
Re: Host-based may be the way to go, but network controls are necessary



On Wed, 20 Nov 2002, Erik Nordmark wrote:

> > That doesn't have to be the case. Today, hosts already perform a
> > host/domain name to IP address mapping. You wouldn't take a significant
> > performance hit by looking up the addresses learnt from the DNS in the
> > routing table and tag them with some kind of routing metric. And if you
> > have access to routing at this stage, you can see which exit each
> > address takes so which source prefix should be appropriate.

> The host most likely just has one (or two) default routes, so it can't
> make this determination locally. Even the first hop router might not
> have much information about external destinations.

True. But the address info comes from the DNS, and it shouldn't be a
problem to hack the DNS to be aware of routing or do this the clean way
with a new protocol. (In my book, DNS is up for an overhaul anyway since
it still requires the host to know DNS addresses.)

> The routing metrics,
> in whichever router you find them, might not capture and might not be capable
> of capturing the policy folks want - routing is defined to route packets
> and not to describe which source addresses are preferred for which
> destinations.

I think the two are similar enough to be useful. We could also think
about an end-to-end address preference protocol (as long as we're
retiring the DNS anyway...) but that will probably take a bit longer to
do.

> One could naively make the host query a site-wide server for policy decisions
> e.g. each time the host needs to choose source and destination addresses
> for a connection. That would have performance implications.

1. The host can cache this information when there are many connections
   to the same host in quick succession (HTTP...)
2. The host does DNS queries today anyway

> Something that would have less of a performance implication is that
> the host chooses a destination address from the ones returned by the DNS,
> and e.g. the site exit router can detect that the source address is
> not the best one and send back a "please use different source address".

That is also a useful approach although I think Christian doesn't like
it.

> Hence my (so far) futile attempts to understand what policy controls are needed
> or desired.

Simple. If you have two or more connections to the internet, you want to
use them to your advantage. This means balancing the total traffic (not
individual sessions) over all links and being able to prefer one link
over another for individual destinations.

People with stateful firewalls also really like their incoming and
outgoing traffic to take the same path, but they don't get that today
either.

Iljitsch
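An added example (not code from Iljitsch's post or from anyone in the thread) of the host-side scheme the thread argues about: the host takes the candidate addresses the DNS returned, looks each one up in a routing table, tags it with the exit and metric the route carries, derives the matching source prefix from the exit, and caches the result so a burst of connections to the same host does not repeat the lookup. The routing table, exit names, provider prefixes, addresses and metrics below are all constructed for illustration; the per-destination `preferred_exit` override stands in for the "prefer one link over another for individual destinations" policy mentioned in the reply.

```python
import ipaddress
from functools import lru_cache

# Constructed routing table: destination prefix -> (exit name, metric).
# Longest prefix wins, as in a normal forwarding lookup.
ROUTES = {
    ipaddress.ip_network("2001:db8:a000::/36"): ("isp-a", 10),
    ipaddress.ip_network("2001:db8:b000::/36"): ("isp-b", 20),
    ipaddress.ip_network("::/0"): ("isp-a", 100),  # default route
}

# Constructed policy: each exit corresponds to one provider-assigned source prefix.
SOURCE_PREFIXES = {
    "isp-a": ipaddress.ip_network("2001:db8:1::/48"),
    "isp-b": ipaddress.ip_network("2001:db8:2::/48"),
}

# Constructed local addresses, one per provider prefix.
LOCAL_ADDRS = [
    ipaddress.ip_address("2001:db8:1::10"),
    ipaddress.ip_address("2001:db8:2::10"),
]


def lookup_route(dst):
    """Longest-prefix match of dst against ROUTES; returns (exit, metric)."""
    best_net, best_route = None, None
    for net, route in ROUTES.items():
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_route = net, route
    return best_route


def source_for_exit(exit_name):
    """Pick the local address that falls inside the exit's source prefix."""
    for addr in LOCAL_ADDRS:
        if addr in SOURCE_PREFIXES[exit_name]:
            return addr
    raise LookupError(f"no local address for exit {exit_name}")


@lru_cache(maxsize=1024)
def select_pair(dst_str):
    """Return (source, destination, exit, metric) for one candidate destination.
    Cached so repeated connections to the same host skip the routing lookup."""
    dst = ipaddress.ip_address(dst_str)
    exit_name, metric = lookup_route(dst)
    return (str(source_for_exit(exit_name)), dst_str, exit_name, metric)


def choose_pair(candidates, preferred_exit=None):
    """Tag every DNS-returned candidate with its exit and metric, then choose.
    A per-destination preferred exit overrides the metric; otherwise the
    lowest metric wins, with candidate order breaking ties."""
    tagged = [select_pair(c) for c in candidates]
    if preferred_exit is not None:
        for pair in tagged:
            if pair[2] == preferred_exit:
                return pair
    return min(tagged, key=lambda p: p[3])


if __name__ == "__main__":
    # Two candidates from the DNS: one only reachable via the default route,
    # one with a specific route out of isp-b. The specific route wins on metric.
    print(choose_pair(["2001:db8:c000::1", "2001:db8:b000::1"]))
```

The example shows where the performance objection in the thread actually lands: the per-candidate lookup is a longest-prefix match the host's stack already knows how to do, and the cache means a run of HTTP connections to one server pays for it once. What it does not solve is the case the reply concedes, a host holding only a default route, where every candidate collapses onto the same exit and the metric tells the host nothing.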