IETF Logo Mail Archive

Re: [homenet] dst/src routing drafts (for IETF-91 rtgwg)

"Fred Baker (fred)" <fred@cisco.com> Wed, 29 October 2014 16:09 UTC

Return-Path: <fred@cisco.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1EF21A1AEB; Wed, 29 Oct 2014 09:09:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -114.511
X-Spam-Level:
X-Spam-Status: No, score=-114.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fV0VKRLMommJ; Wed, 29 Oct 2014 09:09:17 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEAF51A1A4E; Wed, 29 Oct 2014 09:09:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5723; q=dns/txt; s=iport; t=1414598957; x=1415808557; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=2QWzecaPC0eydHgZPn18j4Gr7oDQQYS737TOKLAGrK0=; b=kz3HBi9szpE+yv8QcBxK3qV+dh4PfmLF+cPgE4ruRv77mcWm+wBthS9m Rp6pU7hoi/sgeE7uwGnZSfc4xp3d7rComa8JBhluxNZSTQAJESUw5EuFZ i2EThMeH8fiU847tP9gKtkmR+OBClVKJanb19gpbUzv/g7GW4J3mgR5SW Q=;
X-Files: signature.asc : 195
X-IronPort-AV: E=Sophos;i="5.04,810,1406592000"; d="asc'?scan'208";a="367613256"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-4.cisco.com with ESMTP; 29 Oct 2014 16:09:15 +0000
Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id s9TG9F93026139 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 29 Oct 2014 16:09:15 GMT
Received: from xmb-rcd-x09.cisco.com ([169.254.9.248]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.03.0195.001; Wed, 29 Oct 2014 11:09:15 -0500
From: "Fred Baker (fred)" <fred@cisco.com>
To: Ray Hunter <v6ops@globis.net>
Thread-Topic: [homenet] dst/src routing drafts (for IETF-91 rtgwg)
Thread-Index: AQHP7KYr8Fy7zf5Z70yFtC9ToRE4KA==
Date: Wed, 29 Oct 2014 16:09:15 +0000
Message-ID: <C9754B86-0A54-4FA5-91B5-4D4339E8D9C8@cisco.com>
References: <20141020204033.GD236844@jupiter.n2.diac24.net> <20141022190653.GB868521@jupiter.n2.diac24.net> <DFE4317C-E4B6-44AB-AED4-2FBBBD2888DA@cisco.com> <B445E8FD-13EE-4014-8D1C-7C9D4A188D2D@cisco.com> <544FF3F2.3050206@gmail.com> <20141029062837.GH5186@eidolon> <B6D9E5BD-8903-4133-8947-BB8AEAD97AA4@cisco.com> <5450D7ED.9010806@globis.net>
In-Reply-To: <5450D7ED.9010806@globis.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.19.64.120]
Content-Type: multipart/signed; boundary="Apple-Mail=_6D616973-B317-4DAA-9C1D-B9051EFAA046"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/homenet/KjNj8u07fmZtqRF_AtdkKLsRHeg
Cc: Ole Troan <ot@cisco.com>, "homenet@ietf.org" <homenet@ietf.org>, "rtgwg@ietf.org" <rtgwg@ietf.org>, Mikael Abrahamsson <swmike@swm.pp.se>, David Lamparter <equinox@diac24.net>
Subject: Re: [homenet] dst/src routing drafts (for IETF-91 rtgwg)
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 16:09:20 -0000

On Oct 29, 2014, at 5:05 AM, Ray Hunter <v6ops@globis.net> wrote:

> 
> 
> Fred Baker (fred) wrote:
>> On Oct 28, 2014, at 11:28 PM, David Lamparter<equinox@diac24.net>  wrote:
>> 
>>> What I'm personally wondering most in this regard is: to what extent
>>> will larger networks deploy multiple prefixes to the hosts?
>> 
>> Well, define “larger”. Any network that gets a PI prefix is unlikely to deploy multiple prefixes. The question is at what size network is makes sense to obtain an AS number and a PI prefix, and use BGP to talk with one’s upstream.
> 
> I don't agree with this statement for the following reasons.
> 
> Availability: There are many enterprises that have very numerous far-flung sales-office type locations which do not host any critical data or applications, but which could benefit from higher availability than that provided by a single ISP provider (some of which are currently served by a specialised box offering a Very Small Office Service running dual IPSec tunnels to a central site, which then performs the break out to the corporate intranet/Internet)
> 
> Latency: There are many sites which could benefit from local Internet breakout to regional cloud services, where you don't want to suffer the latency associated with a back haul from an office in Australia to a regional hub in Hong Kong, or even East coast US to West coast US and back. You'd still also want some back up via the central breakout if the local breakout failed.
> 
> Cost: There are cost savings to be made in many countries where private network services are still many orders of magnitude more expensive than plain old Internet. So Internet offload for non-mission-critical traffic can be very attractive. If you could achieve this via direct host-server connections using address selection rules or multipath TCP; rather than via PBR, GRE tunnels + NAT, that would be a lot simpler.

I have a hunch we’re talking past each other. We would agree, but we’re discussing different cases. I was discussing a case in which a company operates a single addressing plan. I think you’re discussing a company that operates multiple addressing plans, one for each of several locations.

Cisco might be an example of a “larger” company. We have an IPv6 /32, more locations than you can shake a stick at, and maybe 20 DMZs, places where our network interconnects with the Internet. I don’t know exactly what we advertise or where, but I could imagine that a few of our DMZs advertise the /32 and each of our DMZs advertises a /40, or something along that line. For us, PI is “duh, obvious”, and the only case in which we might - *might* - have a second prefix would be a ULA in a lab.

I suspect the company you are discussing might have a number of small offices in as many cities, and as many PA prefixes as it takes. The company might also have a PI prefix, but I would be surprised if it used the PI prefix in all of its little offices; if it did, it would essentially use it for internal traffic, and have some sort of VPN connecting the offices on which it was used. It would, however, use the PA prefixes from the offices when they need to talk outside the house. If it is using the PI prefix plus a PA prefix in any given office, it would depend on RFC 6724’s Rule 8 (longest match) to prefer a PI address when talking to another address within the prefix, and a temporary address from PA space otherwise.

In any event, in the context of my comment above, I am thinking of the many small offices as separate networks. They don’t justify their own PI spaces; the PI in context acts more like PA from the central corporation than PI in the traditional sense of the term. They might well get PA from one or more ISPs, and they might have something akin to PA from their central office or whatever.

Coming back to the question - “would they put multiple subnet prefixes on any given LAN” - the question really comes back to their requirements and stomach for complexity. If they require multihoming, such as Jim suggests, I would hope they would do that. Among my “NAT == Security” customers and SEs, getting them there requires their network to work well (egress routing being one of many important parts of that), and a good security solution that doesn’t involve NAT. Until they have one AND they are convinced, they tell us that the lack of a NAT solution is a reason to delay deployment. I don’t think that last is about the number of prefixes around; it’s about security policy and mindset.

>>  Wherever that boundary is, below that networks will use PA prefixes. The question then becomes: will they multi home?
>> 
>> And I think the answer today is that we don’t know the answer.
> 
> This I agree with.
> 
> 
> -- 
> Regards,
> RayH
>

v2.23.0 | Report a Bug | By Email