[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Source address selection in IPv6 multihomed multi-addressed sites

To: Cedric de Launois <delaunois@info.ucl.ac.be>
Subject: Re: Source address selection in IPv6 multihomed multi-addressed sites
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Sun, 20 Jul 2003 14:37:09 +0200
Cc: multi6@ops.ietf.org
In-reply-to: <3F156970.6050404@info.ucl.ac.be>

On woensdag, jul 16, 2003, at 17:04 Europe/Amsterdam, Cedric de Launois wrote:

These are my random thoughts about source address
selection in IPv6 multihomed multi-addressed sites.

I believe this problem needs to be resolved to get
a complete IPv6 multi-addressing multihoming solution.

[...]

Any comment/suggestion/correction ?

I think your remarks on the mechanisms you mention are (nearly) all good points.

However, I think we need to take a step back and consider the more fundamental problem. The fundamental problem is that we really need to avoid source address spoofing, as this makes certain kinds of abuse nearly impossible to stop. (I.e., people can launch DoS attacks and the attacked systems can't see where the attack came from and they can't filter out the abusive traffic.)

So it is assumed that ISPs will filter their customer's traffic and only let packets with valid source addresses through. This gives us a range of options:

1. do nothing (what we do today) -> traffic will regularly not make it through -> a lot of unhappiness
2. ask ISP to let traffic through -> ISP may say no -> much unhappiness or upstream ISP filters -> also unhappiness
3. figure out the right source address (sort of happens today automatically sometimes) -> traffic will get through, but if the destination is rerouted over the other link the session breaks -> still considerable unhappiness
4. do source address dependent routing -> easy when only one box does this, harder in sites where there is internal routing, still problems with routing changes

If we get to change source addresses for existing sessions, we still need to do 3 or 4 but then we get to survive routing changes without breaking sessions, or we can rewrite the source address on egress and we're done. This has the advantage of being very once it is implemented in all border routers, but I'm afraid of problems in getting to that situation. Also, source address dependent routing gives the host more control over the path the traffic takes, which is good for performance and redundancy.

Follow-Ups:
- Re: Source address selection in IPv6 multihomed multi-addressed sites
  - From: Erik Nordmark <Erik.Nordmark@sun.com>

References:
- Source address selection in IPv6 multihomed multi-addressed sites
  - From: Cedric de Launois <delaunois@info.ucl.ac.be>

Prev by Date: Scope of an Identifier? (Re: Fwd: Minutes / Notes)
Next by Date: Re: Source address selection in IPv6 multihomed multi-addressed sites
Previous by thread: Re: Source address selection in IPv6 multihomed multi-addressed sites
Next by thread: Re: Source address selection in IPv6 multihomed multi-addressed sites
Index(es):
- Date
- Thread