[Babel-users] IPv6 ULA GUA S2S routing problem

Daniel Gröber dxld at darkboxed.org
Tue Mar 14 09:07:09 GMT 2023


Hi Jochen,

On Tue, Mar 14, 2023 at 09:28:48AM +0100, Jochen Demmer wrote:
> > What do you mean? If your AllowedIPs set is empty wireguard will just
> > act as a big useless black hole.
> 
> Well there were several blog posts and texts that said running
> wireguard without a filter to IPs was a bad idea. I do not concur
> that's why I implemented it without a filter and I'm happy with it :-)

Right, that is true in general. You want AllowedIPs to be as restrictive as
is practical (but never empty). In the case of dynamic routing things are
just a bit more complicated than in a static setup.

Essentially the problem is the dynamic v6 prefix at your Site A. In a
static setup you could just set AllowedIPs to be the prefix(es) of the site
at the other end of the tunnel and that'll work, but if the prefix keeps
changing you can't do that. You'd need support for setting AllowedIPs
dynamically in babeld which just isn't a thing yet.

Together with babel's source-specific routing support I do think this is
something we can do even without any protocol changes and I have on
numerous occasions thought about adding it but just haven't really had the
motivation yet. Mainly because I have static prefixes everywhere since I
run my own AS :P

--Daniel


