Operational Issues

Setting up and operating a tunnel opens a number of issues that we need to keep in mind.

Tunnels that need to be explicitly configured can become a serious burden. A single tunnel is not too bad, but if we want to configure tunnels between a dozen tunnel routers, then we need 12 x 11 = 132 separate tunnels. This makes self-configuring 6to4 tunnels particularly valuable.

In some cases, broken tunnels are difficult to debug. If we have access to the tunnel entry and exit nodes, then the situation isn't too bad. But if one of the tunnel nodes is outside our administrative control, then things can quickly become tedious and frustrating because we see the tunnel as a broken link-layer connection only.

It is possible to set up nested tunnels, like tunneling IPv4 over IPv6 over IPv4. In fact, there are situations where we might have reason to do so. But nested tunnels pose the risk that we route a tunneled packet into the tunnel again. These tunnel loops can cause traffic storms that we must avoid. Fortunately, in many cases a tunnel entry point will refuse to let an already-tunneled packet enter the tunnel unless explicitly configured to do so.

Prepending an additional IP header to a packet will make it larger. The maximum transmission unit (MTU) of a tunnel is therefore smaller than that of the actual link layer. Thanks to the mandatory path MTU discovery, this usually won't affect network traffic too much. But there have been cases of "telnet works but FTP doesn't" that were eventually traced back to a bad MTU configuration.
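
The MTU arithmetic above can be checked mechanically. The following is an added example, not part of the original text: it assumes minimum-size outer headers (20 bytes for IPv4 without options, 40 bytes for IPv6 without extension headers), and the interface name and MTU values are constructed.

```python
# Added example: header sizes are the fixed minimums (no IPv4 options,
# no IPv6 extension headers); all interface values below are constructed.
IPV4_HEADER = 20      # bytes, IPv4 header without options
IPV6_HEADER = 40      # bytes, fixed IPv6 header
IPV6_MIN_MTU = 1280   # every IPv6 link must carry at least this (RFC 8200)

OVERHEAD = {"ipv4": IPV4_HEADER, "ipv6": IPV6_HEADER}


def tunnel_mtu(link_mtu, outer_headers):
    """MTU left for the inner packet after prepending outer_headers.

    outer_headers lists every encapsulating header between the inner
    packet and the link, e.g. ["ipv4", "ipv6"] for IPv4 over IPv6 over IPv4.
    """
    return link_mtu - sum(OVERHEAD[p] for p in outer_headers)


def fits(packet_size, link_mtu, outer_headers):
    """True if an inner packet still fits the link once encapsulated."""
    return packet_size <= tunnel_mtu(link_mtu, outer_headers)


def audit_tunnel(name, link_mtu, outer_headers, configured_mtu, inner="ipv6"):
    """Return a list of findings for one tunnel interface."""
    usable = tunnel_mtu(link_mtu, outer_headers)
    findings = []
    if configured_mtu > usable:
        findings.append(
            f"{name}: configured MTU {configured_mtu} exceeds usable {usable}; "
            f"packets of {usable + 1}..{configured_mtu} bytes exceed the link"
        )
    if inner == "ipv6" and min(usable, configured_mtu) < IPV6_MIN_MTU:
        findings.append(f"{name}: MTU below IPv6 minimum of {IPV6_MIN_MTU}")
    return findings


if __name__ == "__main__":
    # Constructed case: IPv6-in-IPv4 tunnel left at the Ethernet default of 1500.
    for line in audit_tunnel("tun0", 1500, ["ipv4"], configured_mtu=1500):
        print(line)
    # Small interactive packet passes; full-size bulk-transfer packet does not.
    print("80-byte packet fits:  ", fits(80, 1500, ["ipv4"]))
    print("1500-byte packet fits:", fits(1500, 1500, ["ipv4"]))
    # Nested IPv4 over IPv6 over IPv4: both outer headers count.
    print("nested tunnel MTU:", tunnel_mtu(1500, ["ipv4", "ipv6"]))
```

The small packet passing while the full-size one fails is the pattern behind "telnet works but FTP doesn't": interactive traffic never reaches the size at which the misconfigured MTU matters.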

Finally, tunnels can seriously distort the topology of a network. Tunnels will always be considered direct link-layer connections between the tunnel endpoints. Without proper planning and documentation, tunnels will make networks unintelligible both to us and to dynamic routing. Dynamic routing needs to be configured properly to reflect the actual "distance" between the tunnel endpoints; otherwise it will send traffic through a tunnel even though a better route exists.

