[Swan-dev] overlapping address pools

Antony Antony antony at phenome.org
Tue Apr 22 01:02:09 EEST 2014


On Sun, Apr 20, 2014 at 07:43:50PM -0400, D. Hugh Redelmeier wrote:
> | From: Antony Antony <antony at phenome.org>
> 
> | It would be nice to have an option to assign unique addresses. When there 
> | is an overlap, the new pool marks the unused overlapping addresses in the 
> | old pool as used. If an address is already in use in an old pool, mark it 
> | used in the new pool.
> 
> That's the kind of logic that I tried to portray as theoretically
> useful but probably used rarely enough that it isn't worth the
> considerable effort of coding, testing, and documenting.  What's the
> use-case?

Let's say I create a conn with an addresspool and everything is working fine.
However, now I want to test a new conn with different IKE/ISAKMP parameters such as port number, IKE algorithm, authby... Then I would take a part of the old address pool, a small range which is contained in the big one, and create a different conn with new IKE parameters.

The alternative is to create a new conn with the exact same addresspool range as the previous one. Which probably is not a bad solution. Also I realized if I really want I can take a single address from an addresspool and configure it as /32 leftsubnet. The proposed partial overlap check will not prohibit that:)

> | In libreswan, as far as I know, there is no overlap check for a subnet. An 
> | address pool is very similar to a subnet, imagine it as a /32 subnet. 
> | You could even replace it with a subnet. If subnet overlaps with another 
> | subnet there is no warning. Then I am wondering why treat an addresspool 
> | overlap as an error?
> 
> When two subnets overlap, one contains the other (they can be the
> same, in which case they contain each other).  That's simpler than
> IP-address ranges that are used for addresspools.  Especially when
> considering more than two.
> 
> Libreswan assigns from the addresspool.  Subnet assignment isn't our
> business.

Libreswan assigns from a user configured addresspool. So I think addresspool and subnet assignments are similar.

Anyway, let's agree that a partial overlap between addresspools will be rejected. I will make the change.

regards,
-antony
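The distinction Hugh draws above (two CIDR subnets can only be disjoint or nested, while two arbitrary address ranges can also overlap partially) and the rule Antony agrees to (reject a new pool that partially overlaps an existing one) can be shown with a small range classifier. The following is an added example, not libreswan's own pool code; all names (range_t, classify, pool_rejected and the parsers) are hypothetical, and the sample ranges are constructed. The thread settles only the partial-overlap case, so identical and nested pools are merely reported here for the caller to decide on.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper types, not libreswan's own.
 * A pool is an inclusive IPv4 range [lo, hi] in host byte order. */
typedef struct { uint32_t lo, hi; } range_t;

enum overlap { OV_DISJOINT = 0, OV_SAME = 1, OV_NESTED = 2, OV_PARTIAL = 3 };

/* Parse a dotted quad into a host-order integer. Returns 1 on success. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char trailing;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4)
        return 0;                       /* too few octets or trailing junk */
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 1;
}

/* Parse an addresspool written as "lo-hi", e.g. "10.0.0.1-10.0.0.100". */
static int parse_range(const char *s, range_t *r)
{
    char buf[64];
    char *dash;
    if (strlen(s) >= sizeof buf) return 0;
    strcpy(buf, s);
    dash = strchr(buf, '-');
    if (dash == NULL) return 0;
    *dash = '\0';
    if (!parse_ipv4(buf, &r->lo) || !parse_ipv4(dash + 1, &r->hi)) return 0;
    return r->lo <= r->hi;
}

/* Parse a CIDR subnet "addr/len" into the range of addresses it spans. */
static int parse_cidr(const char *s, range_t *r)
{
    char buf[64];
    char *slash, *end;
    uint32_t addr, mask;
    unsigned long len;
    if (strlen(s) >= sizeof buf) return 0;
    strcpy(buf, s);
    slash = strchr(buf, '/');
    if (slash == NULL) return 0;
    *slash = '\0';
    if (!parse_ipv4(buf, &addr)) return 0;
    len = strtoul(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || len > 32) return 0;
    mask = (len == 0) ? 0 : 0xFFFFFFFFu << (32 - len);
    r->lo = addr & mask;                /* network address */
    r->hi = addr | ~mask;               /* broadcast address */
    return 1;
}

/* Classify how two inclusive ranges relate. For CIDR-derived ranges this
 * never yields OV_PARTIAL: aligned power-of-two blocks nest or are disjoint. */
static enum overlap classify(range_t a, range_t b)
{
    if (a.hi < b.lo || b.hi < a.lo) return OV_DISJOINT;
    if (a.lo == b.lo && a.hi == b.hi) return OV_SAME;
    if ((a.lo <= b.lo && b.hi <= a.hi) || (b.lo <= a.lo && a.hi <= b.hi))
        return OV_NESTED;
    return OV_PARTIAL;
}

/* String front-ends; return the enum value, or -1 on a parse error. */
static int classify_ranges(const char *a, const char *b)
{
    range_t ra, rb;
    if (!parse_range(a, &ra) || !parse_range(b, &rb)) return -1;
    return (int)classify(ra, rb);
}

static int classify_subnets(const char *a, const char *b)
{
    range_t ra, rb;
    if (!parse_cidr(a, &ra) || !parse_cidr(b, &rb)) return -1;
    return (int)classify(ra, rb);
}

/* The rule agreed in the thread: reject a candidate pool that partially
 * overlaps an existing one. Returns 1 = reject, 0 = not a partial overlap,
 * -1 = parse error. Identical or nested pools are left to caller policy. */
static int pool_rejected(const char *existing, const char *candidate)
{
    int ov = classify_ranges(existing, candidate);
    if (ov < 0) return -1;
    return ov == OV_PARTIAL;
}

int main(void)
{
    /* Constructed sample pools: the scenario from the thread plus a partial one. */
    const char *big = "10.0.0.1-10.0.0.100";
    const char *candidates[] = { "10.0.0.10-10.0.0.20", "10.0.0.50-10.0.0.200",
                                 "10.0.0.1-10.0.0.100", "10.0.0.101-10.0.0.200" };
    static const char *names[] = { "disjoint", "same", "nested", "partial" };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        int ov = classify_ranges(big, candidates[i]);
        printf("%-22s vs %-22s: %-8s rejected=%d\n", big, candidates[i],
               ov < 0 ? "error" : names[ov], pool_rejected(big, candidates[i]));
    }
    printf("10.0.0.0/24 vs 10.0.0.128/25: %s\n",
           names[classify_subnets("10.0.0.0/24", "10.0.0.128/25")]);
    return 0;
}
```

The small range contained in the big pool (Antony's test-conn case) classifies as nested, not partial, so the agreed check does not reject it by itself; the second candidate straddles the end of the big pool and is the case the check exists for.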