[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IETF multihoming powder: just add IPv6 and stir

To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Subject: Re: IETF multihoming powder: just add IPv6 and stir
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Wed, 14 May 2003 11:01:53 +0200
Cc: multi6@ops.ietf.org
In-reply-to: <200305140629.PAA11598@necom830.hpcl.titech.ac.jp>

On woensdag, mei 14, 2003, at 08:30 Europe/Amsterdam, Masataka Ohta wrote:

Unless the source address is already a valid address assigned by the
ISP you're forwarding the packet to (which can't by definition always
be the case in a locator/identifier scheme),

That's why I overviewed in draft-ohta-e2e-multihoming-03.txt:

   However, to enable source address filtering to discard packets with
   source addresses not belonging to an ISP, it is useful to enable a
   host, not some intelligent intermediate router, select a source
   address compatible with an outgoing ISP.

Does it really matter who does it? This should be something we leave up to the implementers, if at all possible. However, if you want to get this deployed while the century is still young you'll have to make the hosts do it if the routers can't.

   For that purpose, intra
   domain routing protocols should maintain routing table entries with
   not only preference values of an external routes, but also proper
   prefixes to be selected for source addresses, if the entries are
   chosen by a host.

No way. First of all having a routing table in each host is a huge waste of resources. Second, why use fifth hand information if a host can simply send some packets and see if they make it through? That's much more effective and light-weight at the expense of some only a few otherwise unnecessary end-to-end packets. Routing protocols seldom know which paths are good. They barely know how to avoid the very bad and non-functioning ones.

The solutions should be end to end that complex functionality must
be performed only on hosts.

I agree in principle. However, if we can give people the option to offload this to a middlebox if they so desire, that's a plus. (Which is a very different thing from requiring middleboxes or requiring routers or other non-middlebox boxes in the middle to do it.)

Hosts needs help from routing protocols.

That's the same logic as suing a lawyer. At the surface it seems to make sense but you really don't want to do it if you can avoid it.

However, with multiple addresses to an interface, selection of source
address/locator can be performed properly only with the help from
routing protocol, which is a reason why IPv6 is broken in
source address selection.

The trouble with current transport protocols is that once you've selected your source address you can't change it. So we change it and then listen for ICMP messages to see when we have the wrong source address.

Or you can turn the whole thing around and decide if the host is going to use a source address that belongs to ISP A, well, then we have to send this packet out over ISP A. That way we don't even need routing tables in routers. :-)

you need to rewrite it in
order to get through ingress filtering and to be able to receive ICMP
messages.

No. See above.

Note that I was taking no position about where the rewriting happens: this may very well be done inside the source host.

Remember that path MTU discovery is pretty much mandatory in
IPv6 so you need those ICMPs.

No. PMTUD is one, among many, of a useless feature of IPv6.

Why is it useless?

Just send packets not loger than 1280B.

That's unacceptable.

In fact, we need to go even further and implement functionality in neighbor discovery to enable the use of jumboframes between two hosts that support them even though other hosts on the same subnet may not.

Ingress filtering is important to keep
denial of service attacks in check to at least some degree.

Ingress? Do you mean egress?

No. I can't trust my neighbors to send me only good packets, so I have to make sure this is the case myself.

You can't filter an ICMP packet generated for a packet with forged
source address, because the ICMP packet has valid source and
destination addresses.

That's why we must filter the original packet with the forged source address. Then there is no trouble with ICMP messages generated for it.

Note that an alternative proposal is to let routers have complex
packet tracing functionality.

I assume you mean tracing forged sources? This done for only very few packets so it doesn't get in the way of regular operation.

Follow-Ups:
- Re: IETF multihoming powder: just add IPv6 and stir
  - From: "Michael H. Lambert" <lambert@psc.edu>

References:
- Re: IETF multihoming powder: just add IPv6 and stir
  - From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>

Prev by Date: Re: Mutli6 meeting in Vienna
Next by Date: Re: Mutli6 meeting in Vienna
Previous by thread: Re: IETF multihoming powder: just add IPv6 and stir
Next by thread: Re: IETF multihoming powder: just add IPv6 and stir
Index(es):
- Date
- Thread