Darren Reed writes:
> James Carlson wrote:
> > Darren Reed writes:
> >
> >> James Carlson wrote:
> >>
> >>> It's the usual UDP application problem: if you're a UDP-based server,
> >>> then you're supposed to use the same IP address and port as the source
> >>> values in your reply as the client originally used in his destination.
> >>>
> >>>
> >> The question in my mind was: why can't the IKE daemon use a single IP
> >> address -
> >> why does it need to use "every" address?
> >>
> >
> > Because clients can send packets to "any" address.
> >
>
> But how do they choose which one to send to?
> Do they just pick the other end of the tunnel?

I'm confused. Why does it matter?

This is the IKE daemon we're talking about, not the Sun-specific punchin code. The IKE daemon is general-purpose. It has to work on any Solaris system using IPsec, whether or not it has tunnels, and regardless of the number of configured IP interfaces.

If the system is multi-homed, the server needs to obey the source address selection requirements, which means that it needs to select a source based on the destination that the client originally used -- which, on a multi-homed system, can be *any* of the configured addresses on the system.

And it's the server-side we're talking about. The client side has no such problems; it can just send to any address it wants and doesn't have to worry about source selection, because the default selection is good enough.

This is a very, very common issue for UDP daemons. For example, it's an issue that affects DNS servers and RIP.

--
James Carlson, Solaris Networking              <[email protected]>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677

_______________________________________________
networking-discuss mailing list
[email protected]
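The UDP reply-source problem discussed in this thread, as an added example that is not code from the thread or from the Solaris IKE daemon: a wildcard-bound IPv4 UDP echo server that learns which local address the client sent to and pins its reply to that source. It assumes Linux (the IP_PKTINFO option and its in_pktinfo layout, and 127.0.0.2 as a second loopback address); other systems expose the same information through options such as IP_RECVDSTADDR.

```python
import socket
import struct
# Older Python builds do not export IP_PKTINFO; 8 is its Linux value (assumption).
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo { int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr; }
PKTINFO_FMT = "=i4s4s"
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)

def make_pktinfo(ifindex, spec_dst, addr="0.0.0.0"):
    """Encode an in_pktinfo payload (ifindex 0 lets the kernel route normally)."""
    return struct.pack(PKTINFO_FMT, ifindex, socket.inet_aton(spec_dst), socket.inet_aton(addr))

def parse_pktinfo(ancdata):
    """Return (ifindex, address the client sent to) from recvmsg ancillary data, or None."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO and len(data) >= PKTINFO_LEN:
            ifindex, _spec_dst, addr = struct.unpack(PKTINFO_FMT, data[:PKTINFO_LEN])
            return ifindex, socket.inet_ntoa(addr)
    return None

def reply_ancdata(source_addr):
    """Ancillary data that makes the kernel send the reply from source_addr."""
    return [(socket.IPPROTO_IP, IP_PKTINFO, make_pktinfo(0, source_addr))]

def serve_once(sock, pin_source=True):
    """Echo one datagram; with pin_source the reply leaves from the address the client used."""
    payload, ancdata, _flags, client = sock.recvmsg(2048, socket.CMSG_SPACE(PKTINFO_LEN))
    info = parse_pktinfo(ancdata)
    if pin_source and info is not None:
        sock.sendmsg([payload], reply_ancdata(info[1]), 0, client)
        return info[1]
    sock.sendto(payload, client)  # naive: kernel picks the source from the route to the client
    return None

if __name__ == "__main__":
    # Demo (Linux): 127.0.0.2 is a second loopback address, so a wildcard-bound server is
    # effectively multi-homed; a connected client drops replies from any other source.
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    srv.bind(("0.0.0.0", 0))
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(1.0)
    cli.connect(("127.0.0.2", srv.getsockname()[1]))
    for pin in (False, True):
        cli.send(b"ping")
        serve_once(srv, pin_source=pin)
        try:
            print("pinned" if pin else "naive", "reply accepted:", cli.recv(64))
        except socket.timeout:
            print("pinned" if pin else "naive", "reply dropped by the client's connected socket")
```

Run stand-alone, the naive pass times out on the client while the pinned pass is accepted, which is the same mismatch a connected IKE or DNS client would see against a server that lets the kernel choose the source address.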
