Rethinking network configuration
Posted 04-15-2012 at 02:43 AM by Skaperen
Previously I wrote about configuring interfaces with static IPs based on matching them with what actual network (subnet) the interface is connected to. Now I'm thinking about it in even more different terms. But this concept will need some changes in the kernel itself.
To start with, the kernel already (by default) will "leak" an IP address to other interfaces. Specifically, if an ARP query comes in on one interface for an IP address configured only on another interface, it is answered anyway, on the interface it arrived on. The concept is explained in the kernel source tree file Documentation/networking/ip-sysctl.txt where it describes the "arp_filter" setting:
Quote:
0 - (default) The kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this behaviour cause problems.
So it should make sense to simply collect all the host IP addresses in one common place, and then sort out which addresses are answered on which interface by where the ARP queries come in. It would still be good to have a way to filter this by policy rules, so you can, for example, disallow certain IPs (or MACs) at certain interfaces.
Then there is also the issue of which IP address to use as the source IP when initiating outbound IP traffic. Normally the best IP address configured on the interface that is the best path to the destination would be used (if that interface has IPs in the destination subnet, the first of those is best). This much is probably still best solved by exploring the connected subnet to see what is there (ask DHCP, watch ARP queries, etc).
But for incoming traffic, a master list of IP addresses to recognize would make more sense.
More network rethinking ideas will come later.
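The master-list-plus-policy model the post proposes, as an added example (not kernel code and not from the post): every host address sits in one table, and a per-interface policy decides which incoming ARP requests get an answer, so you can see which addresses the default arp_filter=0 behaviour would announce on a segment that the policy would hide. The interface names, addresses and MACs are constructed sample values; the 28-byte Ethernet/IPv4 ARP layout is the standard RFC 826 one.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed sample: every address the host owns, kept in one common place
# rather than per interface (the post's "master list").
HOST_ADDRESSES = {ip_address(a) for a in ("192.0.2.10", "192.0.2.11", "198.51.100.5")}
# Constructed per-interface policy: prefixes whose host addresses may be
# announced on that interface. None = unrestricted (today's arp_filter=0).
ARP_POLICY = {"eth0": [ip_network("192.0.2.0/24")], "eth1": [ip_network("198.51.100.0/24")], "eth2": None}
# Constructed per-interface sender-MAC deny-list (the post's "or MACs" filter).
MAC_DENY = {"eth1": {"00:00:5e:00:53:ff"}}
# RFC 826 ARP header for Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"

def parse_arp_request(frame):
    """Return (sender_mac, sender_ip, target_ip) for a well-formed ARP request, else None."""
    if len(frame) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, frame[:28])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 1):
        return None
    return ":".join(f"{b:02x}" for b in sha), ip_address(spa), ip_address(tpa)

def build_request(sender_mac, sender_ip, target_ip):
    """Constructed ARP request frame, as a switch port would deliver it."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, sha, ip_address(sender_ip).packed,
                       b"\0" * 6, ip_address(target_ip).packed)

def should_answer(iface, frame, policy_enabled=True):
    """Decide whether this host answers the ARP request that arrived on `iface`."""
    parsed = parse_arp_request(frame)
    if parsed is None:
        return False
    sender_mac, _sender_ip, target = parsed
    if target not in HOST_ADDRESSES:
        return False                 # not ours on any interface
    if not policy_enabled:
        return True                  # default kernel: any host address is answered
    if sender_mac in MAC_DENY.get(iface, set()):
        return False
    allowed = ARP_POLICY.get(iface)  # interfaces without a policy entry stay unrestricted
    return allowed is None or any(target in net for net in allowed)

def leaked_addresses(iface):
    """Host addresses the default announces on `iface` that the policy would hide."""
    def probe(addr, policy):
        return should_answer(iface, build_request("00:00:5e:00:53:01", "203.0.113.9", str(addr)), policy)
    return sorted(str(a) for a in HOST_ADDRESSES if probe(a, False) and not probe(a, True))
```

Running `leaked_addresses("eth0")` reports the eth1-only address that a query on eth0 would expose under the default, which is exactly the cross-interface "leak" the quoted sysctl text describes.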