
Re: Host-based may be the way to go, but network controls are necessary



On Thu, 21 Nov 2002, Iljitsch van Beijnum wrote:

> On Wed, 20 Nov 2002, Erik Nordmark wrote:
> 
> > > That doesn't have to be the case. Today, hosts already perform a
> > > host/domain name to IP address mapping. You wouldn't take a significant
> > > performance hit by looking up the addresses learnt from the DNS in the
> > > routing table and tag them with some kind of routing metric. And if you
> > > have access to routing at this stage, you can see which exit each
> > > address takes so which source prefix should be appropriate.
> 
> > The host most likely just has one (or two) default routes, so it can't
> > make this determination locally. Even the first hop router might not
> > have much information about external destinations.
> 
> True. But the address info comes from the DNS, and it shouldn't be a
> problem to hack the DNS to be aware of routing or do this the clean way
> with a new protocol. (In my book, DNS is up for an overhaul anyway since
> it still requires the host to know DNS addresses.)
> 
> > The routing metrics,
> > in whichever router you find them, might not capture and might not be capable
> > of capturing the policy folks want - routing is defined to route packets
> > and not to describe which source addresses are preferred for which
> > destinations.
> 
> I think the two are similar enough to be useful. We could also think
> about an end-to-end address preference protocol (as long as we're
> retiring the DNS anyway...) but that will probably take a bit longer to
> do.
> 
> > One could naively make the host query a site-wide server for policy decisions
> > e.g. each time the host needs to choose source and destination addresses
> > for a connection. That would have performance implications.
> 
> 1. The host can cache this information when there are many connections
>    to the same host in quick succession (HTTP...)
> 2. The host does DNS queries today anyway
> 
> > Something that would have less of a performance implication is that
> > the host chooses a destination address from the ones returned by the DNS,
> > and e.g. the site exit router can detect that the source address is
> > not the best one and send back a "please use different source address".
> 
> That is also a useful approach although I think Christian doesn't like
> it.
> 
> > Hence my (so far) futile attempts to understand what policy controls are needed
> > or desired.
> 
> Simple. If you have two or more connections to the internet, you want to
> use them to your advantage. This means balancing the total traffic (not
> individual sessions) over all links and being able to prefer one link
> over another for individual destinations.

As an ISP, I often want the reverse.  Some links are backup and cost a lot more
to run and should be deprecated.  Other links might be flaky or have bizarre
characteristics (e.g., radio or satellite) so that they should be deprecated for
some reason (or only be used in one direction).

My suppliers have been rather unfriendly in honouring BGP priorities, and
sometimes my only level of control has been to shut the links down which kind
of defeats the purpose of multihoming.

> 
> People with stateful firewalls also really like their incoming and
> outgoing traffic to take the same path, but they don't get that today
> either.
> 
> Iljitsch

Peter

--
Peter R. Tattam                            peter@trumpet.com
Managing Director,    Trumpet Software International Pty Ltd
Hobart, Australia,  Ph. +61-3-6245-0220,  Fax +61-3-6245-0210
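To make the mechanism under discussion concrete, here is an added example (not code from the thread or from any of its participants) of the host-side selection Iljitsch describes: the host looks each destination up in a site policy table, picks the source prefix (and so the exit) with the best metric, and caches the answer so repeated connections to the same peer (HTTP) cost nothing. It also models Erik's alternative, where the site exit router notices a sub-optimal source address and sends back "please use a different source address", and Peter's case of an expensive backup link that should only carry traffic when nothing better matches. The prefixes, exit names, metrics and the PolicyEntry/HostSelector classes are all constructed for this example; real sites would populate the table from their own routing policy.

```python
"""Host-side source address selection against a site policy table.

Constructed example: a site with two upstream providers, each delegating
a /48, and a host holding one address out of each delegated prefix.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv6Net = ipaddress.IPv6Network
IPv6Addr = ipaddress.IPv6Address


@dataclass(frozen=True)
class PolicyEntry:
    dest: IPv6Net      # destination prefix this rule covers
    source: IPv6Net    # site prefix delegated by the provider behind 'exit'
    exit: str          # which exit router / upstream link carries it
    metric: int        # lower is preferred; a backup link gets a high metric


# Constructed site policy (documentation prefixes from 2001:db8::/32).
# ISP-A delegates 2001:db8:a::/48 via exitA and is the primary link.
# ISP-B delegates 2001:db8:b::/48 via exitB; it is an expensive backup
# link, except towards one peer prefix where it is clearly the better path.
SITE_POLICY: List[PolicyEntry] = [
    PolicyEntry(IPv6Net("::/0"), IPv6Net("2001:db8:a::/48"), "exitA", 10),
    PolicyEntry(IPv6Net("::/0"), IPv6Net("2001:db8:b::/48"), "exitB", 100),
    PolicyEntry(IPv6Net("2001:db8:ff00::/40"), IPv6Net("2001:db8:b::/48"),
                "exitB", 5),
]


def best_entry(dst: IPv6Addr, policy: List[PolicyEntry]) -> PolicyEntry:
    """Longest-prefix match on the destination, then lowest metric."""
    matches = [e for e in policy if dst in e.dest]
    if not matches:
        raise LookupError(f"no policy entry covers {dst}")
    longest = max(e.dest.prefixlen for e in matches)
    return min((e for e in matches if e.dest.prefixlen == longest),
               key=lambda e: e.metric)


class HostSelector:
    """A host that picks a source address per destination and caches it."""

    def __init__(self, addresses: List[str], policy: List[PolicyEntry]):
        self.addresses = [IPv6Addr(a) for a in addresses]
        self.policy = policy
        self.cache: Dict[IPv6Addr, IPv6Addr] = {}

    def _address_in(self, prefix: IPv6Net) -> IPv6Addr:
        for a in self.addresses:
            if a in prefix:
                return a
        raise LookupError(f"host holds no address inside {prefix}")

    def select(self, dst: str) -> IPv6Addr:
        """Source address for 'dst'; repeated connections hit the cache."""
        d = IPv6Addr(dst)
        if d not in self.cache:
            self.cache[d] = self._address_in(best_entry(d, self.policy).source)
        return self.cache[d]

    def apply_redirect(self, dst: str, suggested: IPv6Net) -> IPv6Addr:
        """Honour an exit router's 'please use a different source address'."""
        d = IPv6Addr(dst)
        self.cache[d] = self._address_in(suggested)
        return self.cache[d]


def exit_router_check(src: str, dst: str,
                      policy: List[PolicyEntry]) -> Optional[IPv6Net]:
    """Exit router side: the preferred source prefix if 'src' is not in it,
    otherwise None (packet may pass unchanged)."""
    best = best_entry(IPv6Addr(dst), policy)
    return None if IPv6Addr(src) in best.source else best.source


if __name__ == "__main__":
    host = HostSelector(["2001:db8:a::1", "2001:db8:b::1"], SITE_POLICY)
    for peer in ("2001:db8:ff00::1", "2001:db8:1234::1"):
        print(peer, "->", host.select(peer))
    print("router says:", exit_router_check("2001:db8:b::1",
                                            "2001:db8:1234::1", SITE_POLICY))
```

The backup link is never chosen for ordinary destinations because its default-route entry carries the worst metric, but it still wins for the /40 where it is the better path; a link that should carry traffic in one direction only would simply be left out of the table for the other direction. Note that `exit_router_check` reuses the same table, which is the assumption behind the redirect approach: the router has the policy, the host only has to listen.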