[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Host-based may be the way to go, but network controls areneccessary
On Wed, 20 Nov 2002, Erik Nordmark wrote:
> > However there are currently no routing knobs for a multi-homed site to
> > control via which site-exit a packet should be forwarded based on the
> > packet's source prefix (there are a hundred reasons why NAT is used
> > today, and this is one of them). This will result in unnecessary
> > "misses" (which means delay, dead packets, IDS alarms, etc) during the
> > connection setup of any host-based solution within a multi-homed site
> > because of the current source address selection process.
> I would be useful (at least for me) to understand the input and output
> parameters to the policy control.
> The most flexible one is to provide the list of possible destination addresses
> and source addresses as input, and get as a result the desired combinations
> (presumably ranked so that there is an indication of the fallback order
> when the 1st one doesn't work or fails).
> But building solutions for that is likely to cause significant performance
> overhead (at least for a host based solution).
That doesn't have to be the case. Today, hosts already perform a
host/domain name to IP address mapping. You wouldn't take a significant
performance hit by looking up the addresses learnt from the DNS in the
routing table and tag them with some kind of routing metric. And if you
have access to routing at this stage, you can see which exit each
addresss takes so which source prefix should be appropriate.
Alternatively, you could cache this information in the host, which will
either buy you a lot (host with many sessions) or next to nothing (host
with few sessions). The next step would be to share this information
between hosts on the same subnet or within the same site.
> Thus I wonder if there are policy functions that could be good enough even
> though they can only choose the source and the destination is given by the
> host.
I think if we do this the "smart but wrong" way we'll live to regret it
when we need to do it the right way later. For instance, if applications
try to be smart about selecting one address from several given by the
DNS, this makes it impossible for the resolver to do this right and
simply list the addresses in the preferred order.