[Swan-dev] virutal-private [was: overlapping address pools]
Paul Wouters
paul at nohats.ca
Tue Apr 22 04:30:42 EEST 2014
On Mon, 21 Apr 2014, D. Hugh Redelmeier wrote:
> Consider
> virtual_private=%v4:!10.0.0.0/8,%v4:10.0.0.0/24
> No addresses are private in this case. I imagine that that surprises
> you.
>
> Consider
> virtual_private=%v4:10.0.0.0/8,%v4:!10.0.0.0/16,%v4:10.0.0.0/24
> In this one, the /24 will not have an effect.
I see. Those cases are unexpected (though understandable)
> | If multiple includes overlap, why would we care as long as we match it?
> | If multiple excludes overlap, why would we care as long as we match it?
>
> any matching exclude (no matter how broad) trumps any include (no
> matter how narrow).
So it is failing on the side of caution. I do think that longest prefix
first match, regardless of include or exclude, would be more intuitive
and the right thing to do.
> Note: I don't see a disaster here, only an awkwardness and a surprise.
> My guess is that most virtual-private specifications are simple and
> don't hit this lack of expressive power.
Yes, but bigger deployments could definitely hit this, especially
after some organic (unmanaged) growth or acquisitions.
Paul
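To make the two semantics in this exchange concrete, here is an added example (not libreswan code, and not part of the original thread) that parses a simplified virtual_private string and evaluates both the documented rule (any matching exclude trumps any include) and the longest-prefix rule Paul proposes, on the two specifications quoted above. It assumes only `%v4:`/`%v6:` entries with an optional leading `!`, and that on equal prefix length the exclude wins.

```python
import ipaddress

def parse_virtual_private(spec):
    """Parse a virtual_private string into (excluded, network) pairs.
    Assumption: only %v4:/%v6: entries, optional leading '!' for exclude."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        family, _, net = item.partition(":")
        if family not in ("%v4", "%v6"):
            raise ValueError(f"unsupported virtual_private entry: {item}")
        excluded = net.startswith("!")
        entries.append((excluded, ipaddress.ip_network(net.lstrip("!"), strict=False)))
    return entries

def is_private_exclude_wins(addr, entries):
    """Semantics described in the thread: any matching exclude, however broad,
    trumps any include, however narrow. No match at all means not private."""
    ip = ipaddress.ip_address(addr)
    matches = [excl for excl, net in entries if ip.version == net.version and ip in net]
    return bool(matches) and not any(matches)

def is_private_longest_prefix(addr, entries):
    """Proposed alternative: the most specific (longest prefix) matching entry
    decides, whether it is an include or an exclude. Tie: the exclude wins."""
    ip = ipaddress.ip_address(addr)
    best = None  # (excluded, network) of the most specific match so far
    for excl, net in entries:
        if ip.version != net.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[1].prefixlen \
                or (net.prefixlen == best[1].prefixlen and excl):
            best = (excl, net)
    return best is not None and not best[0]

if __name__ == "__main__":
    # Constructed inputs: the two specifications quoted in the thread.
    for spec in ("%v4:!10.0.0.0/8,%v4:10.0.0.0/24",
                 "%v4:10.0.0.0/8,%v4:!10.0.0.0/16,%v4:10.0.0.0/24"):
        entries = parse_virtual_private(spec)
        for addr in ("10.0.0.5", "10.0.5.5", "10.5.5.5"):
            print(spec, addr, is_private_exclude_wins(addr, entries),
                  is_private_longest_prefix(addr, entries))
```

Under the documented rule neither specification ever treats 10.0.0.5 as private; under longest-prefix matching the /24 include wins in both cases.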