Subject: Re: default route and private networks
To: None <tech-net@NetBSD.org>
From: Tom Ivar Helbekkmo <tih@eunetnorge.no>
List: tech-net
Date: 04/22/2005 22:44:07
David Young <dyoung@pobox.com> writes:

> Here are two heuristics that will help NetBSD select IPv4 source
> addresses that I believe will satisfy most askers on tech-net:

OK, I'm posting as one of said askers.

>         (1) Prefer a source address on the nexthop interface that
>             belongs to the same global/link-local/private category as
>             the destination address.  For example, prefer a source in
>             169.254/16 over all others for destinations 169.254.0.1
>             and 224.0.0.1; do not pick a source in 10/8, 192.168/16,
>             or 172.16/12 for a globally-routable destination.

That would avoid using RFC1918 addresses for non-RFC1918 targets,
without having to do NAT tricks on the outside interface.  Cool.

>         (2) Prefer the source addresses that have the longest prefix
>             in common with the destination address.

Probably even better.

> ISTR one asker wants to prefer one source address over another on the
> same interface.  Both the source addrs were in the same subnet.

That's easy: our existing routing system allows you to associate an
address with a route, so that any outgoing packets using the route
table entry will use the source address specified.

> Thoughts?

I'd like to see the "associate a source address with a route" thing
expanded to be completely cross-interface.  Case in point is my main
system at home.  It's connected to my internal (non-RFC1918) network,
"which is mine", and also to a tiny, /30, glue network that connects
me to my ISP's backbone.  I'd really like to be able to specify, for
instance in that machine's default route, that any outgoing traffic
from it that doesn't have a specified address to bind to as source
should be bound to the address it has on my inside network; the glue
net is completely uninteresting, and occurs nowhere in my DNS zones.

The alternative, I know, is to add a router to my hardware setup.  I'd
rather avoid that, for reasons of cost, noise, heat, and power use.

-tih
-- 
Don't ascribe to stupidity what can be adequately explained by ignorance.
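A small model of the two proposed heuristics and of the "source address associated with a route" mechanism discussed in this reply, written here as an added example; it is neither NetBSD code nor anything either poster wrote. The candidate addresses and routes are constructed, and treating 224.0.0.0/24 as link scope is an assumption taken from the message's own 224.0.0.1 example.

```python
import ipaddress

# Categories named in the message: link-local 169.254/16, the RFC1918
# blocks, and everything else "global".  Treating 224.0.0.0/24 (where
# 224.0.0.1 lives) as link scope is an assumption from the message's example.
LINK = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "224.0.0.0/24")]
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def category(addr):
    """Classify an IPv4 address as 'link', 'private' or 'global'."""
    if any(addr in n for n in LINK):
        return "link"
    if any(addr in n for n in PRIVATE):
        return "private"
    return "global"

def common_prefix_len(a, b):
    """Leading bits shared by two IPv4 addresses (heuristic 2)."""
    return 32 - (int(a) ^ int(b)).bit_length()

def select_source(candidates, dst):
    """Pick a source among the nexthop interface's addresses, or None.
    Heuristic 1: never a private source for a global destination, and
    otherwise prefer the destination's own category.
    Heuristic 2: break ties by longest common prefix with the destination."""
    dst = ipaddress.ip_address(dst)
    want = category(dst)
    usable = [ipaddress.ip_address(c) for c in candidates]
    if want == "global":
        usable = [c for c in usable if category(c) != "private"]
    if not usable:
        return None
    best = max(usable, key=lambda c: (category(c) == want,
                                      common_prefix_len(c, dst)))
    return str(best)

def source_for(routes, candidates, dst):
    """Per-route source binding as the reply describes (modelled here):
    routes are (prefix, source-or-None) pairs; the longest matching route
    wins and, if it names a source, that address is used outright."""
    d = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), s) for p, s in routes]
    matches = [(n, s) for n, s in matches if d in n]
    if matches:
        _, src = max(matches, key=lambda m: m[0].prefixlen)
        if src:
            return src
    return select_source(candidates, dst)
```

With a default route carrying the inside-network address and a bare /30 glue route, traffic to the ISP side of the glue net still picks the glue address by longest prefix, while everything else leaves from the inside address, which is the behaviour asked for above.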