Discussion:
NetBSD systems as half-routers for P2P or VPN links
(too old to reply)
Erik Fair
2013-02-07 07:01:40 UTC
Permalink
Can NetBSD systems in a pair with a point to point link (physical or VPN'd through ... pick your virtual interface) act as half-routers, with the intermediate link being "unnumbered" (to use Cisco parlance)?

If so, what's the configuration recipe?

Erik <***@netbsd.org>


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Greg Troxel
2013-02-07 14:24:59 UTC
Permalink
I think what you're asking about requires routing daemon support, more
than OS support.

There is some support for this in quagga, with ospf6, but I am unclear
on it, and it may be in patches around the net rather than in a release.
Ignatios Souvatzis
2013-02-07 15:35:54 UTC
Permalink
Post by Erik Fair
Can NetBSD systems in a pair with a point to point link (physical or VPN'd through ... pick your virtual interface) act as half-routers, with the intermediate link being "unnumbered" (to use Cisco parlance)?
For the legacy IP version:

my pppoe up script, also been used earlier on sync ppp over ISDN, has
these lines:

ifconfig ${PIF} 0.0.0.0 0.0.0.1 link1 up
route add default 0.0.0.1

Async serial interface pppd supports what you want by giveing the interface
the same address as the machine has anyway, but as point-to-point link.

Of course, with modern IP you can just use the link-name qualified
link-local addresses for point to point links, if you insist to
not make them globally- numbered. Use any address in fe80::/64 but your
local one for the route to the peer and beyond. The disadvantage is
that diagnostics (traceroute6, ping6, or norml-usage failures) might
carry the link-local address back, which wouldn't be useful to a
remote fellow network administrator.

Regards,
-is

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Dennis Ferguson
2013-02-07 17:48:28 UTC
Permalink
Post by Erik Fair
Can NetBSD systems in a pair with a point to point link (physical or VPN'd through ... pick your virtual interface) act as half-routers, with the intermediate link being "unnumbered" (to use Cisco parlance)?
If so, what's the configuration recipe?
Ah, one of my more favorite doesn't-work-right topics. The short
answer is no, in a BSD kernel you can't use an interface for a
protocol without that protocol's addresses configured on the
interface. The work-around is to configure the local address
on the p2p interface the same as an interface in the box which does
have an address configured, while setting the destination to some
arbitrarily chosen address which is unlikely to be used by a host
you need to talk to. Note that the addresses on a BSD point-to-point
interface are (unlike Cisco, I suspect) unrelated host addresses;
they don't need to have a prefix in common but they do need to be
there.

The longer answer is that it is a misfeature of BSD protocol
configuration; a network protocol is traditionally configured 'up'
on an interface by configuring an address for that protocol on the
interface. The "protocol configuration" == "address configuration"
has some very annoying side effects. It is one of the (short list of)
reasons why an IPv4 DHCP client can't use the kernel UDP stack to send
and receive its UDP packets, and instead has to resort to BPF and roll
its own IP/UDP; it would need to put an IPv4 address on the interface
to configure it up for sending and receiving the IPv4 packets it
needs to exchange to learn the address to put on the interface. It
is also the reason you can't keep IPv6 from yammering out interfaces
as soon as they are turned on even when you know there is no hope
of there being anyone for it to talk to (short of compiling the whole
thing out of the kernel, that is); if "protocol configuration" ==
"address configuration", but IPv6 can conjure up and configure its
own addresses, then there is no way at all to tell IPv6 where it is
and isn't appropriate to do that.

I think the right solution for this is to separate protocol-is-up
configuration from address configuration. That is, you turn the
interface hardware on, then you configure the network protocols you
want to operate there 'up', and only then do you (or the protocol
you've just configured up) add address configuration, or not. Note
that a multiaccess interface with the protocol up but without
addresses isn't very useful, but it is useful enough for DHCP to
exchange packets and learn the addresses to configure the way
a normal UDP application does. A point-to-point interface, on
the other hand, is pretty much fully functional once configured
up without any addresses at all. Once point-to-point addresses
are relieved of their "protocol configured up" function their
remaining utility is limited and optional.

I'm hence not quite sure why you are calling it a "half-router"
when the addresses aren't there. The relationship between the
two routers, or between a router and a host, is identical
whether a point-to-point link has addresses configured or not;
the addresses don't matter very much, they are essentially a
form of static route configuration.

Dennis Ferguson
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Mouse
2013-02-07 19:52:26 UTC
Permalink
The "protocol configuration" == "address configuration" has some very
annoying side effects. It is one of the (short list of) reasons why
an IPv4 DHCP client can't use the kernel UDP stack to send and
receive its UDP packets, and instead has to resort to BPF and roll
its own IP/UDP;
How could the anything use the kernel UDP stack when the interface has
no addresses? It can't even tell what packets are intended for it
under such circumstances. It is not possible to send an IP packet
without putting _something_ in the ip_src and ip_dst fields. Using IP
without configuring an address means incoming traffic can't work
because the kernel has no way to tell whether a packet is intended for
it or not; outgoing connectionless traffic could in principle work, but
would require userland to explicitly specify the source address for
each packet (since the kernel can't assign one as usual).
it would need to put an IPv4 address on the interface to configure it
up for sending and receiving the IPv4 packets
Oddly enough, I've seen addresses configured with 0.0.0.0 while DHCP is
trying to get an address on them.

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Dennis Ferguson
2013-02-07 23:41:31 UTC
Permalink
Post by Mouse
The "protocol configuration" == "address configuration" has some very
annoying side effects. It is one of the (short list of) reasons why
an IPv4 DHCP client can't use the kernel UDP stack to send and
receive its UDP packets, and instead has to resort to BPF and roll
its own IP/UDP;
How could the anything use the kernel UDP stack when the interface has
no addresses? It can't even tell what packets are intended for it
under such circumstances. It is not possible to send an IP packet
without putting _something_ in the ip_src and ip_dst fields. Using IP
without configuring an address means incoming traffic can't work
because the kernel has no way to tell whether a packet is intended for
it or not; outgoing connectionless traffic could in principle work, but
would require userland to explicitly specify the source address for
each packet (since the kernel can't assign one as usual).
That's fairly straight forward. Most UDP applications, for example ntpd
and bind, need to be able to explicitly tell the kernel what source address
to put in an outgoing packet in any case since, if there is more than one choice
for this, they need to make sure that the source address in a response is
the same address that was the destination of the request they are responding to
(TCP does this automatically, but kernel-stateless UDP requires applications
to manage this themselves). If you have a way for applications to tell
the kernel what source address to use in outgoing packets then the DHCP
application, having suitable privileges, can use this to tell the kernel
it wants the source address to be 0.0.0.0. Note that the exact mechanism
ntpd and bind use now can't quite manage this but is also broken in other
ways, anyway; both ntpd and bind will spectacularly fail to run, for no good
reason, on machines with a sufficient large interface configuration. A
different way to indicate the source address, say a sendmsg() option, could
satisfy DHCP's needs as well as helping fix the interface scaling problems
that ntpd and bind have.

That's the source address. While you can't send a packet to a unicast
destination address out an ethernet with no addresses configured you can
always multicast the packet or send it out using the 255.255.255.255
broadcast address. DHCP is required to use the latter; this should
just work.

That's the outgoing side. On the incoming side there are a couple of options.
If the interface is configured on you will see IP packets arriving from it and,
while the kernel won't recognize unicast-addressed packets as its own it will
willingly receive packets to multicast and the all-ones broadcast addresses with
no address configuration. The DHCP client has the option of asking the server
to send responses to the all-one's broadcast address (the server doesn't have
to broadcast the response, but it does put that address in the packet IP
destination) and, if it does, those incoming packets will be delivered to it even
in a very vanilla kernel. That's the easy way.

The harder way is to let the DHCP server send the packet back to your new
unicast address. This packet will arrive on the interface but will eventually be
discarded as "not for us". This wouldn't be worth fixing for DHCP alone (DHCP
has the 255.255.255.255 alternative), but note that the need to receive packets
that don't look like they are addressed to the local box is not solely DHCP's
problem; certain routing protocols, e.g. RSVP and PIM, need to be able to do
precisely the same thing. The thing all of these protocols have in common is
that the packets of interest will normally end up in an exception path in an
unmodified networking stack (the discard path for DHCP, the IP options processing
path for the routing protocols), so having a facility against which packets
could be checked if they arrive at that exception path to see if they might be
of interest to the local system regardless of their destination address would
kill several birds with one stone.

Generically speaking I don't think there's any reason a DHCP client couldn't
be implemented as a fairly normal UDP application with a decently functional
networking stack, and fixing the things which prevent a NetBSD networking
stack from supporting this would have benefits for applications beyond just
DHCP.
Post by Mouse
it would need to put an IPv4 address on the interface to configure it
up for sending and receiving the IPv4 packets
Oddly enough, I've seen addresses configured with 0.0.0.0 while DHCP is
trying to get an address on them.
That's another way at getting the kernel to send packets with a 0.0.0.0
source address. I prefer just being able to explicitly tell it what
the source address needs to be since many UDP applications running on
multihomed hosts and routers need this.

Dennis Ferguson
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Loading...