On 16-jun-2006, at 18:27, Erik Nordmark wrote:
e.g. enforced(!), centrally administered site-wide policy, incl. trafficengineering inbound and outbound. With no way for hosts to make theirown decisions, nothing to (re)configure, no DNS complexity, no wastage of bandwidth for keepalive, no communication setup delays (the slow DSL line have already high latency, don't want to add anything to that) etc.
[FWIW shim6 doesn't have a communication setup delay. But it does have "do no harm" security which is missing from your list.]
But the above sounds like asking for a "free lunch" of a BGP with infinite scaling ;-)
Hm, maybe it makes sense to build in address rewriting by routers (or middleboxes) after all?
That way, the hosts handle the security, but routers can easily overwrite source addresses and middleboxes that carry more state could even overwrite destination addresses, as soon as the shim negotiations have completed.
Can we do better with respect to traffic engineering without throwing out security? draft-nordmark-shim6-esd outlines ways in which we can get the same feedback loop from routers as in GSE.
This depends largely on whether we accept the proposed requirement that hosts are unable to make any decisions of their own. Do we?