Scott Brim wrote:
As soon as the packets are tunneled, you lose visibility on what is happening.And if you aren't the guy doing the tunneling, you *really* lose visibility, and in turn, accountability, the ability to localize anddiagnose problems, and generally you are left twisting in the wind if anything goes wrong. Which it will. But, unlike, say, VPNs, this isn't a localized set of sites, in a closed community. This is the whole Internet, getting to your site.We're talking about encapsulation across the DFZ. Why would I want a core ISP to examine bodies of my packets? What is the problem with "losing visibility"? None of an intermediate ISP's operational responsibilities involve looking inside beyond the outer IP header.
It's the other way around that matters - your packets being tunneled, means you don't get to see things like:
- ICMP unreachables concerning the outer header destination - ICMP MTU exceeded concerning the outer header - ICMP TTL exceeded concerning the outer headerIf you operate the xTR, you have some ability to do diagnostics. If not, you are relying on the xTR operator.
And, when this is affecting inbound traffic, isolating common fault points becomes a big N^2 issue, where N is no longer aggregated...
Brian Dickson(Not a big fan of operating networks using GRE, MPLS, or ATM, but have done so.)
-- to unsubscribe send a message to rrg-request@psg.com with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg