
Re: An idea: GxSE



On Wed, 27 Jun 2001, Sean Doran wrote:

> Jon (Taz) Mischo <taz@tazlore.com> writes:
> 
> | This is similar to the idea I had expressed.
> 
> Let me see if I understand where you're headed.
> 
> 1. split v6 address into two components:
> 	"SK" - unique and end-to-end
> 	"GR" - shared and local

Correct.

> 2. The unique and end-to-end component corresponds to "who", as in
>    "who is it that originated this packet" (satisfying Vixie) or as
>    in "who is at the receiving end of this packet" (satisfying demulti-
>    plexing)

Indeed.

> 3. The other component corresponds to "where", as in "where in the
>    (local) topology can I find a hop much closer to my desired destination".
>    IOW, "where" is a forwarding instruction for LOCAL routers that help
>    them get towards the unique "who".

Slight clarification.  Local isn't the right word here.  The SK portion
would be local i.e. behind the remapping.  GR would be used in front of
the GR remapping.  GR is used to tell the rest of the world how to get to
the SK address via announcements.  There may be more than one valid GR/SK
pair announced.  To the non-GxSE site, these look like multiple addresses
for the same host, to the GxSE site, they look like multiple paths to the
same host.  As such, it is similar to landmark routing in that it tells
any router along the way how to get closer to the SK address.  Except for
where rewriting occurs, however, this is fairly fixed (standard routing
behavior).  This is only variable when inside an administrative domain
that maintains GR/SK pair mappings and has the authority to remap said
address.  In that case, the GR can be re-written to control the behavior
between the host and the rewriting router, but only within the same
domain.  In other words, you can't redirect someone else's traffic.  If
you announce a set of viable GR/SK pairs to the world, someone else can't
announce different GR's for your SK's globally.  They could, however,
remap within their own administrative domain, allowing them to control
your path via rules instead of via metrics, for instance.

> 4. The forwarding instruction may cause _routers_ to do any number of things:
> 	discard packet (with or without signalling an error)
> 	forward a packet out a particular interface
> 	swap "labels" - forward out a particular interface but with a 
>             new forwarding instruction	

Yes and no.  You're treading on thin ice there.  You're almost discussing
MPLS.  This is, however, different than MPLS.  There is no label stacking,
and thus you are limited in your remapping, unless you distribute your
mappings within your own AD.  You cannot announce your mappings unless you
have authority over the SK.

> 5. Should _hosts_ which are not also routers EVER look at GR?  Why?
>    What should the host expect of a non-unique locally-scoped address
>    component?

The GR would be unimportant to the host.  However, this can be done in a
manner to hide the GR mappings from the host.  A non-unique locally scoped
address should not be affected, as we are interested in unique addresses
only.  

> 6. Should _routers_ ever touch the SK ("who") component?
>    By "touch" I mean (a) mutate or (b) examine.
>    The simple case for (b) is when the host examines SK to determine if
>       the packet is addressed to the router itself.

(a) No, NEVER.  If the SK is compromised, you have lost all the value of
using GxSE.
(b) Sometimes.  If a router examines the GR and sees that it is
authoritative for that GR, it would examine the SK to determine where to
route the packet within the AD.

> 5&6 go to the heart of the end-to-end against NAT argument,
> and I would be curious to see if any kind of consensus can be
> formed among the people with very strong (and opposite) views
> who are here on this list.

GxSE and NAT are mutually exclusive technologies.  GxSE as I envision it
takes the good things from NAT and mates them with end-to-end and routing
concepts.  NAT is much abused today.  It was originally designed to deal
with ISPs that didn't have the address space to allocate enough IP
addresses, or had policies against doing so.  It was a way for people to
get around these problems.

GxSE is the next logical step in evolution from NAT.  It provides a way to
deal with globally scoped unique addresses that allows for multihoming.  
IPv6 takes away some of the constraints that created NAT, though many
people seem to think it is important for security.  And it is, if you
don't know how to write network policies.  Of course, it is hardly "safe."

Naturally, people will want to NAT GxSE.  This is evil.  It should be
avoided.

> I would also be interested in the input of host and router vendors
> who have some experience in implementing a variety of protocols.
> 
> 	Sean.

-Jon

-- 
        "Be liberal in what you accept,
      and conservative in what you send."
--Jon Postel (1943-1998) RFC 1122, October 1989
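A small model of the forwarding and announcement rules Jon lays out above: routers forward on GR, examine SK only when authoritative for the GR, may rewrite GR for their own domain but never touch SK, and may only announce GR/SK pairs for SKs they have authority over. This is an added example, not code from this thread or from any GxSE implementation; the 64/64 bit split, the router tables and the addresses are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address

# Assumed split (the thread fixes no widths): upper 64 bits = GR, lower 64 = SK.
SK_BITS = 64
SK_MASK = (1 << SK_BITS) - 1

def split(addr: str) -> tuple:
    """Return the (GR, SK) components of a v6 address as integers."""
    n = int(IPv6Address(addr))
    return n >> SK_BITS, n & SK_MASK

def join(gr: int, sk: int) -> str:
    return str(IPv6Address((gr << SK_BITS) | sk))

@dataclass
class Router:
    ad: str                                              # administrative domain
    gr_routes: dict = field(default_factory=dict)        # GR -> next hop ("where")
    authoritative_grs: set = field(default_factory=set)  # GRs this AD is authoritative for
    sk_routes: dict = field(default_factory=dict)        # SK -> next hop, used only when authoritative
    owned_sks: set = field(default_factory=set)          # SKs this AD may announce GRs for globally
    remap: dict = field(default_factory=dict)            # SK -> GR rewrite, valid only inside this AD

    def forward(self, dst: str) -> tuple:
        """Return (next_hop, outgoing destination). The SK is never mutated."""
        gr, sk = split(dst)
        if gr in self.authoritative_grs:        # 6(b): look at SK only when authoritative for GR
            return self.sk_routes.get(sk, "drop"), dst
        gr = self.remap.get(sk, gr)             # intra-AD GR rewrite (policy over metrics), SK untouched
        return self.gr_routes.get(gr, "drop"), join(gr, sk)

    def may_announce(self, gr: int, sk: int) -> bool:
        """A global GR/SK announcement is valid only for SKs the AD has authority over."""
        return sk in self.owned_sks

# Constructed example: one host (SK 0x1) announced behind two GRs, i.e. multihomed.
SK = 0x1
GR_A, GR_B = 0x2001_0db8_0000_0001, 0x2001_0db8_0000_0002
site = Router(ad="site", authoritative_grs={GR_A, GR_B},
              sk_routes={SK: "host-link"}, owned_sks={SK})
# A foreign AD prefers path B for this host: it rewrites GR inside its own domain only.
foreign = Router(ad="foreign", gr_routes={GR_A: "upstream-a", GR_B: "upstream-b"},
                 remap={SK: GR_B})
```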