
Re: Alternatives to source address rewriting (was RE: Preserving established communications (was RE: about draft-nordmark-multi6-noid-00)



On 3 nov 2003, at 15:05, marcelo bagnulo wrote:

> You don't want source address rewriting and you need an ingress filtering
> compatibility mechanism, which could be source address based routing. There
> are other options for this as described in Christian's draft, such as
> - a routing header (or tunnel) initiated from the host
> - an icmp source address error from the exit routers back to the host
> - tunnels between exit routers (sort of source address based routing limited
> to the exit router)

Another way to handle this would be to basically build two networks all the way down to the host:



    ISP A      ISP B
      |          |
    Router     Router
      |          |
    Router     Router
        \      /
          Host

So the ISP selection happens inside the host, once a network is selected it is no longer possible to deviate from the path intended by the host.

> The question here is whether every multi-homed ISP will be able to get an
> allocation or it will have to obtain addresses from its upstream providers,
> right?

Current rules say you must have 200 customers that take IPv6 addresses from you in two years. Now obviously there are going to be ISPs for which this is a problem, but I don't see how we can arrive at very large numbers of multihomed sites that use ISPs with less than 200 customers.


An alternative here would be for the ISP to set up routing with such a multihomed customer over only one of its own ISPs.

> - icmp back to the host. You have already mentioned some security concerns
> about letting externally generated ICMPs influence the path selected by
> hosts

This isn't a solution as packets that belong to existing sessions can't be retransmitted with different source addresses.


> - tunnel between exit routers. well, i guess that this would be really
> complex, since you would require tunnels between all exit routers of the ISP

This is really the same thing as my "two separate networks" thing above, except that no actual hardware is used.
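As an added example, not from the original thread or either of its authors: a small Python model of the ingress filtering problem the message is about, contrasting a site that always exits via its preferred provider with source-address-based exit selection, where the source address the host chose determines the ISP. The prefixes, addresses and packet are constructed values.

```python
import ipaddress

# Constructed sample topology (not from the original thread): a site with two
# upstream providers, each delegating a prefix and applying ingress filtering.
ISPS = {
    "ISP A": ipaddress.ip_network("2001:db8:a::/48"),
    "ISP B": ipaddress.ip_network("2001:db8:b::/48"),
}

def ingress_filter(isp, packet):
    """Provider's ingress filter: accept only packets whose source address
    lies in the prefix that provider delegated to the site."""
    src = ipaddress.ip_address(packet["src"])
    return src in ISPS[isp]

def default_routing(packet):
    """Destination-only routing: the site always prefers ISP A, regardless of
    which source address the host picked for the session."""
    return "ISP A"

def source_address_routing(packet):
    """Source-address-based routing: choose the exit whose delegated prefix
    covers the packet's source, so the host's address choice selects the ISP."""
    src = ipaddress.ip_address(packet["src"])
    for isp, prefix in ISPS.items():
        if src in prefix:
            return isp
    raise ValueError(f"source not from any delegated prefix: {src}")

def send(packet, exit_selector):
    """Route one packet out of the site and run that ISP's ingress filter.
    Returns (exit_isp, delivered)."""
    isp = exit_selector(packet)
    return isp, ingress_filter(isp, packet)

def demo():
    # The host chose an ISP B source address for an established session.
    pkt = {"src": "2001:db8:b::10", "dst": "2001:db8:ffff::1"}
    return {
        "default": send(pkt, default_routing),
        "source_based": send(pkt, source_address_routing),
    }

if __name__ == "__main__":
    for name, (isp, ok) in demo().items():
        state = "delivered" if ok else "dropped by ingress filter"
        print(f"{name}: exit via {isp}, {state}")
```

With destination-only routing the ISP B-sourced packet leaves via ISP A and is dropped; with source-address-based routing it reaches ISP B and passes the filter, which is the "two networks down to the host" behaviour described above.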