
Re: misconfiguring the tunnel source address [mech-v2-04]



Follen, Stephen wrote:

This so-called "flexibility" to configure a tunnel without the existence of an IPv4 interface basically indicates that the box allows the creation of a virtual point-to-point link, and
route(s) that are using it, when there is no physical connectivity to provide the basis for that link (and routes) to exist.


I do not see the advantage to the user, but can certainly see the
headaches...

The virtual point to point link's (the tunnel's) oper status is held
down

I thought so, 'cause otherwise would have been really a bug.

until there is an interface configured with the source address,

...so the implementation does check the source address...

also until there is a route to the remote v4 destination, etc.

so, you must leave the tunnel creation dormant, and have a wakeup
on IPv4 interface, and/or route creation, with all the correlation and checks... well, if we talk complexity, honestly, this asynchronicity
is quite a bit more complex ...


I'm not trying to debate the fine points of a particular implementation
here; my point was only that these are implementation details.


They are implementation details indeed...

But as it turns out though, at a closer examination,
the implementation still checks, as you say, the source address, and that was the focus of this discussion.



[...]

There are lots of ways one can follow most any spec and still not have
things work properly - misconfiguration is always possible.


keep in mind though that this is NOT misconfiguration according to
this spec, if the spec DOES NOT state that the tunnel source address MUST be one of the encapsulator's addresses.


That's the whole point...

If you put that in the perspective of a DRAFT standard, and replacing
an RFC, that didn't have that BUG, you have a completely different problem than just publishing a bogus PS RFC.


[...]
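The behaviour described in the exchange above (tunnel created on configuration, held oper-down until the source address belongs to the encapsulator and a route to the remote v4 destination exists, with re-checks on interface and route events), modelled as an added example that is not code from the thread or from any implementation; the `Encapsulator`/`Tunnel` names and method names are hypothetical.

```python
# Added example, not from the thread: model of the checks the reply describes
# for a configured IPv6-over-IPv4 tunnel. The tunnel object exists as soon as
# it is configured, but stays oper-down until its source address is one of the
# encapsulator's own IPv4 addresses and a route to the destination exists.
import ipaddress
from dataclasses import dataclass

@dataclass
class Tunnel:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    oper_up: bool = False

class Encapsulator:
    def __init__(self):
        self.local_addrs = set()   # IPv4 addresses configured on interfaces
        self.routes = []           # IPv4 prefixes in the routing table
        self.tunnels = []

    def evaluate(self, t):
        src_ok = t.src in self.local_addrs                   # source-address check
        route_ok = any(t.dst in net for net in self.routes)  # reachability check
        t.oper_up = src_ok and route_ok
        return t.oper_up

    def _reevaluate_all(self):
        for t in self.tunnels:
            self.evaluate(t)

    def add_tunnel(self, src, dst):
        t = Tunnel(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst))
        self.tunnels.append(t)
        self.evaluate(t)           # creation is allowed; oper status is the result
        return t

    # "Wakeup" hooks: every interface or route event re-runs the checks.
    def add_interface_addr(self, addr):
        self.local_addrs.add(ipaddress.IPv4Address(addr))
        self._reevaluate_all()

    def del_interface_addr(self, addr):
        self.local_addrs.discard(ipaddress.IPv4Address(addr))
        self._reevaluate_all()

    def add_route(self, prefix):
        self.routes.append(ipaddress.IPv4Network(prefix))
        self._reevaluate_all()
```

A tunnel whose configured source is not one of the box's addresses is accepted but never comes up, which is the "not misconfiguration according to the spec, but still non-working" case the thread is about.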
