[Design] routing riddles (was: co-terminal)

Michael Richardson wrote:

> trying to
happens to
> roam (unknowingly even) to a network that has an OE gateway. The
situation
> looks like:

> The problem is on OE-peer, where the eroute table contains:

Hmmmm. It's not obvious to my little brain what "we would prefer" in situations like this. I can think of at least four possibilities:

• tunnel OE-rw preferred to OE-gw (with failover if/when OE-rw goes down)
• vice versa
• equal-cost multipath
• superencryption of OE-rw within OE-gw

ISTM this is just the tip of an iceberg called "plays nicely with routers". This is a routing problem.

> The situation is recognizeable from the situation where an extruded
> IP has moved to another location, or where one is attempting to do
> multihomed OE (which is not supported at this time) because the
> tunnels are distinguished by having different gateways, yet one of
> the gateways is *equal* to the end node.

There are more-general and more-robust ways of recognizing the problem. Recognizing the problem is easy. The problem is that there's a question about the routing. At runtime, once you recognize that there's a question, the hard parts are

• gathering enough information to make it possible, even in principle, to intelligently answer the question.
• supporting each of the reasonable answers.

I suspect that as long as eroutes are different from routes, it is not possible even in principle to answer the runtime questions.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

You can perhaps say that N-1 of the possible answers are unsupported, but that's a little like looking under the lamp-post.

A well-designed MAST device should make it possible to properly solve such problems. Or perhaps more to the point, a non-MAST solution to such problems is probably not feasible.

We can learn a few things from this excercise. For starters, it seems tunnels need proper handles. Things like wild-side address (right=...) or even private-side address (rightsubnet=...) are not sufficiently distinctive to be proper handles. Recall the previous discussion of "lineages".