
Re: [RRG] Six/One Router Design Clarifications



Dino -

> Moving NAT functionality anywhere else is probably going to be a
> non-starter for a sizable network.

Don't agree.  Translation is less complex than tunneling if it is
stateless.  And translation in Six/One Router is stateless.

> ...ACLs in the Internet core can use transit addresses just as well as
> edge addresses because both uniquely identify a host.

But the point is you broke the level of indirection you introduced. If
the transit address changes, you have to change the ACL. You make the
ACL operate on the object that doesn't change. That is EIDs, which are
fixed.

I would argue you are breaking the level of indirection if you operate
on edge addresses while in transit space... :-)

Anyway, the transit addresses in core ACLs are fixed, just as EIDs, if
you are in the edge network's immediate provider.  If you are in an
upstream provider, you would very likely WANT to differentiate packets
based on which provider they went through.  You can easily do this
based on the prefix of a transit address.

> Most ACLs are not host-based either. That's another management
> nightmare. So that won't work.

Hold on.  It doesn't matter whether the ACL is host-based or at
coarser granularity.  For any edge address or edge address prefix (EID
or EID prefix) that you may put in an edge ACL, there is exactly one
transit address or transit address prefix, respectively, that you
would put into an equivalent core ACL.  No need to have nightmares.

Talking about performance:  An ACL that can limit its looks to a
single place in the IP header (i.e., with translation) can likely be
more efficient than an ACL that needs to look into an inner IP header
behind a pair of LISP and UDP headers.

- Christian
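The claim above that a stateless prefix rewrite gives every edge ACL entry exactly one equivalent transit ACL entry, worked through as an added example that is not part of this thread and not the Six/One Router specification: a simplified model in which an edge prefix is rewritten to a per-provider transit prefix of the same length while the host bits are kept. The prefixes and provider names are constructed for illustration.

```python
# Added example: simplified stateless edge<->transit prefix rewriting
# (in the spirit of, but not identical to, Six/One Router) and the
# corresponding edge-ACL to core-ACL mapping. All prefixes are constructed.
import ipaddress

EDGE = ipaddress.IPv6Network("2001:db8:1::/48")  # constructed edge prefix
TRANSIT = {                                       # constructed providers
    "providerA": ipaddress.IPv6Network("2001:db8:a::/48"),
    "providerB": ipaddress.IPv6Network("2001:db8:b::/48"),
}

def rewrite(addr, src_net, dst_net):
    """Replace the src_net prefix bits of addr with dst_net's prefix bits,
    keeping the host (interface identifier) bits untouched. No per-flow
    state is needed, so the mapping is the same in both directions."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in src_net or src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("address outside source prefix or lengths differ")
    host_mask = (1 << (128 - src_net.prefixlen)) - 1
    return ipaddress.IPv6Address(int(dst_net.network_address) | (int(addr) & host_mask))

def to_transit(edge_addr, provider):
    """Edge -> transit address for packets leaving via the given provider."""
    return rewrite(edge_addr, EDGE, TRANSIT[provider])

def to_edge(transit_addr):
    """Transit -> edge address; also reports which provider the packet
    traversed, recoverable from the transit prefix alone."""
    for provider, net in TRANSIT.items():
        if ipaddress.IPv6Address(transit_addr) in net:
            return rewrite(transit_addr, net, EDGE), provider
    raise ValueError("not a known transit prefix")

def edge_acl_to_core(edge_entry, provider):
    """Translate one ACL entry on edge prefixes (any granularity from /48
    down to a /128 host entry) into the single equivalent transit entry."""
    net = ipaddress.IPv6Network(edge_entry)
    if not net.subnet_of(EDGE):
        raise ValueError("entry outside the edge prefix")
    start = rewrite(net.network_address, EDGE, TRANSIT[provider])
    return ipaddress.IPv6Network(f"{start}/{net.prefixlen}")
```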



--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg