[Swan-dev] virutal-private [was: overlapping address pools]
D. Hugh Redelmeier
hugh at mimosa.com
Tue Apr 22 04:18:07 EEST 2014
| From: Paul Wouters <paul at nohats.ca>
| On Mon, 21 Apr 2014, D. Hugh Redelmeier wrote:
| > There are two virtual-private subnet lists: inclusive and exclusive.
| > An address is considered private if it is covered by at least one
| > subnet in the inclusive list and no subnet in the exclusive list.
| >
| > No consideration is given to overlap.
|
| What overlap are you thinking of? The most common case is like:
|
| virtual_private=%v4:10.0.0.0/8,%v4:!10.0.0.0/24
|
| I guess this is not the overlap you mean? 10.0.0.2/32 should get
| rejected here, but 10.1.2.3/32 would not get rejected.
That example is fine.
Consider
virtual_private=%v4:!10.0.0.0/8,%v4:10.0.0.0/24
No addresses are private in this case. I imagine that that surprises
you.
Consider
virtual_private=%v4:10.0.0.0/8,%v4:!10.0.0.0/16,%v4:10.0.0.0/24
In this one, the /24 will not have an effect.
| If multiple includes overlap, why would we care as long as we match it?
| If multiple excludes overlap, why would we care as long as we match it?
any matching exclude (no matter how broad) trumps any include (no
matter how narrow).
| > It seems to me that the conventional test would be:
| >
| > What is the smallest subnet that includes the address in question?
| > If it is in the inclusive set, the address is private.
|
| I believe that is already they case? See the above example.
No. See the above example :-) And read the rule I gave (top of this
message).
| > Also, it would seem to be a mistake to have the same subnet appear
| > twice or more (either in the same or different lists). This would be
| > a mistake in the lists.
|
| Seems a pretty harmless mistake. We could ignore the second one and log
| a warning. Causing an error seems excessive and might break things.
It seems pretty harmless unless there is one in each list. Which
takes priority? The answer is easy right now: the one in the exclude
list wins. If we change to "narrowest wins", then the issue comes up.
Note: I don't see a disaster here, only an awkwardness and a surprise.
My guess is that most virtual-private specifications are simple and
don't hit this lack of expressive power.
More information about the Swan-dev
mailing list