Hi Dino -When two hosts in upgraded edge networks communicate, addresses are rewritten bilaterally such that the second rewrite is the inverse ofthe first. The result is the same as with tunneling. The differenceis that it works without an additional IP header.Not true. The packet, when traveling in the core, doesn't contain the original addresses. With tunneling, it does.With "the result is the same", I was referring to what hosts see end to end: both tunneling and rewriting are transparent and stateless. Yes, that was unclear, sorry.
Yes, that would be necessary. ;-)
The fact that IP addresses are not carried in packets is something I see as an advantage because it does without extra packet overhead (no extra bandwidth, no MTU issues). And...
The overhead is worth the ability to do debugging and management. NATs are hard to manage but people put up with them because in the 99% case, they connect one subnet to the world and are at the extreme edge of the network. Moving NAT functionality anywhere else is probably going to be a non-starter for sizable network.
Now, if you put the translated address in a mapping database, then we can talk. ;-) But you still have the debugging problem in the core. People love their sniffer tooks like SPAN, wireshark, etc...
And if you have ACLs anywhere in boxes after the translator, they needto change when the translate addresses change. With tunneling, when the inner header addresses are EIDs that are portable, you can change the outer header addresses and the ACLs in the core never have to change....ACLs in the Internet core can use transit addresses just as well as edge addresses because both uniquely identify a host.
But the point is you broke the level of indirection you introduced. If the transit address changes, you have to change the ACL. You make the ACL operate on the object that doesn't change. That is EIDs, which are fixed.
A core ACL needs only a single transit address per host in the general case, i.e., when the ACL is in an edge network's immediate provider.
Most ACLs are not host-based either. That's another management nightmare. So that won't work.
Dino -- to unsubscribe send a message to rrg-request@psg.com with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg