Re: [RRG] Six/One Router Design Clarifications
Hi Dino -
When two hosts in upgraded edge networks communicate, addresses are
rewritten bilaterally such that the second rewrite is the inverse of
the first. The result is the same as with tunneling. The
is that it works without an additional IP header.

Not true. The packet, when traveling in the core, doesn't contain the
original addresses. With tunneling, it does.

With "the result is the same", I was referring to what hosts see end
to end: both tunneling and rewriting are transparent and stateless.

Yes, that was unclear, sorry.

Yes, that would be necessary. ;-)

The fact that IP addresses are not carried in packets is something I
see as an advantage because it does without extra packet overhead (no
extra bandwidth, no MTU issues). And...

The overhead is worth the ability to do debugging and management. NATs
are hard to manage but people put up with them because in the 99%
case, they connect one subnet to the world and are at the extreme edge
of the network. Moving NAT functionality anywhere else is probably
going to be a non-starter for a sizable network.

Now, if you put the translated address in a mapping database, then we
can talk. ;-) But you still have the debugging problem in the core.
People love their sniffer tools like SPAN, wireshark, etc...

And if you have ACLs anywhere in boxes after the translator, they
to change when the translated addresses change. With tunneling, when
the inner header addresses are EIDs that are portable, you can change
the outer header addresses and the ACLs in the core never have to

...ACLs in the Internet core can use transit addresses just as well as
edge addresses because both uniquely identify a host.

But the point is you broke the level of indirection you introduced. If
the transit address changes, you have to change the ACL. You make the
ACL operate on the object that doesn't change. That is EIDs, which are

A core ACL needs only a single transit address per host in the general
case, i.e., when the ACL is in an edge network's immediate provider.

Most ACLs are not host-based either. That's another management
nightmare. So that won't work.
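The exchange above contrasts two ways of carrying edge traffic across a core: map-and-encap tunneling, where the original header survives inside an outer one, and bilateral rewriting, where the ingress router replaces edge addresses with transit addresses and the egress router applies the exact inverse. The toy model below is an added illustration and is not code from this thread, from Six/One, or from any tunneling protocol; every address, the mapping table and the renumbering event (host edge-A1 moving from provider P1 to a hypothetical P3) are constructed. It shows what each mechanism leaves visible to a sniffer or ACL in the core, that both deliver the original addresses to the far host, and what happens to an unchanged core ACL when a host's transit address changes, depending on whether the rule was keyed on the outer (transit) or inner (edge) address.

```python
"""Toy model: map-and-encap tunneling versus bilateral address rewriting.
Added illustration for the thread above; addresses, the mapping and the
renumbering event are all constructed, not taken from any real design."""

from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed mapping of edge (EID-style) addresses to transit addresses.
MAPPING: Dict[str, str] = {"edge-A1": "transit-P1-A1", "edge-B1": "transit-P2-B1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None  # set only for an encapsulated packet


def to_core(pkt: Packet, mapping: Dict[str, str], mode: str) -> Packet:
    """Packet as it appears in the core after the ingress edge router."""
    outer = Packet(mapping[pkt.src], mapping[pkt.dst])
    if mode == "tunnel":
        # Encapsulation: the original header travels unchanged inside.
        return Packet(outer.src, outer.dst, inner=pkt)
    if mode == "rewrite":
        # Rewriting: only transit addresses exist in the core.
        return outer
    raise ValueError(f"unknown mode {mode!r}")


def from_core(pkt: Packet, mapping: Dict[str, str], mode: str) -> Packet:
    """Packet as the receiving host sees it after the egress edge router."""
    if mode == "tunnel":
        return pkt.inner  # decapsulate
    if mode == "rewrite":
        # The second rewrite is the inverse of the first.
        inverse = {transit: edge for edge, transit in mapping.items()}
        return Packet(inverse[pkt.src], inverse[pkt.dst])
    raise ValueError(f"unknown mode {mode!r}")


def core_view(pkt: Packet) -> Tuple[str, str, Optional[Tuple[str, str]]]:
    """What a sniffer or ACL placed in the core can observe."""
    inner = None if pkt.inner is None else (pkt.inner.src, pkt.inner.dst)
    return pkt.src, pkt.dst, inner


def end_to_end(pkt: Packet, mode: str):
    """Return (core observation, packet delivered to the far host)."""
    in_core = to_core(pkt, MAPPING, mode)
    return core_view(in_core), from_core(in_core, MAPPING, mode)


# Two ways an operator might key a deny rule in the core: on the transit
# address in the outer header, or on the edge address in the inner header.
def rule_on_transit(transit_src: str) -> Callable[[Packet], bool]:
    return lambda p: p.src == transit_src


def rule_on_edge(edge_src: str) -> Callable[[Packet], bool]:
    return lambda p: p.inner is not None and p.inner.src == edge_src


def acl_survives_renumbering(mode: str, key: str) -> Tuple[bool, bool]:
    """Write a deny rule for host edge-A1 under MAPPING, then change that
    host's transit address (constructed: provider P1 becomes P3) and report
    whether the unchanged rule matched before and after the change."""
    pkt = Packet("edge-A1", "edge-B1")
    rule = (rule_on_transit(MAPPING["edge-A1"]) if key == "transit"
            else rule_on_edge("edge-A1"))
    before = rule(to_core(pkt, MAPPING, mode))
    renumbered = {**MAPPING, "edge-A1": "transit-P3-A1"}
    after = rule(to_core(pkt, renumbered, mode))
    return before, after


if __name__ == "__main__":
    for mode in ("tunnel", "rewrite"):
        seen, delivered = end_to_end(Packet("edge-A1", "edge-B1"), mode)
        print(f"{mode:8s} core sees {seen}; host receives "
              f"{delivered.src} -> {delivered.dst}")
        for key in ("transit", "edge"):
            print(f"  ACL keyed on {key:7s} address, matches before/after "
                  f"renumbering: {acl_survives_renumbering(mode, key)}")
```

Running it shows both modes handing the far host the original edge addresses, while the core observation differs: the tunnel case exposes the inner edge addresses, the rewrite case exposes only transit addresses. A rule keyed on a transit address stops matching after the renumbering in either mode; a rule keyed on the edge address keeps matching under tunneling and can never match under rewriting, because the object it names is not present in the core.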
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg