BIND_TO DEVICE and the loopback interface

[Oleg Goldshmidt]

Hi Gilad,

> You have a network server application (it's a SIP UA but that
> doesn't matter much) that is bound to an IP on the media network
> interface. Because the media and management networks might be
> completely different, you use the BIND_TO_DEVICE socket option om
> the server sockets so that the kernel will only route traffic for
> that socket via that device.

I presume you mean SO_BINDTODEVICE. Disclaimer: I don't recall ever
using this option myself, so i don't assume I know the intricacies. 

On an intuitive level, I would be very suspicious or any application
that does this. Doesn't this imply - unless the app performs a 3rd
degree interrogation of the underlying HW and OS - that the platform
will have to be configured in a very specific way for the app to work? 
Isn't it more or less what your friend sees?

Besides, an app cannot override the OS-level policies (such as
routing) as a matter of design, security, etc. I think this is also
manifested in this example. 

I think SO_BINDTODEVICE is intended primarily for raw sockets, and
those, in turn, are useful for very specific kinds of applications and
are not for general application level use.

> (lo), and since the server forces the kernel to only route traffic via
> the media interface,

Actually, I think a more precise way to phrase it is that the packets
that don't arrive at this interface are ignored...
 
> Required: a solution, generic as possible, extra points for no need to
> change server and client apps :-)

VLANs?

-- 
Oleg Goldshmidt | pub at goldshmidt.org