Re: Host-based may be the way to go, but network controls are necessary
> That doesn't have to be the case. Today, hosts already perform a
> host/domain name to IP address mapping. You wouldn't take a significant
> performance hit by looking up the addresses learnt from the DNS in the
> routing table and tag them with some kind of routing metric. And if you
> have access to routing at this stage, you can see which exit each
> address takes so which source prefix should be appropriate.
The host most likely just has one (or two) default routes, so it can't
make this determination locally. Even the first hop router might not
have much information about external destinations. The routing metrics,
in whichever router you find them, might not capture and might not be capable
of capturing the policy folks want - routing is defined to route packets
and not to describe which source addresses are preferred for which
destinations.
One could naively make the host query a site-wide server for policy decisions
e.g. each time the host needs to choose source and destination addresses
for a connection. That would have performance implications.
Something that would have less of a performance implication is that
the host chooses a destination address from the ones returned by the DNS,
and e.g. the site exit router can detect that the source address is
not the best one and send back a "please use different source address".
In this case the border router would not know whether there are alternative
destination addresses that the host could have chosen, thus
I suspect the set of policies that can be handled is less than in the more
general case.
Not that 8+8/GSE didn't have a way for the network to influence the initial
destination address to use; the host could learn a new destination
RG from the return traffic.
Hence my (so far) futile attempts to understand what policy controls are needed
or desired.
Erik
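The two alternatives Erik contrasts above (a site exit router that can only say "please use a different source address" for the one pair it sees, versus a site-wide policy server that sees every candidate pair) can be modelled in a few dozen lines. The following is an added example, not code from the original message or from any of the designs it mentions; the ISP names, the 2001:db8::/32 prefixes, the DNS answers and the "prefer the cheaper exit" policy are all constructed for illustration.

```python
"""Model of the two source-address-selection mechanisms discussed above.
Added example, not from the original post; ISPs, prefixes, routes and DNS
answers are constructed (2001:db8::/32 documentation space)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed multihomed site: one address prefix per upstream ISP.
SITE_PREFIXES = {
    "ispA": ipaddress.ip_network("2001:db8:a::/48"),
    "ispB": ipaddress.ip_network("2001:db8:b::/48"),
}


@dataclass(frozen=True)
class Connection:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address


class ExitRouter:
    """Hypothetical site exit router. It knows which ISP a destination is
    routed through, hence which source prefix that exit wants, but it only
    sees the one (src, dst) pair the host chose, not the other DNS answers."""

    def __init__(self, routes):
        # routes: (destination prefix, exit ISP); longest prefix wins
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)

    def exit_for(self, dst):
        return next(isp for pfx, isp in self.routes if dst in pfx)

    def check(self, conn) -> Optional[ipaddress.IPv6Network]:
        """None means accept; otherwise the 'please use a different source
        address' feedback, carrying the prefix the host should use."""
        wanted = SITE_PREFIXES[self.exit_for(conn.dst)]
        return None if conn.src in wanted else wanted


class Host:
    def __init__(self, addrs):
        self.addrs = [ipaddress.ip_address(a) for a in addrs]

    def connect(self, dns_answers, router, max_redirects=2):
        """Pick the first DNS answer and any local source address, then
        follow source-address redirects from the exit router."""
        dst = ipaddress.ip_address(dns_answers[0])
        src = self.addrs[0]
        transcript = []
        for _ in range(max_redirects + 1):
            conn = Connection(src, dst)
            feedback = router.check(conn)
            transcript.append((conn, feedback))
            if feedback is None:
                return conn, transcript
            src = next(a for a in self.addrs if a in feedback)
        raise RuntimeError("redirect loop")


class PolicyServer:
    """Hypothetical site-wide policy server: sees every (src, dst) candidate
    and can express a policy over destinations too, e.g. 'prefer the
    cheaper ISP whenever the peer is reachable through it'."""

    def __init__(self, router, preferred_isp):
        self.router, self.preferred_isp = router, preferred_isp

    def choose(self, host, dns_answers):
        pairs = []
        for d in dns_answers:
            dst = ipaddress.ip_address(d)
            isp = self.router.exit_for(dst)
            src = next(a for a in host.addrs if a in SITE_PREFIXES[isp])
            pairs.append((isp == self.preferred_isp, Connection(src, dst)))
        # preferred exit first; DNS order breaks ties (max keeps the first)
        return max(pairs, key=lambda p: p[0])[1]


def demo():
    """Constructed scenario: the peer has one address behind each ISP."""
    router = ExitRouter([
        (ipaddress.ip_network("2001:db8:100::/48"), "ispA"),
        (ipaddress.ip_network("2001:db8:200::/48"), "ispB"),
        (ipaddress.ip_network("::/0"), "ispA"),
    ])
    host = Host(["2001:db8:b::1", "2001:db8:a::1"])
    peer = ["2001:db8:100::1", "2001:db8:200::1"]  # constructed DNS answers
    redirected, transcript = host.connect(peer, router)
    served = PolicyServer(router, "ispB").choose(host, peer)
    return redirected, transcript, served


if __name__ == "__main__":
    redirected, transcript, served = demo()
    for conn, feedback in transcript:
        print(f"host sent {conn.src} -> {conn.dst}; router says: {feedback}")
    print("router feedback ends with", redirected)
    print("policy server would pick ", served)
```

Running `demo()` shows the asymmetry in the message: the exit-router feedback fixes the source address for the destination the host happened to pick (the ISP A path), while the policy server, which sees both DNS answers, can steer the whole connection onto ISP B. The router cannot do that because it never learns that the second destination address existed.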