Comments (6)
I think my question is about if there is assumptions on how different addresses within a prefix given to a MASQUE client will be used.
The goal was to avoid assumptions and leave choices like this up to the individual implementation/deployment. We did assume that ADDRESS_ASSIGN addresses are to be used inside the tunnel - so that needs to be spelled out explicitly - but otherwise most questions about addressing are a matter of policy.
For example is there an assumed gateway address?
Gateway addresses are a concept that exists for L2 networks and is not necessary in the setting of a virtual network without any L2 layer. On traditional networks, the purpose of the gateway address is to give the client an identifier it can use ARP/ND to find a MAC address for because that's the L2 destination address it'll use on all off-network destination IPs. But here there is no L2 and no MAC addresses involved, so there's no need for a gateway address.
Are the MASQUE peers actually addressable on the inside so to say of the tunnel.
The addresses exchanged by ADDRESS_ASSIGN are meant to be usable inside the tunnel - but you're right that we should spell that out explicitly.
Can the MASQUE client ping the MASQUE server's tunnel egress? Or is the tunnel totally transparent and its insider have no presence in IP land?
I think that's a matter of local policy that's not specific to CONNECT-IP. Today on the Internet some routers will respond to ping (and do proper ICMP handling so that traceroute works, etc.) while others will not do any of those things but still forward packets. A CONNECT-IP endpoint is just a router in this context and it's free to choose its local policy regarding ICMP handling.
from draft-ietf-masque-connect-ip.
The ADDRESS_ASSIGN capsule contains an IP Prefix Length
field which allows conveying either a single address, or a prefix (i.e. a whole range of addresses).
@gloinul I'm not sure I understand what you meant by "specific addresses that will actually be processed out of this range" though, can you clarify?
from draft-ietf-masque-connect-ip.
The goal is to support both single addresses and ranges. You can do disjoint ranges by using multiple ADDRESS_ASSIGN messages (although I expect use cases for such to be rare).
If an entire range is assigned, e.g., an IPv6 /64, then the client is free to use any address in that range (or all of them), and the proxy MUST drop any packets with a source address outside of the range(s) assigned to that client.
from draft-ietf-masque-connect-ip.
@DavidSchinazi looking at this again, I think my question is about if there is assumptions on how different addresses within a prefix given to a MASQUE client will be used. For example is there an assumed gateway address? Are the MASQUE peers actually addressable on the inside so to say of the tunnel. Can the MASQUE client ping the MASQUE server's tunnel egress? Or is the tunnel totally transparent and its insider have no presence in IP land?
from draft-ietf-masque-connect-ip.
This might be related to #3
from draft-ietf-masque-connect-ip.
Discussed on call, and the ability to assign a prefix does allow a single address or a range. Future extensions could add more semantics to explain the meaning of the addresses.
from draft-ietf-masque-connect-ip.
Related Issues (20)
- Proxy capsule handling requirements HOT 4
- ICMP packet location clarification HOT 1
- Missing bits in example HOT 1
- Should there be an ADDRESS_RELEASE capsule? HOT 5
- Editorial: split handling out of HTTP Datagram Payload Format section HOT 2
- Editorial: add a Performance Considerations section HOT 2
- Editorial: in introduction mention why we update RFC 9298
- Text on disabling congestion control HOT 17
- Clarify assumption in ECN considerations
- Mandate usage of HTTPS HOT 2
- Disabling congestion control a SHOULD? HOT 3
- Clarify the conceptual model of router vs link (Tunnel) HOT 5
- Clarify that IPproto is a traffic filter parameter on the outermost IP header that is to be encapsulated by the tunnel HOT 1
- Go through usage of client and server vs IP proxying endpoint HOT 4
- Treating differentiated services equally? HOT 3
- Wording nit found during EDIT phase HOT 1
- AUTH48: Wrong use of HTTP Proxy HOT 5
- AUTH48: Use of Successful response HOT 3
- AUTH48: Use of "Fail the request" HOT 3
- AUTH48: clarify frames per packet HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from draft-ietf-masque-connect-ip.