[Swan-dev] overlapping address pools
D. Hugh Redelmeier
hugh at mimosa.com
Mon Apr 21 02:43:50 EEST 2014
| From: Antony Antony <antony at phenome.org>
| It would be nice to have an options to assign unique address. When there
| is an overlap, the new pool mark the unused overlapping addresses in the
| old pool as used. If an address already in use in an old pool mark it
| used in the new pool.
That's the kind of logic that I tried to portray as theoretically
useful but probably used rarely enough that it isn't worth the
considerable effort of coding, testing, and documenting. What's the
I also am suspicious of anything that isn't symmetric when the problem
seems more-or-less symmetric. And you've got to make sure that the
solution is transitive (i.e. what happens when a third inexactly
overlapping pool comes along, and a fourth, ... all with complicated
| In libreswan, as far I know, there is no overlap check for a subnet. An
| address pool is very similar to a subnet, imagine it as a /32 subnet.
| You could even replace it with a subnet. If subnet overlaps with another
| subnet there is no warning. Then I am wondering why treat an addresspool
| overlap as an error?
When two subnets overlap, one contains the other (they can be the
same, in which case they contain each other). That's simpler than
IP-address ranges that are used for addresspools. Especially when
considering more than two.
Libreswan assigns from the addresspool. Subnet assignment isn't our
In the old days, FreeS/WAN installed eroutes and routes, and the rules
of routing dictated what would happen. Something well-defined: the
smaller subnet wins. I think that FreeS/WAN generated an error if the
subnets were identical but the routing was different. I don't know
what happens now.
More information about the Swan-dev