Do ADDRESS_ASSIGN Capsule support assigning an address range? about draft-ietf-masque-connect-ip HOT 6 CLOSED

I think my question is about if there is assumptions on how different addresses within a prefix given to a MASQUE client will be used.

The goal was to avoid assumptions and leave choices like this up to the individual implementation/deployment. We did assume that ADDRESS_ASSIGN addresses are to be used inside the tunnel - so that needs to be spelled out explicitly - but otherwise most questions about addressing are a matter of policy.

For example is there an assumed gateway address?

Gateway addresses are a concept that exists for L2 networks and is not necessary in the setting of a virtual network without any L2 layer. On traditional networks, the purpose of the gateway address is to give the client an identifier it can use ARP/ND to find a MAC address for because that's the L2 destination address it'll use on all off-network destination IPs. But here there is no L2 and no MAC addresses involved, so there's no need for a gateway address.

Are the MASQUE peers actually addressable on the inside so to say of the tunnel.

The addresses exchanged by ADDRESS_ASSIGN are meant to be usable inside the tunnel - but you're right that we should spell that out explicitly.

Can the MASQUE client ping the MASQUE server's tunnel egress? Or is the tunnel totally transparent and its insider have no presence in IP land?

I think that's a matter of local policy that's not specific to CONNECT-IP. Today on the Internet some routers will respond to ping (and do proper ICMP handling so that traceroute works, etc.) while others will not do any of those things but still forward packets. A CONNECT-IP endpoint is just a router in this context and it's free to choose its local policy regarding ICMP handling.

from draft-ietf-masque-connect-ip.

The ADDRESS_ASSIGN capsule contains an IP Prefix Length field which allows conveying either a single address, or a prefix (i.e. a whole range of addresses).

@gloinul I'm not sure I understand what you meant by "specific addresses that will actually be processed out of this range" though, can you clarify?

from draft-ietf-masque-connect-ip.

The goal is to support both single addresses and ranges. You can do disjoint ranges by using multiple ADDRESS_ASSIGN messages (although I expect use cases for such to be rare).

If an entire range is assigned, e.g., an IPv6 /64, then the client is free to use any address in that range (or all of them), and the proxy MUST drop any packets with a source address outside of the range(s) assigned to that client.

from draft-ietf-masque-connect-ip.

@DavidSchinazi looking at this again, I think my question is about if there is assumptions on how different addresses within a prefix given to a MASQUE client will be used. For example is there an assumed gateway address? Are the MASQUE peers actually addressable on the inside so to say of the tunnel. Can the MASQUE client ping the MASQUE server's tunnel egress? Or is the tunnel totally transparent and its insider have no presence in IP land?

from draft-ietf-masque-connect-ip.

This might be related to #3

from draft-ietf-masque-connect-ip.

Discussed on call, and the ability to assign a prefix does allow a single address or a range. Future extensions could add more semantics to explain the meaning of the addresses.

from draft-ietf-masque-connect-ip.