | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 106 | Tunnel | AES-CBC | HMAC-SHA1 | 172.16.2.6 | 172.16.1.6 | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 110 | Trans | AES-CBC | HMAC-SHA1 | N/A | N/A | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 111 | Trans | AES-CBC | HMAC-SHA1 | N/A | N/A | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 115 | Tunnel | NULL | NULL | 172.16.2.5 | 172.16.1.5 | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 116 | Tunnel | NULL | NULL | 172.16.2.6 | 172.16.1.6 | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 125 | Tunnel | AES-CBC | HMAC-SHA1 | 2222:2222: | 1111:1111: | +| | | | | 2222:2222: | 1111:1111: | +| | | | | 2222:2222: | 1111:1111: | +| | | | | 2222:5555 | 1111:5555 | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ +| 126 | Tunnel | AES-CBC | HMAC-SHA1 | 2222:2222: | 1111:1111: | +| | | | | 2222:2222: | 1111:1111: | +| | | | | 2222:2222: | 1111:1111: | +| | | | | 2222:6666 | 1111:6666 | +| | | | | | | ++---------+----------+------------+-----------+----------------+----------------+ + +For Endpoint 1, we use the same policies in reverse, meaning the Inbound SP +entries are set as Outbound and vice versa. + Routing Initialization ~~~~~~~~~~~~~~~~~~~~~~ @@ -452,34 +481,109 @@ Endpoint 0 Routing Table: | 172.16.2.5/32 | 0 | | | | +------------------+----------+ -| 172.16.2.6/32 | 0 | +| 172.16.2.6/32 | 1 | +| | | ++------------------+----------+ +| 192.168.175.0/24 | 0 | +| | | ++------------------+----------+ +| 192.168.176.0/24 | 1 | | | | +------------------+----------+ -| 172.16.2.7/32 | 1 | +| 192.168.240.0/24 | 0 | | | | +------------------+----------+ -| 172.16.2.8/32 | 1 | +| 192.168.241.0/24 | 1 | | | | +------------------+----------+ | 192.168.115.0/24 | 2 | | | | +------------------+----------+ -| 192.168.116.0/24 | 2 | +| 192.168.116.0/24 | 3 | +| | | ++------------------+----------+ +| 192.168.65.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.66.0/24 | 3 | | | | +------------------+----------+ -| 192.168.117.0/24 | 3 | +| 192.168.185.0/24 | 2 | | | | +------------------+----------+ -| 192.168.118.0/24 | 3 | +| 192.168.186.0/24 | 3 | | | | +------------------+----------+ | 192.168.210.0/24 | 2 | | | | +------------------+----------+ -| 192.168.240.0/24 | 2 | +| 192.168.211.0/24 | 3 | +| | | ++------------------+----------+ +| 192.168.245.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.246.0/24 | 3 | +| | | ++------------------+----------+ +| 2222:2222: | 0 | +| 2222:2222: | | +| 2222:2222: | | +| 2222:5555/116 | | +| | | ++------------------+----------+ +| 2222:2222: | 1 | +| 2222:2222: | | +| 2222:2222: | | +| 2222:6666/116 | | | | | +------------------+----------+ -| 192.168.250.0/24 | 0 | +| 0000:0000: | 0 | +| 1111:1111: | | +| 0000:0000: | | +| 0000:0000/116 | | +| | | ++------------------+----------+ +| 0000:0000: | 1 | +| 1111:1111: | | +| 1111:1111: | | +| 0000:0000/116 | | +| | | ++------------------+----------+ +| ffff:0000: | 2 | +| 0000:0000: | | +| aaaa:aaaa: | | +| 0000:0/116 | | +| | | ++------------------+----------+ +| ffff:0000: | 3 | +| 0000:0000: | | +| bbbb:bbbb: | | +| 0000:0/116 | | +| | | ++------------------+----------+ +| ffff:0000: | 2 | +| 0000:0000: | | +| 5555:5555: | | +| 0000:0/116 | | +| | | ++------------------+----------+ +| ffff:0000: | 3 | +| 0000:0000: | | +| 6666:6666: | | +| 0000:0/116 | | +| | | ++------------------+----------+ +| ffff:0000: | 2 | +| 1111:1111: | | +| 0000:0000: | | +| 0000:0000/116 | | +| | | ++------------------+----------+ +| ffff:0000: | 3 | +| 1111:1111: | | +| 1111:1111: | | +| 0000:0000/116 | | | | | +------------------+----------+ @@ -489,36 +593,111 @@ Endpoint 1 Routing Table: | **Dst addr** | **Port** | | | | +------------------+----------+ -| 172.16.1.5/32 | 2 | +| 172.16.1.5/32 | 0 | +| | | ++------------------+----------+ +| 172.16.1.6/32 | 1 | +| | | ++------------------+----------+ +| 192.168.185.0/24 | 0 | | | | +------------------+----------+ -| 172.16.1.6/32 | 2 | +| 192.168.186.0/24 | 1 | | | | +------------------+----------+ -| 172.16.1.7/32 | 3 | +| 192.168.245.0/24 | 0 | | | | +------------------+----------+ -| 172.16.1.8/32 | 3 | +| 192.168.246.0/24 | 1 | | | | +------------------+----------+ -| 192.168.105.0/24 | 0 | +| 192.168.105.0/24 | 2 | | | | +------------------+----------+ -| 192.168.106.0/24 | 0 | +| 192.168.106.0/24 | 3 | | | | +------------------+----------+ -| 192.168.107.0/24 | 1 | +| 192.168.55.0/24 | 2 | | | | +------------------+----------+ -| 192.168.108.0/24 | 1 | +| 192.168.56.0/24 | 3 | | | | +------------------+----------+ -| 192.168.200.0/24 | 0 | +| 192.168.175.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.176.0/24 | 3 | +| | | ++------------------+----------+ +| 192.168.200.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.201.0/24 | 3 | | | | +------------------+----------+ | 192.168.240.0/24 | 2 | | | | +------------------+----------+ -| 192.168.250.0/24 | 0 | +| 192.168.241.0/24 | 3 | +| | | ++------------------+----------+ +| 1111:1111: | 0 | +| 1111:1111: | | +| 1111:1111: | | +| 1111:5555/116 | | +| | | ++------------------+----------+ +| 1111:1111: | 1 | +| 1111:1111: | | +| 1111:1111: | | +| 1111:6666/116 | | +| | | ++------------------+----------+ +| ffff:0000: | 0 | +| 1111:1111: | | +| 0000:0000: | | +| 0000:0000/116 | | +| | | ++------------------+----------+ +| ffff:0000: | 1 | +| 1111:1111: | | +| 1111:1111: | | +| 0000:0000/116 | | +| | | ++------------------+----------+ +| 0000:0000: | 2 | +| 0000:0000: | | +| aaaa:aaaa: | | +| 0000:0/116 | | +| | | ++------------------+----------+ +| 0000:0000: | 3 | +| 0000:0000: | | +| bbbb:bbbb: | | +| 0000:0/116 | | +| | | ++------------------+----------+ +| 0000:0000: | 2 | +| 0000:0000: | | +| 5555:5555: | | +| 0000:0/116 | | +| | | ++------------------+----------+ +| 0000:0000: | 3 | +| 0000:0000: | | +| 6666:6666: | | +| 0000:0/116 | | +| | | ++------------------+----------+ +| 0000:0000: | 2 | +| 1111:1111: | | +| 0000:0000: | | +| 0000:0000/116 | | +| | | ++------------------+----------+ +| 0000:0000: | 3 | +| 1111:1111: | | +| 1111:1111: | | +| 0000:0000/116 | | | | | +------------------+----------+ -- 2.5.5