Re: how to partition routing namespace

2015-10-21 Thread Chris Cappuccio
Geoff Steckel [g...@oat.com] wrote:
> 
> On reading the latest if_bridge.c it looks like it will cross routing
> domains. No domain information is passed with the packet.
> A lot of it got rewritten between 5.7 and 5.8
> 

What does bridge have to do with it?

I thought you wanted to terminate a tunnel on a router.



Re: how to partition routing namespace

2015-10-21 Thread Geoff Steckel

On 10/20/2015 10:19 PM, Chris Cappuccio wrote:
> Geoff Steckel [g...@oat.com] wrote:
> > 
> > I'm using sixxx.net as an IPv6 tunnel gateway.
> > They gave me 2001:::0111::0002 as my tunnel endpoint and
> > 2001:::0111::1 as their end and router address.
> > They gave me 2001:::8111::/64 for my address space.
> > Note that the tunnel endpoint addresses are globally routeable.
> > 
> > The desired behavior is to partition the network space
> > inside the machine into the gateway section and the
> > rest of the machine >> as if they were connected by
> > a pair of interfaces and a cable << where the interfaces
> > had addresses in 2001...8111 so that locally generated
> > packets would go out with that source address.
> > 
> 
> If the tunnel endpoint x:0111::0002 is globally routeable, why do you
> care about the machine's own traffic not appearing from that address?
> 
> Nonetheless, if you must have traffic appear from x:8111::/64,
> can't you just use that on your gif interface? As gif is a point-to-
> point interface, there is no need for both participants to be within the
> same subnet. Of course, if you do this, you can't then apply the
> x:8111::/64 address to your ethernet interface facing your LAN,
> which is where it was meant to go, and why it all works this way
> anyways.
> 
> If you really must have both x:8111::/64 on the LAN and on the gif
> interface, you could specify a /128 address for the gif interface
> and only use one of your x:8111::/64 addresses away from your LAN
> interface.
> 
> There is no ARP so even if the remote router knows your gif interface
> as x:0111::0002 and routes to it, you can still use whatever address
> you want. But I don't really understand why you would want to do this,
> unless this tunnel router is the only machine you care to IPv6 on.
> 
> Chris

There are a number of reasons 0111::2 is not useful to me.

On reading the latest if_bridge.c it looks like it will cross routing
domains. No domain information is passed with the packet.
A lot of it got rewritten between 5.7 and 5.8

# desired global address
ifconfig vether1 inet6 2001:::8111::8
# synthetic router address
ifconfig vether2 inet6 2001:::8111::9 rdomain 1

# a synthetic wire between vether1 and 2
ifconfig bridge1 add vether1
ifconfig bridge1 add vether2

# system net routing to tunnel section
route add -inet6 default 2001:::8111::9
# tunnel section routing to external router
route -T 1 add -inet6 default 2001:::0111::1

(modulo typos & misplaced arguments)

I'll load -current on a machine, set up the configuration
as above & connect it to another machine via a tunnel.
If it doesn't work, it ought to. And I'll try to fix it.
My pf.conf might be comprehensible then.

Many thanks to the people who greatly improved if_bridge.c

Geoff Steckel



Re: how to partition routing namespace

2015-10-21 Thread Stuart Henderson
On 2015-10-21, Geoff Steckel wrote:
> They gave me 2001:::0111::0002 as my tunnel endpoint and
> 2001:::0111::1 as their end and router address.
> They gave me 2001:::8111::/64 for my address space.
> Note that the tunnel endpoint addresses are globally routeable.
>
> So... if I say "route add -inet6 default ...0111::1",
> then the source address of any IPv6 connection from this machine
> defaults to 0111::2
>
> This isn't useful. I must use an address in 8xxx::/64
> for functions on the gateway machine.

Try adding 'pltime 0' to the ifconfig line where you configure the
tunnel endpoint address.

The 2001:...811 address can be configured on any interface.
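Why 'pltime 0' changes the source address, shown as an added example that is not part of this thread and not OpenBSD's own code: the script below models a subset of RFC 6724 source address selection (rule 3 "avoid deprecated addresses", rule 5 "prefer the outgoing interface", rule 8 "longest matching prefix"), which is the ordering OpenBSD's in6 source selection follows for this case. It goes beyond the single case above by running three scenarios: the original setup (tunnel endpoint wins because it sits on the outgoing gif interface), the endpoint marked deprecated with pltime 0 (the LAN address wins), and Geoff's rdomain split (only rdomain 0 addresses are candidates). The addresses use the 2001:db8::/32 documentation prefix because the thread's own addresses are redacted; interface names em0, gif0, vether1 and vether2 are assumptions.

```python
"""Simplified IPv6 source address selection (subset of RFC 6724).

Added illustration, not code from the mailing-list thread or from OpenBSD.
Only rules 3, 5 and 8 are modelled; that is enough to show why a tunnel
endpoint address is chosen by default and how 'pltime 0' or a separate
routing domain changes the outcome.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Addr:
    ip: str
    iface: str
    rdomain: int = 0
    deprecated: bool = False  # 'ifconfig ... pltime 0' makes an address deprecated


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits shared by two IPv6 addresses (RFC 6724 rule 8)."""
    x = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - x.bit_length()


def select_source(addrs, dest: str, out_iface: str, rdomain: int = 0) -> str:
    """Return the source address the host would pick for `dest`.

    Only addresses in the routing domain doing the lookup are candidates;
    then rules 3, 5 and 8 are applied in order, each narrowing the set
    only when at least one candidate satisfies it.
    """
    cands = [a for a in addrs if a.rdomain == rdomain]
    if not cands:
        raise LookupError(f"no IPv6 addresses in rdomain {rdomain}")

    def narrow(cs, pred):
        better = [a for a in cs if pred(a)]
        return better if better else cs

    cands = narrow(cands, lambda a: not a.deprecated)        # rule 3
    cands = narrow(cands, lambda a: a.iface == out_iface)     # rule 5
    best = max(common_prefix_len(a.ip, dest) for a in cands)  # rule 8
    cands = [a for a in cands if common_prefix_len(a.ip, dest) == best]
    return cands[0].ip


# Constructed values standing in for the thread's redacted addresses.
DEST = "2001:db8:ffff::1"          # some remote IPv6 host
TUNNEL_EP = "2001:db8:111::2"      # "2001:::0111::0002" in the thread
LAN_ADDR = "2001:db8:8111::8"      # an address from the delegated /64


def scenario_default() -> str:
    """Original setup: default route via gif0, endpoint address not deprecated."""
    addrs = [Addr(TUNNEL_EP, "gif0"), Addr(LAN_ADDR, "em0")]
    return select_source(addrs, DEST, out_iface="gif0")


def scenario_pltime0() -> str:
    """Stuart's suggestion: endpoint configured with 'pltime 0' (deprecated)."""
    addrs = [Addr(TUNNEL_EP, "gif0", deprecated=True), Addr(LAN_ADDR, "em0")]
    return select_source(addrs, DEST, out_iface="gif0")


def scenario_rdomain_split() -> str:
    """Geoff's layout: gif0 and vether2 live in rdomain 1, vether1 in rdomain 0."""
    addrs = [
        Addr(TUNNEL_EP, "gif0", rdomain=1),
        Addr("2001:db8:8111::9", "vether2", rdomain=1),
        Addr(LAN_ADDR, "vether1", rdomain=0),
    ]
    return select_source(addrs, DEST, out_iface="vether1", rdomain=0)


if __name__ == "__main__":
    print("default      :", scenario_default())        # tunnel endpoint
    print("pltime 0     :", scenario_pltime0())        # LAN address
    print("rdomain split:", scenario_rdomain_split())  # LAN address
```

The model deliberately stops at rule 8; a real host also applies scope, label and policy-table rules, but for two global unicast addresses on the same box those do not separate the candidates, so the deprecated-address rule is what decides once pltime 0 is set.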



how to partition routing namespace

2015-10-20 Thread Geoff Steckel

If someone has published a solution, please hand me a clue-by-4

I'm running 5.7.
If anyone would like a dmesg, etc, I'd be glad to provide.
I don't **think** that's relevant here.

I'm using sixxx.net as an IPv6 tunnel gateway.
They gave me 2001:::0111::0002 as my tunnel endpoint and
2001:::0111::1 as their end and router address.
They gave me 2001:::8111::/64 for my address space.
Note that the tunnel endpoint addresses are globally routeable.

So... if I say "route add -inet6 default ...0111::1",
then the source address of any IPv6 connection from this machine
defaults to 0111::2

This isn't useful. I must use an address in 8xxx::/64
for functions on the gateway machine. Adding another
machine is not possible due to power and money constraints.
A $50 machine with two interfaces drawing 10W would solve
this but they're hard to find. Maybe when the port to
arm is stabler... even so

The desired behavior is to partition the network space
inside the machine into the gateway section and the
rest of the machine >> as if they were connected by
a pair of interfaces and a cable << where the interfaces
had addresses in 2001...8111 so that locally generated
packets would go out with that source address.

I'm currently using two rdomains, two routing tables,
and a messy pf.conf using things like (approximately)

ifconfig gif0 
[ipv6 endpoints] rdomain 1

route -inet6 default ::1
route -T 1 -inet6 default 2001...:0111::1

ifconfig lo1 -inet6 ::2/64 rdomain 1

pass inet6 from any to ! \
  route-to lo0 rtable 1

pass on gif0 inet6 from ! \
 to  route to lo1 rtable 0

Occasionally this gets into gif loops and I'm not sure that
packets aren't being silently dropped.

Is there a simpler method?

The far end of the tunnel to sixxx has no hardware
address, so I haven't figured out how to do obscene
things to use that as a gateway address.

Suggestions, upgrade to 5.8 or current or RTFM appreciated.

Geoff Steckel



Re: how to partition routing namespace

2015-10-20 Thread Chris Cappuccio
Geoff Steckel [g...@oat.com] wrote:
> 
> I'm using sixxx.net as an IPv6 tunnel gateway.
> They gave me 2001:::0111::0002 as my tunnel endpoint and
> 2001:::0111::1 as their end and router address.
> They gave me 2001:::8111::/64 for my address space.
> Note that the tunnel endpoint addresses are globally routeable.
> 
> The desired behavior is to partition the network space
> inside the machine into the gateway section and the
> rest of the machine >> as if they were connected by
> a pair of interfaces and a cable << where the interfaces
> had addresses in 2001...8111 so that locally generated
> packets would go out with that source address.
> 

If the tunnel endpoint x:0111::0002 is globally routeable, why do you
care about the machine's own traffic not appearing from that address?

Nonetheless, if you must have traffic appear from x:8111::/64,
can't you just use that on your gif interface? As gif is a point-to-
point interface, there is no need for both participants to be within the
same subnet. Of course, if you do this, you can't then apply the
x:8111::/64 address to your ethernet interface facing your LAN,
which is where it was meant to go, and why it all works this way
anyways.

If you really must have both x:8111::/64 on the LAN and on the gif
interface, you could specify a /128 address for the gif interface
and only use one of your x:8111::/64 addresses away from your LAN
interface.

There is no ARP so even if the remote router knows your gif interface
as x:0111::0002 and routes to it, you can still use whatever address
you want. But I don't really understand why you would want to do this,
unless this tunnel router is the only machine you care to IPv6 on.

Chris