
Re: [RRG] Renumbering...



    > From: Christian Vogt <christian.vogt@nomadiclab.com>

    > (d) IP addresses in filter devices, such as firewalls, intrusion
    >     detection systems
    > ...
    > Filtering devices may have to be modified even if a *remote* edge
    > network renumbers since they may be configured with remote IP addresses
    > ...
    > filtering devices have to identify hosts or flows using locators.

I would _strongly_ argue that we should *not* be *configuring* _any_ kind of
remote device (be it a filtering box, or anything else) with foreign
*locators*.

Note that this is a subtly different statement from 'remote boxes should not
be using locators to perform their function' - the emphasis in my statement is
on _configuration_. If a remote device wants to take some other kind of name
with which it is configured (DNS name, EID, etc.) and dynamically convert that
to locator(s), and then use the locator(s) to do its job (either because it's
more efficient, or is the only field available in packets, or something)
that's OK - modulo issues of binding lifetimes, etc.

However, your second point - that renumbering a site may require changes in
configuration at _remote_ sites - is the key point here. Renumbering of _any_
kind (either locators, endpoint names, or whatever) will be a non-starter if
those bit-strings are configured in machines elsewhere on the network. I.e. if
you allow that, renumbering is basically impossible.

The conclusion is simple: either avoid such configuration, or renumbering
(which includes provider independence, let's keep prominent) is impossible.

	Noel
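As an added illustration of the distinction Noel draws above (this is example code, not part of his message or of any RRG work), the following Python contrasts a filter rule configured with a name that is resolved to locators on demand against one configured with a foreign locator directly. The resolver, the name `partner.example`, the documentation-range addresses and the TTLs are all constructed stand-ins; no real DNS or mapping system is queried. The simulation also shows the "binding lifetime" caveat: until the cached binding expires, the name-based rule still honours the old locator and does not yet know the new one.

```python
"""Name-configured filter vs locator-configured filter under renumbering.

Added example with a constructed, offline stand-in for a name-to-locator
mapping service. It is not the RRG's or the list author's code.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, FrozenSet, Iterable


@dataclass(frozen=True)
class Binding:
    """One name-to-locator answer and how long (seconds) it may be relied on."""
    locators: FrozenSet
    ttl: int


class StandInResolver:
    """Stand-in for DNS / an EID-to-locator mapping (constructed, offline)."""

    def __init__(self, table: Dict[str, Binding]):
        self.table = dict(table)

    def renumber(self, name: str, new_locators: Iterable[str], ttl: int) -> None:
        """Simulate the remote site renumbering: only its mapping changes."""
        self.table[name] = Binding(frozenset(ip_address(a) for a in new_locators), ttl)

    def lookup(self, name: str) -> Binding:
        return self.table[name]


class Clock:
    """Controllable clock so the example can step past a binding's TTL."""

    def __init__(self) -> None:
        self.now = 0

    def advance(self, seconds: int) -> None:
        self.now += seconds


class NameRule:
    """Rule configured with a name; locators are derived and cached per TTL."""

    def __init__(self, name: str, resolver: StandInResolver, clock: Clock):
        self.name = name
        self.resolver = resolver
        self.clock = clock
        self._cached = None
        self._expires_at = -1

    def locators(self) -> FrozenSet:
        # Re-resolve only when no binding is cached or its lifetime has run out.
        if self._cached is None or self.clock.now >= self._expires_at:
            binding = self.resolver.lookup(self.name)
            self._cached = binding.locators
            self._expires_at = self.clock.now + binding.ttl
        return self._cached

    def permits(self, src: str) -> bool:
        return ip_address(src) in self.locators()


class LocatorRule:
    """The anti-pattern: a foreign locator written into local configuration."""

    def __init__(self, locators: Iterable[str]):
        self.locators = frozenset(ip_address(a) for a in locators)

    def permits(self, src: str) -> bool:
        return ip_address(src) in self.locators


def simulate() -> Dict[str, tuple]:
    """Renumber partner.example and observe both rule styles over time."""
    clock = Clock()
    resolver = StandInResolver({
        "partner.example": Binding(frozenset({ip_address("192.0.2.10")}), ttl=300),
    })
    by_name = NameRule("partner.example", resolver, clock)
    by_locator = LocatorRule(["192.0.2.10"])
    old, new = "192.0.2.10", "198.51.100.10"  # constructed documentation addresses

    obs = {}
    obs["before"] = (by_name.permits(old), by_locator.permits(old))

    resolver.renumber("partner.example", [new], ttl=300)
    clock.advance(60)  # still inside the old binding's lifetime
    obs["stale_window"] = (by_name.permits(old), by_name.permits(new))

    clock.advance(300)  # old binding expired; next check re-resolves
    obs["after_ttl"] = (by_name.permits(old), by_name.permits(new))
    obs["locator_rule_after"] = (by_locator.permits(old), by_locator.permits(new))
    return obs


if __name__ == "__main__":
    for moment, result in simulate().items():
        print(moment, result)
```

The name-based rule needs no configuration change at the filtering site when `partner.example` renumbers; the locator-based rule keeps admitting the old locator indefinitely and never learns the new one. The price of the dynamic binding is the window, bounded by the TTL, during which the old locator is still accepted and the new one is not, which is the "binding lifetimes" caveat in the message above.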

--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg