RE: Host-based may be the way to go, but network controls are necessary



Erik,

If you see the next paragraph in my message you will see that I
provide a case *against* using this form of solution.

That next para read:

"There are a few shortcomings though.  For any one destination, this
approach can only reliably provide prefixes that will be honored at
only one site-exit (anything more raises some complex issues).  This
means that (1) there is possibly no ability to load-share over
multiple ISPs (2) offers no option for host-based high-availability to
destinations outside of the site, (3) works great outbound but does
not offer a good solution for inbound connections (4) I'll stop here
so I can reserve time and brain energy for the rest of my work day."

-- aldrin



% -----Original Message-----
% From: Erik Nordmark [mailto:Erik.Nordmark@Sun.COM]
% Sent: Thursday, November 21, 2002 9:00 AM
% To: Aldrin Isaac
% Cc: Craig A. Huegen; IETF-Multi6
% Subject: RE: Host-based may be the way to go, but network controls are necessary
%
%
% > An enhanced network-aware DNS approach is definitely a clean way to do
% > valid source address selection.  In order for it to work, this service
% > would need to know the current site-exit for every external prefix in
% > the site's network routing table (::/0 included), and the source
% > prefixes that that site-exit will honor.  This is certainly not
% > impossible.  I run gated on several unix systems and could easily hack
% > out a non-DNS prototype that could do this simply by (1) having a
% > table of all the site-exits and the prefixes honored at those
% > site-exits (2) looking into the routing table and seeing who's the
% > current site-exit for a requested destination (3) respond with the
% > prefixes associated to that site-exit.
%
% Would this run on the host, or run on a DNS resolver box?
%
% In the latter case you need to think about DNSSEC implications
% of your approach. The DNSSEC signatures are on the RRset
% (e.g. all AAAA RRs for a name).
%
%   Erik
%
%
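
The three-step non-DNS lookup described in the quoted text, sketched as an added example that is not part of the original messages or anyone's prototype. The exit names, function names, and all prefixes (taken from the 2001:db8::/32 documentation range) are constructed assumptions.

```python
import ipaddress

# Constructed sample data; not from the thread.
# Step 1: table of site-exits and the source prefixes honored at each.
HONORED = {
    "exit-a": ["2001:db8:a000::/48"],
    "exit-b": ["2001:db8:b000::/48"],
}
# Site routing table: external prefix -> current site-exit (::/0 included).
ROUTES = {
    "::/0": "exit-a",
    "2001:db8:ff00::/40": "exit-b",
}

def current_site_exit(dest, routes=ROUTES):
    """Step 2: longest-prefix match of dest against the routing table."""
    addr = ipaddress.IPv6Address(dest)
    best = None
    for prefix, exit_name in routes.items():
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, exit_name)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1]

def honored_source_prefixes(dest, routes=ROUTES, honored=HONORED):
    """Step 3: respond with the prefixes associated with that site-exit."""
    exit_name = current_site_exit(dest, routes)
    return [ipaddress.IPv6Network(p) for p in honored[exit_name]]

def pick_source(dest, host_addrs, routes=ROUTES, honored=HONORED):
    """Return the first host address that the current exit will honor."""
    allowed = honored_source_prefixes(dest, routes, honored)
    for a in host_addrs:
        if any(ipaddress.IPv6Address(a) in net for net in allowed):
            return a
    return None  # no configured address passes the exit's source filter
```

Because the answer is derived from the single current site-exit for a destination, a routing change alters the reply for every host at once, which is the one-exit-per-destination limitation raised in the message above.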