
Re: Source address selection insufficient?



On Tue, 2 Mar 2004, Erik Nordmark wrote:
> Taking the canonical picture from the draft
>              /-- ( A ) ---(      ) --- ( C ) --\
>    X (site X)             ( IPv6 )              (Site Y) Y
>              \-- ( B ) ---(      ) --- ( D ) --/
> 
> This has 4 locator pairs: 
> 	A:X-C:Y
> 	A:X-D:Y
> 	B:X-C:Y
> 	B:X-D:Y
> 
> The set of locator pairs that work when sending out from site X
> might be A:X-C:Y and B:X-D:Y
> but the set of locator pairs that work when sending from site Y might
> be the other two: A:X-D:Y and B:X-C:Y.

I think what you're assuming is that ingress filtering is recursive: it's 
done further down the IPv6 cloud from both sides, rather than only 
at the edge.

This is done today, and is feasible.  
(draft-savola-bcp38-multihoming-update-03.txt, in the RFC Ed queue) 
discusses this a bit.

But I see no problem.  You're assuming that someone down towards the 
IPv6 cloud has broken ingress filtering (such a case would be noticed 
today as well).  When the correctly-sourced packet has gone from the 
edge site to the first ISP, it already has the correct address, 
corresponding to the address block of the ISP.  If an ISP's upstream does 
not allow the ISP to send traffic from its own addresses, the upstream 
ISP is hosed.

So, I don't see the problem here -- could you elaborate?  Maybe I 
didn't understand your scenario?

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
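The reachability argument in the two messages above can be checked mechanically. The following Python model is an added example, not code from the thread or from either author: it walks each of the four locator pairs from the quoted picture hop by hop through a set of BCP 38 ingress filters, once sending from site X and once from site Y. The /48 prefixes, the hop model (site, first-hop ISP, transit cloud, far ISP, far site) and the filter placements are constructed for the example. With correct filters at every hop (each ISP admits only its own block from its customer, and the transit admits only that ISP's block from the ISP), all four pairs work in both directions, which is the point made in the reply. Only when a filter further into the cloud is misconfigured does the working set become direction-dependent, which is the asymmetric situation described in the quoted text.

```python
import ipaddress
from itertools import product

# Constructed /48s for providers A, B, C and D in the quoted picture
# (example values, not taken from the thread).
PREFIX = {name: ipaddress.ip_network(f"2001:db8:{name.lower()}::/48") for name in "ABCD"}

# Each site holds one provider-assigned address per upstream.
# Locator naming follows the thread: "A:X" is site X's address out of provider A's block.
LOCATOR = {
    "A:X": PREFIX["A"][1], "B:X": PREFIX["B"][1],
    "C:Y": PREFIX["C"][1], "D:Y": PREFIX["D"][1],
}
SITE_UPSTREAMS = {"X": ("A", "B"), "Y": ("C", "D")}


def path(src_site, src_isp, dst_site, dst_isp):
    """Hops a packet crosses: site -> first-hop ISP -> transit cloud -> far ISP -> far site."""
    return [(src_site, src_isp), (src_isp, "cloud"), ("cloud", dst_isp), (dst_isp, dst_site)]


def passes(filters, hop, src_addr):
    """A hop with no ingress filter forwards anything; a filtered hop needs the source
    address to fall inside one of the prefixes it admits from that neighbour."""
    allowed = filters.get(hop)
    return allowed is None or any(src_addr in prefix for prefix in allowed)


def working_pairs(sender, filters):
    """Locator pairs (named as in the thread, X side first) that deliver a packet
    sent out from `sender` under the given ingress-filter placement."""
    receiver = "Y" if sender == "X" else "X"
    works = set()
    for s_isp, r_isp in product(SITE_UPSTREAMS[sender], SITE_UPSTREAMS[receiver]):
        src = LOCATOR[f"{s_isp}:{sender}"]
        hops = path(sender, s_isp, receiver, r_isp)
        if all(passes(filters, hop, src) for hop in hops):
            x_isp, y_isp = (s_isp, r_isp) if sender == "X" else (r_isp, s_isp)
            works.add(f"{x_isp}:X-{y_isp}:Y")
    return works


# "Recursive" BCP 38: each ISP filters its customer site, and the transit in the
# IPv6 cloud filters each ISP down to that ISP's own block.
CORRECT = {
    ("X", "A"): {PREFIX["A"]}, ("X", "B"): {PREFIX["B"]},
    ("Y", "C"): {PREFIX["C"]}, ("Y", "D"): {PREFIX["D"]},
    ("A", "cloud"): {PREFIX["A"]}, ("B", "cloud"): {PREFIX["B"]},
    ("C", "cloud"): {PREFIX["C"]}, ("D", "cloud"): {PREFIX["D"]},
}

# Constructed misconfiguration: two ISPs applied a customer-style source filter on the
# interface facing their upstream, so traffic arriving from the cloud is wrongly dropped.
MISCONFIGURED = dict(CORRECT)
MISCONFIGURED[("cloud", "D")] = {PREFIX["B"]}   # D only admits B's block from the cloud
MISCONFIGURED[("cloud", "A")] = {PREFIX["D"]}   # A only admits D's block from the cloud


if __name__ == "__main__":
    for label, filters in (("correct", CORRECT), ("misconfigured", MISCONFIGURED)):
        for site in ("X", "Y"):
            print(f"{label:14s} sending from {site}: {sorted(working_pairs(site, filters))}")
```

Running the script prints all four pairs for both directions under CORRECT, while under MISCONFIGURED the pair A:X-D:Y fails only when X sends and A:X-C:Y fails only when Y sends, so the two sites end up with different usable sets and would have to probe each direction separately.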