
transparent addrsel policy adjustment for outbound TE
Hi,

Reading the extended shim design draft, in particular the discussion on app modifications to do SRV lookup triggered the following thought.

I'm pretty sure someone must have run this thought experiment before, so pointers would be useful if so.

When applications perform DNS lookups and get multiple responses, the _resolver libraries_ could, based on transparent (to the app) SRV lookups or a policy database, "weigh" the getaddrinfo responses given to the applications. That is, because the apps by default try the addresses in the order they get them from getaddrinfo, instead of returning the records in round-robin fashion, the resolver could very well return certain addresses first (e.g., 90% of the time) and some others first the remaining 10%. (The obvious other destination address selection criteria should be applied first.)

This would not have any negative impact on the application as all the addresses would still be there but the ordering would just be modified based on preferences, though running transparent SRV lookups could incur delays etc. if it's not done in parallel.

This could be very effective means for outbound TE decisions without a need to touch applications at all.

This doesn't really help with inbound TE though. (One could add a similar function to the site's authoritative DNS server, and unmodified resolvers might comply with that policy, but caching DNS servers would mess this up.)

One could imagine that a part of inbound TE (for sessions which originate at the site) could be handled with slightly similar source address selection policies, but this doesn't help with inbound TE for traffic originated from the Internet (but you could add the SRV records or whatever if you care about this).

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
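The weighted ordering the message proposes, written out as an added example (not code from the original post or from any resolver library). It models each candidate as an (address, priority, weight) triple with RFC 2782 SRV semantics: lower priority values are tried first, standing in for the "obvious other" destination selection criteria, and within one priority group the first address is drawn with probability proportional to its weight, then the next from what remains, so every address is still returned and only the order changes. The addresses and the 90/10 split are constructed sample data; the function names are this example's own.

```python
import random
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# (address, priority, weight), following RFC 2782 SRV semantics.
Candidate = Tuple[str, int, int]

# Constructed sample input: two addresses sharing a priority with a 90/10
# weight split, plus a less preferred fallback at a higher priority value.
SAMPLE_CANDIDATES: List[Candidate] = [
    ("2001:db8:1::10", 10, 90),
    ("2001:db8:2::10", 10, 10),
    ("2001:db8:3::10", 20, 0),   # weight 0 is fine when it is alone in its group
]


def _weighted_pick(group: Sequence[Candidate], rng: random.Random) -> int:
    """Index of one entry chosen with probability weight / sum(weights).

    If every weight in the group is 0 the choice is uniform, which is the
    degenerate case RFC 2782 handles by placing weight-0 entries first.
    """
    total = sum(w for _, _, w in group)
    if total == 0:
        return rng.randrange(len(group))
    r = rng.randint(0, total - 1)
    running = 0
    for i, (_, _, w) in enumerate(group):
        running += w
        if r < running:
            return i
    return len(group) - 1  # not reachable; keeps the function total


def weighted_order(candidates: Sequence[Candidate], rng: random.Random) -> List[str]:
    """Return every address exactly once, ordered by priority and then by
    repeated weighted selection within each priority group."""
    ordered: List[str] = []
    by_priority = sorted(candidates, key=lambda c: c[1])  # stable sort
    i = 0
    while i < len(by_priority):
        j = i
        while j < len(by_priority) and by_priority[j][1] == by_priority[i][1]:
            j += 1
        group = list(by_priority[i:j])
        while group:                      # drain the group by weighted draws
            ordered.append(group.pop(_weighted_pick(group, rng))[0])
        i = j
    return ordered


def sample_order(candidates: Sequence[Candidate], seed: int) -> List[str]:
    """One ordering from a seeded generator, for reproducible runs."""
    return weighted_order(candidates, random.Random(seed))


def first_choice_frequency(candidates: Sequence[Candidate], trials: int,
                           seed: int = 0) -> Dict[str, float]:
    """Empirical probability of each address being handed to the app first.

    Also checks on every trial that the result is a permutation of the
    input: addresses are reordered, never dropped.
    """
    rng = random.Random(seed)
    expected = sorted(a for a, _, _ in candidates)
    counts: Counter = Counter()
    for _ in range(trials):
        order = weighted_order(candidates, rng)
        if sorted(order) != expected:
            raise AssertionError("ordering dropped or duplicated an address")
        counts[order[0]] += 1
    return {a: counts[a] / trials for a in expected}


if __name__ == "__main__":
    print(sample_order(SAMPLE_CANDIDATES, 1))
    for addr, freq in first_choice_frequency(SAMPLE_CANDIDATES, 10000).items():
        print(f"{addr:16} first {freq:.1%} of the time")
```

The fallback address at priority 20 is never returned first while a priority-10 address exists, which is the RFC 2782 behaviour; a resolver that wanted a softer preference would collapse priorities and express everything as weights.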