Re: (PM) PM2ER/PM3 source address (fwd)

James (James@superbug.demon.co.uk)
Sun, 01 Feb 1998 02:04:08 +0000

> From: "Dick St.Peters" <stpeters@NetHeaven.com>
> Date: Sat, 31 Jan 1998 01:40:37 -0500
> Subject: Re: (PM) PM2ER/PM3 source address (fwd)
>
> > >Problem: RADIUS and syslog packets from the PM2ER sent out the W1 port
> > > have the ether0 address as their source address.
> >
> > Right. That is one of the core features of ALL of our products. Unit
> > identity is defined by ether0. That is how it has always been, and a lot
> > of ComOS is based on that. The unit is *defined* by ether0.

I think MZ has got a point here. All RADIUS packets should have a
pre-determined client address (see clients file in radius). So a very
good general rule is use the ether0 address. I think this is a lot
simpler than you having to work out what interface the packet will leave
the PM.
I think (hope) the point that MZ was trying to make is that if you need
a unique identity for each PM box, pick the ether0 interface IP address.
It does not mean that the identity is somehow wrapped up together with
IP addresses. It just means that a sensible (no-brainer) number to
choose for the identity would be the ether0 IP address. It is guaranteed to be
unique. The ComOS does that when it has to (Radius client ID).
>
> MZ, you couldn't be more wrong than on this issue.
>
> The notion that a device's "identity" and IP address are somehow
> wrapped up together is seriously flawed thinking. It was once an ok
> idea for single-IP host devices, but it has always been a bogus
> concept for routers capable of existing in more than one portion of
> address space.
>
> Witness the explicit OSPF distinction between OSPF router ID and IP
> address. Both concepts are displayed in "show ospf neighbors". One
> IP address does become the ID. However, only for interface(s) to
> which it is assigned is it also the IP address. For the case of a
> router used as CPE, it is acceptable that its OSPF ID be an IP address
> in a customer's space for the very reason that it is not used as the
> IP address in OSPF.
>
> When a device originates a packet, the packet should have as its
> source address the address of the interface the packet goes out on.
> This is necessary for sane network management at the edges where
> administrative realms change.
>
> When a device responds to a packet, it should reply with a source
> address equal to the destination interface address of the packet to
> which it is responding.
>
> > >PM3s do this too. Relatively unimportant things like pings from the
> > >PMs get it right, with source address being that of the interface the
> > >packet is sent out. Just the key admin things - things that most
> >
> > ICMP is the only protocol that uses the interface I believe,
>
> You're mistaken; fortunately the PM gets lots of cases right:
>
> On a PM, if you telnet out its WAN port, the source address is the WAN
> port address. That's as it should be.
>
> On a PM, if you rlogin out its WAN port, the source address is the WAN
> port address, as it should be.
>
> On a PM, if you ping out its WAN port, the source address is the WAN
> port address, as it should be.
>
> A PM uses the WAN port address as the source address when doing OSPF
> interaction out the WAN port, as it should. I haven't checked, but
> I'll bet it uses the WAN port address as the source address in RIP
> packets too.
>
> From outside, if you traceroute through a PM, entering via the WAN
> port, the returned packet source address is the WAN port address, as
> it should be.
>
> From outside, if you ping the WAN port entering via either the WAN
> port or the Ethernet port, the returned packet source address is the
> WAN port address, as it should be.
>
> Those are all correct behaviors, but not all is well. If from the
> outside you telnet to the WAN port address, a PM responds with its
> Ethernet address, breaking telnet. This is absolutely dead flat-out
> wrong.
I have not checked this one. If what you say is true, it is wrong. But I
use unnumbered links on WAN ports so I never get the problem you
describe.
If you want to see a really strange routing system, take a look at
Windows NT RRAS.
It, as you might have guessed, does WAN routing differently from
everyone else.
>
> IP addresses do not identify devices, they identify interfaces.
>