On 5/31/22 11:18, Beniamino Galvani wrote:
> On Mon, May 30, 2022 at 01:14:51PM +0200, Petr Menšík via networkmanager-list
> wrote:
>> Hi,
>>
>> RFC 8801 [1] is standard tracks already. Would it be difficult to
>> implement it in NM? I think it provides very nice way to make profiles
>> on ethernet connections for example. Not sure if I can have multiple
>> configurations switched automatically withou Radius used for port security.
> Hi,
>
> I have quickly read RFC 8801 and RFC 7756, and it's not clear to me
> how the PvD model would fit in the NM picture.
My nmcli c on older laptop shows several wifi profiles, but just single
ethernet profile. I would like to have also pvd profile, which could
configure some properties of a connection. Obviously not an address, but
could configure DNS domain list, additional services. A nice start it
would be (dbus?) event emitted from NM that PvD name were received on a
connection.
>> But this RFC allows specification of domains and prefixes used on given
>> connection. That would be useful for VPN connected to work for example,
>> but when I still want to reach some local resources. For example printer
>> or local file storage, when I work from home. Unlike Radius it can work
>> fine at home networks too. But it can use TLS for obtaining basic
>> infromation, so those information can be secure at the same time.
> From what I understood, the RFCs define the concept of PvDs
> (provisioning domains) that contain related network configuration as
> DNS servers, DNS domains, default gateways, etc. A PvD can be explicit
> (provided to the client via e.g. a RA option), or implicit when a
> client automatically creates a different PvD for each interface.
I think implicit matches already different connections in NM. But it
would be nice, if it could at least record received PvD identifiers in
DHCP[46].OPTION entry for a start. Then additional experimental service
could reconfigure extra services based on that.
> What is not clear to me is how to use that information. For PvD-aware
> nodes, the recommendation is to use the received information
> consistently (for example, use the DNS server from one PvD for the
> domains of the same PvDs, etc.). Note that NM already does something
> like that implicitly when using one of dns={dnsmasq,systemd-resolved}:
> it queries a nameserver only on the interface that announced it, and
> it routes queries according to the automatically-received domains.
Yes, but it uses list of domains intented for search option in
resolv.conf for list of domains. Which serves different purpose and does
not have to be complete. Especially when multiple connections specify
search, it is questionable whether you want them all searched and in
which order. RFC 8801 can provide list of domains and ranges related to
connection when only RA is used. Does not require DHCP and can be more
secure. RFC 6731 can provide list of domains, I think Kea server can
send it.
> The RFC also talks about PvD-aware applications that can choose the
> PvD, but I don't think infrastructure for that exists outside NM.
I think PvD matches purpose of NM. I doubt there should be separate
service for handling it.But I admit I would like to have some
customization depending on connected network. For example I would like
to have sshd started on trusted networks. But have complete firewall
protection on less trusted networks.
>> It requires some kind of autoconfiguration of IP addresses. But I would
>> like to have possible LLMNR or mDNS configuration configured just on
>> some kind of networks. Could provision domain allow profiles in NM,
>> which would be autoconfigured via network? It would be great for laptops
>> connected via ethernet.
> I don't know, there seems no mention of LLMNR or mDNS in the RFC. I
> see that it allows the nodes to fetch a JSON that contains more
> information, and that probably can be extended to do everything.
I meant I would be able to configure LLMNR and mDNS on PvD profile for
ethernet. For example on corp.redhat.com connection I would enable mDNS
to be able print on local printer. But on hotel.example.com with
ethernet port I would like to disable similar services. I can do that
already on different connections, but how can be a connection
autoselected in case they don't use 802.1x security? I think this RFC
allows to have different profiles on single device, similar to SSIDs on
wifi networks. Of course the json can specify anything. Another question
is whether you would like to trust all information provided by the
network by default. I think that is important on public transport
connections or conferences, where I would like to have option to accept
just minimal trust in its network and refuse any optional features.
> While I agree that in theory this feature would be nice, I think the
> use cases are not well defined yet and it seems that implementing this
> in NM will require a significant effort.
>
> Does any existing DHCP/RA server implement the needed options? Do you
> know of any existing real deployment of this feature?
>
> Beniamino
I don't know any implementation which can send or receive it. Not sure,
this is a few months old RFC. But its support would help with few my use
cases. I think the implementation on server side is trivial. More
complicated it would be on client side. I think I would be able to
implement basic support into dnsmasq.
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
