
Re: Distributing site-wide RFC 3484 policy



On 25-jul-2007, at 17:46, Jun-ichiro itojun Hagino wrote:

	- the entire "source address selection" stuff was a mistake.
	  network has to be deployed so that any ip6_src/ip6_dst pair can go
	  out of the organization somehow.

That ship has sailed. Even if you could, through some kind of
herculean effort, make it so that only a single IPv6 address is
available per host rather than 1 or more for 1 or more interfaces,
there's going to be the issue of having both an IPv4 and an IPv6
address. I currently have a mail client that won't fall back to IPv4
if IPv6 doesn't work. That's not acceptable.

	you are talking about a separate story.  the thread is about having
	to run source-address selection between IPv6 addresses with different
	"scope" or reachability.

I'm very much interested in achieving the following:

Get both ADSL and cable connectivity from competing providers (or fill in two last 1609 meter technologies of your choice), where each of those connections has a separate gateway attached that doesn't know about the other gateway. Both announce a PA block from the ISP in question using stateless autoconf. My hosts configure with two addresses and two default gateways, and use the appropriate gateway with a given source address. When an application can't connect using one source/dest pair, it tries the others until there is a working connection.

Other people are interested in the following situation:

Set of servers A has a public facing side, heavily firewalled, and a private side. Set of servers B doesn't talk to the outside world, but does talk to servers A on the private side so optimum safety is accomplished without having firewalls etc on the private side for cost/performance reasons.

I don't see how using public address space for the private interconnection between the two sets of servers makes sense.

	normal application which makes outgoing TCP connection DOES NOT
	perform bind(2), so the application will only try all of the
	destination addresses available on the DNS, not all the src/dst pairs.

In shim6 I have spoken up to avoid pushing this functionality into applications, but although the application is not the good place for it, if it's not done elsewhere, it will have to be done in applications.

And smart implementers will create a layer that takes care of these details. Annoying, yes. Necessary, absolutely.

	so it would be better for us to provide connectivity to all of the
	cases in the network setup,

And how exactly do you do that in a world where mobile devices roam from network to network, often with overlap between two forms of connectivity and connectivity going away without prior warning?

	think about it.  then why "site-local" was killed after a long long
	debate?

Ambiguity.

Deciding for other people what they don't need is extremely impolite.

	is it impolite to stop people from going into a pitfall?

Some pitfalls, and certainly this one, are in the eye of the beholder.

	or do i
	keep silence and see people go into the pitfall and injured?

If you know a better way, by all means...
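The point made in the message above (a plain connect() walks the DNS
answers but never tries a second source address unless the application
bind(2)s first) can be shown with the small connection layer sketched
below. This is an added example, not code from the thread or from any
shim6 or RFC 3484 implementation. It assumes the application already
knows its candidate source addresses (one per upstream, as in the
ADSL-plus-cable setup) and the destination addresses from DNS; the
connector argument and the fake connector are hypothetical hooks so the
pair-walking logic can be exercised offline, and all addresses used are
documentation prefixes, not real hosts.

```python
"""Try every (source, destination) address pair until one connects.

Added example, not part of the original thread. A normal connect() only
iterates over destination addresses; a host with one source address per
upstream has to bind(2) explicitly to each source before connecting, or
the second upstream is never tried.
"""
import socket
from typing import Callable, Iterable, List, Optional, Set, Tuple

Pair = Tuple[str, str]  # (source address, destination address)


def family_of(addr: str) -> int:
    """Return socket.AF_INET6 or socket.AF_INET for a textual address."""
    for fam in (socket.AF_INET6, socket.AF_INET):
        try:
            socket.inet_pton(fam, addr)
            return fam
        except OSError:
            continue
    raise ValueError(f"not an IP address: {addr!r}")


def candidate_pairs(sources: Iterable[str], destinations: Iterable[str]) -> List[Pair]:
    """Order pairs destination-first (DNS answer order), then by source.

    Only pairs of the same address family are usable; mixed pairs are dropped.
    """
    pairs: List[Pair] = []
    for dst in destinations:
        for src in sources:
            if family_of(src) == family_of(dst):
                pairs.append((src, dst))
    return pairs


def socket_connector(src: str, dst: str, port: int, timeout: float):
    """Real connector: bind to src, then connect to dst:port; returns the socket.

    bind() to an address the host does not own fails with EADDRNOTAVAIL, and
    connect() via an upstream that is down fails or times out; both surface
    as OSError so the caller can move on to the next pair.
    """
    s = socket.socket(family_of(dst), socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.bind((src, 0))          # ephemeral local port, chosen source address
        s.connect((dst, port))
    except OSError:
        s.close()
        raise
    return s


def make_fake_connector(unreachable: Set[Pair]) -> Callable:
    """Hypothetical test hook: a connector that fails for the given pairs.

    Returns a string handle for a successful pair instead of a socket, so the
    pair-walking logic can be tested without any network.
    """
    def connector(src: str, dst: str, port: int, timeout: float):
        if (src, dst) in unreachable:
            raise OSError(f"no route from {src} to {dst}")
        return f"{src}->{dst}:{port}"
    return connector


def connect_any_pair(sources: Iterable[str], destinations: Iterable[str], port: int,
                     connector: Callable = socket_connector, timeout: float = 2.0):
    """Return (handle, (src, dst), failures) for the first pair that connects.

    `failures` is the ordered list of (src, dst, error) pairs tried before it.
    Raises OSError if no pair works.
    """
    failures: List[Tuple[str, str, str]] = []
    for src, dst in candidate_pairs(sources, destinations):
        try:
            return connector(src, dst, port, timeout), (src, dst), failures
        except OSError as e:
            failures.append((src, dst, str(e)))
    raise OSError(f"no working src/dst pair; tried {len(failures)}")


if __name__ == "__main__":
    # Local demonstration: a listener on 127.0.0.1 plays the destination.
    # The documentation-prefix IPv6 pair fails at bind(); the loopback pair works.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    sock, pair, failures = connect_any_pair(
        ["2001:db8:1::10", "127.0.0.1"], ["2001:db8:ffff::1", "127.0.0.1"], port)
    print("connected via", pair, "after", len(failures), "failed pair(s)")
    sock.close()
    listener.close()
```

The destination-first ordering mirrors what an unmodified application
already does; the inner loop over sources is the part a plain connect()
lacks. In practice the timeout should be short and attempts overlapped,
since a source whose upstream has silently gone away (the roaming case
raised above) fails by timing out rather than with an immediate error.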