[Swan-dev] address range starting with 0 ?

Andrew Cagney andrew.cagney at gmail.com
Mon Mar 22 14:58:39 UTC 2021


On Mon, 22 Mar 2021 at 10:07, Paul Wouters <paul at nohats.ca> wrote:
>
>
>
> commit 6cb075ac1f1b563c629011fa9e961ca22a9c7ab1
> Author: Andrew Cagney <cagney at gnu.org>
> Date:   Sun Mar 21 21:18:55 2021 -0400
>
>      xauth: cleanup passing password file's <addresspool>
>
>      - drop the ttorange(<address>-<address>) hack since ttorange()
>        parses <address>
>      - explicitly reject an empty range, and range starting at zero

(we're talking about the IKEv1 XAUTH password file, ranges, and the
addresspool, not subnets and clients).

The commit goes hand-in-hand with:

commit 024c567c64189ca7a53724be83736af3a0c3a0ac (HEAD -> main,
origin/main, origin/HEAD)
Author: Andrew Cagney <cagney at gnu.org>
Date:   Sun Mar 21 20:48:31 2021 -0400

    ip: in ttorange() allow :: as the start address

    Technically it is valid.  Let caller decide if it is reasonable.
    More consistent - ::/0 is accepted by ranges, subnets, and selectors.

So as a pair they just moved the deck chair:

+    if (non_zero){
+        uint32_t addr  = ntohl(addr_start_tmp.u.v4.sin_addr.s_addr);
+        if (addr == 0)
+            return "'0.0.0.0' not allowed as start";
+    }
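
Review bot: inside `if (non_zero)` the test reads `addr_start_tmp.u.v4.sin_addr.s_addr` with no address-family check in the lines shown, so it only makes sense for an IPv4 start, and the message hard-codes '0.0.0.0'. Guard the read with a family check and treat an IPv6 start of `::` the same way, or add a comment saying the check is deliberately IPv4-only.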

in ttorange() to its callers - xauth / addresspool server code.  That
code snippet can be traced back to:

commit 709100e6ebba15f9bdc8cc6f2532ebc4248a878e
Author: Antony Antony <antony at phenome.org>
Date:   Mon Apr 21 18:00:18 2014 +0200

    addresspool: code review and improvements by DHR

I suspect this was to stop the addresspool handing out the zero
address, i.e.,  :: or 0.0.0.0?
(if the address pool range ::-:: aka ::/128 was allowed I'm really not
sure what would happen)

> What is wrong with address ranges starting at 0? Did you mean 0.0.0.0/0 ?

> Because I'm using a /28 that starts at the .0 and it works fine and we
> should not block the zero address from being used as a valid address.

As the code stands, the server would need to be configured with
0.0.0.1-0.0.0.15?
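
An added example, not libreswan code and not part of the original message: a sketch of the split discussed above, where the parser accepts any well-formed range and the address pool caller applies the zero-start policy for both IPv4 and IPv6. The names `struct range`, `parse_range()` and `check_pool_range()` are hypothetical, and rejecting start > end is an assumption of this sketch.

```c
#include <arpa/inet.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical parsed range: family plus raw network-order bytes. */
struct range {
	int af;                          /* AF_INET or AF_INET6 */
	unsigned char start[16], end[16];
	size_t len;                      /* 4 or 16 bytes in use */
};

/* Parser: accepts any well-formed "start-end", including a zero start. */
static const char *parse_range(const char *text, struct range *r)
{
	char buf[2 * INET6_ADDRSTRLEN + 2];
	if (strlen(text) >= sizeof(buf))
		return "range too long";
	strcpy(buf, text);               /* length checked above */
	char *dash = strchr(buf, '-');
	if (dash == NULL)
		return "missing '-'";
	*dash++ = '\0';
	memset(r, 0, sizeof(*r));
	r->af = strchr(buf, ':') != NULL ? AF_INET6 : AF_INET;
	r->len = r->af == AF_INET6 ? 16 : 4;
	if (inet_pton(r->af, buf, r->start) != 1 ||
	    inet_pton(r->af, dash, r->end) != 1)
		return "bad address";
	return NULL;
}

/* Caller policy for an address pool: NULL means the range is usable. */
static const char *check_pool_range(const char *text)
{
	static const unsigned char zero[16] = {0};
	struct range r;
	const char *err = parse_range(text, &r);
	if (err != NULL)
		return err;
	/* Network byte order is big-endian, so memcmp orders addresses. */
	if (memcmp(r.start, r.end, r.len) > 0)
		return "start is greater than end";
	/* Only the all-zero address is refused, not a zero host part. */
	if (memcmp(r.start, zero, r.len) == 0)
		return "unspecified address not allowed as start";
	return NULL;
}
```

With this policy a pool such as 192.0.2.0-192.0.2.15 (a constructed value) is accepted, while 0.0.0.0-0.0.0.15 and ::-::ff are refused.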

