Merge branch 'master' of code.ungleich.ch:ungleich-public/ungleich-graphviz

.gitignore

@@ -2,3 +2,4 @@
 *.pdf
 *.svg
 *.jpg
+*.eps

Makefile

@@ -1,13 +1,18 @@
-all:
-	for dot in *.dot; do make $${dot%%.dot}.png; done
-	for dot in *.dot; do make $${dot%%.dot}.pdf; done
-	for dot in *.dot; do make $${dot%%.dot}.svg; done
+all: $(addsuffix .png, $(basename $(wildcard *.dot))) $(addsuffix .pdf, $(basename $(wildcard *.dot))) $(addsuffix .svg, $(basename $(wildcard *.dot)))
+
+# all:
+# 	for dot in *.dot; do make $${dot%%.dot}.png; done
+# 	for dot in *.dot; do make $${dot%%.dot}.pdf; done
+# 	for dot in *.dot; do make $${dot%%.dot}.svg; done
 
 clean:
 	rm -f *.png *.pdf *.svg
 
 %.png: %.dot
-	dot -Tpng < $< > $@
+	dot -Tpng -Gdpi=300 < $< > $@
+
+%.eps: %.dot
+	dot -Teps < $< > $@
 
 %.jpg: %.dot
 	dot -Tjpg < $< > $@

active-active-firewall.dot

@@ -0,0 +1,17 @@
+digraph G {
+    node [ shape=box ]
+
+    upstream [ label="Upstream Router" ];
+    upstreamswitch [ label="Upstream Switch" ];
+    router1 [ label="Router1" ];
+    router2 [ label="Router2" ];
+    clients [ label="Clients" ];
+
+    upstreamswitch->{router1,router2} [ label="Receive packets from 'outside'" ]
+
+    {router1,router2}->upstream [ label="BGP peering" ]
+    clients->{router1,router2} [ label="Connect to either router via 'virtual' IP address" ]
+
+    router1->router2 [ label="Exchange of session database" ]
+    router2->router1 [ label="Exchange of session database" ]
+}

dev-cdn.dot

@@ -0,0 +1,27 @@
+digraph G {
+    node [ shape=box ]
+
+    label="Development Environment CDN"
+
+    apu1 [ label="apu1\nRemote access" ]
+    apu2 [ label="apu2\nRemote access (Backup)" ]
+    cisco [ label="Nexus 3064 Switch" shape=doubleoctagon color="#40a9e3", style="filled" ]
+    upstreamswitch [ label="Upstream Switch" shape=doubleoctagon ]
+    upstreamrouter [ label="Upstream Router\nAS213081" ]
+    servers [ label="Servers 1-10" color="#40a9e3", style="filled"]
+    downstreamrouter [ label="Downstream Router\nAS399354" color="#40a9e3", style="filled" ]
+
+    apu1->cisco [ label="serial: ttyUSB0" ]
+    apu1->cisco [ label="apu1: eth2\nNexus: ether13" ]
+    apu2->cisco [ label="apu1: eth2\nNexus: ether14" ]
+    apu1->upstreamswitch [ label="eth0\n2a0a:e5c0:1:f::a1/64\n147.78.195.3/29" ]
+    apu2->upstreamswitch [ label="eth0\n2a0a:e5c0:1:f::a2/64\n147.78.195.4/29" ]
+    cisco->upstreamswitch [ label="Nexus:\nether1" ]
+
+    upstreamrouter->upstreamswitch [ label="2a0a:e5c0:1:f::50/64\n147.78.195.1/29" ]
+    downstreamrouter->cisco [ label="2a0a:e5c0:1:e::ffff/64\n147.78.195.5/29"  ]
+    servers->cisco [ label="Nexus:\nether3-12" ]
+
+    upstreamrouter->downstreamrouter [ label="BGP session\nfull table" ]
+    downstreamrouter->upstreamrouter [ label="Announce (parts of)\n2606:2BC0::/32\n104.219.56.0/21" ]
+}

dns-easy.dot

@@ -0,0 +1,16 @@
+digraph G {
+    node [ shape=box ]
+    #rankdir=LR;
+
+    label="
+    DNS lookups at ungleich.ch\n
+    No systemd, no network manager, no resolvconf, no systemd-resolved."
+
+    start [ shape=Mdiamond ] ;
+    resolvconf [ label="/etc/resolv.conf exists?" shape=oval ];
+    lookup [ label="Do DNS lookup" shape=doubleoctagon ];
+
+    start->resolvconf
+    resolvconf->lookup [ label="yes" ];
+
+}

dynamic-ips.dot

@@ -0,0 +1,41 @@
+digraph G {
+    node [ shape=box ]
+    rankdir=LR;
+
+    label="ungleich Dynamic IP access"
+
+    client [ label="IPv6 client" ];
+    vpnserver  [ label="ungleich Server" ];
+
+    v6net [ label="IPv6 Internet" ];
+    v4net [ label="IPv4 Internet" ];
+
+    v4ip1 [ label="IPv4 address #1\nProvider 1" ]
+    v4ip2 [ label="IPv4 address #2\nProvider 2" ]
+    v4ipn [ label="IPv4 address #n\nProvider x" ]
+
+    dnsserver [ label="ungleich DNS Server\nSource based DNS routing" ]
+
+    client->vpnserver [ label="Establishes VPN" ]
+    vpnserver->client [ label="Routes 2001:db8::/48 IPv6 network" ]
+
+    vpnserver->{v4ip1, v4ip2, v4ipn} [ label="Outgoing connection" ]
+
+    client->v4ip1 [ label="Access IPv4 Internet\nvia
+    2001:db8:0:1:0:1::/96" style=dashed ]
+    client->v4ip2 [ label="Access IPv4 Internet\nvia
+    2001:db8:0:1:0:2::/96"  style=dashed ]
+    client->v4ipn [ label="Access IPv4 Internet\nvia
+    2001:db8:0:1:0:n::/96"  style=dashed ]
+    {v4ip1, v4ip2, v4ipn}->v4net [ label="Specific IPv4 Source" ]
+
+    client->v6net [ label="Source: 2001:db8:2::/64" style=dashed ]
+
+    client->dnsserver [ label="(Optional) Request AAAA address"
+    style=dotted ]
+    dnsserver->client [ label="Source address based answer"
+    style=dotted ]
+
+
+
+}

ipv4-as-a-service-mapping.dot

@@ -0,0 +1,52 @@
+digraph G {
+    node [ shape=box, fontcolor="#ffffff", color="#40a9e3", style="filled"  ]
+    label="IPv4 as a service\nby ungleich.ch"
+
+#    rankdir=LR
+
+    # subgraph cluster_v6_vm {
+    #     label="IPv6 only VM"
+    #     ipv6onlyvm [ label="IPv6 only VM"  color="#ee1100" ]
+    # }
+
+    subgraph cluster_client {
+        label="Anywhere"
+
+        client [ label="Server, VM, Notebook, Desktop" color="#ee1100" ]
+        # vm [ label="Virtual Machine"  color="#ee1100" ]
+        # server [ label="Server"  color="#ee1100" ]
+        # notebook [ label="Notebook"  color="#ee1100" ]
+        # desktop [ label="Desktop"  color="#ee1100" ]
+    }
+
+    subgraph cluster_internet {
+        label="The Internet"
+
+        v4host [ label="IPv4 host\na.b.c.d" shape=oval ]
+        v6host [ label="IPv6 host" shape=oval ]
+    }
+
+    subgraph cluster_dcl {
+        label="Data Center Light in Switzerland"
+
+        vpnserver [ label="VPN Server" ]
+        nat64 [ label="NAT64 translator" ]
+    }
+
+#    {vm,server,notebook,desktop}->vpnserver [ label="Connect to VPN" ]
+#    vpnserver->{vm,server,notebook,desktop} [ label="Route static /48 IPv6 Network\n2001:db8:42::/48" ]
+#    nat64->{vm,server,notebook,desktop} [ label="Maps 192.0.2.1\nto 2001:db8:42:b00::192.0.2.1/96" ]
+#    v6host->{vm,server,notebook,desktop} [ label="Native access to 2001:db8:42::/48" ]
+
+    client->vpnserver [ label="Connect to VPN" ]
+    vpnserver->client [ label="Route static /48 IPv6 Network\n2001:db8:42::/48" ]
+    nat64->client [ label="Maps 192.0.2.1\nto 2001:db8:42:b00::192.0.2.1/96" ]
+
+    v4host->nat64 [ label="Accesses 192.0.2.1" ]
+    v4host->client [ label="Accesses 192.0.2.1" style=dashed ]
+    v6host->client [ label="Native access to 2001:db8:42::/48" ]
+
+    client->v4host [ label="Access any IPv4 host" style=dashed ]
+    client->nat64 [ label="Access any IPv4 host\nvia 2001:db:c001::a.b.c.d/96" ]
+
+}

ipv4-as-a-service-simple.dot

@@ -0,0 +1,15 @@
+graph G {
+    node [ shape=box, fontcolor="#ffffff", color="#40a9e3", style="filled"  ]
+    label="IPv4 as a service\n(simplified)\nby ungleich.ch"
+
+    concentrate=true
+
+    client [ label="Notebook, Desktop,\nServer, IoT device"  color="#ee1100" ]
+
+    ipv4internet [ label="IPv4 Internet" shape=oval ]
+    ipv6internet [ label="IPv6 Internet" shape=oval ]
+
+    ipv6internet--client [ label="Access via VPN"  ]
+
+    ipv4internet--client [ label="Access via NAT64 translator" ]
+}

ipv4-as-a-service.dot

@@ -1,44 +1,60 @@
 digraph G {
     node [ shape=box, fontcolor="#ffffff", color="#40a9e3", style="filled"  ]
-    label="IPv4 as a service\nby ungleich"
+    label="IPv4 as a service\nby ungleich.ch"
 
-    subgraph cluster_v6_vm {
-        label="IPv6 only VM"
-        ipv6onlyvm [ label="IPv6 only VM"  color="#ee1100" ]
-    }
+#    rankdir=LR
 
-    subgraph cluster_roadwarrior {
-        label="Roadwarrior"
+    #
 
-        notebook [ label="Notebook"  color="#ee1100" ]
-        desktop [ label="Desktop"  color="#ee1100" ]
-    }
+    # Merge double edges into single one
+#    concentrate=true
 
-    subgraph cluster_roadwarrior {
-        label="Roadwarrior"
+    # allow edges to subgraphs
+#    compound=true
 
-        notebook [ label="Notebook"  color="#ee1100" ]
-    }
+#    subgraph cluster_endpoints {
+#        label="IPv6 and IPv4 reachable hosts"
 
-    subgraph cluster_internet {
-        label="The Internet"
+        client [ label="Notebook, Desktop,\nServer, IoT device"  color="#ee1100" ]
+        // notebook [ label="Notebook"  color="#ee1100" ]
+        // desktop [ label="Desktop"  color="#ee1100" ]
+        // ipv6onlyvm [ label="IPv6 only VM"  color="#ee1100" ]
+#    }
+
+    // subgraph cluster_roadwarrior {
+    //     label="Roadwarrior"
+
+    //     notebook [ label="Notebook"  color="#ee1100" ]
+    // }
+
+#    subgraph cluster_internet {
+#        label="The Internet"
 
         ipv4internet [ label="IPv4 Internet" shape=oval ]
         ipv6internet [ label="IPv6 Internet" shape=oval ]
-    }
+#    }
 
     subgraph cluster_dcl {
         label="Data Center Light in Switzerland"
 
-        vpnserver [ label="VPN Server in\nData Center Light" ]
-
+        vpnserver [ label="VPN Server" ]
+        nat64t [ label="NAT64 translator (inbound)" ]
+        nat64tout [ label="NAT64 translator (outbound)" ]
     }
 
-    ipv6onlyvm->ipv6internet [ label="Connect via IPv6" ]
-    {desktop,notebook}->{ipv4internet,ipv6internet} [ label="Connect either way" ]
-    {ipv4internet,ipv6internet}->vpnserver [ label="Connect to VPN" ]
+    ipv4internet->client [ label="Access via NAT64 translator" style=dashed ]
+    ipv4internet->nat64t [ label="Access via IPv4" ]
 
-    vpnserver->{ipv6onlyvm, desktop, notebook} [ label="Route IPv4 address via VPN" ]
+    ipv6internet->client [ label="Access via IPv6" style=dashed ]
+    ipv6internet->vpnserver [ label="Access via VPN server"  ]
 
+    client->ipv4internet [ label="Access IPv4 Internet\nvia 2a0a:e5c0:1e:c001::a.b.c.d/96" style=dashed ]
+    client->nat64tout [ label="IPv4 via IPv6 access" ]
+    nat64tout->ipv4internet [ label="Translate mapped IPv4 to native IPv4" ]
+    client->vpnserver [ label="Connects to" ]
+
+    nat64t->vpnserver [ label="Translate IPv4 traffic to IPv6" ]
+
+    vpnserver->client [ label="Route IPv6 network" ]
 
 }

ipv4-ipv6-nat-asymmetric.dot

@@ -0,0 +1,18 @@
+digraph G {
+    node [ shape=box ]
+    rankdir=LR;
+
+
+    label="Asymmetry in mapping IPv6 <-> IPv4"
+
+    v4hosts [ label="IPv4 only network\n192.0.2.0/24" ]
+    v4internet [ label="IPv4 Internet\n0.0.0.0/0" ]
+#    nat64 [ label="NAT64 translator" ]
+    v6internet [ label="IPv6 Internet\n::/0" ]
+
+    v6lan [ label="IPv6 only network\n2001:db8::/64 " ]
+    v6lan->v4internet [ label="Mapped as 64:ff9b::/96" ]
+
+    v4hosts->v6internet [ label="No 1:1 mapping possible" style=dashed ]
+
+}

ipv4-nat.dot

@@ -0,0 +1,14 @@
+digraph G {
+    node [ shape=box ]
+
+    label="Standard IPv4 NAT"
+
+    v4lan [ label="IPv4 LAN\n192.168.x.y/24" ]
+    router [ label="Router/Firewall\nPublic IP address" ]
+    v4internet [ label="IPv4 Internet\n0.0.0.0/0" ]
+
+    v4lan->v4internet [ label="Connects via NAT" style=dashed ]
+    v4lan->router [ label="Connects via default route" ]
+    router->v4internet [ label="Masquerades 192.168.x.y\nto public IP address" ]
+
+}

ipv4-only-island-ipv6-reachable.dot

@@ -0,0 +1,13 @@
+digraph G {
+    node [ shape=box ]
+
+    label="Enabling IPv4 islands with stateful NAT64"
+
+    v4island [ label="IPv4 only network\n192.0.2.0/24" ]
+    nat64 [ label="NAT64 translator" ]
+    v6internet [ label="IPv6 Internet\n::/0" ]
+
+    v6internet->v4island [ label="Allow access\nfrom the IPv6 Internet" style=dashed ]
+    v6internet->nat64 [ label="Connects to\n2001:db8:cafe::/120" ]
+    nat64->v4island [ label="Translates 2001:db8:cafe::/120 to\n192.0.2.0/24\nSquashes ::/0 to 192.0.2.1" ]
+}

ipv4-over-ipv6-static-tunnel.dot

@@ -0,0 +1,32 @@
+digraph G {
+    node [ shape=box ]
+
+    label="ungleich IPv4-over-IPv6-Tunnels"
+
+    subgraph cluster_remote {
+        label="Local site accessing remote"
+        vpnbox2 [ label="ungleich VPN box\nWith Firewall" ]
+        clients2 [ label="IPv4 Client device" ];
+        clients3 [ label="IPv6 Client device" ];
+    }
+
+
+    subgraph cluster_site {
+        label="Remote site with devices"
+        vpnbox [ label="ungleich VPN box\nWith Firewall" ]
+        clients [ label="Client devices\nin private IPv4 network\nf.i. 10.0.0.0/8" ];
+    }
+    vpnbox->clients [ label="IPv6 connectivity" ]
+
+    clients2->clients [ label="Access 10.0.0.1 via 2001:db8::10.0.0.1"
+    style=dashed ]
+    clients2->vpnbox2 [ label="1. Access 10.0.0.1:\nlocal vpnbox translates to 2001:db8::10.0.0.1" ]
+    clients3->clients [ label="Directly access 10.0.0.1 as 2001:db8::10.0.0.1"
+    style=dashed ]
+    clients3->vpnbox2
+
+    vpnbox2->vpnbox [ label="2. Sends packet to 2001:db8::10.0.0.1" ]
+    vpnbox->clients [ label="3. Translates 2001:db8::10.0.0.1\nto 10.0.0.1" ]
+
+
+}

ipv4-via-ipv6-nat64-siit.dot

@@ -0,0 +1,13 @@
+digraph G {
+    node [ shape=box ]
+
+    label="IPv4 via IPv6 (NAT64/SIIT) by ungleich.ch pu"
+
+    v4island [ label="IPv4 only network\n192.0.2.0/24" ]
+    nat64 [ label="NAT64 translator" ]
+    v6internet [ label="IPv6 Internet\n::/0" ]
+
+    v6internet->v4island [ label="Allow access\nfrom the IPv6 Internet" style=dashed ]
+    v6internet->nat64 [ label="Connects to\n2001:db8:cafe::/120" ]
+    nat64->v4island [ label="Translates 2001:db8:cafe::/120 to\n192.0.2.0/24\nSquashes ::/0 to 192.0.2.1" ]
+}

ipv6-dr.dot

@@ -0,0 +1,52 @@
+digraph G {
+    node [ shape=box, fontcolor="#ffffff", color="#40a9e3", style="filled"  ]
+
+#    rankdir="LR"
+
+    ipv6internet [ label="The IPv6 Internet" shape=oval ];
+    ipv4internet [ label="The IPv4 Internet" shape=oval ];
+    ipv6vpn [ label="IPv6VPN.ch\nIPv6 via wireguard" shape=oval ];
+
+    subgraph cluster_regular {
+        label="Non-enhanced mobile connection (DR)"
+
+        subgraph cluster_onedev {
+            label="One end device"
+            mobile1 [ label="Mobile device" ]
+        }
+
+        subgraph cluster_multidev {
+            label="Multiple end devices"
+            router2 [ label="Router w/ mobile uplink" ];
+            dev1 [ label="Desktop" ];
+            dev2 [ label="NAS" ];
+            dev3 [ label="Printer" ];
+        }
+    }
+
+    subgraph cluster_enhanced {
+        label="Enhanced mobile connection (DR+ungleich)"
+
+        subgraph cluster_onedev_enhanced {
+            label="One end device"
+            mobile1plus [ label="Mobile device" ]
+        }
+        subgraph cluster_multidev_enhanced {
+            label="Multiple end devices"
+            router2plus [ label="Router w/ mobile uplink" ];
+            dev1plus [ label="Desktop" ];
+            dev2plus [ label="NAS" ];
+            dev3plus [ label="Printer" ];
+        }
+    }
+
+    {router2,mobile1,router2plus,mobile1plus}->ipv4internet [ label="Outgoing connections work" ]
+    {router2,mobile1}->ipv6internet [ shape=dashed label="Inaccessible" ]
+    {router2plus,mobile1plus}->ipv6vpn [ shape=dashed label="Establish IPv6 connection" ]
+    {dev1,dev2,dev3}->router2 [ label="Connect via router" ]
+
+    ipv4internet->mobile1 [ label="Incoming connections don't work" ]
+    ipv6vpn->ipv6internet [ label="Access the IPv6 Internet" ]
+    ipv6internet->{router2plus,mobile1plus,dev2plus,dev3plus,dev1plus} [ label="Access via IPv6" ]
+
+}

ipv6-eye.dot

@@ -0,0 +1,80 @@
+graph G {
+    node [ shape=box, fontcolor="#ffffff", color="#40a9e3", style="filled"  ]
+
+    label="The IPv6 eye"
+
+    subgraph cluster_sample {
+        wired [ label="Wired Internet" ]
+        wifi  [ label="WiFi Internet" ]
+        modem0  [ label="4G Internet" ]
+        ipv6vpn [ label="IPv6VPN.ch" shape=oval ]
+
+        label="Any eye"
+
+        eye0 [ label="Eye Base" ]
+
+    }
+
+    subgraph cluster_regular {
+        label="The eye"
+
+        eye1 [ label="Eye Base" ]
+        cam1 [ label="USB Camera" ]
+        eye1--cam1
+
+    }
+
+    eye0--{wifi,wired,modem0} [ style=dotted  ]
+    {wired,wifi,modem0}--ipv6vpn  [ style=dotted  ]
+
+
+    subgraph cluster_auto {
+        label="The autonomous eye"
+
+        eye2 [ label="Eye Base" ]
+        usb2 [ label="USB Hub" ]
+        cam2 [ label="USB Camera" ]
+        modem2 [ label="4G modem" ]
+        bat2 [ label="Battery" ]
+
+        eye2--usb2
+        usb2--cam2
+        usb2--modem2
+        bat2--eye2
+    }
+
+    subgraph cluster_fully_auto {
+        label="The fully autonomous eye"
+
+        eye3 [ label="Eye Base" ]
+        usb3 [ label="USB Hub" ]
+        cam3 [ label="USB Camera" ]
+        modem3 [ label="4G modem" ]
+        bat3 [ label="Battery" ]
+        solar3 [ label="Solar Panel" ]
+
+        eye3--usb3
+        usb3--cam3
+        usb3--modem3
+        solar3--bat3
+        bat3--eye3
+    }
+
+
+
+    subgraph cluster_car {
+        label="The car eye"
+
+        eye4 [ label="Eye Base" ]
+        usb4 [ label="USB Hub" ]
+        cam4 [ label="USB Camera" ]
+        modem4 [ label="4G modem" ]
+        carusb4 [ label="Car USB Charger" ]
+
+        eye4--usb4
+        usb4--cam4
+        usb4--modem4
+        carusb4--eye4
+    }
+
+}

ipv6-ipv4-stateful-mapping.dot

@@ -0,0 +1,13 @@
+digraph G {
+    node [ shape=box ]
+
+    label="Stateful NAT64 for masquarading IPv6 networks"
+
+    v6net [ label="IPv6 Network\n2001:db8:0:0::/64\n(64 bit)" ]
+    v4net [ label="IPv4 Internet\n0.0.0.0/0\n(32 bit)" ]
+    nat64 [ label="NAT64 translator" ]
+
+    v6net->v4net [ label="Allow access\nfrom an IPv6 network" style=dashed ]
+    v6net->nat64 [ label="Connects to\n2001:db8:0:0:c001::/96\n(32 bit)" ]
+    nat64->v4net [ label="Squashes 2001:db8::/64 to 192.0.2.1" ]
+}

ipv6-ipv4-stateless-mapping.dot

@@ -0,0 +1,16 @@
+digraph G {
+    node [ shape=box ]
+    rankdir=LR;
+
+    v6lan [ label="IPv6 only hosts\n2001:db8::/120 " ]
+    v4hosts [ label="IPv4 addresses\n192.0.2.0/24" ]
+    v6lan->v4hosts [ label="Map 8 bits of IPv6 to IPv4" ]
+    v4hosts->v6lan [ label="Map 8 bits of IPv4 to IPv6" ]
+
+    v6lan1 [ label="2001:db8::1 " ]
+    v4hosts1 [ label="192.0.2.1" ]
+    v6lan1->v4hosts1 [ label="Map IPv6 address to IPv4" ]
+    v4hosts1->v6lan1 [ label="Map IPv4 address to IPv6" ]
+
+    label="Stateless NAT64 (SIIT)"
+}

ipv6-naming-with-proxy.dot

@@ -0,0 +1,36 @@
+digraph G {
+    node [ shape=box ]
+#    rankdir=LR;
+
+    label="Hostnames for IPv6 only hosts"
+
+    serverv6  [ label="Server (IPv6 only)" ];
+    proxy  [ label="Proxy (IPv4+IPv6)" ];
+
+    http [ label="HTTP(s) for\nwww.example.com" ]
+    dns [ label="DNS for www.example.com" ]
+
+    dnsv6 [ label="v6.example.com" ]
+    dnsv6->serverv6 [ label="Only AAAA entry configured" ]
+
+    clientv4 [ label="IPv4 client" ];
+    clientv6 [ label="IPv6 client" ];
+    clientdual [ label="Dual Stack client" ];
+
+    dns->proxy [ label="A entry points to proxy" style=dashed ]
+    dns->serverv6 [ label="AAAA entry points to the server" style=dashed ]
+
+    {clientv4,clientv6,clientdual}->dns [ label="1. perform a DNS lookup" ]
+
+    clientdual->{proxy,serverv6} [ label="2. Accesses either way" style=dashed ]
+
+    clientv4->proxy [ label="2. Accesses server via proxy" ]
+    clientv6->serverv6 [ label="2. Accesses server directly" ]
+
+    proxy->serverv6 [ label="Forwards HTTP/HTTPS requests" ]
+    serverv6->http [ label="Serves content for" ]
+
+    {clientv6,clientdual}->serverv6 [ label="3. Access via\nv6.example.com\nAlways directly" ]
+
+
+}

ipv6-to-ipv4-proxy.dot

@@ -1,6 +1,6 @@
 digraph G {
     node [ shape=box ]
-    rankdir=TB!;
+    rankdir=TB;
 
     label="IPv4-to-IPv6 proxy by ungleich.ch"
 

ipv6-viwib.dot

@@ -0,0 +1,62 @@
+digraph G {
+    node [ shape=box, fontcolor="#ffffff", color="#40a9e3", style="filled"  ]
+
+    label="The VIWVIB in action"
+    node [ shape=box ]
+
+    rankdir=LR
+
+
+    ipv6internet [ label="The IPv6 Internet" shape=oval ]
+    ipv4internet [ label="The IPv4 Internet" shape=oval ]
+    ipv6vpn [ label="IPv6VPN.ch\nIPv6 via wireguard" shape=oval ]
+
+    lan [ label="Your regular LAN" shape=oval ];
+    lan_v6 [ label="IPv6 only lan" shape=oval ]
+
+    lanclients [ label="Clients in the lan" ]
+    lan_v6_clients [ label="IPv6 only clients" ]
+
+    wificlients [ label="WiFi clients" ]
+    wifi [ label="IPv6 only wifi\n'IPv6 everywhere'" shape=oval ]
+
+
+    subgraph cluster_viwib {
+        viwib [ label="The VIWIB" color="#ee1100" ];
+        viwib_lan [ label="LAN Port" color="#ee1100" ];
+        viwib_wan [ label="WAN Port" color="#ee1100" ];
+        viwib_wifi [ label="WiFi" color="#ee1100" ];
+
+        viwib->{viwib_lan,viwib_wan,viwib_wifi};
+    }
+
+    viwib_wan->ipv4internet [ label="Connects to" ]
+    ipv4internet->ipv6vpn [ label="Connected to" ]
+
+    viwib_lan->lan_v6 [ label="Creating IPv6 only LAN" style=dashed ]
+    viwib_lan->lan [ label="Enabling existing LAN with IPv6" style=dashed ]
+
+    lan_v6_clients->lan_v6 [ label="Assign themselves IPv6" ]
+    lanclients->lan [ label="Assign themselves IPv6" ]
+
+    {lan_v6,wifi}->ipv4internet [ label="via DNS64/NAT64" style=dashed ]
+    {lan_v6,wifi}->ipv6internet [ label="Direct access" ]
+
+    ipv6vpn->viwib [ label="Gets /48 IPv6 network via VPN" ]
+
+
+    viwib_wifi->wifi [ label="Provides IPv6 only WiFi" ]
+    wificlients->wifi [ label="Assign IPv6 address themselves" ]
+    wifi->ipv6internet [ label="Connect to" ]
+
+
+    ipv6vpn->ipv6internet [ label="Is connected to" ]
+
+    // ipv6internet->{wificlients,lanclients} [
+    //     label="SSH, HTTP, HTTPS\nports are open" ]
+}
+
+
+
+#    viwib_wan->lan [ label="1. Gets IPv4 via cable" ]
+#    viwib->ipv6vpn [ label="Connect the VPN to IPv6VPN.ch" ]

nicos-ipv6-vpn-routing-issue.dot

@@ -0,0 +1,32 @@
+digraph G {
+    node [ shape=box ]
+    label="Why IPv6 upstream on test devices does not work
+    ICMP works as it's on 1 reply
+    SSH does not work
+    Testdev only receives first syn, not 2nd ack packet
+    Notebook receives duplicated syn-ack packets from testdev
+    Likely problem: router does not see return packet and drops the packet, no session entry?
+    It's an outgoing packet, so this should not be a problem
+    Router seems only to send first syn packet from the client
+    VERIFIED by disabling ip6tables / flushing rules"
+
+    notebook [ label="Notebook: 2a0a:e5c0:13::a/64" ]
+    router  [ label="Router: 2a0a:e5c0:13::42/64" ]
+    testdev [ label="Testdev: 2a0a:e5c0:13::zz/64" ]
+
+    vpnserver [ label="VPN server" ]
+
+    vpnserver->testdev [ label="Route for 2a0a:e5c1:VPN::/48" ]
+
+    notebook->router [ label="1. Connect to 2a0a:e5c1:VPN::42\nWith MAC
+    of router" ]
+    router->vpnserver [ label="2. Forwarding packing for Testdev to
+    router" ]
+    vpnserver->testdev [ label="3. Forwarding packing for Testdev via
+    VPN" ]
+    testdev->notebook [ label="4. Reply directly to notebook\n
+    testdev has same local network as notebook
+    Using a different mac address than the router has" ]
+
+
+}

organigram.dot

@@ -6,7 +6,6 @@ digraph G {
 
     nico [ label="Nico Schottelius (CH, VR, GL)" ];
     sanghee [ label="Sanghee Kim (CH)" ];
-    balazs [ label="Balazs Unyi (CH)" ]
     timothee [ label="Timothee Floure (CH)" ]
     dominique [ label="Dominique Roux (CH)" ]
     samuel [ label="Samuel Hailu (CH)" ]
@@ -15,7 +14,6 @@ digraph G {
     mondi [ label="Mondi Ravi (IN)" ]
     jinguk [ label="Jinguk Kwon (KR)" ]
     jason [ label="Jason Kim (KR)" ]
-    youngrong [ label="Young-Rong Park (KR)" ]
     youngjin [ label="Young-Jin Han (KR)" ]
     jerry [ label="Jerry Padavath (CH, VR)" ]
 
@@ -29,11 +27,11 @@ digraph G {
 
     subgraph cluster_ch {
         label="Schweiz"
-        nico->{sanghee, balazs, timothee, marc, dominique, samuel};
+        nico->{sanghee, timothee, marc, dominique, samuel};
     }
     subgraph cluster_international {
         label="International"
-        nico->{ahmed, mondi, jinguk,jason,youngrong,youngjin}
+        nico->{ahmed, mondi, jinguk,jason,youngjin}
     }
 
 

routing-multirouter-stateful-bad.dot

@@ -0,0 +1,20 @@
+digraph G {
+    node [ shape=box ]
+
+    upstreamrouter1 [ label="Upstream Router 1\nStateless routing" ];
+    upstreamrouter2 [ label="Upstream Router 2\nStateless routing" ];
+
+    router1 [ label="Internal Router 1\nStateful routing" ];
+    router2 [ label="Internal Router 2\nStateful routing" ];
+
+    servers [ label="Servers" ]
+    internet [ label="Internet" shape=oval ]
+
+    servers->router1 [ label="Use as default router" ]
+    router1->{upstreamrouter1,upstreamrouter2} [ label="Forward packet" ]
+    {upstreamrouter1,upstreamrouter2}->internet [ label="Forward packet" ]
+    internet->{upstreamrouter1,upstreamrouter2} [ label="Send answers" ]
+    {upstreamrouter1,upstreamrouter2}->router2 [ label="Return anwers from the Internet" ]
+    router2->servers [ label="Drop the answer, no state entry" ]
+
+}

routing-multirouter-stateful-good.dot

@@ -0,0 +1,19 @@
+digraph G {
+    node [ shape=box ]
+
+    upstreamrouter1 [ label="Upstream Router 1\nStateless routing" ];
+    upstreamrouter2 [ label="Upstream Router 2\nStateless routing" ];
+
+    router1 [ label="Internal Router 1\nStateful routing" ];
+
+    servers [ label="Servers" ]
+    internet [ label="Internet" shape=oval ]
+
+    servers->router1 [ label="Use as default router" ]
+    router1->{upstreamrouter1,upstreamrouter2} [ label="Forward packet" ]
+    {upstreamrouter1,upstreamrouter2}->internet [ label="Forward packet" ]
+    internet->{upstreamrouter1,upstreamrouter2} [ label="Send answer" ]
+    {upstreamrouter1,upstreamrouter2}->router1 [ label="Return anwers from the Internet" ]
+    router1->servers [ label="Forward the answer" ]
+
+}

routing-multirouter-stateful.dot

@@ -0,0 +1,21 @@
+digraph G {
+    node [ shape=box ]
+#    rankdir=LR;
+
+    upstreamrouter1 [ label="Upstream Router 1\nStateless routing" ];
+    upstreamrouter2 [ label="Upstream Router 2\nStateless routing" ];
+
+    router1 [ label="Internal Router 1\nStateful routing" ];
+    router2 [ label="Internal Router 2\nStateful routing" ];
+
+    servers [ label="Servers" ]
+    internet [ label="Internet" shape=oval ]
+
+    servers->{router1,router2} [ label="Use as default router\nSend packets via either" ]
+    {router1,router2}->{upstreamrouter1,upstreamrouter2} [ label="Announce 2001:db8::/64\n via BGP\nUse as default router" ]
+    {upstreamrouter1,upstreamrouter2}->internet [ label="Forward packets" ]
+    internet->{upstreamrouter1,upstreamrouter2} [ label="Send answers" ]
+    {upstreamrouter1,upstreamrouter2}->{router1,router2} [ label="Return anwers from the Internet" ]
+    {router1,router2}->servers [ label="Forward the answer" ]
+
+}

ungleich-infrastructure.dot

@@ -28,10 +28,10 @@ graph G {
         router1p5 [ label="router1\nfirewall\nrouter\nnetboot" ];
         router2p5 [ label="router2\nfirewall\nrouter\nnetboot" ];
 
-	apurouter1p5 [ label="dhcpv4\nnetboot\ncoworking" ];
-	apurouter2p5 [ label="dhcpv4\nnetboot\ncoworking" ];
+	    apurouter1p5 [ label="dhcpv4\nnetboot\ncoworking" ];
+	    apurouter2p5 [ label="dhcpv4\nnetboot\ncoworking" ];
 
-	red1p5 [ label="red1\nceph monitor\nopennebula mysql" ];
+	    red1p5 [ label="red1\nceph monitor\nopennebula mysql" ];
         red2p5 [ label="red2\nceph monitor\n" ];
         red3p5 [ label="red3\nceph monitor\n" ];
 
@@ -59,16 +59,16 @@ graph G {
         ups2 [ label="UPS2\n2200VA\n1320W" ]
         ups3 [ label="UPS3\n2200VA\n1320W" ]
         ups4 [ label="UPS4\n2200VA\n1320W" ]
-	ups5 [ label="UPS5\n2200VA\n1320W" ]
-	ups6 [ label="UPS6\n2200VA\n1320W" ]
-	ups7 [ label="UPS7\n2200VA\n1320W" ]
-	ups1small [ label="UPS1-Small\n1000VA\n550W" ]
+      	ups5 [ label="UPS5\n2200VA\n1320W" ]
+	    ups6 [ label="UPS6\n2200VA\n1320W" ]
+	    ups7 [ label="UPS7\n2200VA\n1320W" ]
+	    ups1small [ label="UPS1-Small\n1000VA\n550W" ]
         noorunknownups [ label="No or unknown UPS" ]
 
         server1p5 -- ups1 [ label="Power connection 1100W" ]
         server2p5 -- ups3 [ label="Power connection 1100W" ]
-	server3p5 -- ups6 [ label="Power connection 1100W" ]
-	server4p5 -- ups7 [ label="Power connection 1100W" ]
+	    server3p5 -- ups6 [ label="Power connection 1100W" ]
+	    server4p5 -- ups7 [ label="Power connection 1100W" ]
 
 	router1p5 -- ups5 [ label="Power connection 1100W" ]
 
@@ -327,4 +327,8 @@ graph G {
     redp7--saltlte;
     server1p11--mythicbeasts [ label="Default Route" ];
 
+
+    # BGP / routing / logic networking
+
+
 }

ungleich-network.dot

@@ -0,0 +1,65 @@
+digraph G {
+    node [ shape=rect ];
+
+    label="Data Center Light networking/routing (2021-04-11)"
+
+    {router1p5,router2p5}->sunrise;
+
+    sunrise->igp [ label="Add sunrise on-link routes" ]
+    netstream->igp [ label="Add netstream on-link routes" ]
+    vpnserver->routers [ label="eBGP: Announce /40's (reprop)" ]
+
+    apurouters->routers [ label="Announce (internal) /64's" ]
+    apurouters->igp [ label="Announce internal on-link routes (these
+    are /64's" ]
+
+    k8s->apurouters [ label="Announce /122, /128 routes (iBGP/eBGP)" ]
+
+    something->switches [ label="Re-Announce k8s routes for ECMP" ]
+
+    # Questions:
+    # Do VPN servers import routes? Probably not, can use default route
+    # Do APU routers import routes? Yes from k8s
+    # Do APU routers import routes from routers? Maybe.
+    # Maybe not: can have default route to routers
+    # Maybe yes: to learn k8s routes
+    # Will announce k8s routes via eBGP, nexthop reset. not what we want
+
+    # Can we use iBGP + separate table instead of ospf/babel?
+
+    ######################################################################
+    # Switch interaction
+    # Either OSPF or BGP
+    #
+    # Primary objective: ecmp routes for k8s nodes / pods
+    # Secondary objective (maybe) routing for the switch
+    #
+    # BGP: f.i. connecting to a route reflector; or routes come in via
+    # eBGP
+    # BGP / maybe RR seems a bit more native
+    # OSPF: MTU mismatch showing, automatic join, only internal routes
+
+    ######################################################################
+    #
+    #
+
+
+    ######################################################################
+    # k8s
+    # k8s systems could in theory peer with switches -> security
+    # design not so eay
+    #
+    # k8s systems could peer with routers (multihop, iBGP)
+    #
+    # k8s systems could peer with apu-routers (direct, iBGP)
+    # apu-routers would need to become route-reflector towards routers
+    #
+    # k8s systems could peer with apu-routers (direct, eBGP)
+    #
+    # routers can re-export to APUs as route reflectors
+
+    # How do the routers reach k8s system? Need route from apu routers
+    # probably via igb
+
+
+}

v6onlyvm-vs-dualstackvm-dns64-nat64.dot

@@ -0,0 +1,21 @@
+digraph G {
+    node [ shape=box ]
+#    rankdir=LR;
+
+    v6only [ label="IPv6 only VM\nIPv6 network (A)" ];
+    dualvm [ label="Dual Stack VM\nIPv6 network (B)" ];
+    dnsserver [ label="DNS server" ]
+    nat64 [ label="NAT64 translator" ]
+    v4onlysite [ label="IPv4 destination" ]
+
+    v6only->dnsserver [ label="A1. Request AAAA entry for IPv4 only site" ]
+    dnsserver->v6only [ label="A2. Returns fake AAAA entry for IPv4 only site" ]
+
+    v6only->nat64 [ label="A3. Send request via IPv6" ]
+    nat64->v4onlysite [ label="A4. Translate and send request via IPv4" ]
+
+    dualvm->dnsserver [ label="B1. Request A entry for IPv4 only site" ]
+    dnsserver->dualvm [ label="B2. Returns fake A entry for IPv4 only site" ]
+    dualvm->v4onlysite [ label="B3. Connect via IPv4" ]
+
+}