On (04/13/10 08:06), James Carlson wrote:
> > > > Yes, I believe that was flagged in the man page updates (no?). In case
> > it was missed in the fast-track, here's what was intended:
>
> That's all that was missed. In the quoted text above, it says "3"
> settings, but there are actually 4. It's just a nit on the fast-track
> materials.

Ok, nit shall be fixed.

> > However, in src-priority mode, the definition of "best" match is modified
> > thus:
> > - first look up the longest match that also satisfies the
> > source-address/interface constraint (i.e., routing table lookup as in
> > the strong ES mode).
> > - if that fails, then remove the source-address/interface constraint
> > and find the longest match for the dst.
>
> I might be straying outside of ARC review (and feel free to redirect
> this to networking-discuss), but that doesn't sound quite right to me.
> Consider this network:
>
>          +--------+         +--------+
>          |        |         |        |
> <---A--->+ Host 1 +<---B--->+ Host 2 |
>          |        |         |        |
>          +--------+         +--------+
>
> Network A is x.x.x.0/24, and connects to "the Internet." Network B is
> an internal network, say x.x.y.0/24.
>
> This means that Host 1 will have a default route pointing somewhere on
> network A, and an interface route pointing to x.x.y.0/24 for network B.
> Host 2 will have a default route pointing to Host 1's address on network B.
>
> What happens if Host 2 sends a packet to Host 1's address on network A,
> and then Host 1 goes to respond?

It sounds like you're saying that Host 2 would presumably have used the
src address x.x.y.host2. So when host1 goes to respond, we'd look up a
route in the strong-es mode first, and assuming that there are no bugs in
the src-address selection code (there were none when I tested this!),
host1 would pick x.x.y.host1 as the src address, B as the outgoing
interface, and look up a route for dst/mask = x.x.y.host2/24,
interface = B. And we would find the interface route over the default
route.

> we'll discover the default route _before_ the interface route, and we'll
> see that the interface address matches and thus send the packet
> (erroneously) out on interface A.

I don't see how this would happen. Could you clarify?

> preference" (i.e., if there are multiple matching routes that are
> exactly equivalent -- same prefix length -- then choose the one with an
> interface with the same source, and if no such interface, then choose

But that *is* exactly what it is.

Note that, if, for whatever reason, host1 was trying to send out a packet
to x.x.y.host2 with src address x.x.x.host1, then yes, we would send it
out on A instead of B. But then again, when you pick a src of x.x.x.host1
and send it on B, how would you know that there are no ingress filters on
B that will drop your packet because your src address looks spoofed as
defined in rfc 3704?

--Sowmini

_______________________________________________
networking-discuss mailing list
[email protected]
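To make the src-priority lookup discussed in the thread concrete, here is a small simulation of Host 1's routing decision. It is an added illustration, not code from the thread or from the OpenSolaris networking stack; the routing table, Host 1's interface addresses and the RFC 5737 documentation prefixes standing in for x.x.x.0/24 (network A) and x.x.y.0/24 (network B) are all constructed for this example.

```python
import ipaddress

# Constructed routing table for Host 1 in the thread's picture. RFC 5737
# documentation prefixes stand in for x.x.x.0/24 (network A) and
# x.x.y.0/24 (network B); every value here is a placeholder for the example.
ROUTES = [
    # (destination prefix, gateway or None if on-link, outgoing interface)
    ("0.0.0.0/0", "192.0.2.1", "A"),   # default route via network A
    ("198.51.100.0/24", None, "B"),    # interface route to network B
]
IFACE_ADDR = {"A": "192.0.2.10", "B": "198.51.100.1"}  # Host 1's addresses


def longest_match(dst, src=None):
    """Plain longest-prefix match. When src is given, only routes whose
    outgoing interface carries src are eligible (the strong-ES constraint)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifname in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        if src is not None and IFACE_ADDR[ifname] != src:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw, ifname)
    return best


def src_priority_lookup(dst, src):
    """src-priority mode as described in the thread: try the constrained
    lookup first; if nothing matches, drop the constraint and take the
    longest match for dst alone.  Returns (prefix, gateway, interface,
    constrained).  constrained=False means the packet will leave an
    interface that does not carry its source address, which is exactly
    the case an RFC 3704 ingress filter on the far side may drop."""
    r = longest_match(dst, src)
    constrained = r is not None
    if r is None:
        r = longest_match(dst)
    if r is None:
        return None
    return (str(r[0]), r[1], r[2], constrained)
```

With Host 1's B-side address as source, a reply to Host 2 picks the interface route on B; with the A-side address as source, the constrained lookup only ever sees the default route and the packet leaves on A, as the reply above says.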
