
RE: Source address selection insufficient?



> When reading draft-huitema-multi6-hosts-03.txt (which is good because
> it works out enough details to raise questions) I wonder
> if address selection can solve ingress filtering.
> 
> Taking the canonical picture from the draft
>              /-- ( A ) ---(      ) --- ( C ) --\
>    X (site X)             ( IPv6 )              (Site Y) Y
>              \-- ( B ) ---(      ) --- ( D ) --/
> 
> This has 4 locator pairs:
> 	A:X-C:Y
> 	A:X-D:Y
> 	B:X-C:Y
> 	B:X-D:Y
> 
> The set of locator pairs that work when sending out from site X
> might be A:X-C:Y and B:X-D:Y
> but the set of locator pairs that work when sending from site Y might
> be the other two: A:X-D:Y and B:X-C:Y.
> 
> Thus the intersection of the two ingress filtering constraints is the
> empty set.

Correct. If the only thing you do is try the four pairs, it may happen
that no pair works. It is somewhat unlikely in practice, since sites
tend to have a "default" provider, and the pair default-default ends up
working. But it is definitely a possibility, in a "shoot yourself in
the foot" kind of way.

> If the above is true it seems like we need something other than
> source address selection (relaxed filtering, source-based routing,
> or locator rewriting).

Locator rewriting supposes that both sites (X and Y) cooperate. If that
is the case, you can also implement an end-to-end solution, e.g. X sends
"A:X-C:Y", Y replies A:X-D:Y, and both decide to agree on the result.

Relaxed filtering and source-based routing are "local" solutions: they
make no hypothesis on the behavior of the remote site.

Relaxed filtering is by far the simplest solution for the site. It would
"just work". It is probably the solution of choice for sites of any
significant size. Note that in the example it is sufficient to relax
ingress filtering on one of the provider links to eliminate the "double
ingress failure". One can easily imagine a medium-size site making "relaxed
filtering" a condition for buying service from a second provider.

Source-based routing is trivial to implement in single-subnet sites.

-- Christian Huitema
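
Added example, not part of the original message: a small model of the "double ingress failure" discussed above, showing the empty intersection under strict filtering and the effect of relaxing the filter on one provider link. The destination-based exit routing tables and all function names are assumptions, chosen to reproduce the case described in the quoted text.

```python
from itertools import product

# Constructed model of the draft's picture: site X uses providers A and B,
# site Y uses providers C and D. "A:X" is host X numbered from A's prefix.
PROVIDERS = {"X": ("A", "B"), "Y": ("C", "D")}
PEER = {"X": "Y", "Y": "X"}

# Assumed exit routing (not stated in the message): each site picks its exit
# provider from the destination locator's prefix only, ignoring the source.
EXIT_ROUTE = {
    "X": {"C": "A", "D": "B"},
    "Y": {"A": "D", "B": "C"},
}


def passes(src_site, src_prefix, dst_prefix, relaxed=frozenset()):
    """True if the packet leaves src_site without being dropped at ingress."""
    exit_provider = EXIT_ROUTE[src_site][dst_prefix]
    if exit_provider in relaxed:
        # Relaxed filter: accept any prefix delegated to the customer site.
        return src_prefix in PROVIDERS[src_site]
    # Strict filter: accept only the provider's own prefix as source.
    return src_prefix == exit_provider


def label(px, py):
    return f"{px}:X-{py}:Y"


def one_way(src_site, relaxed=frozenset()):
    """Locator pairs that work for packets sent from src_site."""
    ok = set()
    for px, py in product(PROVIDERS["X"], PROVIDERS["Y"]):
        src, dst = (px, py) if src_site == "X" else (py, px)
        if passes(src_site, src, dst, relaxed):
            ok.add(label(px, py))
    return ok


def working_pairs(relaxed=frozenset()):
    """Locator pairs that pass ingress filtering in both directions."""
    return one_way("X", relaxed) & one_way("Y", relaxed)


if __name__ == "__main__":
    print("from X:", sorted(one_way("X")))
    print("from Y:", sorted(one_way("Y")))
    print("strict, both ways:", sorted(working_pairs()))
    print("B relaxed, both ways:", sorted(working_pairs(frozenset({"B"}))))
```
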