
Re: [RRG] Six/One Router Design Clarifications



Hi Dino -

When two hosts in upgraded edge networks communicate, addresses are
rewritten bilaterally such that the second rewrite is the inverse of
the first. The result is the same as with tunneling. The difference
is that it works without an additional IP header.

Not true. The packet, when traveling in the core, doesn't contain the
original addresses. With tunneling, it does.

With "the result is the same", I was referring to what hosts see end
to end: both tunneling and rewriting are transparent and stateless.
Yes, that was unclear, sorry.

Yes, that would be necessary.  ;-)

The fact that IP addresses are not carried in packets is something I
see as an advantage because it does without extra packet overhead (no
extra bandwidth, no MTU issues).  And...

The overhead is worth the ability to do debugging and management. NATs are hard to manage but people put up with them because in the 99% case, they connect one subnet to the world and are at the extreme edge of the network. Moving NAT functionality anywhere else is probably going to be a non-starter for a sizable network.

Now, if you put the translated address in a mapping database, then we can talk. ;-) But you still have the debugging problem in the core. People love their sniffer tools like SPAN, wireshark, etc...

And if you have ACLs anywhere in boxes after the translator, they need
to change when the translated addresses change. With tunneling, when
the inner header addresses are EIDs that are portable, you can change
the outer header addresses and the ACLs in the core never have to
change.

...ACLs in the Internet core can use transit addresses just as well as
edge addresses because both uniquely identify a host.

But the point is you broke the level of indirection you introduced. If the transit address changes, you have to change the ACL. You make the ACL operate on the object that doesn't change. That is EIDs, which are fixed.

A core ACL needs only a single transit address per host in the general
case, i.e., when the ACL is in an edge network's immediate provider.

Most ACLs are not host-based either. That's another management nightmare. So that won't work.

Dino
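The two claims argued above (hosts see the same packet end to end either way, but a rewritten packet carries no edge addresses through the core, so a core ACL keyed on them has to be re-keyed whenever the transit addresses change) can be checked with a toy model. The following is an added illustration, not code from the thread, from Six/One or from any tunneling implementation; the addresses (EDGE-A, TRANSIT-A1, ...) are constructed, the ACL is a deliberately simple "permit if any address the packet carries is on the list" rule, and it assumes a core box that can look past the outer header into a tunneled packet's inner header.

```python
"""Toy model of edge-to-edge address rewriting versus tunneling (map-and-
encap).  Constructed example: addresses, mapping and ACL are illustrative
only, not taken from the thread or from any real design."""

from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    outer_src: Optional[str] = None  # present only while encapsulated
    outer_dst: Optional[str] = None


# --- tunneling: inner header untouched, outer header added/removed ---------
def tunnel(pkt: Packet, transit_src: str, transit_dst: str) -> Packet:
    return replace(pkt, outer_src=transit_src, outer_dst=transit_dst)


def detunnel(pkt: Packet) -> Packet:
    return replace(pkt, outer_src=None, outer_dst=None)


# --- rewriting: one header, edge addresses swapped for transit addresses ---
def rewrite(pkt: Packet, edge_to_transit: dict) -> Packet:
    return replace(pkt, src=edge_to_transit[pkt.src], dst=edge_to_transit[pkt.dst])


def unrewrite(pkt: Packet, edge_to_transit: dict) -> Packet:
    # the second rewrite is the exact inverse of the first
    transit_to_edge = {t: e for e, t in edge_to_transit.items()}
    return replace(pkt, src=transit_to_edge[pkt.src], dst=transit_to_edge[pkt.dst])


def core_visible_addresses(pkt: Packet) -> set:
    """Every address a sniffer or ACL in the core could read from the packet
    (assumes the box parses the inner header of a tunneled packet)."""
    addrs = {pkt.src, pkt.dst}
    if pkt.outer_src is not None:
        addrs |= {pkt.outer_src, pkt.outer_dst}
    return addrs


def core_acl_permits(acl_addresses, pkt: Packet) -> bool:
    """Stateless toy ACL: permit if any carried address is on the list."""
    return bool(core_visible_addresses(pkt) & set(acl_addresses))


def run_scenario(edge_to_transit: dict, acl_addresses) -> dict:
    """Send one packet EDGE-A -> EDGE-B through both schemes and report what
    the hosts and a core ACL observe."""
    orig = Packet(src="EDGE-A", dst="EDGE-B")  # constructed edge addresses

    in_core_tunnel = tunnel(orig, edge_to_transit["EDGE-A"], edge_to_transit["EDGE-B"])
    delivered_tunnel = detunnel(in_core_tunnel)

    in_core_rewrite = rewrite(orig, edge_to_transit)
    delivered_rewrite = unrewrite(in_core_rewrite, edge_to_transit)

    edge_addrs = {"EDGE-A", "EDGE-B"}
    return {
        "hosts_see_same_packet": delivered_tunnel == orig and delivered_rewrite == orig,
        "tunnel_carries_edge_addrs_in_core": edge_addrs <= core_visible_addresses(in_core_tunnel),
        "rewrite_carries_edge_addrs_in_core": edge_addrs <= core_visible_addresses(in_core_rewrite),
        "tunnel_acl_permits": core_acl_permits(acl_addresses, in_core_tunnel),
        "rewrite_acl_permits": core_acl_permits(acl_addresses, in_core_rewrite),
    }


if __name__ == "__main__":
    mapping_v1 = {"EDGE-A": "TRANSIT-A1", "EDGE-B": "TRANSIT-B1"}
    mapping_v2 = {"EDGE-A": "TRANSIT-A2", "EDGE-B": "TRANSIT-B2"}  # edge renumbered its transit prefix
    print("ACL on edge address, before renumbering:", run_scenario(mapping_v1, ["EDGE-A"]))
    print("ACL on edge address, after renumbering: ", run_scenario(mapping_v2, ["EDGE-A"]))
    print("ACL on transit address, after renumbering:", run_scenario(mapping_v2, ["TRANSIT-A1"]))
```

Running it shows the asymmetry directly: in both schemes the receiving host gets the original packet back, but an ACL keyed on EDGE-A keeps matching tunneled traffic across a change of transit addresses and never matches rewritten traffic, while an ACL keyed on TRANSIT-A1 stops matching as soon as the edge moves to TRANSIT-A2 under either scheme.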


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg