
Re: about draft-nordmark-multi6-noid-00



> - Are you assuming that the multi-homed site runs bgp with each of its
> direct providers and that it obtains a full bgp feed from each of them?

Not required.
You need routing to work for all of the site's locators.
And for border router rewriting of the source locator to be a useful way
to detect the working path the site's border routers need to have enough
information to tell which outbound path to use. Depending on the failures
you are concerned about this could be as simple as the border routers
being able to tell whether the link to the ISP is up or down, or it
could depend on the site receiving each ISP's routing table to see which
prefixes appear to be reachable over which ISP/link.

I don't think even in the latter case it is necessary to run BGP; if the
ISP could redistribute its view of reachable prefixes using a separate
instance of an IGP running across the border that should suffice.
(Not that I know if configuring that is much simpler than configuring BGP).

But there is no need for the site to advertise anything to its ISPs; each
ISP only needs to know which prefix it has delegated to the site.

> - I understand that ingress filtering compatibility is guaranteed by source
> address rewriting, is that ok? if so, how do you handle ingress filtering issues
> when sending initial packets whose source address cannot be rewritten?
> (rewrite ok bit not set)

I don't think ingress filtering can be made strictly better any time soon
even if we adopt some multihoming proposal; if an attacker would want to
exploit holes in IPv6 ingress filtering the attacker could just use
non-multihoming packets (e.g., TCP over IPv6 as currently defined).

Having said that, if the multihoming protocol performs explicit
initiator-driven state creation (draft-nordmark-multi6-sim-00.txt is an
example) instead of having a data packet cause responder state creation
actions as in noid, then one can make the state creation work with "rewrite
ok" enabled.

  Erik