Re: Source address selection insufficient?
Sorry -- I was confused, reading "source address based routing" rather
than "source address selection".
Policy-based routing works, has been widely implemented (multiple for
v6 as well), and works quite well. You don't even have to do that on
other than site border routers unless you want to.
On Wed, 3 Mar 2004, Pekka Savola wrote:
> On Tue, 2 Mar 2004, Erik Nordmark wrote:
> > Taking the canonical picture from the draft
> >          /-- ( A ) ---(      ) --- ( C ) --\
> > X (site X)            ( IPv6 )            (Site Y) Y
> >          \-- ( B ) ---(      ) --- ( D ) --/
> >
> > This has 4 locator pairs:
> > A:X-C:Y
> > A:X-D:Y
> > B:X-C:Y
> > B:X-D:Y
> >
> > The set of locator pairs that work when sending out from site X
> > might be A:X-C:Y and B:X-D:Y
> > but the set of locator pairs that work when sending from site Y might
> > be the other two: A:X-D:Y and B:X-C:Y.
>
> I think what you're assuming is that ingress filtering is recursive: it's
> done further down the IPv6 cloud from both sides, rather than only
> at the edge.
>
> This is done today, and is feasible.
> (draft-savola-bcp38-multihoming-update-03.txt, in RFC ed queue),
> discusses this a bit.
>
> But I see no problem. You're assuming that someone down towards the
> IPv6 cloud has broken ingress filtering (such a case would be noticed
> today as well). When the correctly-sourced packet has gone from the
> edge site to the first ISP, it already has the correct address,
> corresponding to the address block of the ISP. If an ISP's upstream does
> not allow the ISP to send traffic from its own addresses, the upstream
> ISP is hosed.
>
> So, I don't see the problem here -- could you elaborate? Maybe I
> didn't understand your scenario?
>
>
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
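
The interaction discussed in this message between edge ingress filtering and policy-based routing at the site border can be modelled as follows. This is an added example, not part of the original thread. The prefixes are constructed from the 2001:db8::/32 documentation range, and all function names are hypothetical. Only the filter at the first ISP is modelled.

```python
import ipaddress

# Constructed sample data (documentation prefixes), not taken from the thread.
ISP_BLOCKS = {
    "A": ipaddress.ip_network("2001:db8:a000::/36"),
    "B": ipaddress.ip_network("2001:db8:b000::/36"),
}
# Site X holds one address from each provider: locators A:X and B:X.
SITE_X = {
    "A:X": ipaddress.ip_address("2001:db8:a000:1::10"),
    "B:X": ipaddress.ip_address("2001:db8:b000:1::10"),
}
# Site Y's locators C:Y and D:Y (only used as destinations here).
SITE_Y = {
    "C:Y": ipaddress.ip_address("2001:db8:c000:1::20"),
    "D:Y": ipaddress.ip_address("2001:db8:d000:1::20"),
}

def isp_ingress_permits(isp, src):
    """Edge ingress filter: accept only sources inside the ISP's own block."""
    return src in ISP_BLOCKS[isp]

def egress_by_destination(src, dst, default_isp="A"):
    """Destination-only routing: everything follows the single default route."""
    return default_isp

def egress_by_source(src, dst):
    """Policy routing at the site border: exit via the ISP owning the source."""
    for isp, block in ISP_BLOCKS.items():
        if src in block:
            return isp
    return None  # source belongs to neither provider: do not forward

def surviving_pairs(pick_egress):
    """Locator pairs from site X that pass the first ISP's ingress filter."""
    ok = []
    for sname, src in SITE_X.items():
        for dname, dst in SITE_Y.items():
            isp = pick_egress(src, dst)
            if isp is not None and isp_ingress_permits(isp, src):
                ok.append(f"{sname}-{dname}")
    return ok

if __name__ == "__main__":
    print("destination-only:", surviving_pairs(egress_by_destination))
    print("source-based    :", surviving_pairs(egress_by_source))
```

With destination-only routing, packets sourced from B:X are dropped at ISP A's edge. With source-based selection at the border router, all four pairs pass the first-hop filter.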