On 3/28/24 10:36, qubist wrote:
> 1. Why was 10.137.x.x and 10.138.x.x subnet chosen? (and not e.g.
> 10.222.x.x)
Speaking as a QubesOS user with some networking experience (though
little professional networking experience), I doubt that there was a lot
of thought put into the exact numbers here. They needed to be in the
10.0.0.0/8 namespace so that they are a private namespace (they could
have used 192.168.0.0/16 or 172.16.0.0/12, but these are smaller
namespaces and /12 is an uncomfortable netmask to work with) but beyond
that the numbers don't have special meaning. They just needed to decide
on some number to use consistently. Or at least they did when the
netmask was /16 for both, meaning that 10.137.0.0 and 10.138.0.0 were
two separate networks. But now the netmask is /24 meaning that each host
is on its own network (where the network only supports a single host).
It would hypothetically be better to randomize across the entire
10.0.0.0 namespace since everything is on a separate network anyway, but
it's not clear to me how much practical benefit that would have and I'm
not sure if the network domains (sys-firewall, sys-net, etc.) would need
to change to account for this (they might use 137/138 as magic numbers
when making decisions, but they might not).
The above is all about IPv4. My ISP doesn't give me an IPv6 address so I
don't have any experience with it.