Subject: Re: ipv6 source address selection
To: None <tech-net@NetBSD.org>
From: David Young <dyoung@pobox.com>
List: tech-net
Date: 09/25/2007 11:49:01
On Tue, Sep 25, 2007 at 07:21:29AM +0200, Michael van Elst wrote:
> On Tue, Sep 25, 2007 at 12:11:39PM +0900, JINMEI Tatuya / ???? wrote:
> > At Mon, 24 Sep 2007 11:45:55 +0200,
> > Ignatios Souvatzis <is@netbsd.org> wrote:
> > 
> > > > >On Fri, Sep 21, 2007 at 02:21:19PM +0200, Ignatios Souvatzis wrote:
> > > > >> How can I influence the source address used on a socket if the application
> > > > >> doesn't set one?
> > > > 
> > > > >Would the "deprecated" keyword of ifconfig help you?
> > > > 
> > > > 
> > > > He is probably looking for the IPSELSRC equivalent for IPv6.
> > > 
> > > Hm.... right.
> > 
> > I didn't know IPSELSRC, but does the source address selection
> > mechanism based on RFC3484 satisfy your need?  The (current) NetBSD
> > kernel already supports the framework, although the configuration tool
> > (called ip6addrctl in FreeBSD) seems to be missing.
> 
> If I read RFC3484 correctly you can configure a 'policy table'
> with a best precedence value assigned to the single IP address
> that you want to use when talking to some network by giving the
> single address and the network the same distinguished label.
> 
> That seems to be sufficient.
> 
> Is the RFC3484 support implemented for KAME and for FAST_IPSEC?

IMO the best way to provide RFC3484 support is to adapt IPSELSRC for the
purpose, so that we do not have two entirely different policy mechanisms
for source selection, and all of the kernel bloat and operator confusion
that entails.

Conceptually, IPSELSRC is at least powerful enough to express
RFC3484-style source-selection rules, which is all that the RFC requires.

Dave

-- 
David Young             OJC Technologies
dyoung@ojctech.com      Urbana, IL * (217) 278-3933 ext 24
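The policy-table mechanism discussed above (give one source address and one destination network the same distinguished label so that address wins for that network) can be modelled in a few lines. The following is an added example written for this page; it is not NetBSD kernel code, not the FreeBSD ip6addrctl tool and not IPSELSRC. It implements the RFC 3484 default policy table with longest-prefix lookup and only two of the section 5 source-selection rules (rule 6, prefer matching label, and rule 8, longest matching prefix); the 2001:db8::/32 addresses are constructed documentation addresses, and ties fall to the first candidate listed.

```python
import ipaddress

# Default policy table from RFC 3484 section 2.1: (prefix, precedence, label).
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]


def build_policy(entries):
    """Parse (prefix, precedence, label) tuples into network objects."""
    return [(ipaddress.IPv6Network(p), prec, label) for p, prec, label in entries]


def lookup(policy, addr):
    """Longest-prefix match of addr in the policy table; returns (precedence, label)."""
    a = ipaddress.IPv6Address(addr)
    best = None
    for net, prec, label in policy:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prec, label)
    if best is None:
        # Only reachable with a custom table that lacks a ::/0 entry.
        return (0, None)
    return (best[1], best[2])


def common_prefix_len(a, b):
    """Number of leading bits shared by two IPv6 addresses (used by rule 8)."""
    x = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - x.bit_length()


def select_source(policy, candidates, dest):
    """Pick a source address for dest from candidates.

    Ranking key, highest wins:
      rule 6: source label equals destination label
      rule 8: longest common prefix with the destination
    Other RFC 3484 rules (scope, deprecation, home address, ...) are omitted.
    """
    _, dlabel = lookup(policy, dest)

    def rank(src):
        _, slabel = lookup(policy, src)
        return (1 if slabel == dlabel else 0, common_prefix_len(src, dest))

    return max(candidates, key=rank)


if __name__ == "__main__":
    # Constructed scenario: two addresses on one link, both label 1 by default,
    # so nothing distinguishes them for a destination in 2001:db8:ffff::/48.
    cands = ["2001:db8:1::10", "2001:db8:1::20"]
    default = build_policy(DEFAULT_POLICY)
    print(select_source(default, cands, "2001:db8:ffff::1"))

    # Operator policy: the single address and the destination network share label 7,
    # so rule 6 now prefers 2001:db8:1::20 for that network and nothing else changes.
    custom = build_policy(DEFAULT_POLICY + [
        ("2001:db8:1::20/128", 40, 7),
        ("2001:db8:ffff::/48", 40, 7),
    ])
    print(select_source(custom, cands, "2001:db8:ffff::1"))
    print(select_source(custom, cands, "2001:db8:2::1"))
```

The two added entries keep the default precedence (40) so destination ordering is unaffected; only the label changes, which is exactly the "same distinguished label" trick described in the quoted message. Checking a proposed table against a list of local addresses and representative destinations this way is a cheap sanity test before loading it into a kernel.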