Hello everyone, I'm Hamil Liu from the Red Hat Network Service Team, and today I will give you an introduction to Linux tunnels. Okay, here's the agenda. First, we will talk about what a tunnel is, and then what tunnels you can really use in Linux. And last, we will talk about what tunnels could be chosen for a cloud network.

Okay, here. First, what's a tunnel in the real world? It's an underground passageway, and vehicles can go through it from one end to the other end. And here is what a tunnel looks like in the network. A Linux tunnel, in concept, encapsulates network packets within another protocol and transmits them over a network. It allows you to create a virtual network link between two endpoints and provides secure and private communication over the existing network.

So, let's see what a packet looks like in the network. First, here is what a packet looks like on the internet. First is the Ethernet part, and then the IP header. It may be IPv4 or IPv6 in recent years. Next is the TCP or UDP header. And last is the payload, or the data it carries. So, what if this is an internal packet and you want to transmit it from one internal network to another internal network through the public IPv4 network? Here is what we do for an IP tunnel. Here is the internal packet you have in the private network, and you put it inside an outer header, and then the outer part is the internet. So, this is what an IP tunnel looks like. As the name says, it is an IP over IP tunnel. So, this is simple. It is used to connect two internal IPv4 subnets through the public IPv4 internet. The outer header is very simple, so it can only transmit unicast packets. Okay. This is a very old protocol. It was developed in the 1990s. The connection is not stable. Let me go through it quickly.
So, after some years, we have IPv6. It started to be used in the internet. But how do we connect IPv6 networks across the public IPv4 network? We have the SIT tunnel. This was developed in the year 2005, and its name stands for Simple Internet Transition. The main purpose of this tunnel is to connect isolated IPv6 networks across the global IPv4 network. But after years of development, it also supports IPv4 headers. So, in fact, now the SIT tunnel already covers the IP tunnel. Okay. So, in recent years the IPv6 network has also developed, and we have a lot of global IPv6 networks. So, here's the IPv6 version of the SIT tunnel. It's the IPv6 tunnel. And the outer header, you can see, is using an IPv6 header. So, this is the IPv4 version and this is the IPv6 version.

So, with all the tunnels we talked about so far, the data is plain in the network. If anyone captures the packets, they can know what's inside the packet. So, how do we protect our data? So, we have more breaks between each slide. So, how do we protect the data? There is IPsec. IPsec actually has a transport mode and a tunnel mode. Here, we will only talk about the tunnel mode in this talk. So, IPsec supports two modes. One is the AH mode. It does data authentication. Another is the ESP mode. It encapsulates the inner data. So, here, the AH mode only does authentication for the inner data, and ESP encapsulates the inner data. But it also supports combining them together, so you have both an AH header and an ESP header. Okay. So, we can protect our data.

But sometimes we need to connect our network from... We want to connect to our company or school or some private network, and then we need to do some user identification. How do we do that? Here, we have PPP, the PPTP tunnel and the L2TP tunnel. L2TP is a layer 2 protocol, and PPTP is only a point-to-point protocol. So, both of them are based on the PPP protocol. But L2TP is layer 2, so it supports creating multiple tunnels between the two endpoints.
But PPTP has a basic encryption method compared to L2TP. L2TP can only be combined with IPsec, which we just talked about. So, PPTP is a little faster than L2TP, because L2TP needs to do much more computation. But on the other hand, PPTP is a little... It's not secure and is easy to crack. So, it's not recommended in recent years. This protocol was developed in the 1990s, so it's very old. Well, L2TP was developed in the year 2000. So, it's a little newer. But as we talked about, PPTP is faster but not secure, and L2TP is secure but a little slower. So, how do we balance performance and security?

Okay, we have OpenVPN. OpenVPN is very famous. It was created in 2001. And by default it is using UDP mode. So, it has very good performance, and it also uses libssl to encrypt the data, so the security is also very good. But it has been popular since 2000, so it's already 20 years old. And recently, we have the WireGuard tunnel. WireGuard was created in 2015, and it was also merged into Linux in 2019. So, it's a modern tunnel. WireGuard is a very new and open source VPN protocol, and it's much faster than OpenVPN, because it has a very simple design and also a lower overhead. The overhead is not much; it's very simple. And it also uses a modern encryption protocol, compared with OpenVPN, which uses SSL, which is old. So, WireGuard is more secure and faster.

So, all the tunnels we talked about so far have a fixed header. And they are also limited to fixed inner protocols, like IP over IP or IPv6. The users need to configure different tunnels for different inner protocols. So, is there a way to not care about the inner protocol? Can we use only one outer header, one outer protocol? We have the GRE tunnel. GRE is called Generic Routing Encapsulation. It's also a very old protocol, designed in 1994 and updated in the year 2000. As the name says, it's a generic tunnel.
So, the protocol is independent. I'm not sure if it is because my comments are not clear. So, the GRE tunnel is a protocol-independent tunnel. So, it supports IP as the inner header, and PPP. Also, it supports an Ethernet header. It also supports transmitting multicast traffic. As we talked about before, an IP tunnel only supports unicast packets, and GRE supports multicast routing, multicast traffic. Also, its name is a generic routing protocol, so it supports routing protocols like OSPF, but that's not supported on Linux. Some routers, like Cisco routers, support this with OSPF. In Linux, we have the GRE tunnel and the IPv6 GRE tunnel, which are the IPv4 and IPv6 versions. There's also a gretap tunnel. The difference is we have an Ethernet header, so it can carry layer 2 packets through the internet. And here is also the IPv6 gretap tunnel.

And last is the ERSPAN tunnel. It's called Encapsulated Remote Switched Port Analyzer. In a hardware switch, there's a function that can mirror one port's traffic to another port at layer 2, in the same switch. But sometimes we want to mirror all the traffic to another subnet. So, with this protocol, we can mirror the port traffic through the routable network and transmit it to other subnets. So, the good part is we can extend the basic port mirroring capability from layer 2 to layer 3.

So, we can see that tunnels can happen at multiple levels. Here we have GRE, or the IP header, or IPIP, or SIT. Most of them are based on the IP header. But also in recent years, more and more tunnels happen at the UDP level. Here we have 3 UDP tunnels. First, the FOU tunnel is foo over UDP. It was developed in 2014, so it's a new protocol. But one thing about using a UDP tunnel is that UDP works with the existing hardware infrastructure, like RSS in NICs, receive side scaling, and ECMP on switches, the equal-cost multi-path routing protocol. And the others are like checksum offload and GSO/GRO.
With these features, the UDP tunnel has a significant performance increase compared with the IP tunnel. So, that's why, as we talked about OpenVPN and WireGuard, they are both over UDP, so the performance is very good. The next is the bareudp tunnel. The bareudp tunnel is like the FOU tunnel. The FOU tunnel supports IP and the GRE header as the inner header, and bareudp supports IP and MPLS as the inner header. And the last is the GUE tunnel. The difference compared with the two others is that the GUE tunnel has a GUE header. GUE is the Generic UDP Encapsulation tunnel. It has a header, but the header is also lightweight, so the speed is also good. But it allows the header to have optional data fields, which could be used for virtualization, security, and checksum controls.

The next is VXLAN. VXLAN was also developed in the year 2014. So, in the year 2000, or 10 years ago, or 15 or 20 years ago, most data centers were in the same place, and we separated the network with VLANs. And that was enough at that time, but after years, we have the cloud network, and the data center may be separated across a lot of places. So, how can we connect these data centers? So, VXLAN is called Virtual Extensible LAN. It was developed to address the limitations of traditional VLANs. A traditional VLAN has only 4,000 VLAN IDs, which is not enough for a large-scale data center. And VXLAN has a 24-bit VXLAN network identifier. It's called the VNI. It allows up to 16 million virtual networks, which is more than enough. And also VXLAN encapsulates layer 2 Ethernet frames, so it carries layer 2 data over the UDP header. This means you can create an isolated layer 2 network across the data center and the cloud network. This flexibility also allows VMs to be deployed across the data center or cloud network, and you can migrate them between different physical places or data centers and still keep the same logical network. Yes.
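As an added illustration (my own example, not from the talk), here is a small Python model of why UDP encapsulation gets help from RSS and ECMP: the outer UDP source port is derived from a hash of the inner flow, so a switch or NIC that only hashes the outer headers still spreads the inner flows, whereas a plain IP tunnel (IPIP, GRE) gives it nothing to hash on. The hash function, addresses and port range are constructed stand-ins, not the kernel's own code.

```python
import hashlib
import socket
import struct

PORT_MIN, PORT_MAX = 32768, 60999   # constructed ephemeral range for the outer UDP source port
IPPROTO_UDP, IPPROTO_GRE = 17, 47

def flow_hash(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int) -> int:
    """Stand-in for a hardware/kernel 5-tuple flow hash (constructed, not the kernel's code)."""
    key = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BHH", proto, sport, dport)
    return int.from_bytes(hashlib.blake2b(key, digest_size=4).digest(), "big")

def outer_udp_src_port(inner: tuple) -> int:
    """Derive the outer UDP source port from the inner flow, so the inner entropy is
    visible to RSS/ECMP engines that only look at the outer headers."""
    return PORT_MIN + flow_hash(*inner) % (PORT_MAX - PORT_MIN + 1)

def ecmp_path(n_paths: int, outer: tuple) -> int:
    """An ECMP switch (or RSS queue selector) hashing the outer 5-tuple into a path."""
    return flow_hash(*outer) % n_paths

def spread(n_paths: int, inner_flows, udp_tunnel: bool) -> set:
    """Set of paths used by the given inner flows between one pair of tunnel endpoints."""
    paths = set()
    for inner in inner_flows:
        if udp_tunnel:   # e.g. VXLAN/FOU: the outer UDP source port carries the inner flow hash
            outer = ("192.0.2.1", "192.0.2.2", IPPROTO_UDP, outer_udp_src_port(inner), 4789)
        else:            # e.g. IPIP/GRE: the outer header has no port fields to vary
            outer = ("192.0.2.1", "192.0.2.2", IPPROTO_GRE, 0, 0)
        paths.add(ecmp_path(n_paths, outer))
    return paths

# Constructed sample: 64 inner TCP flows between two hosts behind the tunnel endpoints
SAMPLE_FLOWS = [("10.1.0.10", "10.2.0.20", 6, 40000 + i, 443) for i in range(64)]

if __name__ == "__main__":
    print("IP tunnel paths used:", spread(4, SAMPLE_FLOWS, udp_tunnel=False))
    print("UDP tunnel paths used:", spread(4, SAMPLE_FLOWS, udp_tunnel=True))
```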
And there are also some other protocols like VXLAN, like NVGRE. NVGRE uses a GRE header to encapsulate the data, compared to the UDP header. And also, STT uses stateless TCP to encapsulate data. They are different protocols, but they have similar functions, like the identifier, to address the problem, to address the VLAN issue. But as we see, VXLAN is popular, but VXLAN, NVGRE and STT all have fixed headers, and it's not easy to extend them. So, what if we want to have some other features in the future? It's not easy to do that. So, we have the Geneve tunnel. Geneve is Generic Network Virtualization Encapsulation. And from this picture, it looks the same, but actually the Geneve header is a flexible header. It supports using type-length-value options, the TLV options. So, this allows us to add new functions without modifying the basic protocol. It also uses a larger VNI field compared to VXLAN. Geneve uses 22 bytes, Geneve has 32, and VXLAN only has 24. So, this is more than enough now. Geneve also has built-in support for encryption to make the data more secure. So, also, VXLAN encapsulates layer 2, while Geneve can encapsulate layer 2 or layer 3, so it's more flexible. So, many projects could use it as the new default tunnel. We can use OVN, and OVN is currently still using the Geneve tunnel as the default tunnel.

So, that's almost everything we talked about, what we know Linux supports now. Let's think, since the cloud network is more popular, let's think about what kind of tunnels should be used in the cloud network. First, the cloud network may have different products. So, the GRE tunnel should fit, because it can support different inner protocols. And next, as we know, VXLAN. VXLAN is popular, and it has a large VNI field to separate the networks. And the last is the Geneve tunnel. It's the future. It's designed for the future.
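To make the VXLAN and Geneve headers from the talk concrete, here is an added Python encoder/parser (my own example, not the speaker's code) that builds the fixed 8-byte VXLAN header with its 24-bit VNI beside a Geneve header carrying TLV options, including the critical-option bit; all VNIs, option classes and payloads are constructed values.

```python
import struct

VXLAN_UDP_PORT, GENEVE_UDP_PORT = 4789, 6081   # IANA ports for the two encapsulations
ETH_P_TEB = 0x6558                               # Geneve protocol type for an inner Ethernet frame

def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """VXLAN header (RFC 7348): 8 fixed bytes; flags with the I bit set, then a 24-bit VNI."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!BxxxI", 0x08, vni << 8) + inner_frame

def parse_vxlan(pkt: bytes):
    flags, vni_field = struct.unpack("!BxxxI", pkt[:8])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, pkt[8:]

def build_geneve(vni: int, proto: int, options, inner: bytes) -> bytes:
    """Geneve header (RFC 8926): 8 fixed bytes plus TLV options, each 4-byte aligned.
    options: list of (class, type, data); a type with the high bit set is a critical option."""
    opt_bytes = b""
    for cls, typ, data in options:
        if len(data) % 4 or len(data) > 124:
            raise ValueError("option data must be a multiple of 4 bytes, at most 124")
        opt_bytes += struct.pack("!HBB", cls, typ, len(data) // 4) + data
    opt_words = len(opt_bytes) // 4
    if opt_words > 63 or not 0 <= vni < (1 << 24):
        raise ValueError("options exceed the 6-bit length field or VNI out of range")
    flags = 0x40 if any(typ & 0x80 for _, typ, _ in options) else 0   # C bit: critical options present
    return struct.pack("!BBHI", opt_words, flags, proto, vni << 8) + opt_bytes + inner  # version 0

def parse_geneve(pkt: bytes):
    first, flags, proto, vni_field = struct.unpack("!BBHI", pkt[:8])
    if first >> 6 != 0:
        raise ValueError("unsupported Geneve version")
    end = 8 + (first & 0x3F) * 4          # options are measured in 4-byte words
    options, off = [], 8
    while off < end:
        cls, typ, ln = struct.unpack("!HBB", pkt[off:off + 4])
        dlen = (ln & 0x1F) * 4
        options.append((cls, typ, pkt[off + 4:off + 4 + dlen]))
        off += 4 + dlen
    hdr = {"vni": vni_field >> 8, "proto": proto, "critical": bool(flags & 0x40), "options": options}
    return hdr, pkt[end:]
```

A receiver that does not understand a critical option must drop the packet, which is the check the `critical` flag feeds.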
So, that's all the tunnels we know and that I wanted to introduce. Thank you.