On Mon, May 30, 2022 at 01:14:51PM +0200, Petr Menšík via networkmanager-list wrote:
> Hi, RFC 8801 [1] is on the standards track already. Would it be difficult to implement it in NM? I think it provides a very nice way to make profiles on ethernet connections, for example. Not sure if I can have multiple configurations switched automatically without RADIUS used for port security.
Hi, I have quickly read RFC 8801 and RFC 7756, and it's not clear to me how the PvD model would fit in the NM picture.
> But this RFC allows specification of domains and prefixes used on a given connection. That would be useful for a VPN connected to work, for example, when I still want to reach some local resources, such as a printer or local file storage when I work from home. Unlike RADIUS it can work fine on home networks too. But it can use TLS for obtaining basic information, so that information can be secure at the same time.
From what I understood, the RFCs define the concept of PvDs (provisioning domains) that contain related network configuration such as DNS servers, DNS domains, default gateways, etc. A PvD can be explicit (provided to the client via e.g. an RA option), or implicit when a client automatically creates a different PvD for each interface. What is not clear to me is how to use that information. For PvD-aware nodes, the recommendation is to use the received information consistently (for example, use the DNS server from one PvD for the domains of the same PvD, etc.). Note that NM already does something like that implicitly when using one of dns={dnsmasq,systemd-resolved}: it queries a nameserver only on the interface that announced it, and it routes queries according to the automatically-received domains. The RFC also talks about PvD-aware applications that can choose the PvD, but I don't think infrastructure for that exists outside NM.
> It requires some kind of autoconfiguration of IP addresses. But I would like to have a possible LLMNR or mDNS configuration configured just on some kinds of networks. Could a provisioning domain allow profiles in NM, which would be autoconfigured via the network? It would be great for laptops connected via ethernet.
I don't know, there seems to be no mention of LLMNR or mDNS in the RFC. I see that it allows the nodes to fetch a JSON that contains more information, and that probably can be extended to do everything. While I agree that in theory this feature would be nice, I think the use cases are not well defined yet and it seems that implementing this in NM will require a significant effort. Does any existing DHCP/RA server implement the needed options? Do you know of any existing real deployment of this feature?

Beniamino
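An added illustration of the per-PvD DNS routing described above (the "use the DNS server from one PvD for the domains of the same PvD" rule, and the implicit one-PvD-per-interface case), applied to the home-VPN-plus-local-printer scenario from the thread. This is example code, not NetworkManager's or systemd-resolved's implementation; the Pvd class, route_query, and the interface names, addresses and domains are constructed for the example.

```python
# Added example (not NM's code): route DNS queries to the nameservers of the
# PvD whose domain matches, as NM does implicitly with dns=systemd-resolved.
from dataclasses import dataclass


@dataclass
class Pvd:
    pvd_id: str          # FQDN from the RA option, or a constructed id for implicit PvDs
    interface: str
    nameservers: list    # constructed sample addresses
    domains: list        # DNS domains learned on this interface; "~." = default route
    explicit: bool = True


def implicit_pvd(interface, nameservers, domains):
    """Build the implicit PvD a node creates for an interface that announced no PvD ID."""
    return Pvd(f"implicit:{interface}", interface, nameservers, domains, explicit=False)


def _suffix_match(domain, name):
    """Return (matched, specificity): specificity is the matched suffix length."""
    d = domain.lstrip("~").strip(".").lower()
    n = name.strip(".").lower()
    if d == "":                         # "~." routes every name, least specific
        return True, 0
    return (n == d or n.endswith("." + d)), len(d)


def route_query(name, pvds):
    """Pick the PvD whose domain is the longest matching suffix of `name`.

    Queries for a PvD's domain only go to that PvD's own nameservers; with
    no match at all the result is None rather than a leak to an unrelated resolver.
    """
    best = None
    for pvd in pvds:
        for dom in pvd.domains:
            ok, spec = _suffix_match(dom, name)
            if ok and (best is None or spec > best[0]):
                best = (spec, pvd)
    return best[1] if best else None


# Constructed sample: home LAN (implicit PvD) plus a work VPN announcing an
# explicit PvD that also claims the default DNS route ("~.").
HOME = implicit_pvd("eth0", ["192.168.1.1"], ["home.arpa"])
WORK = Pvd("work.example", "tun0", ["10.0.0.53"], ["corp.example", "~."])
PVDS = [HOME, WORK]
```

With this sample, the printer under home.arpa is still resolved by the home router even though the VPN owns the default DNS route, which is the split the thread asks for.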