Re: Source address selection insufficient?



> I think what you're assuming is that ingress filtering is recursive: it's 
> done further down the IPv6 cloud from the both sides, rather than only 
> at the edge.

No, it's about the ingress filtering at site X and site Y.

The initiator at site X can explore using all 4 locator combinations
(e.g. for the TCP SYN) and 2 of those pairs will make it out past
the ingress filtering of X's ISPs.
There is no filtering between those ISPs and site Y thus the SYN makes
it to the peer.
But the peer responds (with the SYN ACK) and has no choice on the addresses -
it must respond using the addresses that were in the SYN.

When these (SYN ACK) packets hit the ingress filter in Y's ISPs they are
filtered out.

As a result none of the 4 locator pairs work.

  Erik