Subject: Re: default route and private networks
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-net
Date: 04/26/2005 00:06:21

On Tue, Apr 26, 2005 at 01:11:06AM -0400, Steven M. Bellovin wrote:
> In message <86ll76uodh.fsf@athene.hamartun.priv.no>, Tom Ivar Helbekkmo writes:
> >"Steven M. Bellovin" <smb@cs.columbia.edu> writes:
> >
> >> The current semantics, as I understand them, is that the source address
> >> assigned is taken from the routing table entry used for the (initial,
> >> for TCP) outgoing packet.  In particular, the first address on the
> >> interface selected is used.  Suppose we try to extend that, by
> >> associating explicit source addresses with routing entries.  When a
> >> destination address matches some particular route table entry, the
> >> source address associated with that address would be used as the source
> >> address for the packet.
> >
> >This is already in the code, and I've just checked that it works.
> >
> ># ifconfig vlan1 inet 192.168.1.10 netmask 255.255.255.0
> ># ifconfig vlan1 inet 192.168.1.20 netmask 255.255.255.0 alias
> ># route add 192.168.2.0/24 192.168.1.1 -ifa 192.168.1.20
> >
> >Outbound packets not explicitly bound, but using the given route, are
> >addressed from 192.168.1.20.  Other packets sent out that interface
> >are addressed from 192.168.1.10.  "route get" shows what is stored.
> 
> That's almost, but not quite, what is needed here.  If you specify
> -ifa, the packet is sent out on that interface.  We want to send on
> interface A while using some address from interface B.

Do we necessarily want that? I'd be happy with going out an interface that
that address is on.

Another option would be that the -ifa and -ifp parameters could both be
set such that we indicate we use address X out iface Y, when address X is
on iface Z.

However, I'm not sure if/when we'd want this. I was thinking about the
problem where we don't have a defined source address but have
administrative knowledge based on the destination address. So we are
replacing the "just pick one" behavior now.

The cases when we'd want to go out address A but with an addr on B are all
ones where, AFAICT, we have a defined source address already. So we
wouldn't be using the ifa in the route.

Take care,

Bill
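[Editor's note: the following is an added model, not code from NetBSD or from
anyone in this thread.  It reproduces Tom's vlan1 configuration from the
quoted message and the source-selection rules the thread describes: an
explicitly bound socket keeps its address; otherwise a route carrying -ifa
supplies the source address and, as Steve observes for the current code, the
interface that address lives on; otherwise the first address on the outgoing
interface is used.  It also implements Bill's hypothetical "-ifa X -ifp Y"
combination, where X is on a different interface than Y.  The second
interface vlan2, its 10.0.0.0/24 prefix, the 172.16.0.0/16 route and the
`Stack` class are constructed for the example and are not part of any real
implementation.]

```python
"""Toy model of BSD source-address selection with a per-route -ifa.

Added example, not NetBSD code.  Interfaces, addresses and routes other than
Tom's vlan1 setup are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    # addrs[0] is the primary address, later entries are aliases
    addrs: List[str] = field(default_factory=list)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]      # None for a directly connected prefix
    ifp: str                    # outgoing interface
    ifa: Optional[str] = None   # explicit source address from `route add ... -ifa`


class Stack:
    """Hypothetical in-memory stand-in for the kernel's interface and route tables."""

    def __init__(self) -> None:
        self.ifaces: Dict[str, Interface] = {}
        self.routes: List[Route] = []

    # ifconfig IF inet ADDR netmask MASK [alias]
    def ifconfig(self, ifname: str, addr: str, prefixlen: int = 24) -> None:
        iface = self.ifaces.setdefault(ifname, Interface(ifname))
        iface.addrs.append(addr)
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        # one connected route per prefix; an alias on the same subnet adds nothing
        if not any(r.prefix == net and r.gateway is None for r in self.routes):
            self.routes.append(Route(net, None, ifname))

    def owner_of(self, addr: str) -> Optional[str]:
        for iface in self.ifaces.values():
            if addr in iface.addrs:
                return iface.name
        return None

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the route table."""
        d = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if d in r.prefix]
        return max(cands, key=lambda r: r.prefix.prefixlen, default=None)

    # route add PREFIX GATEWAY [-ifa ADDR] [-ifp IF]
    def route_add(self, prefix: str, gateway: str,
                  ifa: Optional[str] = None, ifp: Optional[str] = None) -> Route:
        if ifa is not None and self.owner_of(ifa) is None:
            raise ValueError(f"{ifa} is not configured on any interface")
        if ifp is None and ifa is not None:
            # current behaviour per the thread: -ifa alone also selects the interface
            ifp = self.owner_of(ifa)
        if ifp is None:
            via = self.lookup(gateway)
            if via is None or via.gateway is not None:
                raise ValueError(f"gateway {gateway} is not directly reachable")
            ifp = via.ifp
        rt = Route(ipaddress.ip_network(prefix), gateway, ifp, ifa)
        self.routes.append(rt)
        return rt

    def select_source(self, dst: str, bound: Optional[str] = None) -> Tuple[str, str]:
        """Return (source address, outgoing interface) for a packet to dst."""
        rt = self.lookup(dst)
        if rt is None:
            raise ValueError(f"no route to {dst}")
        if bound is not None:
            # socket already bound: the route's administrative ifa is not consulted
            return bound, rt.ifp
        if rt.ifa is not None:
            return rt.ifa, rt.ifp
        # "just pick one": first address on the selected interface
        return self.ifaces[rt.ifp].addrs[0], rt.ifp


def build_example() -> Stack:
    s = Stack()
    # Tom's configuration from the quoted message
    s.ifconfig("vlan1", "192.168.1.10")
    s.ifconfig("vlan1", "192.168.1.20")  # alias
    s.route_add("192.168.2.0/24", "192.168.1.1", ifa="192.168.1.20")
    # Constructed second interface for Bill's hypothetical -ifa/-ifp case
    s.ifconfig("vlan2", "10.0.0.1")
    s.route_add("172.16.0.0/16", "10.0.0.254", ifa="192.168.1.20", ifp="vlan2")
    return s


if __name__ == "__main__":
    s = build_example()
    for dst in ("192.168.2.7", "192.168.1.99", "172.16.3.4"):
        print(dst, "->", s.select_source(dst))
```

Running it shows the three outcomes the thread distinguishes: 192.168.2.7
goes out vlan1 from 192.168.1.20 (the -ifa route), 192.168.1.99 goes out
vlan1 from the primary 192.168.1.10 (no ifa, first address wins), and
172.16.3.4 goes out vlan2 from 192.168.1.20 even though that address lives
on vlan1 (the hypothetical -ifa plus -ifp case).  Passing `bound=` shows
that a pre-bound socket bypasses the route's ifa entirely, which is Bill's
point about the cases where a source address is already defined.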
