[Swan-dev] better name for {left,right}ifaceip?
Antony Antony
antony at phenome.org
Mon Jan 27 16:39:33 UTC 2020
first quick answer to Hugh's follow up questions.
On Mon, Jan 27, 2020 at 10:58:45AM -0500, D. Hugh Redelmeier wrote:
> Has iface-ip been advertised?
no. code is incomplete. We can change at this point. I would be happy to.
Though Paul may have signoff. My recollection is, he want something similar to
leftvti=10.0.1.254/24 for ipsec-ineterface/xfrmi, so when we kill VTI this
new IP address can take leftvti's function. I argued it is also useful for
non ipsec-inetrface case.
> Andrew's points all seem valid too. But I haven't thought deeply about
> this.
There request was to add something like VTI usecase. We need an IP
address/mask (not same as subnet, no port and broadcast and network address
should be invalid).
sourceip != iface-ip. Sourceip is only allowed with /32 or /128 prefix
length. With source ip there will be a route with that IP address as the
source, for source address selection based on route.
e.g
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
https://testing.libreswan.org/v3.28-1519-g8a299ca7ad-master/xauth-pluto-16/OUTPUT/road.console.txt
or typically you would see 0/1 and 128/1 with src 192.1.3.209
iface-ip, when complete, will not be used as the souce ip address for the
route. It should allow prefix length, no ports, protocols... I thought I
can use the subnet with clash. This was a while ago I will look again.
I think in libreswan speak it is a subnet with clash, 0 port, 0 protocol.
I was trying to avoid anther ttoipmask() may be it is necessary
iface-ip=192.1.3.0/24 if we want to be generous 192.1.3.0/255.255.255.0
would be nice to have. then there is an argument to allow 192.1.3.0 as
192.1.3.0/32.
On Mon, Jan 27, 2020 at 10:51:20AM -0500, Andrew Cagney wrote:
> I noticed this user visible addition:
> whack.h: ip_subnet ifaceip;
> keywords.c:509: { "iface-ip", kv_conn | kv_leftright ,
> kt_subnet, KSCF_IFACE_IP, NULL, NULL, },
> the problem I see is that, contrary to the name, it isn't an IP (i.e,
> ip address). Rather, to use IKEv2 terminology, its a traffic
> selector. In fact while:
> 1.2.3.0/24
> 101.102.103.104/32:65535
> are valid, a simple IP address such as:
> 1.2.3.4
> is not (see ip_subnet_check.c).
with port is not valid iface-ip.
1.2.3.4 => 1.2.3.4/32 could be. I am not sure
> A quick fix would be to drop the "ip" from the new user-visible name?
could be. I prefer ip address there like sourceip.
The current one is
./netkey-vti-09/west.conf: leftvti=10.0.1.254/24
10.0.2.0/24 dev ipsec0 scope link
> However, this is confounded by libreswan's existing plithera of
> options that either implicitly, or explicitly, specify traffic
> selectors (these are the ones I stumbled across, there are probably
> more):
> sourceip= - only allows IP addresses and is considered mutually
> exclusive to ifaceip=, I'm not sure why
> subnet=
> subnets= - who knew there was already a way to describe multiple
> traffic selectors
> addresspool=
>
> This makes me wonder if the new ifaceip= option is needed, and instead
> one of the above should be reused?
> Strongswan, for instance, seems to have extended sourceip= so that it
> accepts subnets, see interop-ikev2-strongswan-39-mobike-responder).
extending sourceip is a possibilty. It might need more keyword. They %source
or something?
> PS: per the below from ip_subnet.h, ip_subnet is becoming a really
> unfortunate choice of name
subnet is more popular in industry. subnet:port is a narrow usecase, yet
important:)
> * This is not the subnet you're looking for.
> *
> * In libreswan ip_subnet is used to store client routing information.
> * IKEv2 calls this traffic selectors and it allows the negotiation
> * of:
> *
> * LO_ADDRESS..HI_ADDRESS : LO_PORT..HI_PORT
> *
> * The structures below can only handle a limited subset of this,
> * namely:
> *
> * NETWORK_PREFIX | 0 / MASK : PORT
> *
> * where PORT==0 imples 0..65535, and (presumably) port can only be
> * non-zero when the NETWORK_PREFIX/MASK is for a single address.
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
More information about the Swan-dev
mailing list