From: Juliusz Chroboczek <jch@irif.fr>
To: "Erin Shepherd" <bird-users@erinshepherd.net>
Cc: "Daniel Gröber" <dxld@darkboxed.org>,
"Alexander Zubkov" <green@qrator.net>,
babel-users@alioth-lists.debian.net,
"Kyle Rose" <krose@krose.org>,
bird-users@network.cz, wireguard@lists.zx2c4.com
Subject: Re: [Babel-users] [RFC] Replace WireGuard AllowedIPs with IP route attribute
Date: Sat, 18 Nov 2023 13:22:03 +0100 [thread overview]
Message-ID: <871qcn8d5g.wl-jch@irif.fr> (raw)
In-Reply-To: <918e1d5b-9f11-4f9c-bf9a-94cb0d41ce2b@app.fastmail.com>
> Is tying source address filtering to the routing table the right thing to do
> here? It seems to me that it would cause issues similar to those we see more
> generally with Unicast Reverse Path Filtering
Issues are caused by the kernel performing filtering that the routing
protocol is not aware of: it causes the routing daemon's routing table to
no longer match the effective forwarding table (the kernel's routing
table). That's the reason why uRPF breaks most routing protocols, that's
the reason why we have trouble making Wireguard work with Babel, and also
the reason behind https://github.com/jech/babeld/issues/111.
Contrariwise, we can teach Babel to explicitly take into account the
kernel features that we're interested in using. Thus, Babel could be
aware of the restrictions placed on a wireguard interface, and collaborate
with Wireguard so that the routing table and the forwarding table remain
congruent. I haven't looked at the issue in detail, but I believe that
would be an interesting (short-term) research project, one that I would be
glad to collaborate with (but not necessarily lead, at least not right now).
For the specific case of source address filtering, Babel already has an
(implemented) extension to deal with source addresses, and I encourage you
to consider whether it can be used to deal with the issue at hand. Please
see https://arxiv.org/pdf/1403.0445.pdf and RFC 9079.
-- Juliusz
next prev parent reply other threads:[~2023-11-19 13:45 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-19 14:02 Daniel Gröber
[not found] ` <5112ea1f-0f67-4907-a3c5-b6c7b9e591ca@kr217.de>
2023-08-19 18:17 ` Daniel Gröber
2023-08-19 20:00 ` [Babel-users] " Steffen Vogel
2023-08-19 21:23 ` Daniel Gröber
2023-08-28 15:40 ` Kyle Rose
2023-08-28 16:07 ` Daniel Gröber
2023-08-28 17:40 ` Juliusz Chroboczek
2023-08-28 17:55 ` Kyle Rose
2023-08-28 22:13 ` Daniel Gröber
2023-09-03 3:21 ` Ivan Labáth
2023-09-29 13:12 ` Daniel Gröber
2023-09-29 16:19 ` Reto
[not found] ` <804a0c0a-78df-7f4c-1d0d-213e8bdb4120@nic.cz>
2023-11-09 11:57 ` [Babel-users] " Alexander Zubkov
2023-11-18 2:19 ` Daniel Gröber
[not found] ` <918e1d5b-9f11-4f9c-bf9a-94cb0d41ce2b@app.fastmail.com>
2023-11-18 12:22 ` Juliusz Chroboczek [this message]
2023-11-20 2:05 ` Daniel Gröber
[not found] ` <CABr+u0b6vrZoYzQcMiCXX7W0XsQRNMzQfZnT5cK1MQoZ4NoqkA@mail.gmail.com>
2023-11-22 7:39 ` Daniel Gröber
2023-08-19 20:05 ` Kyle Rose
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871qcn8d5g.wl-jch@irif.fr \
--to=jch@irif.fr \
--cc=babel-users@alioth-lists.debian.net \
--cc=bird-users@erinshepherd.net \
--cc=bird-users@network.cz \
--cc=dxld@darkboxed.org \
--cc=green@qrator.net \
--cc=krose@krose.org \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).