[Swan-dev] overlapping address pools
Antony Antony
antony at phenome.org
Tue Apr 22 01:02:09 EEST 2014
On Sun, Apr 20, 2014 at 07:43:50PM -0400, D. Hugh Redelmeier wrote:
> | From: Antony Antony <antony at phenome.org>
>
> | It would be nice to have an option to assign unique addresses. When there
> | is an overlap, the new pool marks the unused overlapping addresses in the
> | old pool as used. If an address is already in use in an old pool, mark it
> | as used in the new pool.
>
> That's the kind of logic that I tried to portray as theoretically
> useful but probably used rarely enough that it isn't worth the
> considerable effort of coding, testing, and documenting. What's the
> use-case?
Let's say I create a conn with an addresspool and everything is working fine.
However, now I want to test a new conn with different IKE/ISAKMP parameters such as port number, IKE algorithm, authby.... Then I would take a part of the old address pool, a small range which is contained in the big one, and create a different conn with the new IKE parameters.
The alternative is to create a new conn with the exact same addresspool range as the previous one, which probably is not a bad solution. Also I realized that if I really want to, I can take a single address from an addresspool and configure it as a /32 leftsubnet. The proposed partial overlap check will not prohibit that :)
> | In libreswan, as far as I know, there is no overlap check for a subnet. An
> | address pool is very similar to a subnet; imagine it as a /32 subnet.
> | You could even replace it with a subnet. If subnet overlaps with another
> | subnet there is no warning. Then I am wondering why treat an addresspool
> | overlap as an error?
>
> When two subnets overlap, one contains the other (they can be the
> same, in which case they contain each other). That's simpler than
> IP-address ranges that are used for addresspools. Especially when
> considering more than two.
>
> Libreswan assigns from the addresspool. Subnet assignment isn't our
> business.
Libreswan assigns from a user configured addresspool. So I think addresspool and subnet assignments are similar.
Anyway, let's agree that a partial overlap between addresspools will be rejected. I will make the change.
regards,
-antony
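As an added illustration of the distinction Hugh draws above (two CIDR subnets can only nest or be disjoint, whereas arbitrary address ranges can partially overlap) and of the check agreed at the end of the thread, here is a small C example. It is not libreswan code; the type and function names, the host-order inclusive-range representation and the sample ranges are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* An IPv4 address pool as an inclusive range of host-order addresses (assumed representation). */
typedef struct { uint32_t lo, hi; } ip_range;

/* Build a host-order IPv4 address from its four octets. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum overlap { DISJOINT, IDENTICAL, CONTAINED, PARTIAL };

/* Classify how two ranges relate. CONTAINED means one lies inside the other (either
 * direction); PARTIAL means they share addresses but neither contains the other. */
enum overlap classify(ip_range a, ip_range b)
{
    if (a.hi < b.lo || b.hi < a.lo)
        return DISJOINT;
    if (a.lo == b.lo && a.hi == b.hi)
        return IDENTICAL;
    if ((a.lo <= b.lo && b.hi <= a.hi) || (b.lo <= a.lo && a.hi <= b.hi))
        return CONTAINED;
    return PARTIAL;
}

/* Convert a CIDR prefix into a range; two such ranges can never classify as PARTIAL. */
ip_range subnet_range(uint32_t addr, unsigned prefix_len)
{
    uint32_t mask = prefix_len == 0 ? 0 : 0xffffffffu << (32 - prefix_len);
    ip_range r = { addr & mask, addr | ~mask };
    return r;
}

/* The policy agreed in the thread: reject a new pool that partially overlaps an
 * existing one. Returns the index of the conflicting pool, or -1 if none. */
int find_partial_overlap(const ip_range *pools, int npools, ip_range candidate)
{
    for (int i = 0; i < npools; i++)
        if (classify(pools[i], candidate) == PARTIAL)
            return i;
    return -1;
}

int main(void)
{
    /* Constructed sample pools: a big one, a sub-range of it, and one straddling its end. */
    ip_range big = { IP4(10, 0, 0, 1), IP4(10, 0, 0, 200) };
    ip_range small = { IP4(10, 0, 0, 50), IP4(10, 0, 0, 60) };
    ip_range straddle = { IP4(10, 0, 0, 150), IP4(10, 0, 1, 10) };
    printf("small vs big: %d (2 = CONTAINED)\n", classify(big, small));
    printf("straddle conflicts with pool %d\n", find_partial_overlap(&big, 1, straddle));
    return 0;
}
```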