Re: Temporary IPv6 addresses vs. netgroups

To: tech-net%NetBSD.org@localhost
Subject: Re: Temporary IPv6 addresses vs. netgroups
From: David Young <dyoung%pobox.com@localhost>
Date: Sun, 3 Feb 2013 16:51:54 -0600

On Thu, Jan 31, 2013 at 10:27:53PM +1100, Darren Reed wrote:
> is%netbsd.org@localhost wrote:
> >On Thu, Jan 31, 2013 at 09:57:17PM +1100, Darren Reed wrote:
> >
> >>I wonder if focusing on addresses is the correct thing to do.
> >>
> >>Should we in fact be focusing on network interfaces instead?
> >
> >No. At least that's a different problem.
> >
> >We started talking about multiple addresses on the same LAN, some being
> >randomized and only intended for pseudonymous access to untrusted peers.
> >
> >The desire is to have an application tell it doesn't want to use them;
> >think address-authorized lpr or nfs.
> 
> What about being able to give an address a "metric" that enabled
> a sorting order for address selection?
> 
> # ifconfig bge0 alias 192.168.1.1 netmask 255.255.255.0 weight 15
> # ifconfig bge0 alais 10.1.1.1 netmask 255.255.252.0 weight 50

You can set an address preference using ifconfig, but it is only
considered by the kernel if you set 'options IPSELSRC' in your kernel.
'options IPSELSRC' contains solutions to some of the problems mentioned
in this thread.  See in_getifa(9).

I forgot to document the 'preference' keyword in ifconfig(8) and I think
that a PR recently may have been filed on that.

It would be nice if one could create more than one source-selection
policy and select one for the default global policy, a default for
a particular interface, a default for a process and its descendants,
and so on.

BTW, 'options IPSELSRC' is not enabled by default because it will
override a route's preferred source address set using 'route add ...
-ifa ...' and that's not desirable.  One day I will fix that, but it
requires messing some with routing code and in order to mess with
routing code one has to decipher it, no easy feat. :-) Also, I have
found that it is useful to select a source address because it is on the
same local subnet as the destination, but the implementation doesn't yet
allow for that because no routing entry is passed to in_getifa().

Dave

-- 
David Young
dyoung%pobox.com@localhost    Urbana, IL    (217) 721-9981

References:
- Re: Temporary IPv6 addresses vs. netgroups
  - From: Robert Elz
- Re: Temporary IPv6 addresses vs. netgroups
  - From: Darren Reed
- Re: Temporary IPv6 addresses vs. netgroups
  - From: Robert Elz
- Re: Temporary IPv6 addresses vs. netgroups
  - From: Darren Reed
- Re: Temporary IPv6 addresses vs. netgroups
  - From: is
- Re: Temporary IPv6 addresses vs. netgroups
  - From: Darren Reed

Prev by Date: Re: refactoring ip_output() and the L2 _output()
Next by Date: Re: refactoring ip_output() and the L2 _output()
Previous by Thread: Re: Temporary IPv6 addresses vs. netgroups
Next by Thread: Re: Temporary IPv6 addresses vs. netgroups
Indexes:

Home | Main Index | Thread Index | Old Index