[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: comments on draft-ietf-shim6-proto-03

To: "Jason Schiller (schiller@uu.net)" <jason.schiller@mci.com>
Subject: Re: comments on draft-ietf-shim6-proto-03
From: Erik Nordmark <erik.nordmark@sun.com>
Date: Fri, 17 Feb 2006 10:53:28 -0800
Cc: Shinta Sugimoto <shinta@sfc.wide.ad.jp>, shim6@psg.com
In-reply-to: <Pine.GSO.4.20.0602161415240.23892-100000@meno.corp.us.uu.net>
References: <Pine.GSO.4.20.0602161415240.23892-100000@meno.corp.us.uu.net>
User-agent: Thunderbird 1.5 (X11/20060113)

Jason Schiller (schiller@uu.net) wrote:

The problem here is not not the multiple addresses, but rather a partial
ID / locator split.  As long as DNS contains information about both the
identity of the host and the location of the host then the ID and the
locator are not completely split.  This creates the problem of sifting
through DNS, and making the solution non-useful for short lived
sessions.  Also, this problem is what is creating the push for provider
independent (PI) IPv6 space to avoid "provider lock-in".

I'm not convinced. HIP provides complete separation between identity andlocation, yet it doesn't provide for any more network policy input thanshim6.

Imagine instead DNS only has knowledge of the identity, say the host
address, local subnetting and a way to uniquely identify the site.  The
source host builds a packet and kicks it to the network without the
locator information.  The network needs some mechinism to map the site
identity to one or more locators.  In this model the source host,
destination host, and DNS system don't care about location.  This is left
up to some protocol in the network.  On ingress this could be easy for the
source, just pre-pend your routing locator.  For the destination there
would need to be some mapping of site ID to one or more locators.  The
network could pick the most convient locator for the destination.

So we have a domain name to ID lookup using the DNS, and then be havesome new system/mechanism for looking up an ID and find one or morelocators, and that new mechanism takes network policy into account. DidI get that correct? Or does the new system also take reachability,available bandwidth, etc into account?


Has anybody thought about the scaling requirements for this new system?

I would assume one should plan for success, and since the ID/locatorseparation will help with renumbering in addition to multihoming, thisprobably means that the system should scale to every site in the futureinternet using it. (I think during IPng discussion folks were throwingaround 10^12 "networks" as the requirement, with 3 orders of magnitudemore hosts.)

We have a system we think can scale to such scales; the DNS, so it isprobably useful to look at how it scales:- hierarchical name space (and when that breaks down as with .com,operating the service becomes quite expensive)

 - caching

This is why I think my above question about what information themechanism takes into account is absolutely critical. If it is more orless static policy (which can be cached for hours) there is a chancethat it can be made to scale.But we might also need the ID name space to have several levels ofhierarchical allocation to scale the lookup.

But if we need to take into account information that changes morefrequently, I think we're likely to end up with something that has thesame scaling issues as BGP. There is no such thing as a free lunch asNoel likes to say.

FWIW, once we have the above, we still need a protocol that can providethe end-to-end locator agility (without creating a large security hole).

So the question in my mind, while we explore the above, is whether wewould do shim6 any differently if we had the above ID lookup system.(Note that there is nothing in shim6 the protocol that assumes that theULIDs are indeed routable addresses; it is merely a convenient way todeploy things and it doesn't have the overhead of doing some extralookups for ID->loc mappings.)

This same site ID to locator mapping protocol could be used by transit
ASes to rewrite the destination locator information and forward the
packet towards the destination at an alternate location.  Transit ASes
that don't wich to perform TE can simply forward the packet and do not
require the added site/locator state.


Are you assuming that
1) every packet would carry IDs (in addition to the locators)?
2) that the routers would do some lookups on the ID?

There is potentially a simpler way for routers to influence thelocators, which is just having them do source locator rewriting (as inMike O'Dell's GSE.)Shim6 already allows this on data packets, and maybe we should makeshim6 allow that on its "control" packets as well. *If* we allow this,and such rewriting is useful, we can get that aspect of GSE behaviorwhile having the "first, do no harm" security level present in shim6.

I'm not sure this scales any better than de-aggregation as all ingress
routers and any transit routers that want TE will need state to map one or
more locators to every site.

The total size of the policy would be large. But if it is mostly staticthen it might be manageable.We can still do load spreading and primary/fallback with a staticpolicy; the policy can be expressed akin to DNS SRV records with apriority (for primary/fallback) and a weight (for load spreading), andthe client of the policy evaluates this.

If you want the policy to change due to dynamic events, even if it isjust based on different policies for different times of day, then thingsget hard.

But this also assumes that anybody that connects is allowed to see thepolicy to be able to do the evaluation of what locator to use. Thatmight run into trouble with existing practices.

An alternative would be to have some TBD mechanism (some new DHCPoption?) for the destination site to distribute its policy (e.g., in theform of priorities and weights) to all the hosts in the site, and thenuse shim6 to express those to every peer that connects to a host in thesite.


Thus at a gross level I see two different ways to factor the system:
A. An ID->loc lookup system which takes some policy into account.

B. An ID->loc lookup system without policy, plus
   policy distribution within each end site and host-to-host exchanging
   of preferences when they start communicating.

For both approaches there is the question how useful it is to allowrouters to rewrite the source locators.

I know how to build B out of existing components. But B doesn't allow atransit ISP to express their policy; only the end sites can do it.

On the other hand, I have no idea what the threat model is for A; how tomake a distinction between a legitimate ISP on the path, and an attacker?


Hmm - perhaps we should write this up in an I-D?

I'm sure there are more details to discuss, and I'd really like toexplore this more to determine whether we need to do shim6 differently.And, from my understanding of approach B, the only open question in mymind is whether we need to make shim6 allow locator rewriting on its I1,R1, etc control messages.


   Erik

Follow-Ups:
- More TE & SHIM6 (was Re: comments on draft-ietf-shim6-proto-03
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>

References:
- Re: comments on draft-ietf-shim6-proto-03
  - From: "Jason Schiller (schiller@uu.net)" <jason.schiller@mci.com>

Prev by Date: review of draft-ietf-shim6-proto-03.txt, sections 1-2
Next by Date: Re: Review comments on draft-ietf-shim6-proto-03.txt
Previous by thread: Re: comments on draft-ietf-shim6-proto-03
Next by thread: More TE & SHIM6 (was Re: comments on draft-ietf-shim6-proto-03
Index(es):
- Date
- Thread