[Babel-users] preferred source address vs babel

Christof Schulze christof.schulze at gmx.net
Fri Jul 6 20:16:30 BST 2018


Hi Juliusz,

On Fri, Jul 06, 2018 at 11:19:03AM +0200, Juliusz Chroboczek wrote:
>> For multi-homed devices it would be interesting being able to specify
>> a preferred source address for routes exported via babel. If the preferred
>> src address is not specified, the kernel will select the src address and
>> thus will leak ipv6 addresses into a network where they are foreign.
>
>The kernel will normally select an address that is assigned to the
>outgoing interface.  Why is this mechanism not enough for your needs?
>
>> This should be configurable and could be static for one babeld instance.
>> Before going ahead and patching this into kernel_netlink.c (around line
>> 1053 I think) I would like to get some feedback on the idea.
>
>I have no objection (and I'd be glad to apply a well-written patch that
>does that), but I don't think this should be necessary.
I opened a PR for this - whether it is well-written is up to your judgement. :)

>Could you please explain exactly why you need this feature? 
Consider the following screenshot of a traceroute:
Https://chat.sum7.eu/upload/4b2ab8b47d9551a701a91aa9e52f815cb7ff4a7b/7EqJP1J7fyiNL2ZYVvYMM1xQW6YcdimuQgTk0gCb/20180706_173921273_75eb.jpg
The hop having the address beginning with 2a02 is a node in the network 
2a06:8782:ffbb:bab0:/64. It has two ipv6 addresses. The one that is 
visible in the screenshot: 2a02:8109:dc0:2b8:5054:ff:fe3e:caca on WAN
and 2a06:8782:ffbb:bab0:5054:ff:fe38:4b77 on the mesh.
The packets never traverse the 2a02-network yet it is showing up in the 
traceroute and that way the 2a02 addresses are leaking into the mesh 
revealing information about the node that should not be revealed.
Secondly, packets originating from the node, like DNS, may leave the node with an inappropriate ipv6 address and could possibly be routed out through the WAN interface of the node. That means that mesh-internal ipv6 traffic is not routed mesh-internally. This is odd at best.

By specifying -P we can make sure to use the correct mesh-internal origin address and path when reaching targets inside the mesh, even on multi-homed devices.

Regards

Christof


-- 
()  ascii ribbon campaign - against html e-mail
/\  against proprietary attachments
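An added route audit (not code from the post or from babeld) that detects the leak described above: it parses `ip -6 route show` output and flags routes into the mesh prefix whose preferred source is missing (kernel picks) or lies outside the mesh. The sample output is constructed; the interface names and the mesh prefix `2a06:8782:ffbb::/48` are assumptions, the addresses echo those named in the mail.

```python
import ipaddress
import re

# Constructed sample of `ip -6 route show` output; the mesh and WAN
# addresses are the ones from the traceroute described in the mail.
SAMPLE_ROUTES = """\
2a06:8782:ffbb:bab0::/64 dev mesh0 proto babel metric 1024 pref medium
2a06:8782:ffbb:bab1::/64 via fe80::1 dev mesh0 proto babel src 2a06:8782:ffbb:bab0:5054:ff:fe38:4b77 metric 1024
2a06:8782:ffbb:bab2::/64 via fe80::2 dev mesh0 proto babel src 2a02:8109:dc0:2b8:5054:ff:fe3e:caca metric 1024
default via fe80::ffff dev wan0 proto ra metric 1024
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)(?P<rest>.*)$")


def parse_routes(text):
    """Yield (destination network, preferred src or None) for each route line."""
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "::/0" if m.group("dst") == "default" else m.group("dst")
        src_match = re.search(r"\bsrc (\S+)", m.group("rest"))
        src = ipaddress.ip_address(src_match.group(1)) if src_match else None
        yield ipaddress.ip_network(dst, strict=False), src


def audit_mesh_routes(text, mesh_prefix):
    """Classify every route that points into the mesh prefix.

    "ok"          - preferred source is a mesh address
    "no-src"      - no src attribute: the kernel chooses, which on a
                    multi-homed node may be a foreign (e.g. WAN) address
    "foreign-src" - src is set but not a mesh address, so it leaks
    """
    mesh = ipaddress.ip_network(mesh_prefix)
    findings = []
    for dst, src in parse_routes(text):
        if dst.version != mesh.version or not dst.subnet_of(mesh):
            continue  # routes leaving the mesh are out of scope here
        if src is None:
            status = "no-src"
        elif src in mesh:
            status = "ok"
        else:
            status = "foreign-src"
        findings.append((str(dst), status))
    return findings


if __name__ == "__main__":
    for dst, status in audit_mesh_routes(SAMPLE_ROUTES, "2a06:8782:ffbb::/48"):
        print(f"{status:12} {dst}")
```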
