
Re: Host-based may be the way to go, but network controls are necessary



 In your previous mail you wrote:

   Something that would have less of a performance implication is that
   the host chooses a destination address from the ones returned by the DNS,
   and e.g. the site exit router can detect that the source address is
   not the best one and send back a "please use different source address".

=> this is the "source redirect", IMHO something we really need.

   In this case the border router would not know whether there are alternative
   destination addresses that the host could have chosen, thus
   I suspect the set of policies that can be handled is less than in the more 
   general case.
   
=> as Christian showed in his draft, there are cases where a "wrong" source
doesn't work. It is important to handle such cases, and optimization should
come after (so do the source redirect now and continue to think about
better/more complete solutions).

   Not that 8+8/GSE didn't have a way for the network to influence the initial 
   destination address to use; the host could learn a new destination
   RG from the return traffic.
   
=> this is known, too, to be a major security hole...

   Hence my (so far) futile attempts to understand what policy controls
   are needed or desired.
   
=> a minimal control is needed (cf Christian's draft, the argument is
ingress filtering). More is surely desired but complex enough that
no proposal is already a clear win.

Thanks

Francis.Dupont@enst-bretagne.fr
PS: draft-huitema-multi6-hosts-01.txt
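The exchange discussed above, as an added example that is not part of the original message and not the mechanism specified in draft-huitema-multi6-hosts: a Python model of a site with two ingress-filtering upstream providers, where the exit router is chosen on the destination and a host that picked a source address from the "wrong" provider prefix either has its packet dropped by the provider's ingress filter or, when the hypothetical "please use a different source address" reply is enabled, reselects a source within the prefix the router hints at. The prefixes (from the 2001:db8::/32 documentation range), the route policy, the message shape and all class and function names are assumptions made for this illustration.

```python
"""Constructed model of ingress filtering vs. source address selection at a
multihomed site, and of a hypothetical "source redirect" reply from the site
exit router.  Not the draft's protocol; prefixes, routes and names are made
up for the example.
"""
from __future__ import annotations

from ipaddress import IPv6Address, IPv6Network

# Each upstream delegates a /48 to the site and ingress-filters outbound
# traffic: a packet whose source lies outside that /48 is dropped.  (Assumed
# topology; documentation prefixes only.)
PROVIDER_PREFIX = {
    "ISP-A": IPv6Network("2001:db8:a::/48"),
    "ISP-B": IPv6Network("2001:db8:b::/48"),
}


class ExitRouter:
    """Site exit router towards one provider, applying that provider's
    ingress filter so the source/exit mismatch is visible at the site edge."""

    def __init__(self, provider: str, source_redirect: bool) -> None:
        self.provider = provider
        self.prefix = PROVIDER_PREFIX[provider]
        self.source_redirect = source_redirect

    def forward(self, src: IPv6Address, dst: IPv6Address) -> tuple[str, IPv6Network | None]:
        """Return ("forwarded", None), ("redirect", prefix) or ("dropped", None)."""
        if src in self.prefix:
            return ("forwarded", None)
        if self.source_redirect:
            # Hypothetical "please use a different source address" reply.  The
            # router only knows which prefix it can carry; it does not know
            # which other destination addresses the host could have chosen.
            return ("redirect", self.prefix)
        return ("dropped", None)


class Site:
    """Site routing: destination prefix -> exit router.  The exit is chosen
    on the destination alone, independently of the source the host picked."""

    def __init__(self, routes: dict[IPv6Network, ExitRouter], default: ExitRouter) -> None:
        self.routes = routes
        self.default = default

    def exit_for(self, dst: IPv6Address) -> ExitRouter:
        for net, router in self.routes.items():
            if dst in net:
                return router
        return self.default


class Host:
    """A host with one address per provider prefix and naive source selection."""

    def __init__(self, addrs: list[IPv6Address]) -> None:
        self.addrs = addrs

    def send(self, site: Site, dst: IPv6Address, max_redirects: int = 2) -> IPv6Address | None:
        """Return the source address that got through, or None if dropped."""
        src = self.addrs[0]  # naive choice: first configured address
        router = site.exit_for(dst)
        for _ in range(max_redirects + 1):
            status, hint = router.forward(src, dst)
            if status == "forwarded":
                return src
            if status == "dropped":
                return None
            # "redirect": reselect among our own addresses inside the hinted prefix
            candidates = [a for a in self.addrs if hint is not None and a in hint]
            if not candidates:
                return None
            src = candidates[0]
        return None


def build_site(source_redirect: bool) -> tuple[Site, Host]:
    ra = ExitRouter("ISP-A", source_redirect)
    rb = ExitRouter("ISP-B", source_redirect)
    # Assumed policy: destinations in 2001:db8:c::/48 leave via ISP-B,
    # everything else via ISP-A.
    site = Site({IPv6Network("2001:db8:c::/48"): rb}, default=ra)
    host = Host([IPv6Address("2001:db8:a::10"), IPv6Address("2001:db8:b::10")])
    return site, host


def demo(source_redirect: bool) -> dict[str, IPv6Address | None]:
    """Send to one destination that exits via ISP-A and one that exits via ISP-B."""
    site, host = build_site(source_redirect)
    return {
        "via-A": host.send(site, IPv6Address("2001:db8:d::1")),
        "via-B": host.send(site, IPv6Address("2001:db8:c::1")),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"source redirect {'on' if flag else 'off'}:", demo(flag))
```

With the redirect disabled the packet toward 2001:db8:c::1 is silently lost: the site routes it out via ISP-B while the host sourced it from ISP-A's prefix, which is exactly the ingress-filtering failure the message says must be handled first. With the redirect enabled the host retries from its ISP-B address and the packet passes; what the model cannot do, matching the quoted objection, is let the router steer the host toward a different destination address, because the router never sees the alternatives.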