
Re: Distributing site-wide RFC 3484 policy



On 26-jul-2007, at 9:33, Jun-ichiro itojun Hagino wrote:

	i would like to name the devices/networks like:

		ISP-A	ISP-B
		  |	  |
		RT-A	RT-B
		  |	  |
		==+=======+== PREFIX-A:0::/64, PREFIX-B:0::/64
		  | ADDR-A/128, ADDR-B/128
		your machine

	now, first of all, you really cannot define/determine what is the
	best combination among the following to reach the destination, X.
	X could be within ISP-A, ISP-B, or totally far end of the planet with
	rather long AS path.

That's why it's useful to have a mechanism that can tell you "try to reach X over B" in the case that X is much easier/faster/cheaper to reach over B than over A.

	next, depending on operating system on your machine, the treatment of
	default router differs.  this is outside of the "source address
	selection".
	- some implementations pick the default route out of RT-A/B at will
	- some implementations do install both RT-A/B as default gateways
	  but use only one of them
	- some implementations try to perform load-balancing

Right. As I've said before, I'd like my system to make sure that when I use source address A/128 I go out over ISP A and when I use source address B/128 I go out over B. Then you said you tried that and you didn't like it so you reverted back to ignoring the address/route relationship. Then I asked why but so far, no answer.

		ISP-A	ISP-B
		  |	  |
		RT-A	RT-B
		  |	  |
		==+=======+== PREFIX-A:0::/64, PREFIX-B:0::/64
		  |
		router
		  |
		==+======= PREFIX-A:1::/64, PREFIX-B:1::/64
		  | ADDR-A/128, ADDR-B/128
		your machine

Right, in this situation my machine wouldn't be able to select the exit path. (Note that Marcelo Bagnulo and Christian Huitema had a draft about this in multi6 for some time.) That doesn't mean it's not useful to have the capability when the host CAN make the decision. As an operator, I can always remove the router in the middle. I can't realistically rewrite my IP stack.

	if one or both of the ISPs practice filtering such as uRPF, you would
	have to narrow down the choices so that you would pick PREFIX-A for
	RT-A (ISP-A), and PREFIX-B for RT-B (ISP-B).  but normally it is the
	routing protocol that decides.

So?

I don't see how using public address space for the private
interconnection between the two sets of servers makes sense.

	if you have firewall device to begin with, there is no difference
	at all even if you pick a global address for B, or address with
	limited scope (site-local, ULA, whatever).

Of course there is. If I have public space, I receive packets. I need an ISP. When I change ISPs, I have to renumber. All reasonable things if I actually want to go out and connect to the world, but NOT for a private interconnect.

	in fact, if you pick a
	global address it would be easier for A to handle traffic from B.

Nonsense.

And smart implementers will create a layer that takes care of these
details. Annoying, yes. Necessary, absolutely.

	no please don't.  for god's sake.  we would need another 10 years to
	adapt software, including sendmail, ruby, python, postfix, procmail,
	you name it, to the new API.

Fortunately, stuff that doesn't do this too well works most of the time. But yes, it's necessary to make software smarter. The idea that you get a single address and that it works 100% of the time is plain broken.

	so it would be better for us to provide connectivity to all of the
	cases in the network setup,

And how exactly do you do that in a world where mobile devices roam
from network to network, often with overlap between two forms of
connectivity and connectivity going away without prior warning?

	i do not get what you mean.  more concrete example please?

I can connect to the internet over the cell phone network or through wifi. Both are wireless so they drop out from time to time when you move around. Each has its own address, so my address keeps changing all the time and when both are active I have two addresses.

A dumb TCP/IP stack that sends packets with a wifi source address over the cell network is a problem here. So is a dumb application that will try to connect over wifi when I'm out of range of the base station and doesn't retry over the cell network.

	or do i
	keep silent and watch people fall into the pitfall and get injured?

If you know a better way, by all means...

	so i have been trying to...

You warn against doing something, you are not providing a better alternative. :-)
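The thread argues about whether a site-wide RFC 3484 policy table can express "try to reach X over B" in the two-ISP picture drawn above. The following Python model, added here as an illustration and not code from the thread or from any of its participants, implements only Rule 6 (prefer matching label) and Rule 8 (longest matching prefix) of the RFC 3484 source address selection algorithm on top of the RFC's default policy table, and then shows how a site-wide extension of that table steers a chosen destination to ADDR-B. The prefixes PREFIX_A, PREFIX_B, the /128 addresses and the destination X are constructed from the 2001:db8::/32 documentation range and are assumptions of this example; the scope, deprecation and outgoing-interface rules (Rules 2 to 5 and 7), which is where itojun's point about the default router leaves the host, are deliberately left out.

```python
"""Simplified RFC 3484 source address selection driven by a policy table.

Only Rule 6 (prefer matching label) and Rule 8 (longest matching prefix)
are implemented; scope, deprecation, home-address, outgoing-interface and
temporary-address rules are omitted.  All addresses below are constructed
for this example from the 2001:db8::/32 documentation range.
"""
import ipaddress

# Default policy table from RFC 3484 section 2.1: (prefix, precedence, label).
# Precedence only orders destination addresses and is unused here.
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]

# Constructed site: ISP-A and ISP-B each delegate a /48; the host holds one
# address out of each (ADDR-A/128 and ADDR-B/128 in the thread's diagram).
PREFIX_A = "2001:db8:a::/48"
PREFIX_B = "2001:db8:b::/48"
ADDR_A = "2001:db8:a:0::1"
ADDR_B = "2001:db8:b:0::1"


def policy_lookup(policy, addr):
    """Return (precedence, label) of the longest policy prefix containing addr."""
    addr = ipaddress.IPv6Address(addr)
    best = None
    for prefix, precedence, label in policy:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    if best is None:
        raise ValueError(f"no policy entry covers {addr}")
    return best[1], best[2]


def common_prefix_len(a, b):
    """Number of leading bits shared by two IPv6 addresses (used by Rule 8)."""
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - diff.bit_length()


def select_source(dst, candidates, policy=DEFAULT_POLICY):
    """Pick a source address for dst; return (address, rule that decided)."""
    dst_label = policy_lookup(policy, dst)[1]
    # Rule 6: if some candidates share the destination's label, keep only those.
    matching = [c for c in candidates if policy_lookup(policy, c)[1] == dst_label]
    if matching and len(matching) < len(candidates):
        candidates = matching
        if len(candidates) == 1:
            return candidates[0], "rule 6 (matching label)"
    # Rule 8: longest common prefix with the destination; ties keep list order.
    best = max(candidates, key=lambda c: common_prefix_len(c, dst))
    return best, "rule 8 (longest matching prefix)"


def site_policy(dst_prefix, isp_prefix, label=5):
    """Site-wide extension of the default table: give a destination prefix and
    the ISP prefix it should be reached through the same (site-chosen) label,
    so that Rule 6 pairs the two.  The label value is an assumption."""
    return DEFAULT_POLICY + [(dst_prefix, 40, label), (isp_prefix, 40, label)]


if __name__ == "__main__":
    # X is numbered next to ISP-A's space, so by default Rule 8 picks ADDR-A,
    # even if the site knows X is cheaper to reach through ISP-B.
    X = "2001:db8:a:ffff::1"
    print(select_source(X, [ADDR_A, ADDR_B]))
    # With the site table, X and PREFIX-B share a label and Rule 6 wins.
    policy = site_policy("2001:db8:a:ffff::/64", PREFIX_B)
    print(select_source(X, [ADDR_A, ADDR_B], policy))
    # Other destinations inside ISP-A's /48 are unaffected by the extra entries.
    print(select_source("2001:db8:a:1::1", [ADDR_A, ADDR_B], policy))
```

Two things the model makes visible that the prose does not: the policy table changes only which source address the host picks, so the "go out over ISP B when using ADDR-B" half of the argument still needs either source-based routing on the host or the routers to honour it; and a label shared by a destination prefix and an ISP prefix is an ordinary table entry that can be distributed to every host, which is the distribution problem in the subject line.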